Posted on December 6, 2014 By admin
As businesses and individuals store more and more of their data in electronic format, whether on computers, mobile devices or in the cloud, the ability to extract and present that information in legal proceedings and disputes becomes more crucial. Most people would see this as Computer Forensics or eDiscovery, and indeed the terms are often used to mean the same thing. But the two aren’t quite the same and it’s important to understand why that’s so.
The Main Differences
In truth, the processes involved are very similar. Both involve the identification, preservation, collection, analysis and reporting of data. However, it’s generally the case that whilst eDiscovery involves dealing with ‘active’ data – information which is readily available to the user through file managers and programs installed on the machine – computer forensics is more complex. It involves digging a little deeper and looking at hidden areas of the system: logs and deleted files, for example.
Computer forensics is likely to involve a higher level of expert analysis in order to provide timelines, uncover communication trails, determine the use of USB devices and so on. It’s also true that eDiscovery may have a fairly broad focus. It will often involve extracting relevant information from large volumes of other data. Forensics is more specifically targeted at extracting information surrounding a particular event or individual.
Of course, it’s frequently the case that eDiscovery may lead to a more detailed forensic investigation, depending on what is discovered in the initial searches. For example, eDiscovery may uncover much less information than anticipated, with indications that the missing data may have been removed or deleted intentionally. When choosing computer experts to support litigation, therefore, it’s a good idea to choose a company that has expertise in both fields.
There are also key differences in how the information collected is presented. Whilst eDiscovery will generally lead to a factual report being presented to a legal team for further action, a computer forensics expert may be called on to present their findings and testify as an expert witness in a court or tribunal.
Protecting the Data
In any investigation of computer data it’s vital that the information is not affected by the process of extracting it. The eDiscovery process is used to narrow down large volumes of data but any investigation must take care to work on copies of relevant files so as not to change the information they contain in any way.
A forensic examination process will take things further still. It will ensure that an exact copy is taken of a hard drive or other storage device to guarantee that files and their metadata are preserved completely intact. By using specialist tools the information can then be safely accessed without changing it in any way.
Forensics may also involve extracting information that isn’t readily accessible, for example by uncovering hidden files, recovering deleted data, decrypting secure drives or opening password-protected information.
It’s worth noting that – in the US in particular – the courts have taken a dim view of requests to provide copies of all computer information relating to a business. This is viewed as intrusive, so requests that are too broad are likely to be denied. The courts are, however, open to specific and limited requests that take a forensic approach to gathering data. This underlines the importance of understanding what data is required for a particular investigation and of using suitably qualified experts to gather and present it.
Summary
Although the terms tend to be used interchangeably, and there is a degree of overlap, there are clear differences between eDiscovery and Computer Forensics. The eDiscovery process usually deals with data from multiple desktop systems in an enterprise, or from servers that may contain lots of user accounts and their associated information. The discovery methods tend to use proven software and hardware combinations and are often pre-planned at the start of an investigation.
Computer forensics goes deeper and may be a logical next step to the eDiscovery process. It may deal with single or multiple systems or devices. It also more often deals with missing or incomplete data and, crucially, its findings may be presented and challenged in court.