When to Use a Third Party Forensics Provider for Data Collection

Many companies hesitate to use third party forensic experts to preserve and collect their data for legal matters. The argument we hear often is that their IT department is familiar with the data systems and able to download the data without assistance. After all, they own and operate these systems and often understand them better than anyone else.  IT administrators certainly add great value to the eDiscovery collection effort as they are often Person(s) Most Knowledgeable (PMK) and can answer most if not all the questions about the data infrastructure. Most experienced IT personnel have knowledge of the organization’s data systems, networks and servers as well as historical knowledge about older systems and data migrations and can lend tremendous support in mapping all relevant data systems. It is important however to understand that there is often more to a data collection then simply downloading the data.

In a recent informal survey of attorneys in law firms and corporate organizations, FRONTEO gathered thoughts and perceptions of legal decision makers on the use of forensic experts.  Virtually every attorney we spoke with reported that their organization chooses to outsource forensic collections on at least some of their cases, for a variety of reasons.  About 20 percent of those we interviewed say they outsource all collections as a matter of policy.

Here we’ll outline the key reasons named for using a third party forensics provider, rather than having an internal IT team conduct the collection.

 

Defensibility

The single most prevalent reason case teams recommend third party forensics providers for the collection of data is defensibility. They want assurances that tried and tested workflows are used during the collection of relevant data systems designed.  Many common errors – which can incur penalties, sanctions or worse when data is incorrectly collected – can be mitigated through an expert consultation at the beginning of any collection.  These scoping calls are well documented and used later to substantiate collection methodology.  In litigation or government investigation cases, it is critical that the preservation and collection of data be accurately scoped and carefully documented, and data preserved and collected in a manner that is defensible in the eyes of the court.

 

Consultation: A forensic consultant with years of collection experience will know what questions to ask during the scoping phase of a project to ensure all data sources that could contain relevant data are properly identified and documented. Potential issues which can delay progress and cost a lot of money can be quickly and efficiently flagged at the early onset of an engagement to make sure that things like data archives or email stubbing are handled correctly.

 

Collections: There is a tool for every data collection and it’s important that the tool be used properly and is scientifically reproducible. The documentation must be so accurate that two forensic examiners should derive the same results when used independently.

Even when a company has ample IT staff with the skills and tools needed to confidently undertake a collection, the legal team may still want to assess whether there may be a need for expert testimony or whether separation of duty is of value to the case matter. When a forensic expert conducts the operation described above, they support the process and the results as a third party. If a question should arise about the veracity or integrity of the collected data, the forensic expert can provide an authoritative response through written or court testimony, outlining and defending the methods, processes and tools used in the collection process which will often allay most reasonable concerns.

 

Handling Emerging Technologies

Sources of potentially responsive ESI are growing. Identification and collection of data from computers and network servers can be relatively straightforward but there is a growing demand to collect from mobile devices, cloud applications (such as Dropbox, Gmail, salesforce.com and others), messaging apps and social media. Collecting from these sources requires expertise, and in some cases, new tools, to ensure a reviewable and forensically sound collection.  Many organizations choose to rely on a forensics expert to help identify and collect from these emerging technologies, rather than incur the risk and cost of ramping up internal resources.

 

Cross-border Cases and Multilanguage Data

In cases where potentially responsive data resides on PCs or devices in a remote office, or even overseas, effective collections may require local resources to help with navigating logistics through cultural or linguistic capabilities. A large eDiscovery service provider may have staff or language support in the remote locations who are available to support the collection needs.

A discovery service provider with offices and experts in multiple countries can offer invaluable experience in cross-border cases involving data with multiple languages or which includes unusual or legacy applications.  Documents containing double-byte characters (Asian languages, Chinese, Arabic, etc.) is fraught with potential technical encoding and processing issues. A multinational discovery service provider will have processes in place to handle these types of situations. In these cases a discovery service provider with forensic examiners experienced in cross-border data can help to ensure these types of data sets are properly collected and tested before they are processed for review.

 

Incontestable Documentation

In corporate organizations, data collection for a legal matter represents less than 5 percent of the typical IT person’s work activities.  Most IT and data management roles are not trained in the documentation of data collection which can be used to support defensibility in a court of law.  By comparison, creating detailed collection logs, taking photographs, and instituting detailed chain of custody documentation are all normal operations for professional forensic examiners. This careful documentation can often be critically important especially for some matters which may go on for years.

 

Prioritizing IT Service to the Organization

IT teams are challenged by constant change and complexity, and their priorities are driven by the business demands of the organization. An eDiscovery request is a time-critical interruption of daily business and an exception to familiar tasks.  The legal department and IT executives should consider priorities for IT staff and estimate the expected frequency and volume of ESI collection in the organization.  Using that information they can agree on who will own the eDiscovery data collection process, and under what circumstances the forensic collection effort should be outsourced.

 

Selecting a Forensic Service Provider

When evaluating a forensic provider, look at the size of the organization and locations of staff. If you operate globally, confirm that the provider also has global expertise. Next, look at the experience and certifications held by individual forensic experts on the team. FRONTEO’s Forensic Advisory Services has implemented an adaptation of the American Society of Crime Laboratory Directors (ASCLD) protocol, which is used by federal and local government agencies across the United States.

Our examiners have obtained the specialty credentials and certifications – EnCE, CCE, CSFA, ACE, CISSP, CCFE, CHFI and others – endorsing their expert skillset and level of understanding surrounding the proper handling of evidence to assure that its metadata remains intact and fully defensible.

Forensic collection is often the least expensive step in the litigation process, but in today’s climate it can be complex and a critical phase early in the EDRM model.  The decision to collect data in-house or to enlist the assistance of a forensics team might depend on the case and the volume and type of data involved, among other things.  Enlisting a forensics expert can be a cost-effective way to reduce risk and assure that a litigation or investigation starts off on the right foot.