eforensics or ediscovery - what's in a name?

BY ALLAN WATT


Is there a difference between eforensics and ediscovery? Yes, definitely. eforensics, or Computer Forensics as it is also known, involves the collection, preservation, analysis and presentation of computer-based evidence. In litigation this is also likely to require expert testimony.


However, when we refer to computer forensics in its broadest term it is essentially electronic forensics, as the results of forensic searches and preservation action are sources of evidence.


The most important step in computer forensics is to acquire the evidence in such a way that it is collected to the highest standard, that is, to the criminal standard.


In most cases this will involve obtaining a forensic image of the full physical contents of the device, usually a computer’s hard disk drive (HDD).

Ediscovery definitions vary considerably; however, for this article the following has been adopted:
“Ediscovery” refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.


The main principle is to collect and catalogue information that may be considered relevant to the matter, then index and search it and remove irrelevant data. Following this, the data is prepared in a manner that is suitable for review by legal professionals for disclosure to the other party.


From the differences outlined above it can be seen that some of them may be sufficiently subtle that a practitioner seeking these types of services may not fully understand which service they require. Both are capable of providing the outcome sought.


With eforensics, it is assumed that the matter is likely to end up before the court. Hence evidence is always collected in a forensically sound manner, the chain of evidence is preserved and documented, and the collection of the data is undertaken, where possible, in a way that preserves the integrity of the original evidence. Though it can be referred to as “computer forensics” and/or “eforensics”, “forensics” is the operative word, as there are more forensic aspects to an eforensics investigation than the “e” component.


Though we often refer to a computer, we in fact mean anything that is capable of storing and/or transferring data. This includes computers, mobile phones, PDAs, USB storage devices, iPods, external hard disk drives and camera storage cards, to name just a few.


A forensic mindset must remain foremost, and within the discipline and the standards adopted by experts, all evidence is always treated the same and to the same standard. That standard is the highest standard available, one that will not run the risk of having the evidence excluded.
Should an investigation be commenced and, through the investigation, some evidence be located that could be used to prove a criminal offence, the evidence could be excluded, or the weight applied to it severely reduced, if it was found that the collection methods at the outset were below the accepted standard.


If there is doubt, then collection and preservation to eforensic standards should always be used.


The two main types of evidence are factual and opinion. Factual electronic evidence could be where text existed on some electronic media and the fact that the text exists is the evidence. The evidence of who, what, where, when, how and why it got there is usually opinion based, and hence an expert is required to adduce that evidence.


ediscovery is concerned with discovering electronic documents. These days, potentially discoverable documents can be voluminous, and due to the sheer volume of data that is required to be collected, it is often not done to absolute forensic standards.
The main focus with discovery is to look at what documents exist, such as Word documents, email and other electronic files, and the content of those files. The “who”, “what” and “when” is not usually an issue and is derived from the metadata extracted from the document itself.


Time to call a professional


So when would a lawyer need an eforensic expert? The answer is in any one of the following cases:



  • Where the authenticity of the evidence may be in question;

  • Where there may be deleted or hidden evidence;

  • Where it is necessary to prove:

      • Who was using the computer;

      • What actually occurred;

      • When did it occur;

      • Where did it happen or where is the data;

      • How evidence got on the computer; or

      • Why is some data there or not there.

An eforensics expert should be involved in any case that may become a criminal matter or where any aspect of the digital evidence may require the presentation of expert testimony before the court. A primary difference between the two disciplines is that the person completing an eforensic investigation should be a highly qualified and experienced expert witness and may be required to present evidence on the facts or opinions formed about the case before the court. Conversely, many ediscovery practitioners may never see the inside of a court room.


ediscovery and eforensics are essentially two separate functions that complement each other and in other ways are complete opposites, as data recovery is also part of the eforensics discipline.


Lawyers need to decide from the outset of a case whether eforensics skills or ediscovery skills are required, or a combination of both. Should a lawyer decide not to collect the data in a forensically sound manner and then identify there is an issue, a forensic investigation will find data that is considered contaminated. The complication is that the court may well see that, due to interference in a non-forensically sound manner, the evidence is too unreliable to be accepted.


ediscovery in large cases such as class action cases can extend to millions of documents spanning terabytes of storage. Though eforensics can do similar, the focus is normally on more specific nodes such as a number of computers and servers. It is all about horses for courses.


The problems encountered of late, with even the basic PC having up to a 1.5TB internal hard disk drive, may see a need for change in the near future. This could see more eforensic and ediscovery joint assignments. However, given the diversity of the two disciplines, it is unlikely at this stage that they would become one. Hence the legal profession will still be tasked with having to make a choice on day one: eforensics, ediscovery or both.


Allan Watt, Dip Policing, BBS, MSc (Hons) CFCE, CFE, is the Head of eforensics at e.law Australia.