Insights: Article

Forensic Data Collections for Civil and Criminal Procedures

By Trent Leavitt

December 15, 2017

Forensic data collections are expansive. They can be anything from a single email account or cell phone to all of the computers of upper management in a large corporation. Regardless, they all need to be collected in a safe forensic manner. You might ask why it matters how it is collected. If the document, email, database or folder is able to be read, then what is the worry? The worry you should have is admissibility in court.

When a document, let’s say a Word document, needs to be used in court, the way that it was collected must be defensible. That means opposing counsel must be convinced that nothing has been deleted or altered. This is done by looking at the metadata. When data is not collected in a forensically sound manner, you inherently change the metadata, whether you mean to or not. Once opposing counsel objects because of spoiled metadata, it is out, and sanctions and/or summary judgment on your case can be right around the corner.

Three Problems in Forensic Data Collections.

First, they are not done correctly most of the time. Copying and pasting your documents onto a thumb drive and handing them to your lawyer is not the best idea (just FYI). Second, it’s not very defensible. If you or a member of your IT staff collected the data, the argument can be made that it might have been done with a certain amount of prejudice and that the key piece of evidence could have been left out. When you outsource, you outsource the defensibly and liability to the third party who is collecting the data. This takes a large amount of risk and exposure off of you and your client and places it on the third party responsible for the collection. Third, most people don’t know what is capable of being collected.

Data Collection Options

It used to be that data collections were a simple matter of placing documents into a forensic image and then sending it off for review. Today, the solutions are much more complex and cost-effective.

On-site collections are the most standard form of forensic data collections. This is going on-site to collect data directly from laptops, servers, desktops, cell phones when the circumstance calls for it. Everything should be collected in a sound court-approved manner. This is normally done for larger collection batches of data.

Remote collections are collections much like an on-site collection, only smaller in nature, which allows them to be performed remotely, thus saving you money. In order to perform remote collections, the third party will need to work with your IT staff to gain secure access to the network. IT staff can also be utilized in collections that would normally be done on-site, but don’t have to be. This saves money on the overall project.

Targeted collections are just that, a collection of data performed either on-site or remotely for a specific set of data. This can be done by collecting a set of data by a certain time period, or folder for example. This is best if you know exactly what it is that you need to be collected.

Cloud collections are forensic data collections that require harvesting data from cloud storage areas. This would include Gmail, Yahoo, Hotmail, Dropbox, Google Drive, etc. It is possible to forensically extract cloud-based data for use in court.

Social media forensic data collections have become more and more relevant in both civil and criminal cases. This is forensically collecting from Facebook, Twitter, Instagram, Youtube, to name a few. Please see our social media collection service page for more information. 

Mobile device forensic data collections are the collections of cell phones and tablets. Multiple tools are available for collecting from thousands of different types of mobile devices. Deleted text messages and other social media are among a few of the types of items that can be retrieved from cell phone forensic collections.

Culled forensic data collections are the combination of any of the above-listed collection methods, but with the ability to cull only the responsive data at the same time that the collection is taking place. Please see our page on culled data collections to get a better idea how this new technology can save large amounts of time and money as well as reducing risk.

For further information on how to use some of the tools that we make available to our clients, please click here to learn more about FTK Imager.