eDiscovery

A brief introduction to eDiscovery

What is it?
Electronic discovery involves the exchange of data between parties who are in civil or criminal litigation.

Example: a company investigating a worker who is suspected of stealing files.

Tip: To conduct a successful enquiry you need to be efficient and organised, as deadlines are tight and delays are costly. Keep in mind that organisations will want to know what you are doing at all times, so documentation is essential!


Law
Law is a huge aspect: the investigation MUST follow UK law, meaning ACPO guidelines. I will upload these in a separate document; however, they are available from here.

Pre-investigation
Before starting there should be a meeting with the clients and IT staff as you need to know how the business runs; this meeting should also involve an asset inventory check.

Case example: A CEO was accused of stealing documents and provided a laptop for investigation, on which nothing was found. However, an asset inventory check revealed that the CEO had two laptops, the second holding the relevant data.

Note: BE CAREFUL, you do not know who is trying to hinder your investigation.

Before starting, there should also be a clear outline of what will be done. This will include things such as keywords, data ranges and media that will be searched. This should also include the price.

Create a list of the custodians who will be investigated and include details such as their image data and email in GB on laptop, desktop, home etc. Although this list will be updated and new custodians may be added as the investigation proceeds, it has benefits.

Benefits include:
Saving time
May aid in identifying evidence; for example, John Smith has significantly more GB of email compared to other custodians in the same job role
Prevents data being mixed up and the wrong custodians having data tied to them

The five locations typical in e-discovery
Workstation environment (e.g. home laptops)
PDAs such as mobiles - currently on the increase
Removable media - USBs
Server environment - email (often contains VERY useful information)
Backup environment - disaster backups

You should also ask about previous investigations as data may have already been preserved.

Finally... interview the custodians: determine what they own, how they store data and whether they email.

Note: if they say one laptop but the asset inventory shows two, then this is a good indication of something suspicious.

Tip: When interviewing, it is best not to give away all the information you have. Rather than tell the custodian what they were doing at 10pm, ask. This way you can gauge how deceitful they are being.
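
A small custodian tracker covering the two checks described above: comparing each custodian's email volume with others in the same job role, and comparing what they declared at interview with the asset inventory. This is an added example, not part of the original post; the custodian records, field names and the 3x peer-median threshold are assumptions made up for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data: names, roles and sizes are made up for illustration.
CUSTODIANS = [
    {"name": "John Smith", "role": "Sales", "email_gb": 41.0, "declared": {"laptop": 1}},
    {"name": "Ann Lee", "role": "Sales", "email_gb": 6.5, "declared": {"laptop": 1}},
    {"name": "Raj Patel", "role": "Sales", "email_gb": 8.0, "declared": {"laptop": 1, "mobile": 1}},
    {"name": "Eve Jones", "role": "CEO", "email_gb": 12.0, "declared": {"laptop": 1}},
]
# Constructed asset inventory from IT: devices issued to each custodian.
INVENTORY = {
    "John Smith": {"laptop": 1},
    "Ann Lee": {"laptop": 1},
    "Raj Patel": {"laptop": 1, "mobile": 1},
    "Eve Jones": {"laptop": 2, "mobile": 1},
}

def undeclared_devices(custodians, inventory):
    """Devices the inventory lists for a custodian beyond what they declared at interview."""
    gaps = {}
    for c in custodians:
        missing = Counter(inventory.get(c["name"], {})) - Counter(c["declared"])
        if missing:
            gaps[c["name"]] = dict(missing)
    return gaps

def email_outliers(custodians, factor=3.0):
    """Custodians whose email volume exceeds factor x the median of peers in the same role."""
    by_role = defaultdict(list)
    for c in custodians:
        by_role[c["role"]].append(c)
    flagged = []
    for role, members in by_role.items():
        for c in members:
            peers = [p["email_gb"] for p in members if p is not c]
            # With fewer than two peers there is no meaningful baseline.
            if len(peers) >= 2 and c["email_gb"] > factor * median(peers):
                flagged.append((c["name"], role, c["email_gb"], median(peers)))
    return flagged

if __name__ == "__main__":
    for name, gap in undeclared_devices(CUSTODIANS, INVENTORY).items():
        print(f"{name}: in inventory but not declared: {gap}")
    for name, role, gb, base in email_outliers(CUSTODIANS):
        print(f"{name} ({role}): {gb} GB email vs peer median {base} GB")
```

A flag from either check is a prompt for follow-up questions and further preservation, not evidence in itself.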




