Speaking Technical in eDiscovery: Understanding How It Differs from Digital Forensics

In our last post, we discussed coming to “terms” with Speaking Technical in eDiscovery by learning the meaning of some very important terms. Another important aspect of speaking technical is understanding the difference between eDiscovery and digital forensics, and specific use cases for digital forensics.

Differences Between eDiscovery and Digital Forensics

There are a handful of similarities between eDiscovery and digital forensics. For example, they both deal with electronic evidence and many of the same phases exist in both disciplines – preservation, collection, processing, analysis, review and production – though how those phases are conducted can be significantly different. Here are some other differences between eDiscovery and digital forensics:

• Workflow vs. Investigative: eDiscovery is a collection of processes that constitute a workflow within the EDRM life cycle to address discovery objectives. Digital forensics is an investigative process to locate digital evidence or patterns within digital evidence.
• Straightforward vs. Hidden: In eDiscovery, key evidence is readily available within applications that are used in the normal course of business. Managing that evidence within discovery involves straightforward processes to move that evidentiary data through the workflow. In digital forensics, the evidence is often deleted or hidden and requires specific technical skills (such as data carving) to reconstruct evidence that would otherwise be lost.
• Targeted vs. Broad Preservation/Collection: eDiscovery preservation and collection has become more targeted in recent years to reduce costs downstream. For digital forensics, the preservation/collection process typically entails bit stream backup of an entire device to preserve and collect evidence, while still leveraging technology and best practices to provide a targeted set of data downstream.
• Forensics vs. Forensically Sound: Probably one of the most confusing terms that you hear used in the context of collections is the word “forensics”. At its simplest, it defines the suitability of the evidence, the tools used to collect it, the chain of custody and the integrity of the data.  Showing the digital forensic evidence has not been altered and is a reliable copy of the original is critical and is the basis of being “forensically sound”.  Taking it a step further, if the goal is to create a bit-by-bit forensically sound copy and then also analyze things like slack space or determine if any data was deleted, modified, copied, or moved, we generally think of this next level as “forensics”.
• Certification vs. Certifications: An eDiscovery professional may choose to obtain a certification of their capabilities (such as the Certified E-Discovery Specialist (CEDS) certification from ACEDS). A good digital forensics specialist typically has multiple certifications to illustrate their capabilities, including the Certified Fraud Examiner (CFE) certification from ACFE, Certified Forensic Computer Examiner (CFCE) certification from IACIS and Certified Computer Examiner (CCE) certification from ISFCE. Not to mention product specific certifications like AccessData Certified Examiner (ACE) certification with Exterro’s Forensic Toolkit (FTK) or EnCase Certified Examiner (EnCE) certification with OpenText.
• Expert vs. Expert Testimony: It takes expertise to provide services in both disciplines. But digital forensics services are much more likely to result in a need for expert testimony to discuss the results of an investigation.

Use Cases for Digital Forensics Services

Some cases involving eDiscovery are also more likely to require digital forensics services as well. Here are two examples:

• Theft of Intellectual Property: Cases involving alleged theft of IP often require digital forensics services to reconstruct evidence that was deleted in an attempt to hide IP theft activities. Here are two recent IP cases from Cobra Educational Partner eDiscovery Today where forensic examination either identified evidence destruction or was ordered because it was suspected.
• Criminal Cases: Of course, cases involving alleged criminal acts often involve potential destruction of evidence that must be investigated, especially on mobile devices.

Of course, any case could be a potential candidate for digital forensics services to authenticate evidence if tampering with, or falsification of, evidence is suspected. In this employment discrimination case involving claims of sexual harassment and wrongful termination from last year, digital forensics services determined that the plaintiff fabricated a text exchange between her and her supervisor, partly because the emoji used within the fabricated text exchange wasn’t supported by her iOS version!

And there are several use cases for digital forensics services that aren’t specifically eDiscovery related (or at least don’t start that way). Here are two examples:

• Corporate Internal Investigations: When an employee is suspected of wrongdoing, a forensics investigation specialist may be needed to assess and possibly reconstruct their activities to determine whether the suspicion is confirmed or not. Often, confirmed cases of wrongdoing can lead to litigation, which would then involve eDiscovery.
• Incident Response: Security breaches often require forensic analysis to trace the extent and origin of the breach.

Conclusion

Speaking Technical in eDiscovery includes an understanding of how digital forensics is different from eDiscovery, but it also involves an understanding of when digital forensics services may be needed – either in the context of an eDiscovery project or in some other use case.

In the next post, we’ll continue our discussion of Speaking Technical in eDiscovery with a discussion of perhaps the most important, yet misunderstood, type of data there is – metadata!

For more information about Cobra’s Digital Forensics services, click here.