When data needs collecting, many legal teams struggle with whether they should perform the collection themselves or have the data collected forensically. Self-collection of data typically comes with inherent risk, either intentionally through the application of a computer process or unintentionally due to system failure or lack of legal or technical training. However, in forensic data collection, the original source is shielded from modification, and the data set features a self-authenticating forensic image format that protects the contents.
What is Forensic Data Collection?
Forensic data collection is a process for collecting and preserving data for ediscovery. Such collections can involve anything from the information in a single email account or smartphone to all the computers used by the C-suite executives of a large corporation. Regardless of its size, a data collection method must be forensically sound — free of any alteration or destruction of either the data or its metadata.
Unfortunately, electronic data can be susceptible to the same issues that can arise with a computer’s normal operation. Just as a computer can create, change, or delete electronic data, there’s also the potential for an unsuitable digital forensic process to create unwanted alterations.
Ensuring the Admissibility of Digital Evidence
In order to produce evidence that will be admissible in court, the data collection process must be defensible. This means it must be consistent, repeatable, well-documented, and accompanied by an audit trail that outlines every step taken while collecting electronically-stored information (ESI). It’s critical to ensure that forensic data collection results are reliable and accurate to be able to withstand the scrutiny under the court of law.
Whether digital evidence is admissible or not depends on a series of legal tests performed by a judge to assess the following:
Reliability. There must be a review for signs of tampering, deletion, and other modifications to digital evidence.
Legality. Some forms of digital evidence, such as IP addresses, may not be legally admissible in court due to constitutional privacy protections.
Authenticity. There must be proof that evidence came from a specific system or location and has remained unaltered after it was collected (hashing the digital evidence helps with this).
Integrity. A chain of custody needs to be in place in order to record the transfer of evidence. This provides a digital fingerprint that helps with comparing digital evidence from the time of its collection with its current state.
Last Thoughts on Forensic Data Collection
The increased adoption of cloud-based tools has made it critical for legal professionals to closely monitor how they collect and share forensic data. As noted above, various factors can negatively impact the sanctity of the litigation process, making it difficult to maintain the integrity of the data. Without a defensible forensic collection process in place, the admissibility of digital evidence, along with the tools, methods, and techniques used in the collection process, could be challenged in court.