Evidence Lost, Time Wasted: What Every Investigator Wishes You Knew About Data Governance
October 22, 2025
When digital investigations hit a wall, it’s rarely because the forensic tools failed. More often, the problem starts long before the investigation begins—with scattered data, missing records, and policies that don’t hold up under pressure.
That’s the central message from a recent episode of Data Xposure, Exterro’s podcast for data risk leaders, hosted by Justin Tolman. In “Governance or Guesswork: How Information Management Makes or Breaks Forensic Investigations,” Tolman sat down with Allan Buxton, Managing Director of Data Breach and Forensics at Epiq Global, to unpack how poor information governance quietly sabotages forensic investigations—and what proactive organizations do differently.
“Most forensic tools in the world can’t compensate for broken data practices,” Buxton told Tolman. “Even the best examiners can’t recover what was never retained, or what’s already been overwritten.”
Every minute counts once an incident hits. Legal wants answers. Executives want assurances. Regulators expect swift, defensible disclosures. But without strong information governance, investigators waste precious time chasing evidence that’s already gone.
The good news? You can prevent that chaos before it starts. Here’s what every investigator wishes you knew about data governance.
1. Know What You Have—and Where It Lives
When investigators are called in, their first question is deceptively simple: What data do we have to work with? Too often, no one can answer.
Without an accurate data inventory, forensic teams waste hours or days tracking down repositories, locating custodians, and determining whether key data has already aged out of retention or been deleted.
Strong governance starts with visibility. Maintain an up-to-date data map that captures not just storage locations but also access policies, system owners, and data classifications. Tie that directly to your legal hold and retention systems so investigators can act immediately when an incident occurs.
2. Image Before You Reuse (Or Lose)
Buxton shared a real-world scenario that will make any investigator cringe: a company repurposed a departing employee’s laptop, then tried to investigate alleged misconduct six months later—only to find all relevant data wiped clean.
It’s an avoidable mistake. When devices are reassigned, reimaged, or returned to inventory, potential evidence is erased forever.
Forensic-ready organizations build preservation into their IT lifecycle. They image or securely collect data before repurposing devices linked to employee separations, HR investigations, or ongoing disputes. It’s a small procedural step that can prevent enormous downstream costs and legal uncertainty.
3. Define How (and Who) Collects Data
When an incident strikes, internal teams often lose critical time deciding whether to run collections themselves or call in an outside provider. Every hour spent negotiating process is an hour of evidence decay.
Establish a clear policy defining when self-collection is allowed, when third-party involvement is required, and how each process is initiated. In some jurisdictions or scenarios—such as investigating IT personnel—self-collection may be prohibited or strategically unwise.
“The clock is always ticking,” Buxton said. “If you don’t have those policies in place, it takes time to build them. And that time can cost you your evidence.”
4. Control the Scope—Or Watch Costs Spiral
Even the best-run investigations can collapse under the weight of scope creep. Each additional custodian, date range, or data type expands review time, storage costs, and attorney fees.
A clear investigative scope—defined early between legal, IT, and forensic teams—keeps costs manageable and results defensible. Specify custodians, systems, and date parameters up front, and stick to them unless new facts justify expansion.
“Scope creep doesn’t just slow you down,” Buxton warned. “It can blow your budget and delay results at the exact moment you need them most.”
5. Speak the Same Language
In eDiscovery and forensics, miscommunication is more common than most admit—and sometimes just as damaging as missing evidence. A single term like “imaging” can mean radically different things depending on who’s speaking: a TIFF conversion to an eDiscovery team, a bit-for-bit duplication to a forensic examiner.
Before an incident forces everyone into the same virtual room, standardize your terminology. Align definitions across teams through shared glossaries, playbooks, or cross-training. When investigators and counsel understand one another, data moves faster, and findings stand up better in court.
6. Retain with Purpose, Not Paranoia
Some organizations treat retention like a warehouse; others treat it like a ticking bomb. Both are wrong.
Effective retention policies strike a balance—preserving enough to meet legal, regulatory, and investigative needs without hoarding unnecessary risk. Annual reviews of retention schedules, deletion protocols, and system backups ensure that what’s kept is both useful and defensible.
Just as important, employees need to understand and follow those rules. As Buxton noted, “It’s not enough to have a policy on paper. Everyone has to know it, follow it, and be trained to defend it.”
Strong information governance isn’t glamorous—but it’s the unsung hero of every defensible investigation. It’s what allows forensic experts to focus on facts, not file hunts; to provide clarity instead of caveats.
As Buxton put it, “You have to build those policies before they’re needed. Once the clock starts, it’s too late.”
Your next investigation doesn’t have to be a guessing game. Get your governance in order now—before evidence, time, and trust are gone for good.