

Forensic Collections for E-Discovery: Key Differences between Logical and Forensic Collections

May 1, 2023

Why Legal Teams Need Multiple Approaches to ESI Collection

It’s more important than ever that in-house legal departments ensure that they have the capabilities to preserve data and collect it in a variety of ways from a range of different sources. The factors driving this include both the diversity of data types present in most organizations and the increase in use cases requiring data preservation, collection, and analysis. Regardless of the reason for preserving the data--an internal or criminal investigation, civil litigation, or in response to a data breach--they must use the technology and methodology appropriate to that purpose. In some cases, they will need to conduct a forensic collection.

“We’re seeing increasing scrutiny from regulators, we’re seeing an increasing awareness among consumers regarding how their data is used,” says Len Robinson, Manager of Digital Investigations, E-Discovery & Corporate Threat Intelligence for Retail Business Services. “We’re seeing state legislatures now thinking of enacting more privacy laws. And we’re seeing increased strength in privacy regulations in the EU and other nations. The ocean of data just amplifies the challenge to all of us when we’re looking to search for that information.”

Forensic collection is now a part of the converging realities within legal and regulatory landscapes like data privacy and e-discovery. In a recent whitepaper, Exterro examined what forensic collection tools are, why they should be used by e-discovery professionals, and how to pick the right data collection tool for the job.


Common Forensic Collection Tools & Terms

When we talk about forensic data collection, we’re talking about a different type of collection than e-discovery professionals are used to. Rather than finding and preserving data in-place, and collecting an individual file or folder (called a logical collection), forensic collections create exact copies of the data beyond just the file itself, including any associated metadata. Forensic collection is a way of containerizing evidence in its entirety in a forensically sound manner and creating a working copy for examination.

This type of collection is incredibly valuable for legal professionals in certain specific scenarios because it empowers you to look beyond what’s contained in a document (the words on the page) and unearth deleted, hidden, or encrypted data. Usually, forensic collections are taken from hard drives, whereas typical e-discovery collections (logical collections) can take place from any number of data sources. However, it is worth mentioning that advanced enterprise forensic technology does allow forensic collection from remote sources.

Here are some key differences between logical collections and forensic collections. Logical collections allow e-discovery professionals to copy all the files visible to the end user, whereas a forensic collection--namely, a full bit-for-bit copy of an entire drive--will provide access to deleted, volatile, and encrypted data that a user may not be aware of. Logical collections will pull in file data and metadata, but a forensic copy will contain both of those data types plus file slack, file attributes, raw data blocks, and APFS snapshots (if collecting from an Apple device). Finally, and practically speaking, logical collections are 100% suitable for e-discovery collections for civil litigation, but if you anticipate you may need the evidence for a potential criminal matter or a critical internal investigation, then forensic collection would be the optimal way to go.
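
The difference described above, shown on a toy drive. This is an added example, not taken from the Exterro whitepaper; the 16-byte block size, the file table layout, and all file names and contents are constructed for illustration and are far simpler than a real file system.

```python
import hashlib

BLOCK = 16  # toy block size in bytes (constructed for this example)

def build_toy_disk():
    """Return a constructed 4-block 'drive' and the file table a user sees."""
    disk = bytearray(BLOCK * 4)
    disk[0:BLOCK] = b"memo v2.." + b"OLD-PWD"       # 9 live bytes + 7 bytes of slack residue
    disk[BLOCK:2 * BLOCK] = b"deleted-ledger!!"     # deleted file: data remains, table entry gone
    disk[2 * BLOCK:2 * BLOCK + 10] = b"Q1 figures"  # live file, rest of block is zeroed slack
    table = {"memo.txt": (0, 9), "report.txt": (2, 10)}  # name -> (block, length)
    return bytes(disk), table

def logical_collection(disk, table):
    """Copy only what the file table exposes: each file's logical bytes."""
    return {name: disk[blk * BLOCK: blk * BLOCK + size]
            for name, (blk, size) in table.items()}

def forensic_image(disk):
    """Bit-for-bit copy of every block, with a hash to verify against the source."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def file_slack(image, table):
    """Bytes between each file's logical end and the end of its block."""
    return {name: image[blk * BLOCK + size:(blk + 1) * BLOCK]
            for name, (blk, size) in table.items()}

def unallocated_blocks(image, table):
    """Raw blocks no table entry points to (where deleted data can survive)."""
    used = {blk for blk, _ in table.values()}
    return {i: image[i * BLOCK:(i + 1) * BLOCK]
            for i in range(len(image) // BLOCK) if i not in used}

if __name__ == "__main__":
    disk, table = build_toy_disk()
    image, digest = forensic_image(disk)
    print("logical :", logical_collection(disk, table))
    print("slack   :", file_slack(image, table))
    print("unalloc :", unallocated_blocks(image, table))
    print("verified:", digest == hashlib.sha256(disk).hexdigest())
```

The logical collection returns only the two visible files, while the image also yields the slack residue in block 0 and the deleted file's contents in block 1, and its hash matches the source.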

For additional information, download the whitepaper Forensic Collections for E-Discovery today!
