
October 22, 2025 | Data Exposure

Governance or Guesswork: How Information Management Makes or Breaks Forensic Investigations

Host: Justin Tolman

Guest: Allan Buxton, Managing Director of Data Breach and Forensics, Epiq Global

When digital investigations hit a wall, the root cause is often hiding in plain sight: poor information governance.

In this episode of Data Xposure, brought to you by Exterro, host Justin Tolman sits down with Allan Buxton, Managing Director of Data Breach and Forensics at Epiq Global, to expose the real-world consequences of governance gaps in forensic investigations. From ballooning costs to missed evidence, Allan shares how the absence of structured data policies can cripple an organization's ability to respond swiftly and defensibly when an incident strikes.

You’ll learn what separates forensic-ready organizations from those flying blind, why outside experts often struggle to help without the right groundwork, and the tactical steps legal, compliance, and security leaders can take now to avoid chaos later. If your team touches incident response or e-discovery—even occasionally—this is a conversation you can’t afford to miss.


Episode Transcript

Justin Tolman (00:11):

When a forensic investigation starts off, multiple timers have started. Legal wants answers. Executives want assurances, and depending on where you're located, there are legal obligations for disclosure. And when you have to make those, often forensic teams are left scrambling and sifting through chaotic, disconnected data environments trying to piece together a digital trail with no map. 

So welcome to Data Exposure, the podcast for data risk leaders where we shine a light on the hidden vulnerabilities that put your organization at risk. I'm Justin Tolman, the digital forensic subject matter expert here at Exterro and data exposure is brought to you by Exterro, the unified platform for eDiscovery privacy and digital forensics. We help organizations manage their data risks with clarity and confidence. Today's episode is about the quiet power of preparation, probably the most important part of any investigation preparation, how strong information governance can make or break a forensic response.

(01:11):

And the truth is that most forensic tools in this world can't compensate for broken data practices, scattered data or data. You don't know where it's at because the truth is, no matter how advanced your forensic software is or your examiners, it's costly for them to have to compensate for lack of or broken data practices. 

Joining me today is Allan Buxton. He's the associate forensic director at Epiq Global. Allan has over 20 years of digital forensic experience, both in law enforcement and in corporate service provider based investigations. And together today we're going to unpack the hidden costs of poor data governance, what slows down external forensic teams, specifically if you have to call in a third party, and the smart moves legal, compliance and security leaders can make today to ensure their next investigation, your next investigation, doesn't spiral into a guessing game and also trying to find where that data is when an incident happens. 

So without further delay, let's bring in Allan and get the information from him. Thanks for coming in today to have this conversation with us, and I appreciate your perspective from a service provider outlook on investigations. I think that's different than first party. We'll talk about that. So thank you for coming in.

Allan Buxton (02:53):

It's my pleasure. Thanks for having me.

Justin Tolman (02:54):

So when I reached out to you to talk with us today, I talked about, hey, from a service provider's perspective, you come in. What are some of the things that either enable or make it harder for you to run your investigation? Let's start with maybe your first point on what can make it harder or easier, your choice on which way we go.

Allan Buxton (03:20):

Let's start with somewhere in the middle. We'll sit on the fence for a sec, right? Potentially when you're scouting out or scoping the potential for involvement on an investigative effort. First question is what data do I have to work with? What do you have that I can collect and analyze and investigate with, and where is it and is it relevant to the matter at hand? Okay. Sometimes what they have isn't necessarily what you need and you move on to the step of, well, can I get that data? So I mean, I can go into a little more detail if you'd like.

Justin Tolman (03:58):

Okay. Yeah, go--

Allan Buxton (03:59):

Ahead. So let's start with a simple thing. Sometimes it's an internal investigation, sometimes it's something civil, sometimes outside counsel's already been retained and trying to figure out how valid claims are. It's a lot of gray area. But let's take something fairly common, which is a separated employee has made some claims. Maybe they're threatening a lawsuit, maybe they aren't. Maybe those claims are the reason they separated, and you have a due diligence obligation to investigate to prevent future things, right? If they separated six months ago before you have to hear about these claims, it's what are your retention policies for all of that email or anything in Teams, any workplace chat. If it wasn't archived, then again, if you didn't leave knowing that there's a lit hold, there should be a lit hold applied. Then six months in is when that lit hold pops on. So data governance, knowing where your data is, knowing how it's retained either at the time of a separation or at the time of a notice of an investigation.

(04:59):

And the difference is that time delay and the difference is how that affects that data, right? Was a workstation repurposed? Is there a backup of it? If it was a company-issued mobile device, was a backup preserved, right? And here's one for you. Now we live with is if that mobile device was kept on a shelf just in case or hasn't been reassigned yet, do we have the biometrics to unlock it or do we know the original before unlock phrasing? 

All of those questions come into play and they're going to shape your investigation, not just how and how you can investigate and what you can investigate, but also how is that going to inform any findings. The absences may help a case. They may hurt a case. They may be right down the middle of saying, I can't really tell you definitively what happened because this is the data I'm missing.

Justin Tolman (05:45):

One of the things that you said during that about repurposing reminded me of when we both were still working back at BCI, there was an investigation of a former chief of police misusing agency funds or something like that. And when they brought me the laptop, it had been repurposed, but not recently. It had been repurposed six months ago. And then they decided to do this investigation. And so they went to the person who was using it and were like, Hey, we need this laptop to investigate the person who had it before. It was kind of wild, but of course there was nothing there relevant to the case. 

So to your point, so important to have those retention policies. If you're going to repurpose it, image it or something, collect it and then repurpose it. But as they learned when they gave us the stuff, that information's long gone. So absolutely know where your data is, but also make sure you have some sense of where that data needs to be after you're moved on.

Allan Buxton (06:48):

What do you want to be able to do in the future is really the question. And you have to build those policies before those days before they're needed. But it's a solid state world. We're dating ourselves by saying even a case with a spinner, six to nine months is a very long shot for anything. You can legitimately point to someone else and say, they did it. And I know because they found a deleted space, solid state, man, that stuff is gone quick. 

So once something's been repurposed, even if you're like, there's another user profile, maybe you say it's worth looking, facts come in. But if they're like, nah, we reset that box and clean OS and handed it off, probably not dealing with the workstation too much. It's not going to be a factor.

Justin Tolman (07:32):

And you mentioned it offhand, knowing what you want. So that's kind of key. And what is your feel, your recommendation for organizations when they have to bring in a third party provider when they start an investigation? How do they determine what they want? Maybe hopefully beforehand.

Allan Buxton (07:49):

So how do they determine it? Well, it comes down to what you're investigating. If it's a litigation demand, what the other side's demanding, if it's come to discovery. And then in part it's like, well, what data really makes your breaks this case? What application? If it's billing, do you have a billing record system? If it's payroll, where are those payroll records and how long have you kept them? How granular are they? 

Someone's alleging that all their overtime for two years was never paid out. Is it a weekly system, two years down the road, six months down the road? Is that weekly system still available? Those records, is it grand enough to say what the employee entered, what the supervisor approved and what somebody paid? 

So that is part of it. The other half is getting to the meat of those answers, which a lot of the time if you're outside counsel or inside counsel, or if you're HR tasked with an internal matter that needs a third party, you may not know those answers.

(08:49):

Those generally don't fall inside your bailiwick. So these days it's way more specialized. There are very few companies now that have the IT guy, right? It's the cybersecurity team. So sometimes it's figuring out who you have to talk to to get those answers. And sometimes you might need the third party to play liaison and translate, and other times you might be able to work that out internally. Every time it's a little bit of a back and forth to try and get those answers. It's normally a dialogue. It's not one series of questions and answers.

Justin Tolman (09:21):

The risk of,

Allan Buxton (09:24):

Oh, great.

Justin Tolman (09:25):

That's always a good intro. At the risk of maybe going a bit further, what would your recommendation from the investigative standpoint be to a CISO or the director of IT or security on how they should preemptively set stuff up to make that process easier?

Allan Buxton (09:45):

Man, I think from my end, right? Once we know what needs to be collected, the next step is the collection process. And I think knowing or having in place a policy of how that data is going to be collected really helps. 

And a lot of places that routinely engage in litigation, not saying they're bad businesses or whatever, but sometimes you get a definitive patent, sometimes it is just your third time at the rodeo so you know what you're in for. They have those policies in place that we run M365, we will run self-collections and we will hand that off. That way we don't open holes in our network. We don't create accounts for people we don't really know, et cetera, et cetera, right? 

And then other times, some jurisdictions don't permit self-collection, right? Sometimes if you are investigating someone in IT department triggering the self-collection chain isn't great. So it may tip your hands. So you need a policy in place. 

Also for third party vendors, I would say you may never use it. It may not survive first contact with whatever systems have to be collected. Knowing that, whatever, if your policy is only internal self-collection, knowing that the possibility exists out in the world that someday you may need a third party vendor is helpful. If you have no policy, building a policy in place does, because we just talked about the solid state world. 

Well, the cloud's no different. If the clock is ticking on data, you can't necessarily get that back. So if you don't have those policies in place, it takes time to build them. It takes time to figure out what's realistic or what you even can do with your systems or should do or want to do. And that can slow down collections, which slows down analysis, which slows down results. The clock is always ticking in any matter where there's litigation or pending litigation, I would say. So have your policies in place or at least know that those need to exist on paper somewhere and be aware of what you're willing to accept in advance on both fronts.

Justin Tolman (11:45):

I think mostly in a good way, governments are now requiring these companies to report and or determine at least initial findings relatively quickly. And so if you're sitting there still negotiating and trying to figure out how to bring in a third party or internal or a collaborative work between the two, like you said, not only is the clock ticking, but you're up against legal barriers at that point as well.

Allan Buxton (12:10):

Sure, no one wants to hear the phrase accelerated docket if you haven't started collections yet. But there are other reasons. If you're negotiating a settlement, if you're really trying to figure out how valid it is, if both parties are working in good faith, if the longer the time drags on before you can feel like I have enough data to say, here's what we would be reasonable, here's what someone else feels is reasonable, the less faith some people may have in that it can be misconstrued. So again, the smooth streamlining that process, having that ready to go, having your point of contact team ready to go really helps.

Justin Tolman (12:43):

So obviously we won't talk specifics, but what are, you've gone into various organizations to do various types of investigations, but in general, what's probably the biggest issue, the biggest policy deficiency that causes investigations to trip up maybe take longer than they should?

Allan Buxton (13:06):

Two things leap to mind. One is scope creep, right? We talk about this in law enforcement all the time. A warrant gives you exactly what you can search and what you are to search it for. Nothing more, nothing less. If plain sight applies, it even says stop and go back and get another warrant, or at least ask for one, right? Everything outside of that scope creep becomes a problem. Sometimes. 

This is the date range we're looking into, the better scope I have for what you really need or what's going to meet your needs, the more streamlined and efficient, the more targeted a collection and investigation can be, and honestly, the faster it turns around. So all of that matters if you can really define your scope. And honestly, that plays an effect in budget too. If we're taking detours into different weeks or if we're revisiting data constantly or recollecting to add more weeks to something, then it has an effect on the bottom line as far as what you're going to spend for your matter also.

(14:06):

So scope creep is number one. Number two is really, really working through the process of the collection and understanding the formats and data and what those results are. It's not uncommon that when we talk about the technical side of what we do, our findings, people, they're happy to hear the findings and the how. I know this is true part, the guys kind of glaze over. Fair enough. You want to take my word for it? I don't put any out there, I can't defend. But it is helpful if you sit there and ask me to lay it out, then try to work up a bunch of prep if your matter doesn't resolve before you get to depositions in court, because then you now we're packing a lot of time in to what was a little more open timeframe, and you never want a matter to fold, right?

(15:01):

You don't want someone to settle when they shouldn't or don't feel that they should. If the reason they feel they need to settle is because they really don't understand what these facts, your findings say about the matter. So I think that working with your experts early, really taking the time to understand that helps. 

On the civil side, it's gotten a lot better, right? eDiscovery's been codified for a good 20 years. Now the principles, generations of people have been working within it. But this isn't necessarily just for the attorneys, it's also for the clients. You want the guy paying the bill to know what you found, assuming he's not the target, at least initially, and what you found and what real world impact that may have on what's going

Justin Tolman (15:51):

One of the key trends right now is hopefully, I feel it's a trend, but maybe that's because I'm involved in it, is clearing up that communication and trying to break those silos down between the things. And one of the things that I've noticed is let's say that the company is very deep in eDiscovery, like you said, we're generations into it. 

But things in the forensic or the incident response space, same words mean different things. The one I like to use is imaging. Imaging in forensics means you're duplicating some storage device bit for bit, but imaging in an eDiscovery sense means you're converting things to TIFFs. So if you were to say, I imaged this drive or I imaged this thing, and you don't take time to explain it or communicate, like you said early on in the process, that can cause confusion, frustration, slow things down later on, especially if you're not doing it early and you're in a time crunch and now you're having a vocab lesson.

Allan Buxton (16:51):

So I try to encourage my clients to ask questions, stop me, right? And this is something I fight with every report is in one sense, the report is for me because that's what I'll defend on the stand. So everything I need in that report needs to be there. But I also need data that the client can read and language the client can use to understand and put into context for them. And a report is one sided. It is words on a page. So consistency of terminology. I know you've heard me harp on that before. Absolutely. An author, an expert should be consistent in how they explain and describe things, at least as a technical reference. And from there we can explain it more. But I need the other guy to say, slow down. Walk me through this. Because we live in a more technically literate society now than I think we ever have before.

(17:40):

And that's a double-edged sword because like you said, when I say imaging, it may not mean what someone else means, right? If I hear a disc image, I tend to believe should be a physical disc image, otherwise I expect to hear logical image or a graphic image. But other people hear different things and you want them want to find the same point of context or at least inform them as to what yours is in a way they can understand as a matter, before the matter gets too far down the road where you're two weeks prior to whatever, or 48 hours prior to a hearing and you're really arguing, what does this mean? I need some help. I can help you, but it'd be better in the long run if we've built up a solid foundation.

Justin Tolman (18:23):

I think we've all had that experience walking into court, whatever it is, and they're like, Hey, can you explain this artifact? And you're like, not now. We go on in two minutes.

Allan Buxton (18:37):

It's a challenge, right? Communication is tough, and if you're not an IT guy, we can get down in the weeds. Even something as simple as email can blow up pretty hard if you're arguing the nuances of it. So email has been around 30 plus years as far as common sense goes, right? Like AOL and CompuServe, 30 years of awareness for email. It doesn't necessarily mean that when we get into talking about headers and even spam checks and filters, if that matters to your case, you're going to know what that means. So I say ask questions, ask 'em until you understand.

Justin Tolman (19:11):

I think that's a great catchphrase. Ask questions until you understand what is the key concept they need to have in their mind when they approach their systems, including data governance, policy, jurisdictional stuff, kind of wrapping this all together.

Allan Buxton (19:25):

Well, I think they need to know their retention policies, however they set them up. They have to be comfortable defending them. And I, I'm not an attorney or policy advisor, so I can only tell you what I see on the ground. But I think you need, if you're dealing with separated employees, if it's an employment matter or anything related to it, you need a policy for preserving the data that employee either generated for you or inadvertently created as they used your resources, and how long are you willing to keep it, right? Not everybody wants to keep everything forever. I get that. Other people do; other businesses keep it longer than legal requirements go and the fights are there back and forth. As an investigator, keep your data forever and I have something to look at.

(20:17):

But at some point, if you're just piling hard drives and phones on a shelf, even humidity takes its toll, right? At some point they just don't work. Find that middle line, what works for you and what you're comfortable defending. Know where it stands within industry guidelines for whatever you're doing. 

So consult as someone who actually understands those laws and be ready to go have those in place. Use them. Make sure your employees understand them and train to them and teach them and practice them. The courts are probably going to make you suck up of your communications and push them through a legal review, right? Or a privilege and relevance review. And sometimes all your communications get pulled in for those matters and then they get sorted and filtered. Doesn't mean everybody sees them, but you're going to be aware and you're going to learn from that. 

Maybe I preserve X, Y, Z, maybe I conduct personal business only with these platforms and I conduct work business only with these and I don't merge the two. We're seeing a lot of that, a lot of advice and guidance that people should not conduct messaging or business over messaging. They should push it back to email because it's easy to retain business, email those systems again in place for 30 years as long as email has been around. But every messaging platform presents its own challenge.

Justin Tolman (21:32):

You said you need to have a policy of what you're retaining and have everybody follow it. And I think that's the thing, is having a policy is one thing I feel like, so I'm that person. You mentioned as an investigator, save all your data. So I have something to look at, man, I am not a delete. I like having all my chats and all this sort of stuff on retention, personal retention, but like you said, follow the policy. 

Because we've seen examples around the industry. Certain companies require photo ID, government based, photo ID to authenticate ages, and even after they authenticate, they hold onto that data for whatever reason, they decide the reason is, and then they get breached and all that data is made public. And the question is, why didn't you delete your data? 

We're just coming full circle back. Information governance, data governance, right? If you didn't know you had it, then you can't get rid of it.

Allan Buxton (22:31):

That is very, it's a good point. You really do need to know what you're storing, right? Storage is cheap, has been for a while, it gets cheaper, and when it doesn't, there's a competitor who's willing to make it cheaper, right? Storage is cheap, but having a means of tracking and knowing what you're retaining is critical as well. I'll agree on that one.

Justin Tolman (22:50):

If you had to give a grade in general based on your experience, boy, how industry-wide, so not, how well are people doing at tracking their data?

Allan Buxton (23:01):

Boy, honestly, with what I've seen in the last few years, I'd say it's a solid B plus. A lot of data out there. A lot of data is tracked and maintained. I think, like I said before, a lot of the struggles are kind of the same struggles we deal with on a smaller scale like messaging and communications external to the company or the corporation and how you retain on systems designed to be secure. How do you collect that and retain it? I think everybody struggles with that one. 

And the simple answer is ban it, but it never seems to stop it completely, right? Someone will shift to using a personal device instead of company issued. Company issued devices cost money. A BYOD is tempting. I think we struggle as a community with some types of data, not all of it, but some of it. 

There's always one hoarder. There's always one guy who's got it all, who's got everything relevant or not. And then you try to search, you try to narrow the scope and it's just impossible because it's not organized. So the more granular the process is, the easier it is for me, but it's also why I have a job. My job is to sort through data.

Justin Tolman (24:17):

That's a good thing. Let's recap here as kind of a closing. 

  • Know where your data is. 
  • Be able to collect that data, know what you're retaining and how long you should retain it, and then make sure you're following that policy. 
  • And also be aware, does your policy match the rules or laws of your jurisdiction on how you can collect and or analyze that data?

Is that a good sum up of what we've chatted about?

Allan Buxton (24:47):

That's a pretty good summary. That's a pretty good summary. Somewhere in there you have to have policies that limit access to non-corporate devices. I think to get past the, at some point, it's got to be, you'll use these platforms for your work as well. You've got to enforce it not just what you're keeping, but what people are generating it with. Every IT guy has a story about the room that didn't have a network drop that somebody set up a wireless access point, unsecured another room to get to.

Justin Tolman (25:16):

Exactly,

Allan Buxton (25:16):

Which is an instant hole in your security. I think that equivalent is out there for a great many things, right? An application: is this safe to review? What does it store? Where does our data wind up? All those processes are absolutely fair. But yeah, if you ban different things and you don't have a competing solution, then sooner or later you get a rogue actor or a rogue piece of hardware and now your data starts to split. Have a policy in place, know what they are.

Justin Tolman (25:46):

Well, great. Allan, again, thanks as always for sharing some knowledge and some tips and tricks with the community. Always appreciated and it's

Allan Buxton (25:58):

Always my pleasure.

Justin Tolman (25:59):

Thank you.

Allan Buxton (26:00):

Thank you.

Justin Tolman (26:00):

And that's it for today's episode of Data Exposure, brought to you by Exterro. A huge thanks to Allan Buxton for joining us and sharing what it really takes to support a fast, focused forensic response. And if you enjoyed today's episode, be sure to follow or subscribe on whatever platform you prefer. And send this episode to a colleague or a coworker or a friend who also works in data governance, forensics or whatever in this space. You might just save them some time, some effort, and maybe help them get a little bit ahead. So thanks again for listening and we'll see you next time.
