
Forensic Collections for E-Discovery: Key Differences between Logical and Forensic Collections

Check out this blog post to learn about the key differences between logical and forensic collection.

Why Legal Teams Need Multiple Approaches to ESI Collection

It is more important than ever that in-house legal departments have the capability to preserve data and collect it in several ways from a range of sources. Two factors drive this: the diversity of data types present in most organizations, and the growing number of use cases that require data preservation, collection, and analysis.

Regardless of the reason for preserving the data—whether it is for an internal or criminal investigation, civil litigation, or in response to a data breach—teams must use the technology and methodology appropriate to that specific purpose. In many critical scenarios, they will need to conduct a forensic collection.  

“We’re seeing increasing scrutiny from regulators, we’re seeing an increasing awareness among consumers regarding how their data is used,” says Len Robinson, Manager of Digital Investigations, E-Discovery & Corporate Threat Intelligence for Retail Business Services. “We’re seeing state legislatures now thinking of enacting more privacy laws. And we’re seeing increased strength in privacy regulations in the EU and other nations. The ocean of data just amplifies the challenge to all of us when we’re looking to search for that information.”  

Forensic collection is now a permanent fixture of the converging legal and regulatory landscapes of data privacy and e-discovery.


Logical vs. Forensic Data Collection

When we talk about forensic data collection, we are talking about a process fundamentally different from the one most e-discovery professionals are used to.

  • Logical Collection: Finding and preserving target data in place, copying only the files and folders that are visible to the end user along with their standard metadata. This method is 100% suitable for routine e-discovery collections in standard civil litigation.
  • Forensic Collection: Creating an exact, bit-for-bit duplicate of an entire storage drive (often called a forensic image). It captures the evidence in its entirety in a forensically sound manner, producing an exact working copy for examination without altering the original device.

This advanced type of collection is incredibly valuable for legal professionals because it empowers investigators to look beyond the words on a page and unearth deleted, hidden, or encrypted data. While traditional forensic collections occur directly from physical hard drives, advanced enterprise forensic technology now allows investigators to execute these forensic collections from remote endpoints as well.

Technical Differences At-A-Glance

Data Element                      | Logical Collection            | Forensic Collection
Visible Files & Folders           | Yes                           | Yes
Standard File Metadata            | Yes                           | Yes
Deleted Files & Fragments         | No                            | Yes (via Unallocated Space)
File Slack & Raw Data Blocks      | No                            | Yes
File Attributes & System Logs     | No                            | Yes
APFS Snapshots (Apple Ecosystem)  | No                            | Yes
Primary Use Case                  | Civil Litigation E-Discovery  | Criminal Matters / IP Theft / Critical Internal Investigations

Relying solely on logical collection during a high-stakes internal fraud investigation or a data breach response can cause you to miss the exact system artifacts or deleted emails needed to prove your case.
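To make the difference in the table concrete, here is an added illustration (not code from the original post or from any forensic tool) using a constructed toy volume of four 16-byte sectors with a hypothetical directory: a logical collection copies only the named files, while a bit-for-bit image, verified by hash, also carries the deleted file left in unallocated space and the old data sitting in file slack.

```python
import hashlib

SECTOR = 16  # constructed toy geometry: four 16-byte sectors, no real filesystem


def make_disk():
    """Build a constructed toy volume (not a real filesystem image).

    Sector 0: visible file report.txt.
    Sector 1: a file that was deleted; its directory entry is gone but the
              bytes remain in unallocated space.
    Sector 2: visible 5-byte file note.txt written over an older 16-byte
              record, leaving the old tail in file slack.
    Sector 3: never used.
    """
    disk = bytearray(SECTOR * 4)
    disk[0:SECTOR] = b"Q3 report final".ljust(SECTOR, b"\x00")
    disk[SECTOR:2 * SECTOR] = b"wire to acct 99".ljust(SECTOR, b"\x00")
    disk[2 * SECTOR:3 * SECTOR] = b"OLD DRAFT TEXT!!"
    disk[2 * SECTOR:2 * SECTOR + 5] = b"hello"
    directory = {"report.txt": (0, 15), "note.txt": (2, 5)}  # name -> (sector, size)
    return bytes(disk), directory


def logical_collection(disk, directory):
    """Copy only what the end user sees: each named file, trimmed to its size."""
    return {name: disk[s * SECTOR:s * SECTOR + size]
            for name, (s, size) in directory.items()}


def forensic_image(disk):
    """Bit-for-bit duplicate plus a hash so the copy can be verified later."""
    image = bytes(disk)  # every sector, allocated or not, is copied
    return image, hashlib.sha256(image).hexdigest()


def verify_image(disk, image, digest):
    """Sound only if the image is byte-identical and its hash still matches."""
    return image == disk and hashlib.sha256(image).hexdigest() == digest


def unallocated(image, directory):
    """Sectors no directory entry points to: where deleted files linger."""
    used = {s for s, _ in directory.values()}
    return b"".join(image[i * SECTOR:(i + 1) * SECTOR]
                    for i in range(len(image) // SECTOR) if i not in used)


def file_slack(image, directory, name):
    """Bytes between a file's logical end and the end of its last sector."""
    s, size = directory[name]
    return image[s * SECTOR + size:(s + 1) * SECTOR]
```

Run against `make_disk()`, the logical copy never contains the deleted "wire to acct 99" record, while `unallocated()` on the image does, and `file_slack()` recovers the overwritten draft's tail behind note.txt.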

For additional information, step-by-step methodologies, and tips on picking the right tool for your department, download the complete guide: Forensic Collections for E-Discovery.