My last blog generally addressed the rules applicable to best practices as to identification of Electronically Stored Information (ESI). Once the data identification process is complete, the next step is to determine collection methodology. It is important that you plan collection of data in a way that insures preservation of the original metadata and avoids spoliation. In other words, you must comply with basic standards of forensic soundness. It is also critical that chain of custody protocols be observed. In this stage, you are laying the groundwork for showing later that: (1) all reasonable steps were taken to identify and preserve ESI and (2) the other side’s discovery requests would impose unreasonable expense, and undue burden.
Keep in mind that there are two primary collection methods: one is to make a forensic copy, and the other is to make a forensically sound copy. Although these sound similar, they are two entirely different procedures. I will not spend much time on a forensic copy because it is rare in civil litigation, but it is an exact copy of everything on the hard drive, including slack space and deleted files that have not yet been overwritten. Usually, this is going to be done by a vendor following rigorous chain of custody protocols. It is, in essence, the entire hard drive, including the hash values (often referred to as electronic fingerprints). This is more often done in criminal investigations.
More often in civil litigation, you will be obtaining a forensically sound copy of the reasonably accessible data. This is much more common in civil litigation because usually (but not always) we are not interested in what may have been deleted from the computer hard drive, or what the user’s internet history might have involved. In fact, usually (again not always) the only thing we are interested in is the active data on the computers and file servers, as well as e‑mail, related to the subject matter of litigation.
Also, you should consider inviting the other side to get involved, for example to agree on relevant dates. It is critical during the collection of ESI that the chain of custody be kept intact to insure admissibility in court. Also, you must be careful not to alter the data through the process of collection itself. This is where trained professionals in collection of ESI (typically, but not always, third‑party vendors) can be used. Forensically sound copies of ESI can be made, preserving all metadata, and not altering the information.
This was a general discussion of ESI collection best practices. In my next blog, I will delve into collection practices in more detail.