Sunday, July 31, 2011

Bit by Bit: Building a Better eDiscovery Collection Solution

Is there a place in eDiscovery today for hard drive imaging and bit-by-bit copies, which collect deleted items or slack/unused hard disk space? The answer is yes, with some important limitations. For the vast majority of matters, ESI can be collected without imaging drives or utilizing proprietary container files. However, I occasionally still encounter folks who are victims of the dated and costly misconception that eDiscovery always requires the bit-level imaging of hard drives.

There are situations, though, where the existence of data (as opposed to its content) is central to the matter – when companies suspect employees of stealing proprietary information or when employees leave a company under suspicious circumstances. In these and other similar situations, it may make sense to have the employee’s workstation hard drive imaged for full forensic analysis. Even in these scenarios, I find that companies are more likely to hire an external investigator to perform this task to allay suspicions of tampering or bias, and the company generally would prefer that this investigator be the one to testify about this sensitive data acquisition. Then, for ESI beyond the target employee’s hard drive, other collection methods may be used. As we’re now midway through 2011 – a year in which I expect to see eDiscovery fully embraced by many corporations as a true business process – I wanted to analyze why the forensic disk image myth still exists, where it came from, and what the law really requires of an eDiscovery collections process.

Traditionally, cases that mentioned full forensic imaging of hard drives began their captions with United States v. or State v. because they were criminal matters. In traditional civil litigation – even the behemoth eDiscovery cases that get all the bloggers blogging – forensic imaging simply is not required or needed. In fact, in most cases, it will dramatically increase the cost associated with electronic discovery – this process adds unnecessary complexity in downstream phases of eDiscovery and leads to vast over-collection. Why collect the Microsoft Office suite 50 times when what you are really required to preserve and collect are the files created with those programs? When using disk imaging, program files are collected, which drives up storage costs and requires the post-collection step of deNISTing (removing system files based on the NIST list). Why not leave those system files behind and perform a targeted collection of only user-created content? In addition, the primary rules governing civil litigation – the Federal Rules of Civil Procedure and Federal Rules of Evidence – simply do not require exact duplication of electronic files. I am amazed that there are so many experts who are still pushing full forensic imaging and duplication in every case. In fact, this goes against best practices published by The Sedona Conference, EDRM, and in the E-Discovery textbook co-authored by Judge Shira A. Scheindlin.

----------------------------------------------
Source: eDiscovery 2.0
By: Brando A'Gostino