Collecting Responsive Data

The old methods of data preservation relied upon paper documents and the saving of these documents for use in future proceedings. Paper documents are easy to save, simply set them aside in boxes and produce them when and as required. Paper has nothing hidden, what you see is what you get.

Despite our love of paper, most documentation currently in use originates from electronic format. It may get printed to paper somewhere along the way, but it’s roots are digital. In fact these days most stored documents never get printed, they are totally digital. Being digital brings with it a host of new problems, to start, digital information needs to be interpreted in order to be useful. It is also fragile, the simple act of opening a digital document in it’s native format, often changes it forever.

Unlike paper documents, which most people can read and recognize dates and specific formatting, digital documents often store data such as dates, in a non-human readable format. For example, some dates are simply a string of numbers, representing the number of seconds that have elapsed since midnight (UTC) January 1st 1970. When interpreted correctly these numbers show the actual date and time intended.

Sharing of a digital document creates many issues. Even sharing on mediums that are “read-only” such as DVD, cause issues in data loss. The original electronic document has data that surrounds it’s content. This is often referred to as “metadata”. Metadata is described as “data about data”, in other words, data about the document such as creation date and time, the author, the version of software that created it. Sharing a letter via optical media changes metadata and even removes some. Think about date stamps on a cd, moving a letter from a Windows operating system to a cd, removes some of the date stamps that tell us about the file creation, modified and accessed times. Many civil disputes end up with arguments regarding when a document was created, altered or copied. Once this metadata has been altered or removed, there is no going back.

In civil cases where one party seeks to review documents by another, they often provide notice to the other side by way of a request to preserve data. Often times the local I.T. personnel are tasked with the collection. They tend to use the tools they have at hand and are not thinking about what changes will happen in the process of reviewing and saving the required data. This can lead to data that has been forever altered or completely lost. The altering or removal of data, intentional or not, is considered spoliation of data and is not uncommon. Once files are deleted or altered, having the I.T. personnel provide a “Ghost copy” of a hard drive will miss significant data. Ghost, while a popular and useful I.T. tool, is not a forensic tool. By design, some forensically significant data is not captured by ghost or other similar I.T. tools.

Use of forensic tools and techniques are the only method to ensure complete and defensible data collection. If you are faced with issues of data preservation, these are important factors to be considered. In our experience, failure to include your choice of forensic service provider in the planning process can lead to problems or complications in identifying, gathering and providing responsive data. e-Forensic Services is a telephone call way for consultation beforehand.