It seems Computer Forensics and e-Discovery have become synonymous with expensive. It’s becoming a more frequent occurrence where I receive a call from a law firm, who are trying to contain costs for their client and are asking what it would costs to clone the drive or export the data or print the documents so the firm or client can review the data. They don’t want the added expense of a third party filtering/reviewing data and believe they can complete the task with less cost and reasonably good results.
I understand the thought process behind this and sympathize with those who find themselves in such a position, however the reality is you get what you pay for. There are some immutable truths when it comes to electronic data;
- Storage media is fragile and changes rapidly
- Touching data changes it and once done cannot be un-done
- Printing the documents is not a viable option
- Electronic data contains metadata and requires interpretation
Storage Media is Fragile and Changes Rapidly
It wasn’t long ago that diskettes were the only way to move data from one computer to another unless you were connected to a network of some sort. Zip drives came along and could store 100MB of data which was considerably more than a diskette. They became very popular and were widely in use. While diskettes and their respective drives can still be purchased, Zip disks and drives are no longer in production. In the IT world, things continually change and some things outright disappear. Data on a backup tape deteriorates over time making old tape backups useless. Your paper files can last for many years and can be read a century later, your archived electronic data, not so much. Understanding how your data is stored and on what media type it resides is very important when dealing with a clients data.
Touching Data Changes it and Once Done Cannot be Un-Done
When we had only paper documents to deal with, things were very simple. The written content of a letter was all that could be considered. What you saw is what you had. Electronic documents have metadata associated to the document such as file dates and times for Created, Modified and Last Accessed. There may also be metadata such as creator, last printed or editing time among others. Copying client data from their storage media to another storage media changes the metadata for that data and in some cases, certain metadata will not be carried over to the copy being created, thus will not be available. Opening the files to review the content often changes the metadata.
Printing the documents is not a viable option
Modern computers come equipped with hard drives capable of storing vast numbers of user created files. There are a number of tools available that permit estimating of the volume of documents one can expect to review in a given size of exported data. Using these tools will quickly point out that a small export of user created files of 1 GB (many email stores will far exceed this size) will provide about 4000 MS Word documents or 82,000 pages of material to print. If we are looking at email that equates to 100,000 pages of email to print. How long will that take to print and more importantly how long will that take to review and what cost ? Modern computer drives are capable of storing 1000 times that amount of data.
Printed documents have no metadata. You will not have access to who created them, whether they were printed, who edited them or many other pieces of valuable data. Determining whether the document is an original or a forgery is almost impossible from a printed document.
Electronic Data Contains Metadata and Requires Interpretation
A copy of all user created files may not be of value unless you have the application installed with which to view each file type. A lack of proper tools may prevent correct interpretation of the data and thus lack critical information. Forensic preservation of the data can include capture of the applications used to create the documents.
No mater what you end up selecting as a process to proceed with, nothing negates the need to forensically preserve the data at the start. If you are complying with a data preservation request the onus is upon you to do so employing best practices. Failure to do so whether by design or by accident can carry severe penalties.
While you may want to review the data, it saves no time or money to export user documents in order to poke through them and look for things. The shear volume of data you will be faced with more often then not makes the process more expensive than a proper forensic preservation and targeted export of user data.