In today’s digital world, we’re all connected to our electronic devices, social media platforms, and cloud-based accounts like Gmail and DropBox. Remember the last time you printed something to file away? Even if you do, chances are you haven’t referenced it in a while. Digital files have made our lives easier, allowing us to maintain, modify, and transfer data with ease.

This convenience, however, can also complicate things for counsel and litigation support professionals responsible for managing electronic discovery requests. While reviewing the data might be a breeze, getting to that point can be quite a challenge.

Many law firms and corporations have in-house eDiscovery and document review capabilities, so it’s natural to assume that forensics would fall under that internal umbrella, right? Well, not exactly. If these organizations want to keep the preservation process in-house but lack a dedicated digital forensics team, the task is often delegated to their internal IT team.

Now, don’t get me wrong—IT plays a crucial role in managing electronic devices and the organization’s networks. However, they often lack the specialized knowledge and tools required to perform a collection in a forensically sound manner.

In this blog, we’ll discuss the dangers of using internal IT teams for forensic collections, as well as the benefits of working with digital forensic experts.

What is a Forensic Collection?

Before we dive into the nitty-gritty, let’s get a grasp on the basics: a forensic collection is all about gathering and preserving electronic data in a forensically sound way. But what does “forensically sound” mean? Simply put, it’s the process of collecting electronic data in a manner that ensures its integrity, reliability, and admissibility in court.

Performing a Forensically Sound Collection

To carry out a forensically sound collection, a digital forensics expert employs specialized tools and techniques that create a forensic copy of the data on an electronic device or media. I know it sounds technical, but trust me, it’s crucial to understand. So, let’s break it down together.

First, let’s clarify what it isn’t. It’s not a regular data backup or the outcome of a data recovery process. While a data backup may save essential files or documents, it only captures part of the bigger picture. This missing information can realistically impact the data’s admissibility as evidence in court.

Bit-by-Bit Copies

A bit-by-bit copy is an exact replica of the data on a Windows computer or a Mac computer that is preserved in a digital forensic lab. It’s created by copying every single bit (pun intended) of information. The resulting image is a precise duplicate of the original data, encompassing not just the files and documents but also the operating system, metadata, and other potentially hidden details.

Logical Collections

Logical collections, in contrast to bit-by-bit copies, involve the selective extraction of specific files, folders, or data from a Windows computer or a Mac computer. This method focuses on gathering only the data that is relevant to the case, while disregarding unnecessary information like system files or temporary data.

Live Collections

While bit-by-bit copies and logical collections in the forensics lab are widely regarded as the gold standard in digital forensic collections, there are instances where a live collection might be a more suitable choice. This approach involves collecting data from cloud-based accounts, social media accounts, or an operational computer.

In certain situations, powering down a device to create a forensic image could lead to the loss of crucial evidence. For example, during a network intrusion investigation, shutting down the system might accidentally destroy important information.

Performing a remote collection of a Mac computer is another example of when a live collection becomes necessary. This is due to the security features of Mac computers that hinder remote access and prevent the creation of bit-by-bit images. In such cases, digital forensic experts turn to live, logical collections to ensure data is gathered in accordance with forensically sound practices.

Though live collections may be more targeted compared to bit-by-bit copies, they remain a legitimate option when executed by experienced forensic professionals. By employing this method, valuable evidence can be preserved without causing further damage to the device or data.

Forensically Sound is More Than Just Preservation

In addition to the preservation of data, several factors contribute to determining whether a collection can be deemed forensically sound. The first factor is meticulous documentation. To preserve the data’s integrity, reliability, and admissibility, the methodology used to collect the information must be reproducible.

Achieving this requires maintaining detailed records of every step in the process, including:

  • Devices, media, or accounts that were preserved;
  • Tools, software, and techniques utilized during the preservation process; and
  • Any other pertinent information.

Another crucial factor that complements documentation is maintaining the chain of custody. The chain of custody process involves tracking the electronic evidence from the moment the original device is handed over, through the collection, and all the way until it is presented in court. This includes documenting who has had access to the evidence to ensure it hasn’t been tampered with or altered in any way.

The Role of IT Teams and the Limitations in Forensic Data Collections

Given the complexities of forensically sound collections, it’s crucial to consider who should manage these processes. While IT teams play an essential role in managing an organization’s electronic devices, networks, and data, they may not possess the specialized skill set and knowledge required for forensic collections. This lack of expertise can lead to potential risks for the organization, as outlined in the following sections:

Lack of Specialized Knowledge

Forensic collections demand specific tools and techniques to ensure data is preserved in a forensically sound manner. Internal IT teams may lack the expertise and resources required for such collections, which can jeopardize the admissibility of evidence. The importance of specialized knowledge and tools in forensic collections can be further understood through:

  1. Understanding Digital Evidence: Digital forensics experts excel in identifying, preserving, and analyzing various types of digital evidence relevant to a case. IT teams without specialized training may overlook crucial evidence or fail to comprehend its significance in a legal context.
  2. Specialized Software and Hardware: Digital forensics experts employ specialized tools to perform forensic collections without damaging or altering the original data. IT teams lacking access to these tools may unintentionally destroy or modify valuable evidence during the collection process.
  3. Adhering to Forensic Collection Best Practices: Strict adherence to best practices and industry standards is essential to maintain the reliability and admissibility of evidence in court. IT teams without this expertise may overlook these protocols.

Inadmissible Evidence

The risk of evidence being deemed inadmissible in court is significant if the data is not collected using forensically sound methods. Inadmissible evidence can severely impact the outcome of a case, leading to the following consequences:

  1. Legal Ramifications: Improperly collected evidence can weaken a party’s case and potentially result in a loss in court.
  2. Damage to Reputation: Mishandling evidence can tarnish an organization’s reputation, affecting credibility and long-term success.
  3. Increased Costs: Improper collection methods may necessitate additional investigations, increasing costs for the parties involved.
  4. Missed Opportunities: The exclusion of improperly collected evidence may prevent important information from reaching the proper parties.

Accidental Data Alteration or Loss

The risk of accidental data alteration or loss is heightened when internal IT teams without proper training handle forensic collections. This can have serious consequences, such as:

  1. Compromised Data Integrity: Altered or deleted data can compromise evidence integrity, weakening the strength of a case.
  2. Evidence Tampering Accusations: Unintentional data alteration or deletion can lead to evidence tampering accusations, further damaging a party’s credibility.
  3. Difficulty in Proving Authenticity: Altered or lost data makes proving the authenticity of remaining evidence challenging, creating doubts about its reliability.
  4. Prolonged Legal Proceedings: Data alteration or loss can lead to longer and more complicated legal proceedings, increasing costs and stress for the parties involved.

Inefficient Use of Resources

Relying on an internal IT team for forensic collections can result in inefficiencies in time and financial investment, leading to:

  1. Prolonged Collection Time: IT teams without specialized knowledge may take longer to complete the forensic collection process, delaying legal proceedings and increasing costs.
  2. Misallocation of IT Resources: Assigning forensic collection tasks to IT teams can divert their attention from core responsibilities, impacting the organization’s overall functioning.
  3. Additional Training and Tool Expenses: Equipping the IT team with the necessary skills and tools for forensic collections can incur significant expenses related to training and specialized software. Despite these investments, the IT team may still be unable to match the expertise of a dedicated digital forensics team.
  4. Repeated Efforts: In some cases, an internal IT team’s forensic collection effort may be deemed insufficient or inadmissible, requiring the organization to engage a professional digital forensics team to redo the work. This duplication of efforts can result in increased costs and further delays in legal proceedings.

Increased Liability

Relying on a non-specialized team for forensic collections can expose your organization to increased liability due to potential mishandling of the data collection process. Here are some of the consequences that may arise:

  1. Negligence Claims: Improperly executed data collection processes can lead to accusations of negligence, resulting in costly litigation and requiring your organization to invest time and resources in defending itself.
  2. Reputational Damage: Allegations of negligence or mishandling of digital evidence can significantly impact your organization’s reputation, leading to a loss of credibility and affecting client trust and future business opportunities.
  3. Spoliation of Evidence: Inadequate handling of digital evidence may result in its alteration, deletion, or corruption. This can lead to accusations of spoliation of evidence, which can result in sanctions, adverse inferences, or even dismissal of claims or defenses in legal proceedings.
  4. Compromised Client Confidentiality: Insufficient handling of digital evidence may lead to unauthorized access or disclosure of sensitive client information, potentially exposing your organization to legal consequences and further damaging its reputation.
  5. Increased Financial Burden: Facing litigation due to negligence or other allegations can result in a substantial financial burden for your organization, including legal fees, potential fines or penalties, and the cost of engaging a professional digital forensics team to remediate any issues caused by the internal IT team’s handling of the evidence.

Real-World Example: The Need for Forensics Best Practices

Recently, TCDI worked with a company that suspected one of its employees was stealing trade secrets and selling them to a competitor. To investigate this claim, the company decided to hire TCDI to preserve and analyze the employee’s computer for evidence of wrongdoing.

During the scoping discussions, it was decided that the company would send the employee’s computer to TCDI’s digital forensics lab to be preserved. While preparing the computer for shipping, the company’s IT team inquired about decrypting the computer before sending it to us. They were concerned that the encryption might cause difficulties in accessing the data once it arrived at our lab.

Why Decrypting the Computer In-House Is a Risky Move

We strongly advised against decrypting the computer prior to collection, as this could potentially alter or destroy crucial evidence. Decrypting a computer without proper forensic tools and techniques can change data timestamps, metadata, and other vital information that may be essential to proving the alleged misconduct.

Our Recommended Solution: Send the Decryption Key Separately

Instead, we suggested that the company send us the decryption key directly. By doing so, our digital forensic experts could use specialized forensic tools to decrypt the computer in a controlled manner. This approach ensured that no data was inadvertently altered, and the integrity of the evidence remained intact.

Lessons Learned

The IT team in this example had good intentions and was trying to be helpful by suggesting the decryption of the computer prior to shipping. They were not intentionally attempting to alter or destroy potential evidence. Their lack of familiarity with forensic best practices, however, could have inadvertently compromised crucial data.

This highlights the need for collaboration between internal IT departments and professional digital forensic teams. By working together and leveraging each other’s expertise, organizations can ensure the integrity of electronic evidence, avoid potential pitfalls, and ultimately uncover the truth in cases involving digital data.

The Importance of Engaging a Dedicated Digital Forensics Team

As you have seen, relying on internal IT teams for forensic collections can lead to several potential pitfalls, including inadmissible evidence, compromised data integrity, and increased liability.

Engaging a dedicated digital forensics team to handle the preservation of electronic data can not only mitigate these risks but also offer numerous benefits that strengthen your case and protect your organization’s reputation.

In this section, we will discuss the advantages of partnering with a digital forensics team for the preservation of electronic data.

Seamless Collaboration and Enhanced Expertise

By engaging a digital forensics team, you can bridge the gap between your internal IT department and the specialized knowledge required for forensic collections. A dedicated forensics team can work in tandem with your IT department, leveraging their unique expertise to handle the collection process more efficiently.

This collaborative approach ensures that your IT resources remain focused on their core responsibilities, while the forensics team focuses on preserving and analyzing the data in a forensically sound manner.

Swift and Accurate Collection Process

A professional digital forensics team is well-versed in the latest tools and techniques for preserving electronic data. With their specialized knowledge, they can execute the collection process swiftly and accurately, reducing the risk of mishandled data and ensuring the evidence is admissible in court.

This streamlined approach can save time and resources, ultimately expediting the legal proceedings.

Mitigated Risk of Liability

Engaging a digital forensics team significantly reduces the risks associated with increased liability. Their specialized expertise in handling digital evidence ensures that the collection process adheres to industry best practices and complies with legal and regulatory requirements.

By minimizing the risk of negligence claims, reputational damage, and spoliation of evidence, a digital forensics team safeguards your organization’s credibility and reputation.

Continuous Adaptation to Evolving Technology

Digital forensics is a constantly evolving field, with new technologies and methods emerging regularly. A dedicated digital forensics team stays up-to-date with the latest advancements in the industry, ensuring they can handle even the most complex digital evidence preservation scenarios.

By partnering with a team that consistently adapts to the changing landscape, you can remain confident in
their ability to handle the unique challenges of each case.

Conclusion

In conclusion, while internal IT teams play an essential role in managing an organization’s electronic devices, networks, and data, relying on them for forensic collections can lead to significant risks and challenges. The specialized skill set, tools, and knowledge required for forensically sound data collections often surpass the expertise of internal IT teams.

The potential pitfalls of using internal IT teams for forensic collections include a lack of specialized knowledge, inadmissible evidence, accidental data alteration or loss, inefficient use of resources, and increased liability. These risks not only impact the outcome of a case but can also cause long-term damage to an organization’s reputation and financial stability.

To avoid these risks, it is crucial for organizations to engage dedicated digital forensics experts who possess the necessary skills, experience, and tools to conduct forensic collections accurately and efficiently.

By doing so, organizations can ensure the preservation of valuable digital evidence, maintain its admissibility in court, and protect their interests in legal proceedings. In the end, investing in professional digital forensics services not only strengthens a case but also safeguards an organization’s credibility and reputation.

angel-garrow

Angel Garrow

Author

Share article:

Angel Garrow is a digital forensics expert with extensive experience in preserving, extracting, and interpreting electronically-stored information (ESI). Her expertise encompasses collecting and analyzing data from physical and virtual devices such as computers, mobile devices, cloud accounts, and social media. With a deep knowledge of the latest forensic tools and techniques, Angel is adept at collecting ESI for eDiscovery matters as well as performing digital investigations into user activity. Learn more about Angel.