Strangely enough, not much should have changed during pandemic times if corporate entities, government agencies and vendors have been following best practices for data collection in the ever-changing industry of electronic discovery and forensics.
Data collection for criminal matters, corporate investigations or civil discovery used to be a tedious and time-consuming process mostly conducted on a customer site or where a subpoena was executed. In the past few years, however, with the migration of many public and private resources to the cloud, the absolute rock-solid requirement for performing on-site, physical collections of data directly from custodians, whether it be for a criminal, civil or investigatory matter, is becoming the exception instead of the norm.
Most of our large corporate entities, and many of the state and federal government agencies, have already begun or completed migrations to some form of cloud technology for day-to-day work and collaboration. Major technologies such as Microsoft 365, Google Cloud and Amazon Web Services provide end users with the ability to perform all of their daily tasks within the cloud ecosystem. This allows organizations to conduct business, work on projects and collaborate with one another from a centrally located and always available environment.
Collaboration applications within cloud environments offer the largest single benefit to employees for continued work, especially when they are not in the office. Users can message, video chat or even share documents in real time with one another, effectively removing the need to be physically present. This has been a solid asset of cloud collaboration long before issues arose regarding the current pandemic.
Another huge benefit is that organizations can administer, monitor and maintain work product without supporting servers in multiple geographic locations. This allows these organizations to reduce costs for maintenance, upkeep and the troubleshooting of expensive and aging equipment.
For years, organizations have been slowly migrating their on-premises data to cloud applications, which has changed the landscape for forensic computer investigations and electronic discovery matters. While traditional forensic collections of hardware will always be necessary, practitioners should have already made the leap to understanding and being able to speak intelligently on collecting data from cloud resources.
None of this is new; very detailed processes and procedures already exist to allow examiners to collect data from these sources with best practices and established rules of evidence. The largest gap in the knowledge base, however, is the ability of organizations to monitor and organize forensic collections in our new work-from-home and cloud-dependent environments. Even though the technology has existed for quite a while, companies and organizations still have issues wrapping their heads around the verifiable and defensible collection processes that exist for those that are no longer in the office, have no physical media or a combination of the two.
Some forensic and electronic discovery companies have the capability to perform collections of physical media in the form of workstations, laptops, servers, flash media, optical disks and mobile devices, to name a few. And tried-and-tested processes, procedures and applications exist that allow examiners or consultants to collect data in a verifiable manner without physically being present. It is normally a combination of software programs, as well as tested methodologies, that makes a collection forensic or not. For any data relevant to a litigation, it is always better to perform a forensic collection, which maintains pertinent metadata, than to simply copy and paste the data and email it to outside counsel.
Cloud collections have their own applications and operating procedures, which allow this data to be collected in a forensically sound manner. Again, it is a combination of tested software and verified procedures that protect the integrity of data that will ultimately be used in a legal matter.
Outside of collecting raw data from physical devices or cloud-based repositories, there are also collection methodologies that allow consultants to extract data from cloud-based databases, management platforms and workflow applications. Most of these cloud-based applications utilize a shared tenant methodology, whereby many customers operate through a single instance of an application and the data is protected by role-based security only allowing certain users access to certain data.
Since most of these software-as-a-service vendors do not allow direct access to underlying databases and file systems, consultants must utilize collection strategies that allow for the successful extraction of certain types of data with the exclusion of other data in a verifiable manner. Then this collected data must be stored in a manner that prevents spoliation or contamination.
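The difference between a metadata-preserving collection and a copy-and-paste, and a way to check stored evidence for later alteration, can be shown in a few lines. This is an added example, not code from the article or from any forensic product; the file names, directory names and the 2017 timestamp are constructed sample values.

```python
import hashlib, os, pathlib, shutil, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(src_dir, dest_dir):
    """Copy files with timestamps preserved; return a manifest of source facts."""
    manifest = []
    for root, _, files in os.walk(src_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            # Record hash and modification time from the source before copying.
            manifest.append({"path": rel, "sha256": sha256_file(src),
                             "mtime": int(os.stat(src).st_mtime)})
            shutil.copy2(src, dst)  # copy2 keeps mtime; plain copy() resets it
    return manifest

def verify(dest_dir, manifest):
    """Return (path, problem) pairs for anything that no longer matches."""
    problems = []
    for e in manifest:
        p = os.path.join(dest_dir, e["path"])
        if not os.path.exists(p):
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "content changed"))
        elif int(os.stat(p).st_mtime) != e["mtime"]:
            problems.append((e["path"], "timestamp changed"))
    return problems

def demo():
    with tempfile.TemporaryDirectory() as work:
        src, good, naive = (os.path.join(work, d)
                            for d in ("custodian", "collected", "pasted"))
        os.makedirs(src)
        os.makedirs(naive)
        doc = os.path.join(src, "contract.txt")
        pathlib.Path(doc).write_text("constructed sample document\n")
        os.utime(doc, (1_500_000_000, 1_500_000_000))  # constructed 2017 mtime
        manifest = collect(src, good)
        shutil.copy(doc, naive)  # stand-in for copy-and-paste
        clean, pasted = verify(good, manifest), verify(naive, manifest)
        with open(os.path.join(good, "contract.txt"), "a") as f:
            f.write("edited after collection")  # simulated contamination
        return clean, pasted, verify(good, manifest)
```

Calling `demo()` returns three result lists: the preserved collection verifies cleanly, the pasted copy has identical content but a lost modification time, and the edited evidence copy fails its hash check.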
Overall, the ability to collect from cloud-based resources, physical media at a remote distance and even applications that only allow a front-end level of access has been with us for quite some time. Only now has a spotlight been placed on these technologies, as well as on understanding how they work, for a post-COVID-19 work environment. Purchasing these products is only the first step. There must be an informed and experienced level of practice when collecting data in a defensible manner for legal matters. A combination of sound technologies and experience in the legal framework, when related to evidentiary matters, is essential to maintaining a sound e-discovery strategy.