Garrett Discovery Inc. Opens New Forensic Lab in Georgia
June 30, 2022
Electronic Medical Records vs. Legal Medical Records & Audit Trails
August 2, 2022
Show all

Forensics vs. eDiscovery Preservation Methods

Often times we find that clients of Garrett Discovery Inc. (GDI) have a hard time distinguishing between Forensics and eDiscovery. To assist in understanding the difference, we often repeat how a federal judge once described the difference to a litigant:

“If you can sit at a computer, navigate to the file being a user of the computer, that is eDiscovery.”

“If you must use specialized software, recover data, examine deleted data or parse through files that cannot be interpreted easily, that is Forensics.”

In GDI’s practice, these two distinct disciplines are treated completely different with many varying skillsets. It is daily that GDI receive calls from top tier eDiscovery companies asking if GDI can perform data collection for them on complex computer systems. Of course, GDI takes this work, as most firms would, if GDI has the bandwidth and talent to perform that task at hand. Wholesale data collection is sometimes difficult as modern systems have all types of storage and media types to include,  RAID storage, encrypted drives, Macbook (very problematic), mobile phones, vehicle infotainments systems that hold text and GPS logs to traditional discovery of files on servers, desktops and laptops. 

How you preserve data greatly affects your case!

Most forensic and eDiscovery professionals are familiar with data preservation. GDI often sees eDiscovery professionals wanting to only preserve what is relevant and necessary and forensic professionals wanting to preserve everything. It is important to understand the types of preservation and what is preserved when choosing that method. A few basic types are:

  1. Copy and Paste – End users usually do this if they have to produce a single document and this may be appropriate in some circumstances, it is certainly not a sound practice.
  2. Zip and Copy – This will preserve the file metadata and file properties. This is useful if you only have a handful of items to preserve.
  3. Targeted Collection – Usually a data preservation tool can be installed on the computing device and a selection of files and folders is made to preserve. This is forensically sound if using software that is generally accepted by the community. 
  4. Logical Collections – Can be the same as #3 above or you can select an entire logical partition of a hard drive (C:\, D:\, etc.)       *None of the methods above in 1-4 will capture deleted data!*
  5. Physical Imaging – This created a true copy of a physical device such as an entire hard drive. This is the most complete forensic method and is used when deleted data is needed or there is a good faith claim of spoliation. 
  6. Device Storage – Storing a device for safekeeping and later being able to use one of the methods below is sound as long as the device doesn’t have a chance of data loss due to not being connected to power. 

The next article GDI will talk about the costs of each of the above and you may be surprised that performing a targeted data collection may cost you more on the front end than physical imaging, but that overcollection may cost you more during your culling process on the back end. There are very compelling reasons to perform one type of preservation over the other. 

Garrett Discovery Inc. is a full service Digital Forensic and eDiscovery Firm. Criminal Defense to Civil Litigation to Subject Investigations, GDI have an unsurpassed reputation with a combined 100 years litigation experience and that means you benefit from our institutional knowledge.