Device data collection has become an integral part of modern litigation. It involves gathering information and data from various devices, from smartphones to laptops and tablets.
Data can encompass a wide range of information, including personal details, usage patterns and geolocation data. As our reliance on technology grows, so does the role it can play in modern cases.
Understanding data dynamics and modern data collection devices can be crucial in painting a picture using electronically stored information (ESI) as evidence.
What data should you collect?
The first step in data collection is deciding which devices custodians may have used and whether other sources could contain ESI relating to your case.
You'll want to collect data from mobile devices, laptops, desktops, USBs and external hard drives. Modern technology is ever-changing, so you must consider this when reviewing the devices you want to collect from. For example, smartwatches may play a more prominent role in cases as their popularity grows.
The types of data you can collect from devices today are diverse and extensive, including personal information, location data, usage patterns and messaging data. With relevant data, you can provide evidence against a party in a case using ESI alone.
Reviewing collection methods
You can obtain ESI from devices using two different methods. It's important to understand the difference between them and know when to use each approach.
Explaining forensic image and logical copy
A forensic image is an exact, bit-by-bit copy of a drive, meaning the entirety of the device's ESI is captured. It includes the portions of the drive that aren't allocated to active files, known as slack space.
In essence, it's an exact duplicate of the original drive. These images give you both the files you'd expect to see if you were browsing through the device and the data from previously deleted files.
Your other option is to create a logical copy of the device you collect data from. This is a simple copy of the contents of the directories from the device and doesn't include previously deleted data or other information that a forensic image would capture.
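The difference between the two methods can be shown on a toy drive. The following is an added example, not part of the original article; the `ToyDrive` model, its block size and the sample file contents are constructed for illustration and assume that deleting a file removes only its directory entry.

```python
# Toy model (constructed for illustration): a "drive" is a run of fixed-size
# blocks plus a directory mapping each active file to where its bytes live.
BLOCK = 32

class ToyDrive:
    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)   # every byte on the drive
        self.directory = {}                    # name -> (first block, length)
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        off = start * BLOCK
        self.raw[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // BLOCK)   # round up to whole blocks

    def delete(self, name):
        # Assumption of this model: deletion drops the directory entry only;
        # the bytes stay on the drive until something overwrites them.
        del self.directory[name]

def logical_copy(drive):
    """Copy the contents of the directory: active files only."""
    out = {}
    for name, (start, length) in drive.directory.items():
        off = start * BLOCK
        out[name] = bytes(drive.raw[off:off + length])
    return out

def forensic_image(drive):
    """Bit-by-bit copy of the whole drive, allocated to a file or not."""
    return bytes(drive.raw)

def build_sample():
    d = ToyDrive()
    d.write("notes.txt", b"meeting at 10am")
    d.write("draft.txt", b"draft terms: pay 50k")
    d.delete("draft.txt")                      # custodian deletes the draft
    return d

if __name__ == "__main__":
    drive = build_sample()
    print("logical copy:", logical_copy(drive))
    print("deleted text in image:",
          b"draft terms: pay 50k" in forensic_image(drive))
```

The logical copy returns only `notes.txt`, while the image still contains the bytes of the deleted draft.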