Device Data Collection & What to Look Out For

Collecting ESI (Electronically Stored Information) from its native source may seem like quite the daunting task in the first initial stages of e-Discovery. The matter isn’t helped with the increased use of physical devices and applications potentially holding a whole host of information relating to a case. This ESI can range anywhere from message communication & file documentation to image GPS coordinates & file last access times.

However there are a number of measures which should be considered when performing device collection to comfortably move through the process:

Knowing What to Collect
The first step to keep in mind is deciding what devices might have been used by custodians and if there are other sources which could possibly contain ESI related to the case? In terms of physical devices; mobiles, laptops, desktops, USBs and external hard drives are good places to start collecting from; However, do consider collecting from other sources which may contain ESI such as tablets and smartwatches.

Identifying these sources of ESI is key to ensuring all data related to the case is collected and it is especially important to pay extra attention at the beginning of the case to help avoid subsequent collections during the case’s life cycle, as this can incur additional time/cost and potential late discovery of key information.

Collection Methods: Forensic Image or Logical Copy
Obtaining the actual ESI on the device can be achieved using two different methods and it is important to understanding the difference between the two, as well as knowing when’s best to utilise either approach.

A forensic image is an exact bit-by-bit copy of a drive, meaning the entirety of the devices ESI is captured. At the most basic level, a forensic image is a complete copy of a drive, including the portions of the drive that aren’t allocated to active files (known as slack space). This essentially is an exact duplicate of the original drive. These types of images give you both the files you’d expect to see if you were browsing through the device normally but also access to data from previously deleted files.

Alternatively, a logical copy is simple copy of the contents of the directories from the device but does not include previously deleted data or other information that a forensic image would capture.

Most e-Discovery civil matters generally go for the logical copy approach. This usually happens because some previous knowledge will be known about the case to allow for certain data to be targeted and filter everything else out to help reduce file sizes (i.e. collecting just WhatsApp data from a smartphone). On the other hand, forensic images allow for the entirety of the device to be captured which means no recollections of devices are needed because some data was missed on its first collection. Other examples of when a forensic image is best utilised is when there are suspicions of data tampering in a case or if deleted data was of high importance. This approach however requires specialist knowledge as well as software to perform and will create a larger data set than a logical copy.

Device Auditing
A simple yet critical part of any e-Discovery case is proper documentation of all the devices and the ESI which has been collected. The main reason for this is that it allows devices and ESI to be uniquely identified from one another, but another key point is to show integrity has been upheld in the case. This becomes important when talking about the chain of custody which tracks the time and date when devices or ESI have being transferred between different individuals or organisations. A thorough Chain of Custody Log demonstrates the authenticity of a document and disproves any claims of data tampering.

Examples of these unique identifiers included:

  • Serial Numbers – provided by manufactures to uniquely identify hardware
  • IMEI (International Mobile Equipment Identity) –  provided by GSMA (Groupe Spéciale Mobile Association) to uniquely identify smartphones cellular-enabled tablets and smartwatches
  • Evidence Bag Number – A unique string which identifies the evidence bag holding the physical device
  • Hash Value – A numeric value of a fixed length that uniquely identifies data.

It’s vital that care is taken when documenting this information as neglecting to do so can lead to the integrity of the case being damaged and possible dismissal of evidence.

Figure 1. Example of a serial number for a laptop