Device data collection has become an integral part of modern litigation. It involves gathering information and data from various devices, from smartphones to laptops and tablets.
Data can encompass a wide range of information, including personal details, usage patterns and geolocation data. As our reliance on technology grows, so does the role it can play in modern cases.
Understanding data dynamics and modern data collection devices can be crucial in painting a picture using electronically stored information (ESI) as evidence.
What data should you collect?
The first step in data collection is deciding which devices custodians may have used and if other sources could contain ESI relating to your case.
You'll want to collect data from mobile devices, laptops, desktops, USBs and external hard drives. Modern technology is ever-changing, so you must consider this when reviewing the devices you want to collect from. For example, smartwatches may play a more prominent role in cases as their popularity grows.
The types of data you can collect from devices today are diverse and extensive, including personal information, location data, usage patterns and messaging data. With relevant data, you can provide evidence against a party in a case using ESI alone.
Reviewing collection methods
Obtaining ESI from devices can be done by using two different methods. It's important to understand the difference between these two methods and know when to use either approach.
Explaining forensic image and logical copy
A forensic image describes an exact, bit-by-bit copy of a drive, meaning the entirety of the device's ESI is captured. At the most basic level, a forensic image is a complete copy of a drive, including the portions of the drive that aren't allocated to active files, known as slack space.
In essence, it's an exact duplicate of the original drive. These images give you both the files you'd expect to see if you were browsing through the device and the data from previously deleted files.
Your other option is to create a logical copy of the device you collect data from. This is a simple copy of the contents of the directories from the device and doesn't include previously deleted data or other information that a forensic image would capture.
Which should you go for?
Most eDiscovery civil matters usually result in the logical copy approach. This is because, typically, some previous knowledge will be held about the case, allowing for certain data to be targeted. By filtering out irrelevant data, collection specialists can reduce ESI file sizes — for example, only collecting WhatsApp data from a smartphone.
On the other hand, forensic images ensure that no recollections are required due to capturing the entirety of the device's data.
A great example of when a forensic image is best utilised is when there are suspicions of data tampering in a case or if deleted data is critical.
Creating a forensic image of a device requires specialist knowledge and suitable software. Not only this, you'll have to consider how you'll navigate through this data, with forensic images resulting in larger data sets than a logical copy.
Device auditing
A simple yet critical part of any eDiscovery project is the proper documentation of devices and the ESI that's been collected. The main reason is that it allows devices and ESI to be uniquely identified from one another and to show integrity has been upheld in the case.
This becomes important when discussing the chain of custody throughout evidence collection, tracking the time and date when devices or ESI have been transferred between individuals or organisations.
A thorough chain of custody throughout data collection demonstrates the authenticity of a document and disproves any claims of data tampering.
Examples of the unique identifiers you can use for your auditing include:
- Serial numbers — Provided by manufacturers to uniquely identify hardware
- IMEI (International Mobile Equipment Identity) — Provided by the GSMA (Groupe Spéciale Mobile Association) to identify smartphones and cellular-enabled tablets and smartwatches
- Evidence bag numbers — A unique string which identifies the evidence bag holding the physical device
- Hash value — A numeric value of a fixed length that uniquely identifies data.
A level of care must be applied when documenting this information, as neglecting to do so can damage the integrity of the case and lead to the possible dismissal of evidence.
Learn about data collection and more with our Content Hub
Looking to become an eDiscovery expert? We can help. Our Content Hub gives you lifetime access to our range of educational content, including our eBooks, resources, videos and more.
Take the next step towards eDiscovery expertise by signing up for free. Get started by clicking below.
<Content Hub LP>
