At Vestige, we work many different types of cases. While we are primarily a Digital Forensics organization, we also specialize in other fields of data examination. An example of which is E-Discovery. Throughout our history, we have worked many E-Discovery cases and are proficient in identifying what our clients need and how they need it. All too frequently we are confronted with general confusion as to what E-Discovery can offer as opposed to what Digital Forensics can offer, if they are not the same thing. As if to confirm this confusion, occasionally, once we review case details, it is determined that what the client actually needs is Digital Forensics work instead of the E-Discovery process they requested, and vice versa.
Digital Forensics and E-Discovery: The Confusion
So what is the difference between Digital Forensics and E-Discovery? For some, it is not immediately evident what the difference is between the two. They both, after all, arrive at similar functional conclusions, assisting in legal matters and help provide insight from data. But what makes them different and which should be used in a given situation?
What is Digital Forensics?
Digital Forensics is the science of performing an analysis over electronic data. Digital Forensics can be performed over all manner of digital medium — hardware or software. From computers, cellular devices, tablets, and flash drives to application-specific data, cloud storage accounts, and everything in between, just about any form of data can be the subject of a Digital Forensics case. Digital Forensics is primarily an artifact-based service, also reviewing content if necessary, that finds the facts through investigation.
What is E-Discovery?
E-Discovery can be summarized as the search for relevant evidence from within a set of data. E-Discovery forensics involves taking data, usually documents, and searching over that data with keywords, date restrictions, or other metrics, segregating out documents deemed relevant to the case. This type of search service is becoming more common and requested in the legal world, as electronic searching is superior to physical eye-to-paper review, particularly in terms of accuracy and time utilization. E-Discovery is a solely content-based service that finds the facts through directed, customized searching.
What about Metadata?
Metadata is also an important topic in this conversation. Metadata is additional information about a piece of data that provides more context for that data. An example of metadata would be the date a document was created or where the document is located on a laptop. Metadata plays an important role in both Digital Forensics and in E-Discovery, but for different reasons. In E-Discovery, metadata provides some additional information about a file to assist in a review. While that is useful, metadata meets its actual potential when it is reviewed by an analyst through Digital Forensics. Metadata that is expertly analyzed and correctly interpreted can be a great boon for clients. In short, metadata review via E-Discovery only provides a piece of the puzzle. Providing the metadata to a forensic analyst could, and in our experience usually does, identify and answer questions that would otherwise go unnoticed.
Examples of How Each are Used in Different Situations
Below are some examples for each case type to provide context to when to use Digital Forensics and when to use E-Discovery.
- As an example for Digital Forensics, a client suspects a recently terminated employee of committing Intellectual Property theft (See our BLOG on this topic: Do You Suspect Employee(s) of Data or IP Theft?). The client has a laptop computer that was operated by the suspected ex-employee. What the client wants to know is was this suspect actually stealing company data as they departed, and if so, how and when was it taken.
- Digital Forensics would be able to provide evidence regarding connected USB devices, files accessed by users, cloud storage usage, email communications, and any other methods that data could have been taken from that laptop. Analysis of deleted data, installed applications, and Operating System integrity would also be performed to provide any evidence of track-covering behavior. What the client is looking for most effectively can be identified with an investigation of the artifacts on the laptop.
- On the E-Discovery side, an attorney has 500,000 emails from their client. The attorney needs to comb through the data, not only to gather relevant emails to the case, but also to identify any privileged or confidential emails, as the data was requested by opposing counsel for review during discovery.
- E-Discovery is the way to go in this situation. The particular artifacts are not as much of a concern during this phase of the case, and 500,000 emails is far too much for data to review manually. Generating a keyword list with accurate, relevant, and concise terms and phrases to apply against the data will almost instantly cut down the amount of email to be reviewed, as well as quickly categorize them for easy identification.
- The trap to avoid here is vague, common, or generally unhelpful terms for the situation. Some examples of bad keywords can include “document” or “file,” names that would hit on the entire data set, and direct bad-guy terms such as “fraud,” “embezzle,” or “steal.” Not only are these going to perform counterproductive false positives, but it is uncommon for a criminal to explicitly announce their crime. Luckily, Vestige has a good idea of what makes a good keyword in light of the case details and we occasionally work with clients to form a strong keyword list that will have ideal performance.
… But They Sometimes Work Together!
It is also not uncommon for one service to lead into the other. We have worked many cases where Digital Forensics was used to investigate the artifacts of a device, then the data content was searched using a keyword list to export relevant data for the client’s review. Conversely, we have seen cases where investigations are executed over devices that are uncovered through an E-Discovery searching procedure.
Digital Forensics and E-Discovery are indeed different services to be performed but they can also be utilized in conjunction with each other to provide a powerful and effective review of data. Digital Forensics provides useful insight from the artifacts that are generated by various sources of data, whether that be a laptop, cell phone, or even individual documents. E-Discovery provides an accurate and repeatable method for isolating relevant data based upon data content for an efficient review of data. All in all, each service has its place in the legal world and Vestige is here to help clients determine which better suits their needs.
By Ian Finch, BS, CGFA,
Senior Forensic Analyst
Vestige Digital Investigations