Digital Forensics – Stage 2: Electronic Discovery Processing & Analysis
Once data has been identified through appropriate data mapping techniques and defensibly collected by a certified forensic examiner, the data moves on to the next stage within the electronic data reference model (EDRM). The data will need to be processed for electronic discovery and further review. This can range from converting file types into archivable structured formats to maintaining files in native format for review.
During the processing stage it is important to have these steps performed by professionals. Any loss of data integrity, metadata, hash values and so on creates downstream issues and future hurdles for legal teams. To combat this, it is key not only to use the latest technology and software equipped with the most recent service packs and indexes, but also to have competent forensic examiners managing the processing of the data.
Processing and Data Analysis are treated together because analysis without reporting is not particularly helpful. Analysis is the process by which forensic experts utilize a variety of techniques and technologies to recover data and interpret the results. This goes beyond your typical eDiscovery processing of known and obvious data and is a specialized service done by certified forensic experts.
“The evidence recovered is analyzed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay persons’ terms.” M Reith, C Carr, G Gunsch, “An examination of digital forensic models”. International Journal of Digital Evidence.
Data Filtering & Processing
- (IMPORT) data filtering includes de-duplication, file type filters, term filtering, and other first pass data filtering
- (EXPORT) native processing is related to data exported for full review after “IN” filtering has run its course
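The import-side first pass listed above (de-duplication, file type filter, term filter), as an added example that is not from the original article or from any eDiscovery product: each item is hashed with SHA-256 and every item receives a logged disposition, so an exclusion can be explained later. The sample collection, the function name and the field names are assumptions made for illustration.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed sample collection: (custodian, path, content). Not real case data.
SAMPLE = [
    ("alice", "mail/offer.txt", b"Draft merger terms attached."),
    ("bob", "inbox/offer-copy.txt", b"Draft merger terms attached."),
    ("bob", "notes/lunch.txt", b"Sandwich order for Friday."),
    ("alice", "bin/setup.exe", b"MZ\x90\x00 merger"),
    ("carol", "docs/Plan.TXT", b"MERGER timeline v2"),
]

def first_pass_filter(items, allowed_exts, terms):
    """Return (kept, log). Every item appears in the log with its SHA-256
    and a disposition, whether it was kept or excluded."""
    seen = {}  # sha256 -> path of the first occurrence
    kept, log = [], []
    terms = [t.lower() for t in terms]
    for custodian, path, data in items:
        digest = hashlib.sha256(data).hexdigest()
        entry = {"custodian": custodian, "path": path, "sha256": digest}
        ext = PurePosixPath(path).suffix.lower()
        if digest in seen:
            # Content-identical item: record where the first copy lives.
            entry["disposition"] = "duplicate of " + seen[digest]
        elif ext not in allowed_exts:
            seen[digest] = path
            entry["disposition"] = "excluded: file type " + ext
        else:
            seen[digest] = path
            # Case-insensitive term search over the decoded content.
            text = data.decode("utf-8", errors="replace").lower()
            if any(t in text for t in terms):
                entry["disposition"] = "kept"
                kept.append(entry)
            else:
                entry["disposition"] = "excluded: no term hit"
        log.append(entry)
    return kept, log

if __name__ == "__main__":
    kept, log = first_pass_filter(SAMPLE, {".txt"}, ["merger"])
    for e in log:
        print(e["sha256"][:12], e["custodian"], e["path"], "->", e["disposition"])
```

The duplicate entry keeps its custodian and path in the log, so de-duplication reduces review volume without losing the record of who held a copy.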
Recommendation: An important heuristic if you move forward with analysis is to narrow the scope as much as possible. Carefully consider which custodians and devices should be analyzed. While you do not want to miss anything important, irrelevant or repetitive information can cause costs to soar to astronomical levels.