Common & Overlooked ESI Sources – Forensic Data Collection Checklist
In order for a forensic data investigation to be thorough and complete, forensic examiners need to have confidence that the collection didn’t miss any relevant ESI. While most ESI can be attributed to the usual suspects, natural complexities and unique case-specific challenges can often lead to data being found in more obscure areas.
As a result, it’s important to always conduct information governance practices and data mapping before any collection is executed. While a targeted collection may seem on the surface like all that is needed, it is important to explore all avenues before deciding on a collection route. Proper early case assessment decisions are driven by the data, custodian interviews, employee entrance/exit policies, and more, rather than by assumptions about what the case may hold.
Below is a checklist of both common and uncommon sources of ESI. This is not an all-encompassing list; instead, it should be used as a jumping-off point when assessing the scope of the collection.
| ____ | ESI Data Sources Checklist |
| --- | --- |
| ____ | Mobile Devices & Smartphones: iPhone, Android, legacy devices (flip phones, BlackBerry, etc.) |
| ____ | Desktops & Laptops: Windows, Mac OS |
| ____ | Tablets: iOS, Android, Windows |
| ____ | External Hard Drives & USBs |
| ____ | Smart Home & Devices: Echo, Ring, Show, SimpliSafe, Nest, Vivint, etc. |
| ____ | Wearable Technology: Apple Watch, Fitbit, Garmin, Smart Glasses, etc. |
| ____ | RFID: Tile, Key Fobs, NTAG |
| ____ | Cloud Accounts: Slack, Outlook, OneDrive, Google Drive, Dropbox, Teams, Zoom, etc. |
| ____ | Corporate Sources: Local & Shared Network Folders, Time & productivity tracking software, Document management systems |
| ____ | Email Servers: Microsoft 365, Gmail, AOL, Yahoo, Earthlink, mail.com, Exchange, Webmail, etc. |
| ____ | Social Media: Facebook, Instagram, Twitter, LinkedIn, Clubhouse, WeChat, WhatsApp, TikTok, etc. |
| ____ | Local backups |
| ____ | Loose files |
| ____ | Non-custodian data sources |
| ____ | Cloud-linked documents & hyperlinked URLs |
| ____ | Legacy systems and devices |