Common & Overlooked ESI Sources – Forensic Data Collection Checklist

In order for a forensic data investigation to be thorough and complete, forensic examiners need to have confidence that the collection didn’t miss any relevant ESI. While most ESI can be attributed to the usual suspects, natural complexities and unique case-specific challenges can often lead to data being found in more obscure areas.

As a result, it’s important to always conduct information governance practices and data mapping before any collection is executed. While on the surface level a targeted collection may seem like all that is needed, it is important to explore all avenues before deciding on a collection route. Proper early case assessment decisions are driven by the data, custodian interviews, employee entrance/exit policies, and more rather than assumptions on what the case may hold.

Below is a checklist of both common and uncommon sources of ESI. This is not an all encompassing list but instead should be used as a jumping off point when assessing the scope of the collection.

____ESI Data Sources Checklist
Mobile Devices & Smartphones: iPhone, androids, legacy devices (flip phones, blackberry, etc.) 
Desktops & Laptops: Windows, Mac OS 
Tablets: IOS, Android, Windows 
External Hard Drives & USB’s
Smart Home & Devices: Echo, Ring, Show, SimpliSafe, Nest, Vivint, etc. 
Wearable Technology: Apple Watch, FitBit, Garmin, Smart Glasses, etc.
RFID: Tile, Key Fobs, NTAG
Cloud Accounts: Slack, Outlook, OneDrive, Google Drive, DropBox, Teams, Zoom, etc. 
Corporate Sources: Local & Shared Network Folders, Time & productivity tacking software, Document management systems 
Email Servers: Microsoft 365, Gmail, AOL, Yahoo, Earthlink,, Exchange, Webmail, etc. 
Social Media: Facebook, Instagram, Twitter, LinkedIn, Clubhouse, WeChat, WhatsApp, TikTok, etc. 
Local backups 
Loose files 
Non-custodian data sources 
Cloud linked documents & hyperlinked urls
Legacy systems and devices