eDiscovery Analysis: At the Onset, IT Analysis

Before starting an electronic discovery investigation, it is important to determine the scope of data to be collected and analyzed. Effectively determining what is in and out of scope is key to cost containment and has a significant impact on the overall effort and on the time elapsed prior to final production. Incorrect up-front scoping can even affect the overall outcome of a case.

How can you help determine the proper scope?

Custodian of Interest Checklist

The following checklist provides an example of the kinds of questions that need to be answered during an IT interview concerning the custodian(s) of interest in order to define scope.


For custodian "x", if this information has been collected and retained, could you please provide inventory lists of:

Security Principals
___ All accounts associated with the custodian's identity, and any changes to those accounts that happened during the times of interest?
___ All security groups of which the custodian was a part during the time period of interest?
___ All users who had 'domain administrator', 'enterprise administrator', 'schema administrator', 'backup operator' or similar elevated privileges (either explicitly assigned or inherited through group membership, including nested groups) at any point in time during the time of interest?
E-mail Scope
___ All mailboxes associated with the custodian's identity, including any resource or shared mailboxes (e.g., an "info" mailbox) that the custodian used?
___ All e-mail distribution lists that the custodian is currently on, and any known history of distribution list membership during the time periods of interest?
___ All individuals with access to the custodian's mailbox during the time period of interest?
___ Which mailboxes the custodian had access to?
___ List of any mailbox moves or migrations that happened during the time of interest, along with specific tools and procedures used during the migration?
___ All public folders or other similar collaboration objects that the custodian had access to?
___ All backups in existence of the custodian's mailbox?
___ Did the custodian have any PSTs in use anywhere and can these be recovered?
File system Scope
___ All network file shares that the custodian has, or had, access to during the time periods of interest?
___ All files that were created, modified or deleted by the custodian during the time period of interest?
___ All backups for file systems (network or local) used by the custodian, including lists of any external hard drives or thumb drives used for backup purposes?
___ All commercial off-the-shelf (COTS) applications in-house?
___ All custom software solutions in-house?
___ Standard desktop PC configurations listing the software installed, and the specifics for the custodian in question during the time of interest?
Database Scope
___ All databases that the custodian had access to (proprietary or otherwise)?
Physical Location
___ All employees and consultants who worked in the proximity of the custodian during the time period of interest?
___ All printers that the custodian shared with other users?
___ All corporate technology assets that the custodian had access to during the time period of interest, including: cell phones, laptops, home machines, desktop PCs, BlackBerry devices, PDAs, ZIP drives, external hard drives, removable hard drives, etc.?
Other Media
___ All voicemail system backups and logs for the time period of interest?
___ Any Unified Messaging backups and logs for the time period of interest?
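Of the Security Principals items above, the hardest to answer by hand is the request for everyone who held elevated privileges during the time of interest, because membership in groups such as Domain Admins is frequently inherited through nested groups and changes over time. The following Python script is an added example, not part of the EDRM checklist. It runs over a constructed membership-history export (the `Membership` record layout, the account and group names and the dates are all assumptions for illustration; in practice the rows would be pulled from the directory's own tooling and its retained change history) and answers two of the checklist questions: the custodian's effective groups during the window, and every user who held a privileged group at any point in it, explicitly or through nesting. Date intervals are intersected along each nesting chain, so a chain whose links never overlapped in time is not counted, and cyclic group nesting terminates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Interval = Tuple[date, date]  # inclusive start and end dates


@dataclass(frozen=True)
class Membership:
    """One row of a group-membership history export (assumed layout)."""
    member: str              # user or group account name
    group: str               # group the member was placed in
    added: date              # date the membership began
    removed: Optional[date]  # date it ended; None means still current


# Constructed sample export: names and dates are illustrative, not real data.
MEMBERSHIPS: List[Membership] = [
    Membership("jdoe", "Finance-Users", date(2004, 1, 10), None),
    Membership("jdoe", "Backup Operators", date(2005, 3, 1), date(2005, 3, 20)),
    Membership("Helpdesk-Leads", "Domain Admins", date(2003, 6, 1), None),
    Membership("msmith", "Helpdesk-Leads", date(2005, 2, 1), None),
    # Mutual nesting: a cycle the traversal must not loop on.
    Membership("Tier0-Ops", "Helpdesk-Leads", date(2005, 4, 1), None),
    Membership("Helpdesk-Leads", "Tier0-Ops", date(2005, 4, 1), None),
    Membership("akhan", "Tier0-Ops", date(2005, 5, 1), None),
    # Privilege that ended before the window opens.
    Membership("bwong", "Domain Admins", date(2002, 1, 1), date(2004, 12, 31)),
    # Chain whose links never overlap: cruz joined after the nesting was removed.
    Membership("Contractors", "Schema Admins", date(2004, 1, 1), date(2004, 6, 30)),
    Membership("cruz", "Contractors", date(2005, 1, 1), None),
]

PRIVILEGED_GROUPS: Set[str] = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Backup Operators",
}
GROUP_NAMES: Set[str] = {m.group for m in MEMBERSHIPS}
WINDOW: Interval = (date(2005, 1, 1), date(2005, 6, 30))  # time period of interest


def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    """Overlap of two inclusive date ranges, or None if they do not touch."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def membership_interval(m: Membership) -> Interval:
    return (m.added, m.removed if m.removed is not None else date.max)


def effective_groups(principal: str, window: Interval) -> Dict[str, List[Interval]]:
    """Groups `principal` belonged to, directly or via nesting, at any point in `window`.

    Returns group -> intervals (within `window`) during which the membership was
    effective.  The interval is intersected along every nesting link, so a chain
    whose links never coincide in time is dropped.  A newly found interval that
    is already covered by one recorded for the same group is not expanded again,
    which is what makes traversal of cyclic nesting terminate.
    """
    found: Dict[str, List[Interval]] = {}
    stack: List[Tuple[str, Interval]] = [(principal, window)]
    while stack:
        name, iv = stack.pop()
        for m in MEMBERSHIPS:
            if m.member != name:
                continue
            sub = intersect(iv, membership_interval(m))
            if sub is None:
                continue
            if any(lo <= sub[0] and sub[1] <= hi for lo, hi in found.get(m.group, [])):
                continue
            found.setdefault(m.group, []).append(sub)
            stack.append((m.group, sub))
    return found


def privileged_users(window: Interval) -> Dict[str, Set[str]]:
    """Every user who held a PRIVILEGED_GROUPS membership, explicit or inherited,
    at any point in `window`; maps user -> privileged groups held."""
    users = {m.member for m in MEMBERSHIPS} - GROUP_NAMES
    held: Dict[str, Set[str]] = {}
    for user in sorted(users):
        privileged = set(effective_groups(user, window)) & PRIVILEGED_GROUPS
        if privileged:
            held[user] = privileged
    return held


if __name__ == "__main__":
    print("custodian jdoe, effective groups:", effective_groups("jdoe", WINDOW))
    print("privileged users in window:", privileged_users(WINDOW))
```

On the sample data this reports jdoe (a three-week stint in Backup Operators), msmith (Domain Admins inherited through Helpdesk-Leads) and akhan (inherited through two levels of nesting), while bwong, whose privilege ended before the window, and cruz, whose group was removed from Schema Admins before cruz joined it, are correctly left out. The catch for the IT interview is the `added`/`removed` columns: a live query of the directory (for example `Get-ADGroupMember -Recursive` from the ActiveDirectory PowerShell module) returns only current membership, so the historical view depends on retained change logs or directory backups, which is why the checklist is conditioned on the information having been collected and retained.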

Environment Review Checklist

The following checklist illustrates the kind of "environment review" questions that should also be part of the IT Interview process in order to define scope.


Please answer the following questions:

Discovery Tools
  Are there any analysis tools currently deployed on the network that perform any of:
___ Full or partial content indexing of any sort for e-mail servers, file servers, IIS servers, etc.?
___ Cross-server or cross-desktop search?
___ E-mail content or attachment search?
___ E-mail backup search or brick-level backup/recovery?
___ Desktop search tools such as MSN Desktop Search, Google Desktop Search or MSN Lookout?
___ E-mail or other archival solutions?
Are there areas of the IT realm that can be excluded from scope, for example:
___ Certain databases
___ Certain e-mail systems
___ Certain file servers
___ Certain systems
Are there documented standard operating procedures in place for any of:
___ Incremental, differential, or full backups?
___ Hourly, daily, weekly, monthly, or yearly backups?
___ Onsite and offsite storage of backup media?
___ Backup tape rotation in use (28-tape rotation, grandfather/father/son, etc.)?
___ Disaster Recovery and/or Business Continuity processes?

Source: EDRM (edrm.net)