By The Electronic Discovery Reference Model
Before starting an electronic discovery investigation, it is important to
determine the scope of data to be collected and analyzed. Deciding up front
what is in and out of scope is key to cost containment and can substantially
affect the overall effort and the time elapsed before final production.
Incorrect up-front scoping can even affect the overall outcome of a case.
Custodian of Interest Checklist
The following checklist provides an example of the kinds of questions that
need to be answered during an IT interview concerning the custodian(s) of
interest.
| IT INTERVIEW - CUSTODIAL INVENTORY (COMPANY CONFIDENTIAL) |
|
|
| INSTRUCTIONS: For custodian "x", if this information has been collected and retained, could you please provide inventory lists of: |
|
|
| Security Principals |
| ___ | All accounts associated with the custodian's identity, and any changes to those accounts that happened during the times of interest? |
| ___ | All security groups of which the custodian was a part during the time period of interest? |
| ___ | All users who had 'domain administrator', 'enterprise administrator', 'schema administrator', 'backup operator' or similar elevated privileges (either explicitly assigned or inherited through group membership) at any point in time during the time of interest. |
|
|
| E-mail Scope |
| ___ | All mailboxes associated with the custodian's identity, including any resource accounts (e.g., an info mailbox) that the custodian used? |
| ___ | All e-mail distribution lists that the custodian is on currently and whatever history is known regarding distribution list membership during the time periods of interest? |
| ___ | All individuals with access to the custodian's mailbox during the time period of interest? |
| ___ | Which mailboxes the custodian had access to? |
| ___ | List of any mailbox moves or migrations that happened during the time of interest, along with specific tools and procedures used during the migration? |
| ___ | All public folders or other similar collaboration objects that the custodian had access to? |
| ___ | All backups in existence of the custodian's mailbox? |
| ___ | Did the custodian have any PSTs in use anywhere and can these be recovered? |
|
|
| File System Scope |
| ___ | All network file shares that the custodian has access to and had access to during the time periods of interest? |
| ___ | All files that were created, modified or deleted by the custodian during the time period of interest? |
| ___ | All backups for file systems (network or local) used by the custodian, including lists of any external hard drives or thumb drives used for backup purposes. |
|
|
| Applications |
| ___ | All commercial off-the-shelf (COTS) applications in-house |
| ___ | All custom software solutions in-house |
| ___ | Standard desktop PC configurations listing software installed and specifics for the custodian in question during the time of interest |
|
|
| Database Scope |
| ___ | All databases that the custodian had access to (proprietary or otherwise)? |
|
|
| Physical Location |
| ___ | All employees and consultants who worked in the proximity of the custodian during the time period of interest? |
| ___ | All printers that the custodian shared with other users? |
|
|
| Devices |
| ___ | All corporate technology assets that the custodian had access to during the time period of interest, including: cell phones, laptops, home machines, desktop PCs, BlackBerries, PDAs, ZIP drives, external hard drives, removable hard drives, etc. |
|
|
| Other Media |
| ___ | All voicemail system backups and logs for the time period of interest? |
| ___ | Any Unified Messaging backups and logs for the time period of interest? |
|
|
Environment Review Checklist
The following checklist illustrates the kind of "environment review"
questions that should also be part of the IT Interview process in order to
define scope.
| IT INTERVIEW - ENVIRONMENT REVIEW (COMPANY CONFIDENTIAL) |
|
|
| INSTRUCTIONS: Please answer the following questions: |
|
|
| Discovery Tools |
| Are there any analysis tools currently deployed on the network that perform any of: |
| ___ | Full or partial content indexing of any sort for e-mail servers, file servers, IIS servers, etc.? |
| ___ | Cross-server or cross-desktop search? |
| ___ | E-mail content or attachment search? |
| ___ | E-mail backup search or brick-level backup/recovery? |
| ___ | Desktop search tools such as MSN Desktop Search, Google Desktop Search or MSN Lookout? |
| ___ | E-mail or other archival solutions? |
|
|
| Exclusions |
| Are there areas of the IT realm that can be excluded from scope, for example: |
| ___ | Certain databases |
| ___ | Certain e-mail systems |
| ___ | Certain file servers |
| ___ | Certain systems |
|
|
| Standards |
| Are there documented standard operating procedures in place for any of: |
| ___ | Incremental, differential, or full backups? |
| ___ | Hourly, daily, weekly, monthly, or yearly backups? |
| ___ | Onsite and offsite storage of backup media? |
| ___ | Backup tape rotation in use (28-tape rotation, grandfather/father/son, etc.)? |
| ___ | Disaster Recovery and/or Business Continuity processes? |
|
|