Audit - Practices to Consider

It is often appropriate that the collection team be trained in computer forensics to ensure that the collection process is done according to forensic protocols, so that all data collected is properly preserved and that you do no harm to the computer. The level of training will depend upon the complexity of the collection and computer systems. The trend is for automation of the entire collection process in order to avoid collection errors and chain of custody problems.

Have three teams or subsets of each electronic discovery provider group. The first team consists of the forensic investigators. It is their job to collect the evidence and document that process. The second team is in charge of logging, inventorying and safeguarding the evidence. The third team is in charge of copying the original data, fingerprinting it (via MD5 hashing) and analyzing the data.

While these teams may overlap, it is generally a best practice to keep the second team small and differentiated from the other two teams. This is important because the task is very different and calls for a different skill set. The logging and inventory personnel need to be among the most organized in the organization. The logging and inventory processing are very likely to be subject to the most challenge in litigation.

When the evidence (computer or media) is physically collected, document the collection by having the collector sign a form indicating: a) the date, b) time, c) name of the person(s) from whom the evidence was collected; and d) a description of the item(s) collected including unique identifiers (manufacturer name and serial number if possible and at least the manufacturer name and model number when the serial number is not apparent). A copy of the form should be provided as a receipt to the person/company from whom the evidence was collected.

Important note: If the evidence is shipped to the electronic discovery provider, it should only be shipped via a carrier that provides excellent shipping and tracking documentation, insurance and high reliability. (For these reasons, we generally ship via companies such as FedEx or UPS.) Bonded point-to-point carriers can also be utilized depending on security needs and cost.

Note that if a trained forensic investigator collects the evidence, he or she should complete a longer form which also includes the address of the premises and lists the names and versions of any hardware or software tools used to make the collection. This form should also provide space for notes to capture the kinds of details that would help the investigator recall the events surrounding the collection should he or she ever need to testify.

As soon after the collection as is practical, the electronic discovery provider needs to take physical custody of the evidence. Following the provider's written procedures, the employee or employees responsible for logging the evidence collection should be given custody of it immediately. We recommend using a database to capture the log information. (While not yet a best practice, in the ideal electronic discovery environment, this database log would be available to clients and other interested parties through a secure log-in via the Web.) The headings should include at least the following:

  • Electronic discovery identification and inventory number (we strongly recommend using a barcode labeling system)
  • Date received
  • Matter name
  • Client name
  • Client/matter number
  • Name of person/company/shipper delivering evidence
  • Description of item(s) (including manufacturer name, model number and unique identifier/serial number whenever possible)
  • MD5 Hash of each piece of media where possible (electronic fingerprint)
  • Name of person receiving evidence (Logged by)
  • Check Out (check box—Yes/No)
    • If "Yes",
      • Date
      • Reason
      • Custodian name
        • Name of recipient (used when evidence shipped from electronic discovery provider to anyone)
        • Name of shipper
        • Shipper's tracking number
        • Date of shipment
        • Date of receipt
      • Check-in date

Whenever the original evidence is accessed, it should only be available to the small team in charge of logging and securing the evidence. Any activities involving the original evidence should be logged. After the logging, a communication to the owner of the evidence should be sent confirming the receipt of the evidence.
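One way to implement the database log and access logging described above, as an added example that is not part of the original page. It assumes SQLite and that each piece of media is available as an image file; the table, trigger and function names are hypothetical.

```python
import hashlib
import sqlite3

# Columns follow the page's log headings; table and trigger names are assumptions.
SCHEMA = """
CREATE TABLE evidence (
  inventory_no TEXT PRIMARY KEY,             -- barcode label value
  date_received TEXT, matter_name TEXT, client_name TEXT,
  client_matter_no TEXT, delivered_by TEXT, description TEXT,
  md5 TEXT NOT NULL, logged_by TEXT NOT NULL);
CREATE TABLE custody_event (                 -- one row per access to the original
  id INTEGER PRIMARY KEY,
  inventory_no TEXT NOT NULL REFERENCES evidence(inventory_no),
  action TEXT CHECK (action IN ('CHECK_OUT', 'CHECK_IN')),
  at TEXT DEFAULT (datetime('now')), reason TEXT, custodian TEXT,
  md5_ok INTEGER NOT NULL);                  -- 1 = media still matches intake hash
CREATE TRIGGER custody_no_update BEFORE UPDATE ON custody_event
  BEGIN SELECT RAISE(ABORT, 'custody log is append-only'); END;
CREATE TRIGGER custody_no_delete BEFORE DELETE ON custody_event
  BEGIN SELECT RAISE(ABORT, 'custody log is append-only'); END;
"""

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: images are large
            h.update(block)
    return h.hexdigest()

def open_log(db_path=":memory:"):
    db = sqlite3.connect(db_path)
    db.executescript(SCHEMA)
    return db

def receive(db, inventory_no, image_path, logged_by, details):
    """Log intake; details = (matter, client, client/matter no., delivered by, description)."""
    db.execute("INSERT INTO evidence VALUES (?, datetime('now'), ?,?,?,?,?, ?,?)",
               (inventory_no, *details, md5_of(image_path), logged_by))
    db.commit()

def log_access(db, inventory_no, action, image_path, custodian, reason):
    """Append a check-out/check-in row; re-hash the media and flag a mismatch."""
    row = db.execute("SELECT md5 FROM evidence WHERE inventory_no = ?", (inventory_no,)).fetchone()
    if row is None:
        raise KeyError(inventory_no)
    ok = md5_of(image_path) == row[0]
    db.execute("INSERT INTO custody_event (inventory_no, action, reason, custodian, md5_ok)"
               " VALUES (?,?,?,?,?)", (inventory_no, action, reason, custodian, int(ok)))
    db.commit()
    return ok
```

A `False` return from `log_access` means the media no longer matches the fingerprint taken at intake, and the triggers keep already-written custody rows from being edited or deleted through the database.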

