Monday, October 27, 2008

The case for forensics as part of your E-Discovery Process

First the disclaimers: I am not a lawyer nor have I ever played one on TV. Nothing that I write (or say) should be construed as legal advice.

The intent of this post is to highlight how and why computer forensic analysis belongs in your E-Discovery process. Perhaps the place to start is with the Federal Rules of Evidence Rule 901, Requirement of Authentication or Identification. Of particular interest is subsection 9, which states, “(9) Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.”

Computer forensics does just that: it is a process by which information/data is collected and analyzed in a fashion that is repeatable and reproducible, so that anyone who follows the same procedures gets the same results, and the results can be proven to be accurate. In forensics this is done in part through cryptographic “hashing”: the process of feeding information into a formula to produce an answer that is unique, and when the same information is fed into the formula it always produces the same answer. Conversely, if a single “bit” of the information changes, so does the answer. Thus computer forensics produces a result that is accurate and reproducible.
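The hashing step described above, as an added example that is not part of the original post: a file is copied while being hashed, the recorded digest is checked again later, and a single flipped bit makes the check fail. SHA-256, the function names and the sample file are assumptions chosen for the illustration; the post does not name an algorithm or a tool.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large evidence files fit in memory

def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest):
    """Copy source to dest, hashing the bytes as read; reject a bad copy."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    acquired = h.hexdigest()
    if sha256_file(dest) != acquired:  # re-read the copy from disk
        raise IOError("copy does not match source: " + dest)
    return acquired

def verify(path, recorded_digest):
    """Repeat the same process later; True only if the answer is unchanged."""
    return sha256_file(path) == recorded_digest

def demo():
    """Constructed sample: acquire a file, verify it, then flip one bit."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "mailbox.dat")  # constructed sample file
    copy = os.path.join(workdir, "mailbox.copy")
    with open(source, "wb") as f:
        f.write(b"From: a@example.com\r\nSubject: constructed sample\r\n" * 1000)
    digest = acquire(source, copy)
    before = verify(copy, digest)          # same data, same answer
    with open(copy, "r+b") as f:           # change a single bit of the copy
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    after = verify(copy, digest)           # one bit changed, answer changed
    return digest, before, after

if __name__ == "__main__":
    print(demo())
```

Recording the digest at acquisition time is what lets a second examiner repeat `verify` on the same copy and reach the same result.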

Naturally this type of analysis takes longer than, say, copying the data, but there are many advantages other than producing accurate and reproducible results. Some of the key benefits include:

• Produces more information (think metadata, or data about data)
• Ultimately saves time and money
• Quicker lead generation
• More efficient replication of data
• Evidence is “scientific”

More to come in part 2.
