Updated: Jan 17, 2020
The process of identification, preservation and collection in the approach to review can be complex. Here is an overview of the process.
When there is a litigation or an investigation taking place, once the Forensic team know where all the data is stored within an organisation, the next step in the process is identification of the data sources that are required. For example, if it is an IP infringement - possibly the loss of communication data - then it is unlikely that any human resources data will be relevant. In this instance, it might be worth looking into email and Skype chat data or other methods of communication.
The team may then discover they have one target custodian and can filter down to that person, which means there is no need to look at everybody’s emails or Skype messages.
As the Forensic team are collecting evidence, it’s important to collect the information properly, in a defensible manner. For example, in a murder case, it’s proper procedure to use gloves to protect the evidence. Collecting electronic evidence also requires proper procedures for protection of the evidence.
It’s also important to decide whether to manage the collection internally or whether to outsource. Organisations sometimes don’t consider the relationship between the custodian and their IT department. If they happen to be friends, they may discuss the investigation and jeopardise the results or potentially cause the evidence to be deemed inadmissible.
Once the relevant data is identified, the Forensic team move on to data processing. Essentially, processing is taking all the different forms of data and converting them into a more reviewable format. For example, there are emails, chat data and sales data, but the data is very difficult to review if you have to use the native platforms for all the different file types, e.g. Outlook for emails, Adobe for PDFs or Microsoft Office for Word documents.
Processing extracts all the text and gets everything into one review platform. Then you can step into the review stage where everyone can review all the documents in one platform and everything is kept nice and tidy.
How Analysis Can Assist
To make the review more efficient and faster, it is possible to add some analysis to the review stage. For example, email threading is quite a useful tool. This allows the reviewer to look at the last email in a chain of emails, so the reviewers don’t have to look at every single email in the chain individually. Generally, the last email in the chain will most likely contain all the content from the other emails and the highest priority information.
These tools can also be leveraged to analyse the reviewing patterns of the reviewer. That is, they can prioritise what they think is relevant based on the way the reviewer is reviewing the material.
One very useful tool is deletion analysis. For example, if some emails were collected and it appeared a lot were missing, it is possible to leverage computer forensics to recover the lost emails and help process them so the emails can be reviewed.
It is also worthwhile to consider undertaking a high-level analysis prior to commencing review to get a sense of the data in the review. For instance, a high-level analysis can give an overview of a conversation between two people without having to review one document at a time. It is possible to see how often they communicated, the times they communicated, whether anyone else was involved in the conversations, etc. It also highlights any potential email deletion. As an illustration, if a normal month shows an average of 10,000 emails and then there is a sudden drop in December, it could be due to holidays or an IT issue or because people have actually deleted files. When the review is started, an in-depth analysis can be done using duplicate analysis, keyword search, contact searching, etc.
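The high-level analysis described above can be sketched over header metadata alone. This is an added example, not code from the original article: the message records, addresses and the 50% threshold are constructed assumptions, and a flagged month is only a lead to examine, since holidays or an IT issue produce the same drop.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

ALICE, BOB, CAROL = "alice@example.com", "bob@example.com", "carol@example.com"  # constructed

def month_range(first, last):
    """List 'YYYY-MM' strings from first to last inclusive."""
    y, m = map(int, first.split("-"))
    out = []
    while f"{y:04d}-{m:02d}" <= last:
        out.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out

def monthly_profile(messages, a, b):
    """Per-month message counts between a and b, plus anyone else on those messages."""
    counts, others = Counter(), defaultdict(set)
    for msg in messages:
        people = {msg["from"], *msg["to"]}
        if msg["from"] in (a, b) and {a, b} <= people:
            month = datetime.fromisoformat(msg["date"]).strftime("%Y-%m")
            counts[month] += 1
            others[month] |= people - {a, b}
    return counts, others

def flag_drops(counts, first, last, ratio=0.5):
    """Months whose volume is below ratio * median; months with no mail count as 0."""
    months = month_range(first, last)
    volumes = [counts.get(m, 0) for m in months]
    baseline = median(volumes)
    return [m for m, v in zip(months, volumes) if v < ratio * baseline]

def sample_messages():
    """Constructed header metadata: a steady conversation with a thin December."""
    volumes = {"2019-09": 10, "2019-10": 12, "2019-11": 11, "2019-12": 2, "2020-01": 10}
    msgs = [{"date": "2019-12-05T10:00:00", "from": CAROL, "to": ["dave@example.com"]}]
    for month, n in volumes.items():
        for i in range(n):
            sender, rcpt = (ALICE, BOB) if i % 2 == 0 else (BOB, ALICE)
            to = [rcpt] + ([CAROL] if month == "2019-11" and i == 0 else [])
            msgs.append({"date": f"{month}-{i + 1:02d}T09:00:00", "from": sender, "to": to})
    return msgs

if __name__ == "__main__":
    counts, others = monthly_profile(sample_messages(), ALICE, BOB)
    for month in month_range("2019-09", "2020-01"):
        print(month, counts.get(month, 0), sorted(others.get(month, ())))
    print("months to examine:", flag_drops(counts, "2019-09", "2020-01"))
```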
Once the relevant data has been found and the pertinent documents have been produced for court, it’s time to provide a statement, affidavit or expert report relating to the Forensic collection and analysis.
This process and everything that has been learned along the way then circles back to the organisation’s information governance so that the organisation is better prepared for a future litigation or investigation. The lessons along the way may feed into a change to protocols and how documents and data are retained and stored.