Updated: Apr 29
For multinational firms, there are a number of challenges during collections. These can include staff in different countries, data stored in physical data centres across the globe or data stored in the cloud. These can all present unique difficulties with accessing data. As such, it’s critical to ensure data is collected in the most efficient manner.
The important concept to focus on is effective collection. Data can always be collected in an efficient manner; however, if the relevant data is not collected, the information for the case will not come together.
There are a few ways to ensure effectiveness. Firstly, the collection team need to run comprehensive interviews with relevant organisational staff. The interviews will start with the Legal Team to get an understanding of the scope of the undertaking, and these discussions will then shape the discussion with the IT Team, who will have the most knowledge about the data and how it is stored. Next, the Collections Team need to understand the organisation’s policies around data and how employees handle the data, including whether they use personal devices for work, for example personal mobile phones that are connected to their work email account. If an employee is subject to an investigation, they may be required to surrender their personal mobile phone. The aim in all this is to prepare multi-dimensional metrics that link all the various employees to the various data sources and how best to collect them.
By the end of the interviewing process, the organisation may only have 10 or 20 employees who have been deemed relevant to the investigation and from that group the Collections Team may have 100GB of data in total that needs to be collected.
Personal devices will always create more intricacies around collections. Individuals are more inclined to utilise their personal devices to access work emails or to contact clients or colleagues to discuss matters over the phone or via messaging applications. When performing the collection, the main concerns of an individual are how long they will be without their personal device and whether their personal data will be viewed.
The next challenge to face is scheduling. Any collections that are performed on shared resources need to be conducted in a manner that will create the least disruption. This can become more difficult with people travelling or if the collection needs to be performed in a covert manner without the person’s knowledge.
The data collection plan is essential as the Collections Team will only get one chance to collect a device in a forensically sound manner. The contents of an employee’s computer today may be very different to what is on that computer tomorrow. If they receive notification through their device that they are being collected, the employee can completely wipe everything and nothing can be recovered.
How does a Collections Team address this? To ensure any potentially relevant data is retained, a Document Preservation Notice is sent. It could be a simple email or memo notifying relevant employees about the investigation or dispute and that the organisation is putting a litigation hold on their devices. The employees would be instructed not to delete any of their data and to back up everything. The Collections Team would also disable the auto-deletion process and make sure the custodian of the data knows what to do to preserve the data.
Obviously, people can’t always be relied on so measures need to be put in place so that if someone actually tries to release the data, it can be recovered after the fact. The team at the organisation’s end may not have full knowledge about the methods to preserve all the different types of data as they are generally not trained to forensically prepare for investigation.
So, what sorts of data would be collected? Typically, data is divided broadly into two groups – structured and unstructured. Unstructured data is typically data created on a day to day basis such as emails and documents. An example of structured data is a database such as a Client Relationship Management system, Document Management System or HR database.
Structured data can create further complications as it needs to be exported. For unstructured data, a backup or forensic collection can be performed and this can be turned around quickly depending on the volume of data. However, for structured data, you may need to allow for extra weeks or months to get the relevant data ready for the purpose of discovery and may need to engage the assistance of the external system provider.
It is important to ensure that data is preserved when exported, for example the date when the document was created, when it was last modified and by whom, who acts as document owner and what happened to the document. If you know the criteria, depending on how relevant they are, the team can perform keyword searches and run the search to produce the relevant data on the spot. These keyword searches may be possible within the system that houses the data, or the data may require processing into an eDiscovery platform because of limited search functionality in the originating system.
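One way to keep those properties intact for the simplest case, documents exported as plain files, shown as an added example that is not part of the original article. The file name, the manifest fields and the SHA-256 verification step are assumptions; "modified by whom" lives in the source system and is not visible at file level.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(src, dest_dir):
    """Record source metadata first, then copy with timestamps kept and verify."""
    st = os.stat(src)
    entry = {
        "source": os.path.abspath(src),
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        # Creation time is only exposed on some platforms; None when unavailable.
        "created_epoch": getattr(st, "st_birthtime", None),
        "owner_uid": st.st_uid,
        "sha256": sha256_of(src),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dest)  # copy2 keeps the modification time; copy() does not
    entry["copy_verified"] = sha256_of(dest) == entry["sha256"]
    entry["mtime_preserved"] = int(os.stat(dest).st_mtime) == int(st.st_mtime)
    return entry


def demo():
    """Constructed document last modified in 2020, exported two ways."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "contract.txt")
        with open(src, "w") as fh:
            fh.write("constructed sample document\n")
        os.utime(src, (1_600_000_000, 1_600_000_000))
        naive_dir = os.path.join(work, "naive")
        sound_dir = os.path.join(work, "sound")
        os.mkdir(naive_dir)
        os.mkdir(sound_dir)
        naive = shutil.copy(src, naive_dir)  # content only: mtime becomes "now"
        entry = collect(src, sound_dir)
        return int(os.stat(naive).st_mtime), entry
```

`demo()` returns the modification time of the naive copy alongside the manifest entry, so the lost 2020 timestamp on the naive export can be compared with the preserved one.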
However, in terms of investigations, sexual harassment matters, victimisation and bullying where there is a strong likelihood of data being deleted, the only way to recover the deleted data is through forensic imaging and data carving. Data carving will mean that any data that has been removed from the device could potentially be recovered.
Throughout the process, contemporaneous notes are completed by all members of the Team to ensure every element is fully documented. These notes will ensure chain of custody of devices is maintained and will record the methods utilised to perform the collections, any issues faced whilst onsite and any limitations faced. These notes ensure admissibility of the evidence collected in court and will provide the information required for the Collection Team to provide thorough statements on the overall collection process.
By David Kerstjens, Digital Forensics Lead