Data collection and analysis for investigations is very different to collection for discovery or review. This article discusses the differences; how Early Case Assessment (ECA) can assist and the benefits of using review technology.
Data collection and analysis for an investigation
Collecting for investigation often involves overcoming many barriers. Analysis faces the added difficulty of reconstructing past events as they occurred.
An example of hidden complexity in an investigation is information about user activities in specific locations or timeframes. Video files may be overlooked but can contain complex hidden information. Studying the metadata (data about the data) such as who created the video and the time it was created, as well as the GPS location of the videos and/or images could be used to indicate when or where the item was recorded which might prove very pertinent.
Mobile phone data is another great data source which may create difficulties if the forensic investigator is not well versed. A Digital Forensics expert can assist if the person being investigated refuses to surrender their mobile phone. One would assume there is no way for the data to be collected. In reality, if the person ever connected their mobile phone to their work device and created a back-up, the forensic investigator can access the user-generated back-up. A large amount of data can be easily recovered using the back-up, including deleted data. This will likely include (but not be limited to) communications, documents and photos.
When it comes to data, ideally recovery should start as soon as possible. The longer the period of time between an incident and investigation, the higher the risk that data will not be recovered.
Our clients are particularly interested in a timeline of events to understand what occurred and allow for the development of the story. This involves reporting on significant dates and relates to when activity was recorded on a particular day. It includes activities such as when documents were created, what was deleted, when something was copied from C: drive to a USB, etc. The aim is to reconstruct these events and understand what happened on a particular day or timeframe.
Early Case Assessment (ECA)
Once all the data is collected, then what is irrelevant needs to be taken out.
Firstly, the level of duplication is checked so duplicates can be removed and the legal team doesn’t have to review the same emails over and over. This involves running initial searches to filter out the rubbish, eg. emails from Yahoo Sport or Google News. It is also possible to sort by custodian, eg. emails going from the company to an external receiver.
This process assists with planning and how data will be reviewed. It is important to examine the metrics for cutting the irrelevant data and capturing what is potentially relevant. The point is to prioritise and find evidence to move the review faster, saving time and money for all parties.
One of the other benefits of ECA is the ability to look at communications between two individuals and the events that happened, and better form an opinion about whether there is a chance in winning the case.
Using the review platform
Once the data is in the review platform and on a timeline, it is possible to click into the timeline using a real-time filter on the data and see all the custodians. Search terms are provided so the data can be searched.
There are two ways to review, by reviewing for what is relevant and by reviewing for what is irrelevant so it can be removed. In other words, are they responsive or non responsive? Or is it a hot document? The document then needs to be tagged. The tags are completely customisable. If the tags have already been decided on, it makes things much easier, particularly if working with a review team or multiple teams.
The review platform allows teams to work together without doubling up over each other, so the review is much faster. Everything is tracked and properly recorded, and it can also be used remotely. Users can log in with Google Chrome or Internet Explorer.
From here, analytics and technology can be used to help refine the review further.
Law In Order is a leading provider to the legal profession of eDiscovery and legal support services including forensic data collection, information governance, managed document review, and virtual arbitration or mediation services. We provide a secure, flexible and responsive outsourced service of unparalleled quality to law firms, government agencies and inhouse corporate legal teams. The Law In Order team is comprised of lawyers, paralegals, system operators, consultants and project managers, with unparalleled knowledge and experience in legal technology support services.
By David Kerstjens