Chapter 6

Digital forensics in an eDiscovery world

Rob Attoe    Marshall University, WV, USA

Abstract

With an ever-changing landscape of digital evidence locations and hardware devices hosting electronic data, forensic examiners and experts in the investigations field are looking for new ways to deal with vast amounts of unstructured data. eDiscovery workflows have the potential to enhance the digital forensic investigator’s ability to cull through vast amounts of electronic data collected from the many devices that are now being brought into custody for examination.

Recent leaps in software capabilities in the eDiscovery realm have given the digital examiner more options to apply EDRM workflows to successfully complete an investigation in a timely manner using techniques adopted in a Litigation or eDiscovery examination.

Keywords

eDiscovery
EDRM
Investigation
DFRWS

Introduction

In an ever-changing landscape of storage locations and hardware devices hosting digital evidence, experts in the field are looking for new ways to deal with vast amounts of unstructured data. To this end, eDiscovery workflows have the potential to enhance the digital forensic examiner’s ability to cull through vast amounts of digital data collected from the many devices brought into custody when electronic evidence is seized for examination.
Recent leaps in software capabilities in the eDiscovery realm have given the digital examiner more options to apply workflows to successfully complete an investigation in a timely manner using techniques adopted in a Litigation or eDiscovery examination.

eDiscovery processes and EDRM

Electronic data found on a host of devices such as computers, tablets, cellphones, and small storage media aid in the investigation and eventual successful prosecution of many crimes, from a simple website defacement to homicide. Many examiners are challenged by the vast amounts of data now being collected from these items, as well as by the introduction and prolific use of cloud-based storage. A typical collection has grown from 1 TB to 10+ TB of digital evidence, much of it duplicated from one device or location to another, and consequently many examiners are finding it difficult to keep up with current trends and complete an examination in a reasonable amount of time. Given that the digital investigator is held to the same time and expense constraints as an eDiscovery examiner, with the added burden of needing to examine every exhibit, now is the time to look at where the two disciplines sit and where the forensic investigator can take lessons from the eDiscovery examiner’s workflows. To gain insight into these two disciplines we first need to review how each approaches an examination of digital evidence.
Before any digital forensic examination can begin, a collection of electronic evidence has to occur; this phase of the investigation may be performed by a team separate from the investigation analyst, leading to a disconnect in the information conveyed between the two groups. This in turn has the potential to overcomplicate the eventual analysis of the raw data. Refinement of collection techniques and information sharing can lead to a more streamlined investigation; this concept is not new to eDiscovery but is not always adopted by investigations teams.
Before we review where digital forensics can learn from eDiscovery examinations, we first need to understand the two disciplines; for this we will begin with an outline of what eDiscovery is. Historically, corporate documentation was predominantly stored and shared on printed copies (paper) and sent to authorized parties via facsimile, email, or in a “memo” format. When legal action was brought against the corporation, a team of reviewers would sift through reams of printed paper to identify items meeting the case parameters. This process worked because most corporate documentation was stored on paper and records were typically kept to a minimum. With the dawn of the digital age, this process evolved to meet the growing needs of retention policies and the prolific use of electronic mail (email). It was estimated in the early 2000s that over 90% of documentation had moved from paper-based systems to electronic databases, and a fraction of that data was never printed. This shift in corporate work practices led to the birth of electronic discovery (eDiscovery), whereby the collection of corporate data was no longer limited to printed paper but broadened its reach into electronic storage media such as hard disk drives, USB devices, server databases, and online storage such as cloud-based solutions. This shift in paradigm led to the birth of eDiscovery workflows that can be as straightforward as collecting and reviewing a few hundred documents or as involved as handling thousands of items, depending on the scale of the case. The vast quantities of data now being stored and collected require software solutions to cull, de-duplicate, and allow keyword searching across multiple sets of unstructured data in minimum time frames. This adoption of technology and the need to review data quickly has led to a multibillion dollar industry driven by workflows and an expanding technological evolution.
The workflow of an eDiscovery examination typically follows standardized practices (customized on a needs basis). Once legal authority to collect the data has been established, the collection analyst has several tools at their disposal to copy data from all known sources, either through a software agent on the remote computer or by visiting the client site and copying the data onto a sterile drive for later review. This is known as the “collection” phase, and it can contain individual files such as Microsoft Office documents, email databases, or full forensic images of hard drives and thumb drives. There are also occasions when hard copies of documents need to be scanned and added to the collection; this ensures that all data relating to the “matter” are in the dataset. Once the collection phase is completed, all files are added to the eDiscovery review software, where the data are processed and all words are indexed ready for examination. The first phase of the analysis is typically to remove known files based on MD5 hashes (digital fingerprints). This is known as “DE-NIST,” after the source of the digital fingerprints, the NIST (National Institute of Standards and Technology) known-file set. It is followed by de-duplication; this process uses the same hash of the file data to identify two or more files containing exactly the same content. Because MD5 collisions are practical to construct, examiners should match and verify with SHA-1 or SHA-256 where the hash set provides them. De-duplication removes duplicate items such as backup email messages and archives, backup copies of office documents, and duplicate copies of any data. Some examination tools are able to perform “near duplication” algorithms, allowing the software to identify files containing similar but not identical content. All the actions described will ultimately produce a dataset without known irrelevant files and with the number of duplicate documents for review reduced to a minimum.
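The DE-NIST, exact de-duplication, and near-duplicate steps described above, as an added example that is not code from the chapter or from any eDiscovery product. The file contents and the known-file hash set are constructed stand-ins; a real run would read files from the collection and load the NIST set from its distribution. Near duplication is shown as word-shingle Jaccard similarity, which is one common approach and an assumption here, not a claim about what any particular tool does:

```python
"""DE-NIST, exact de-duplication and a near-duplicate score for a collection.

Added example with constructed data; not the chapter's or any vendor's code.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample collection: relative path -> file content (bytes).
SAMPLE_FILES = {
    "custodian_a/report.docx": b"Quarterly report: revenue up, costs flat.",
    "custodian_a/backup/report.docx": b"Quarterly report: revenue up, costs flat.",
    "custodian_b/report_copy.docx": b"Quarterly report: revenue up, costs flat.",
    "custodian_b/notes.txt": b"Meeting notes: discuss merger timeline.",
    "custodian_b/Windows/notepad.exe": b"MZ fake operating-system binary",
}

# Constructed stand-in for an NSRL-style known-file set (hashes of OS and
# application files that carry no evidential value).
KNOWN_GOOD = {hashlib.sha256(b"MZ fake operating-system binary").hexdigest()}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of file content. MD5 is kept selectable only to match legacy
    hash sets; collisions are practical, so SHA-256 is the default."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def de_nist(files: dict, known_hashes: set, algo: str = "sha256") -> dict:
    """Drop every file whose digest appears in the known-file set."""
    return {p: d for p, d in files.items() if digest(d, algo) not in known_hashes}


def de_duplicate(files: dict, algo: str = "sha256"):
    """Group files by content hash. The lexically first path in each group is
    kept as the representative; the others are recorded as duplicates so the
    report can still state every location the content was found."""
    groups = defaultdict(list)
    for path in sorted(files):
        groups[digest(files[path], algo)].append(path)
    representatives, duplicates = {}, {}
    for h, paths in groups.items():
        representatives[paths[0]] = h
        duplicates[paths[0]] = paths[1:]
    return representatives, duplicates


def _shingles(text: str, k: int = 3) -> set:
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def near_duplicate_score(a: bytes, b: bytes, k: int = 3) -> float:
    """Jaccard similarity of k-word shingles; 1.0 is identical, 0.0 disjoint."""
    sa, sb = _shingles(a.decode("utf-8", "replace"), k), _shingles(b.decode("utf-8", "replace"), k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def cull(files: dict, known_hashes: set):
    """Full first pass: DE-NIST, then exact de-duplication. Returns the
    review set (path -> hash) and the duplicate map."""
    return de_duplicate(de_nist(files, known_hashes))


if __name__ == "__main__":
    review, dups = cull(SAMPLE_FILES, KNOWN_GOOD)
    for path, h in review.items():
        print(f"{h[:12]}  {path}  duplicates={dups[path]}")
```

On the constructed collection the known binary is dropped and three copies of the same report collapse to one item for review, with the other two paths retained in the duplicate map. The near-duplicate score is the piece to tune per case: a threshold around 0.8 catches successive drafts while keeping unrelated documents apart.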
The next phase in the examination is the manual (human) review of the processed data. This can take multiple passes depending on the nature of the case and the complexity of the examination. It is typically performed by a single reviewer or a team of reviewers, depending on the dataset and on whether the examination software allows collaborative examination of data. During this phase the reviewer(s) will mark items of interest that need further review, redact privileged items to obscure sensitive information and protect companies or individuals who do not form part of the examination, or flag items to pass on to legal review for clarification on jurisdictional ownership, for example, indecent images of a criminal nature.
Once the dataset has been culled down to a manageable size, a more detailed examination may begin to locate items of interest by supplying search terms to the examination software, thereby identifying items responsive to the search query. Modern eDiscovery review software typically contains many search query algorithms capable of Boolean searching, essentially applying simple logic to a keyword string; examples would be as follows.

Cat or dog not mouse

This would return hits on items containing the word “cat” or “dog” (possibly both terms) but not containing the word “mouse.” Note that without parentheses the precedence of the operators is tool-specific, so the same string can be read as “cat or (dog not mouse)” by one tool and “(cat or dog) not mouse” by another; to express the intent unambiguously, write the grouping explicitly. This simple query can be used to reduce the number of false-positive hits (items not relevant to the case). Another common Boolean search query is proximity searching, where two or more words need to reside within a given count of words of each other; an example could be:

Cat w/10 dog

This term requires both the terms cat and dog to be in the same item and within 10 words of each other.
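The two query forms above, as an added example that is not code from the chapter or from any review product: a small Boolean and proximity query evaluator run over constructed documents. The grammar is an assumption chosen to mirror the chapter’s examples (“not” between two operands is treated as “and not”; parentheses group; “w/N” binds tightest and applies to single terms), and the example deliberately shows that “cat or dog not mouse” and “(cat or dog) not mouse” return different item sets:

```python
"""Boolean and proximity keyword search over indexed documents.

Added example with constructed documents; not the chapter's or any vendor's code.
Precedence (an assumption of this grammar): w/N > not > and > or.
"""
import re


class Doc:
    """One indexed item: token list plus term -> word positions."""

    def __init__(self, doc_id: str, text: str):
        self.doc_id = doc_id
        self.tokens = re.findall(r"[a-z0-9']+", text.lower())
        self.positions = {}
        for i, t in enumerate(self.tokens):
            self.positions.setdefault(t, []).append(i)


# Query tokens: parentheses, proximity operators such as w/10, or bare words.
TOKEN_RE = re.compile(r"\(|\)|w/\d+|[^\s()]+", re.IGNORECASE)


class Query:
    """Recursive-descent parser producing a small tuple-based AST."""

    def __init__(self, text: str):
        self.toks = TOKEN_RE.findall(text)
        self.i = 0
        self.ast = self._or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in query")

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _next(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._unary()
        while self._peek() in ("and", "not"):
            op = self._next().lower()
            rhs = self._unary()
            node = ("and", node, ("not", rhs)) if op == "not" else ("and", node, rhs)
        return node

    def _unary(self):
        if self._peek() == "not":
            self._next()
            return ("not", self._unary())
        return self._prox()

    def _prox(self):
        node = self._primary()
        while self._peek() and self._peek().startswith("w/"):
            n = int(self._next()[2:])
            node = ("prox", n, node, self._primary())
        return node

    def _primary(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("expected )")
            return node
        return ("term", tok.lower())

    def matches(self, doc: Doc) -> bool:
        return _eval(self.ast, doc)


def _eval(node, doc: Doc) -> bool:
    kind = node[0]
    if kind == "term":
        return node[1] in doc.positions
    if kind == "not":
        return not _eval(node[1], doc)
    if kind == "and":
        return _eval(node[1], doc) and _eval(node[2], doc)
    if kind == "or":
        return _eval(node[1], doc) or _eval(node[2], doc)
    if kind == "prox":  # both terms present, some pair of occurrences within n words
        _, n, lhs, rhs = node
        if lhs[0] != "term" or rhs[0] != "term":
            raise ValueError("proximity operands must be single terms")
        lp, rp = doc.positions.get(lhs[1], []), doc.positions.get(rhs[1], [])
        return any(abs(a - b) <= n for a in lp for b in rp)
    raise ValueError(f"unknown node {kind}")


def search(query_text: str, docs) -> list:
    """Return the ids of documents responsive to the query."""
    q = Query(query_text)
    return [d.doc_id for d in docs if q.matches(d)]


# Constructed sample items.
DOCS = [
    Doc("d1", "The cat chased the dog around the garden."),
    Doc("d2", "A cat and a mouse lived in the barn."),
    Doc("d3", "The dog slept all day."),
    Doc("d4", "Mice and a mouse ran across the floor."),
]

if __name__ == "__main__":
    for q in ("cat or dog not mouse", "(cat or dog) not mouse", "cat w/10 dog", "cat w/2 dog"):
        print(f"{q!r}: {search(q, DOCS)}")
```

Under this grammar the unparenthesized query keeps d2 (it contains “cat”, and the “not mouse” only binds to “dog”), whereas the parenthesized form drops it; that difference is exactly why search strings used in a case should carry explicit grouping and be validated against a known item before the full run.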
Metadata, information pertaining to the file itself or its data, plays a big role in identifying items of interest during an eDiscovery examination, as it can yield more background information about the item(s) of interest. For a Microsoft Word document, for example, the metadata tells a more detailed story about the file, such as:
Author
Last author
Creation date of the file
Printed status (printed, last printed, etc.)
Template used
Revision number
There are many more metadata fields other than what is listed above, as well as many file types containing valuable insight into the items of interest; this information adds to the examination and identification of responsive files during the examination.
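Extraction of the Word metadata fields listed above, as an added example that is not code from the chapter or from any review product. A .docx file is a ZIP container whose core properties (author, last author, created, modified, last printed, revision) live in docProps/core.xml and whose application properties (template, editing time) live in docProps/app.xml; the example builds a constructed minimal .docx in memory so it runs offline, parses those two parts, and adds a consistency check of the kind an examiner applies before relying on the dates. The check thresholds are assumptions, not rules from the chapter:

```python
"""Extract author, last author, dates, print status, template and revision
from a .docx, then sanity-check the timestamps.

Added example with a constructed document; not the chapter's or any vendor's code.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {
    "title": "dc:title", "author": "dc:creator", "last_author": "cp:lastModifiedBy",
    "created": "dcterms:created", "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted", "revision": "cp:revision",
}
APP_FIELDS = {"application": "ep:Application", "template": "ep:Template",
              "company": "ep:Company", "edit_minutes": "ep:TotalTime"}


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None


def extract_docx_metadata(docx_bytes: bytes) -> dict:
    """Read core and app properties; missing parts simply yield no fields."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            out.update({k: _text(root, p) for k, p in CORE_FIELDS.items()})
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            out.update({k: _text(root, p) for k, p in APP_FIELDS.items()})
    return out


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def consistency_issues(meta: dict) -> list:
    """Flags worth a second look; none of them alone proves tampering."""
    issues = []
    created, modified, printed = (_parse_ts(meta.get(k)) for k in ("created", "modified", "last_printed"))
    if created and modified and modified < created:
        issues.append("modified precedes created")
    if printed and modified and printed > modified:
        issues.append("last printed later than last modified")
    if created and modified and meta.get("edit_minutes"):
        span_minutes = (modified - created).total_seconds() / 60
        if int(meta["edit_minutes"]) > span_minutes:
            issues.append("TotalTime exceeds created-to-modified span")
    return issues


# Constructed sample document parts (values are fictitious).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Project Falcon</dc:title>
  <dc:creator>A. Custodian</dc:creator>
  <cp:lastModifiedBy>B. Reviewer</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <cp:lastPrinted>2016-03-02T09:15:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2016-02-28T14:02:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-03-04T17:45:00Z</dcterms:modified>
</cp:coreProperties>""" % NS
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="%(ep)s">
  <Application>Microsoft Office Word</Application>
  <Template>Normal.dotm</Template>
  <TotalTime>95</TotalTime>
  <Company>Example Corp</Company>
</Properties>""" % NS


def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    for k, v in meta.items():
        print(f"{k:13s} {v}")
    print("issues:", consistency_issues(meta))
```

The same two XML parts exist in .xlsx and .pptx containers, so the extractor applies unchanged across Office Open XML documents; legacy binary .doc files keep equivalent fields in OLE property streams and need a different reader.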
As eDiscovery tools have evolved, so has the complexity of the searching functions they can perform. Many are capable of running algorithms to identify common “topics” of conversation across a given set of items. This reduces the time taken to read through many hundreds of files to gain insight into the “theme” of the data. Other software functions can perform analytics on items to search for other objects related to a given item(s), for example, searching for link files and other actions performed on the selected item(s). These are just two examples of how eDiscovery software has evolved to combat the growing quantity of data related to an examination.
The eDiscovery community developed a standardized model for the collection, examination, production, and final presentation of responsive data (data containing hits on keywords relating to the investigation); this model is known as the electronic discovery reference model (EDRM). This model was designed to create a standardized workflow in eDiscovery matters; although this was devised at a time when examination software was in its infancy it still outlines the basis of how the examination of electronic data should be processed and presented. Fig. 6.1 is a typical representation of this model.
Figure 6.1: The Electronic Discovery Reference Model (EDRM).
The nine stages of the EDRM, plus the optional return to information governance that closes the loop, can be summarized in the following outline; they are typical talking points when corporations are moving toward adopting this model for their eDiscovery processes.
Information Governance
The first stage is to ensure there are processes in place to quickly retrieve and present information to a requesting party and ensure the data compliances are up to date through constant review. This stage can also be referred to as information management.
Identification
During this phase all the electronically stored information (ESI) being requested by the examining body needs to be identified. A newer challenge for this and the collection phase (below) is bring your own device (BYOD), where relevant information may reside on personally owned hardware that is not necessarily available during the audit.
Preservation
This phase ensures the data are not altered or deleted prior to collection; failure to adhere to this stage can result in sanctions heftier than the cost of the litigation itself.
Collection
Process of collection of the ESI for eDiscovery examination
The preservation and collection phases are typically referred to as legal or litigation hold.
These first four phases typically involve interaction with the IT department of the company under the litigation hold; the following phases are where the analysis of the data occurs and legal counsel is taken.
Processing
This phase will take the collected data and process it into a form suitable for review and analysis; an example would include converting data from one storage medium into a more suitable container.
Review
Identifying which of the collected data is either relevant or legally privileged.
Analysis
The analysis phase is typically performed by an examiner or a reviewer; keywords and other relevant searching functions are performed to identify item(s) responsive to specific keywords.
Production
This is the reporting phase where the responsive data are produced and delivered to all necessary parties in the correct format.
Presentation
Presenting the findings to an audience in a trial, hearing, or review board typically in a format as close to near native as possible. This phase can elicit further examination of the collected information.
Information Governance review
The final stage is an optional review where the corporation having been through an investigation can review its information governance practices and update as necessary.
The overall process of the EDRM will be reviewed from a digital investigations (criminal case) perspective later in this chapter; however at this stage we can see there are many similarities in workflows from collection to production between the two disciplines.
In summary, the eDiscovery landscape has developed a series of processes to ensure data are collected and analyzed in a consistent and cost-effective manner, thereby reducing the costs while maintaining quick effective examination of unstructured data. In the next section, we will see there are many parallels in this methodology and potential enhancements on digital investigations workflows.

Digital investigations workflows

Digital investigations became more prevalent in criminal investigations in the early 1990s, when storage media was measured in kilobytes and cellphones were exclusive to the rich and famous. Over the subsequent decades investigators have seen an exponential growth in the number of devices associated with a criminal case, as well as in the amount of data being seized both at the crime scene and online. Over the years, many expert institutions have tried to define the field, but in an ever-changing landscape each definition seems to become obsolete as new technology becomes available and commonly used. In the early days, “computer forensics” seemed to cover all the bases, but with the move from personal computer storage to cloud-based systems and widespread smartphone usage, the term digital investigations seems more relevant and has become commonplace.
The field of Digital Forensics and the Digital Investigator can be as broad as it is deep; nearly all types of criminal activity will involve some form of electronic data to be analyzed, from a disposable cellphone to a network intrusions case, each item will pose a challenge to the investigator.
The Digital Forensics Research Workshop (DFRWS) (Palmer, G., 2001) defined the science of digital forensics in 2001 as:

the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal …

Using the DFRWS assessment of digital forensics we can start to draw some parallels in methodologies used in the EDRM discussed earlier in the chapter.
Although not all sections of the EDRM can fit into a workflow for a digital investigation, we can extract several sections such as:
Identification – This is the initial phase of the investigation, where the items of interest need to be quickly identified and brought into custody. Although investigators will gather as much intelligence as possible prior to an arrest to ascertain the scope of items to be seized, this is not always possible. The challenges also include locating remote data not disclosed by the suspect, as well as data encryption and obfuscation.
Preservation – This phase has the potential to collect information that might later be unavailable such as remote storage access, physical memory (RAM), mounted encrypted volumes, and other physical devices unidentified during the search and seizure operation. Removing the suspect from the crime scene would also be grouped into this phase.
Collection – A digital investigator would typically create a bit-by-bit image of any seized storage media, allowing copies of the data to be examined. Challenges arise with the widespread use of online storage solutions (cloud) and web-based email communications; these require the examiner to subpoena the hosting organization or ISP and to collect the logical file data only. Problems arise when the data are stored across country boundaries, where local laws prevent the removal of data to other jurisdictions.
Examination – This phase requires all the collected data to be analyzed and sorted into degrees of relevance to the alleged crime. Much of the data will need to be removed having no bearing on the case; many software applications will be used to achieve this as quickly as possible and the investigator will draw on their own investigative experience to determine if data are relevant or ignorable.
Analysis – Once all data have been examined the totality of the findings needs to be collated and cross referenced with the many storage devices held in custody relating to the case under investigation; this may require specialist tools to perform link analysis; linking all the devices together to gather a potential timeline of events.
Presentation – The investigator will prepare a report containing all the items they believe are relevant to the allegation; this will involve detailed reports of action taken to produce the final report and a glossary of terms for the less technically skilled readers of the report.
Table 6.1 quickly illustrates the similarities between the workflow processes.

Table 6.1

Workflow Similarities

Digital Investigations    eDiscovery Workflow
Preparation               Information Governance
Preservation              Preservation
Collection                Collection
Examination               Processing
                          Review
Analysis                  Analysis
                          Production
Presentation              Presentation
The above process has already identified some of the key similarities between an eDiscovery examination and the digital investigation in a criminal case. With this knowledge, we can begin to surmise where eDiscovery techniques can aid in a criminal investigation; this can also lead to the use of eDiscovery tools to enhance the processes the forensic examiner has already employed.
The common ground can be further explored and expanded upon; to do this, let us review specific phases and discuss how each discipline handles its obligations. The initial phase of collecting data is typically preceded by identifying the scope of the case; in eDiscovery this takes the form of a discussion of risk mitigation and costs. An eDiscovery case is typically driven by the cost of the litigation while attempting to meet legal commitments; this is best managed at the information governance stage. If the data are not provided in the correct form or timeframe, however, the cost of failing to meet these obligations can exceed the litigation itself. Criminal investigations have similar concerns: understanding where the data are stored matters because the volume of data collected can exponentially increase the budgeted costs and the time taken to examine the exhibits associated with the investigation. This is further complicated when documentation needs to be translated from one language to another. Preservation and collection are the same in aim for both digital investigations and eDiscovery; both have the end goal of collecting all data relevant to the allegation. The manner in which these are carried out can be very different. In a litigation case, a preservation order is issued to inform the owner of the data to preserve all information for investigation, and failure to adhere to this order can be more costly than the litigation itself, whereas in a digital investigation preservation of the data typically involves immediate seizure of the data from all known locations, and interference with these data can lead to separate criminal charges.
The collection of data will vary from case to case in a digital investigation; in some instances the source files may be hosted on unfamiliar systems or stored in remote locations unknown to the investigator, whereas in an eDiscovery case storage locations would have been disclosed and are accessible to the examiner before collection. Both disciplines are faced with the potential high volume of data being brought into the forensic laboratory for processing.
The examination phase is where the separation between the disciplines begins to show. In an eDiscovery analysis the data are divided into relevant and irrelevant items, mostly through automated processes in the review software. The outcome of the first pass can then be handed off to a team of eDiscovery reviewers to further identify items of relevance. For the digital investigations examiner, this phase is where specialized personnel are brought in to locate and identify items fitting the alleged crime. The investigations examiner may also need to bring in specialized personnel to extract and analyze data from unfamiliar locations, for example, cellphone data where cell-tower information needs to be accurately determined and explained. The process of hand-off between examiners is similar to the first, second, and third passes in eDiscovery; this workflow allows collaborative examination of the evidence while ensuring that the personnel examining each type of data are qualified to provide expert witness testimony on it.
Once all the data have been through the collection, examination, and review phases, the responsive data are exported for third-party review. In an eDiscovery examination this is performed by producing an export set for production. Redactions and markups may be required, in which case the export operation will typically produce PDF renderings of the original native files, obscuring privileged items and highlighting key points in others. In a digital investigations report, the investigator will select the relevant items bookmarked for the final report and export the native files from the source images to a location on disk. Both eDiscovery and digital investigations exports are then typically reviewed by a third party prior to submission to a court or tribunal; therefore, details of origin and relevance to the case need to be explained either in written form or through planned briefings.
With the information obtained from the above process, we can now start to define the key similarities between the two disciplines; the list below outlines these items:
Big data
Large volumes of unstructured data from multiple sources.
Resource management
Case management tied to budget concerns and expertise availability to analyze and process the data.
Case intelligence
Using background information to refine keyword search strings and quickly identify items responsive to the allegation.
Collaborative processing
Use of multiple workstations to ingest data for examination and review.
Collaborative review
Selected data can be shared between groups of reviewers allowing for quicker analysis of the data, normally performed via browser-based interface.
Scripting of common functions
Use of automation to streamline workflow for consistent, repeatable processes
Now that we have had a brief explanation of the similar workflows between the disciplines, we can build a table to quickly identify where each can learn from the other. In Table 6.2, we can clearly see where the key differences currently lie.

Table 6.2

Examination Differences

Main Differences

eDiscovery | Digital Investigations
Text-focused examinations with minimal attention to graphic images | Focus is dictated by the type of investigation; graphic images, browser activity, and chat messages are typical sources of evidence
Interested only in responsive data relevant to search terms | Interested in the content relating to the incident as well as the activities surrounding it
Primary focus is to manage costs | Primary focus is to locate evidence
Data are categorized by custodian | Evidence is grouped by source
Focus is on civil proceedings | Investigations in criminal cases
Chain of custody process not always required | Chain of evidence maintained at all times

In summary, we have seen many landmark shifts in how digital investigations have evolved from the fledgling days of computer forensics, when the “computer crime examiner” was faced only with small hard disk drives contained in desktop PCs. In today’s environment our investigators are faced with petabytes of data coming in from a multitude of external sources; cloud-based storage presents new legal challenges of ownership, and with cellular data even the least tech-savvy suspects carry more computing power in their hands than a NASA Space Shuttle of the 1980s. The digital investigator now needs to look not only at how eDiscovery manages its “big data” but also at the tools of choice used to cull through the unstructured data. In the next section, we will look at how we can leverage the eDiscovery process and software tools to aid in a forensic investigation.
In order to look at how we can leverage eDiscovery processes for a Digital Forensic investigation, we first need to review the types of tools the examiner has at their disposal and the function they play in the EDRM process. As we have seen in this chapter, eDiscovery is familiar with dealing with large sets of unstructured data which have ultimately driven the software industry into producing analysis tools to effectively handle large volumes of data while keeping productivity costs trim. eDiscovery tools have typically been designed to focus attention on email communications and office documents with many venturing into visualization to draw a more graphical representation of data flows. When it is required to share data across a network for additional review the software packages typically produce a rendered view of the file, so the less technically trained reviewer simply needs to view the data without having to navigate a hierarchical file system. Many eDiscovery software vendors are now becoming more “Investigations” friendly where functions and process can be applied to a criminal investigation.
When considering an eDiscovery tool for use in a criminal case, the investigator should first look at the software’s claims of functionality: do any of the functions match the similarities in processing techniques between eDiscovery and investigations? Once a possible candidate is selected, it should be able to handle forensic images (for example, EnCase E01, AccessData AD1, and raw dd files) and have the capability to work at the physical level to potentially extract deleted data while performing carving operations. As eDiscovery tools are geared toward reviewers, the presentation of the items is also important; a clear distinction between allocated data and recovered files must be obvious. Last, the ability to recognize all the components of file data is important, as trained forensic examiners are used to viewing data at the hex level while relying on extraction of file metadata to build an overall picture of the item.
When considering an eDiscovery tool to use in a criminal investigation several functions are required to ensure that the software can process the image files to produce a view of the data the investigator can work with. During the case creation phase several functions must occur:
The software needs to be able to process forensic image files and extract all the information pertaining to the items discovered.
The software should be flexible enough to ingest data from specialized tools such as cellphone acquisition software.
The tool has to have the ability to work at the physical level of the source evidence data.
The tool should be able to interact directly (through write-blockers) with evidence media.
The software package should in no way alter or destroy the evidence files.
The tool should maintain a constant log of actions performed on the case and log errors if they occur during ingestion.
The tool should be able to compute message digests (hashes) of file data.
The above list would be considered the minimum requirement for any software package to be considered a forensic platform. However, there are other factors the examiner needs to be aware of: the complexity of case creation, for which the investigator has to make decisions when building the case; which eDiscovery-focused preprocessing options can be disabled, and the impact of doing so on the data presented after processing; and whether training is required to build a simple case.
Once the data have been ingested into the software we reach the processing phase; this can greatly influence the examiner’s choice of which eDiscovery tool best fits the needs of the criminal examination. One consideration is as simple as how the tool handles the SQLite databases that hold typical browser artifacts. Many eDiscovery tools can only view such a database as extracted text, giving no value to the data it contains, whereas other tools are able to extract the information row by row. These types of considerations are outlined in, but not limited to, the following list:
The software package should be scalable to handle complex cases for multiple access to the case data and examination.
The software should be able to deconstruct known data types such as SQLite, plist, and ESE databases.
The rendering of semistructured data into a readable format should be presentable so that partial webpage, word documents, etc., can be analyzed.
Ability to render other known file types into human-readable data and extraction of the metadata contained within them.
Hashing functionality both to compute digests and to identify items by their digital fingerprint.
Expansion of compound and archive files leading to individual items in the case database.
The software should be customizable and allow more advanced examiners to use scripting to automate processes as well as to perform advanced functions on the data.
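The row-by-row database handling asked for above, as an added example that is not code from the chapter or from any eDiscovery or forensic product. It builds a constructed Chrome-style History database in memory (the urls and visits tables, which is an assumption about the minimum schema needed here), converts Chrome’s timestamp format (microseconds since 1601-01-01 UTC; Firefox places.sqlite uses microseconds since the Unix epoch, and a converter for that is included), decodes the core page-transition type, and reconstructs the referrer chain ordered by time, which is what a text-only view of the file cannot show:

```python
"""Row-by-row extraction of browser history from a SQLite database, with
timestamp conversion and referrer-chain reconstruction.

Added example with a constructed database; not the chapter's or any vendor's code.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Core transition types (low byte of the visits.transition value).
CORE_TRANSITIONS = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}


def chrome_time_to_dt(us: int) -> datetime:
    """Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC."""
    return CHROME_EPOCH + timedelta(microseconds=us)


def dt_to_chrome_time(dt: datetime) -> int:
    td = dt - CHROME_EPOCH  # integer arithmetic; a float would lose microseconds here
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def firefox_time_to_dt(us: int) -> datetime:
    """Firefox places.sqlite visit_date: microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=us)


def build_sample_history() -> sqlite3.Connection:
    """Constructed two-visit history: a typed visit, then a link click from it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = dt_to_chrome_time(datetime(2016, 3, 4, 17, 45, tzinfo=timezone.utc))
    t1 = t0 + 30 * 1_000_000  # thirty seconds later
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 1, t0),
        (2, "https://example.com/login", "Sign in", 1, t1),
    ])
    # 0x30000000 sets the chain-start/chain-end flag bits; the low byte is the core type.
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x30000001),   # TYPED, no referring visit
        (2, 2, t1, 1, 0x30000000),   # LINK, reached from visit 1
    ])
    conn.commit()
    return conn


def parse_history(conn: sqlite3.Connection) -> list:
    """One dict per visit, in time order, with the referring URL resolved."""
    sql = """
        SELECT v.id, u.url, u.title, v.visit_time, v.transition, r.url AS referrer
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits pv ON pv.id = v.from_visit
        LEFT JOIN urls r ON r.id = pv.url
        ORDER BY v.visit_time
    """
    rows = []
    for vid, url, title, vt, trans, ref in conn.execute(sql):
        core = trans & 0xFF
        rows.append({
            "visit_id": vid,
            "url": url,
            "title": title,
            "visited_utc": chrome_time_to_dt(vt).isoformat(),
            "transition": CORE_TRANSITIONS.get(core, f"UNKNOWN({core})"),
            "referrer": ref,
        })
    return rows


if __name__ == "__main__":
    for row in parse_history(build_sample_history()):
        print(f"{row['visited_utc']}  {row['transition']:6s}  {row['url']}  <- {row['referrer']}")
```

Against a seized History file the only change is opening a read-only copy of the database rather than the in-memory sample; the query, the time conversion and the transition decoding are the parts a text-extraction view throws away, and the ordered output feeds directly into a timeline.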
Once the processing phase has been completed, the investigator will reach the review stage of the examination. Typically, eDiscovery tools are designed to perform fast and accurate keyword searching; therefore on a case containing primarily documents this phase can outshine most forensic software tools. Again, there are a number of functions the eDiscovery tool should exhibit to be considered an option for the forensics investigator. The list below outlines some of the essential considerations:
Flexibility in where and what can be searched
The software should allow items to be bookmarked for reporting or exporting purposes
The ability to sort data by various values such as type, date, time, size, etc., whereby allowing focus to be drawn to selected items
Advanced searching capabilities with Boolean and proximity support
Near native view of file data without the need to install the application used to create the file
There are a number of other functions that are desirable to the forensic examiner; however, as with digital forensic software, each package has its pluses and minuses in functionality. The investigator should determine the minimum functionality required to remain productive before choosing any software package.
The analysis phase is where the two disciplines begin to show gaps: here the investigator needs to build a picture of the historical events surrounding the items identified as relevant to the allegation, whereas litigation cases typically only need to identify items containing keywords and phrases. Since eDiscovery tools are primarily focused on email communications, their visualizations are typically limited to those artifacts; therefore, in a criminal case where browser artifacts are the primary source of information, traditional forensic tools outshine eDiscovery tools. At the time of writing, several eDiscovery software packages are developing advanced visualization techniques to address these deficiencies. Once again, we can list the essential functions our tool needs in order to be used in a criminal investigation.
When presented with a file of interest the software package should be able to aid the investigator in identifying additional items of interest to the case.
The software should be able to present data in a timeline fashion.
Use of fuzzy logic when performing keyword searches such as misspelt words or slang terms.
Provide containerized sections of similar file types as well as entity recognition such as SMS messages, Call logs, etc.
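The Boolean and proximity searching listed under the review stage above, and the fuzzy keyword matching listed under the analysis stage, can be shown together in one small search engine. The following is an added example written for this section; it is not code from the chapter or from any eDiscovery product. The four documents are constructed inline, and the query syntax (upper-case AND/OR/NOT, term~N for N edits of fuzziness, a NEAR/n b for proximity) is an assumption chosen for illustration rather than the syntax of any particular tool.

```python
"""Keyword review over a small inverted index: Boolean AND/OR/NOT, proximity
(NEAR/n) and fuzzy (edit-distance) term matching.

Added example, not code from the chapter or from any eDiscovery product. The
document set is constructed inline and the query syntax is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample documents keyed by an exhibit-style identifier.
DOCS = {
    "EX001": "The shipment leaves the warehouse on Tuesday; invoice attached.",
    "EX002": "Re: shipmnt delayed. Warehouse manager says invoice not yet paid.",
    "EX003": "Lunch on Tuesday? The invoice for the conference is due.",
    "EX004": "Warehouse inventory count complete. No shipment scheduled.",
}

TOKEN = re.compile(r"[a-z0-9]+")
OPERATORS = {"AND", "OR", "NOT"}


def tokenize(text):
    return TOKEN.findall(text.lower())


def build_index(docs):
    """term -> {doc_id: [token positions]}; positions make proximity queries possible."""
    index = defaultdict(lambda: defaultdict(list))
    for doc_id, text in docs.items():
        for pos, tok in enumerate(tokenize(text)):
            index[tok][doc_id].append(pos)
    return index


def edit_distance(a, b):
    """Levenshtein distance, used to match misspelt terms such as 'shipmnt'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def postings(index, term):
    """Docs and positions for a term, honouring a trailing ~N fuzziness suffix."""
    base, _, fuzz = term.partition("~")
    max_dist = int(fuzz) if fuzz else 0
    merged = defaultdict(list)
    for t in index:
        if edit_distance(t, base) <= max_dist:
            for doc_id, pos in index[t].items():
                merged[doc_id].extend(pos)
    return merged


def near(index, t1, t2, n):
    """Docs in which some occurrence of t1 lies within n tokens of some t2."""
    p1, p2 = postings(index, t1), postings(index, t2)
    return {d for d in p1.keys() & p2.keys()
            if any(abs(a - b) <= n for a in p1[d] for b in p2[d])}


def operand_docs(index, words):
    """An operand is a single term or 'term NEAR/n term'."""
    if len(words) == 3 and words[1].upper().startswith("NEAR/"):
        return near(index, words[0], words[2], int(words[1].split("/")[1]))
    if len(words) != 1:
        raise ValueError("malformed operand: " + " ".join(words))
    return set(postings(index, words[0]))


def search(index, query):
    """Evaluate left to right, e.g. 'shipment~1 AND invoice', 'invoice NOT tuesday',
    'warehouse NEAR/3 shipment'. NOT is binary (A NOT B); operators are upper case."""
    result, op, buf = None, None, []
    for tok in query.split() + ["AND"]:          # sentinel flushes the last operand
        if tok in OPERATORS:
            docs = operand_docs(index, buf)
            if result is None:
                result = docs
            elif op == "AND":
                result &= docs
            elif op == "OR":
                result |= docs
            else:
                result -= docs
            op, buf = tok, []
        else:
            buf.append(tok.lower())
    return sorted(result)


if __name__ == "__main__":
    idx = build_index(DOCS)
    for q in ["shipment AND invoice", "shipment~1 AND invoice",
              "warehouse NEAR/3 shipment", "warehouse NEAR/3 shipment~1",
              "invoice NOT tuesday", "tuesday OR warehouse NOT shipment"]:
        print(f"{q:40} -> {search(idx, q)}")
```

The point of keeping token positions in the index is that proximity (NEAR/n) and fuzzy matching compose: "warehouse NEAR/3 shipment~1" finds EX002, where the word is misspelt as "shipmnt", which an exact keyword search would miss. A production tool will stem, handle phrases and score relevance; this block only shows the mechanics the chapter's lists ask for.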
Finally, the production phase is typically where the investigator needs to produce a report for prosecuting counsel. The report function should be flexible enough to support investigator notes and comments on exported items and to allow customized information about each item's location to be included in the report. The key capabilities the report function should possess are:
The report should be presented in a format understandable at all levels of technical ability.
Reports should be able to display explicit information on the items being reported, such as the physical location of the data, metadata values, etc.
Full logging of the actions performed should be available to the examiner and optionally exportable for auditing purposes.
When evaluating eDiscovery processes for use in a criminal case, the investigator should consider all the scenarios in which the tool will be used, to ensure it has the capacity to get the job done. eDiscovery tools are not a replacement for traditional forensic tools; however, they can sift through large volumes of data and produce a refined dataset the investigator can work with in a reasonable timeframe, and EDRM workflows can aid in quickly triaging seized data. Bearing in mind the scope of a typical litigation case (text-based examinations) and the broad range of cases a criminal investigator will come across throughout a calendar year, we can now draw our focus to where workflows seen in eDiscovery examinations can be implemented to enhance digital investigations.
Digital investigations typically begin with the identification of files and folders that may hold items of interest relating to the case under investigation. Using the first-pass review approach of an eDiscovery workflow, the investigator can use a forensic tool such as AccessData's FTK Imager to quickly identify the items most likely to contain data responsive to the allegation, export those items from the full disk image(s), and then import them into the eDiscovery tool for indexing and keyword searching. Although this process will not work for every type of case or crime, it illustrates a workflow for getting to the relevant data quickly: culling irrelevant items before indexing, and reducing the number of items the examiner has to identify, removes much of the overhead of most forensic tools while leveraging the indexing power of tools designed for large volumes of text-based items. The process may need to be repeated several times to reach a refined data set that is manageable to examine, much like the first-, second-, and third-pass reviews of an eDiscovery case. Where large databases or binary files (graphics, movie files, etc.) need to be analyzed, the examiner can still use the approach above to cull the collection down to a smaller number of files, but should then bring the final data set into a forensic tool capable of handling more complex data structures for detailed analysis. Throughout, the exported items should be hashed and each culling decision logged, so that every exclusion from the indexed set can be accounted for later.
The workflow discussed above can be expanded into a distributed review process when the data sets are more than a single investigator can handle in a reasonable amount of time. Once the items of interest have been identified, they can be divided into subcategories and reviewed by a pool of examiners; for example, office files can be further subdivided by file type. This is common practice in eDiscovery cases, where the software is designed to host all the data in a single location and to manage the case centrally through reviewer access credentials, granting each reviewer account access to a particular slice of the data and thereby allowing collaborative examinations. Several mainstream forensic tools are now adopting this approach, although they stop short of recommending that forensic labs adopt an eDiscovery workflow.
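The first-pass cull and the division into reviewer batches described in the two paragraphs above can be shown as one script. This is an added example written for this section; it is not code from the chapter, from FTK Imager or from any eDiscovery product. It assumes the investigator has already exported a set of files from the disk image into a directory, and the extension list, the date window, and the sample files it creates are all assumptions made for illustration. Each file is hashed, exact duplicates are dropped (the chapter's observation that much seized data is duplicated across devices), out-of-scope types and dates are set aside with a recorded reason, and the survivors are split into per-type batches for a review pool.

```python
"""First-pass cull of files exported from a disk image, ahead of eDiscovery ingest.

Added example, not code from the chapter or from any forensic product. The
extension list, date window and sample files are assumptions for illustration.
"""
import csv
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Types a text-indexing eDiscovery tool handles well (assumed list).
TEXT_TYPES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
              ".txt", ".rtf", ".msg", ".eml", ".html", ".htm"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def walk_export(root):
    """Yield (path, ext, size, mtime) for every regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p):          # skip symlinks, sockets, devices
                continue
            st = os.stat(p)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            yield p, os.path.splitext(name)[1].lower(), st.st_size, mtime


def cull(root, since, until, keep_types=TEXT_TYPES):
    """One review pass: dedupe by SHA-256, then filter by type and mtime window.

    Returns (kept, culled); every culled row carries a 'reason' so the decision
    to drop it can be defended later.
    """
    seen, kept, culled = {}, [], []
    for p, ext, size, mtime in sorted(walk_export(root)):
        digest = sha256_file(p)
        row = {"path": p, "ext": ext, "size": size,
               "mtime": mtime.isoformat(), "sha256": digest, "reason": ""}
        if digest in seen:
            row["reason"] = "duplicate: " + seen[digest]
        else:
            seen[digest] = p
            if ext not in keep_types:
                row["reason"] = "type not in scope"
            elif not (since <= mtime <= until):
                row["reason"] = "outside date window"
        (culled if row["reason"] else kept).append(row)
    return kept, culled


def batches_by_type(rows):
    """Group kept rows by extension so each reviewer in a pool gets one file family."""
    out = defaultdict(list)
    for r in rows:
        out[r["ext"]].append(r)
    return dict(out)


def write_manifest(rows, path):
    """CSV manifest: the kept list feeds the eDiscovery tool, the culled list the case notes."""
    fields = ["path", "ext", "size", "mtime", "sha256", "reason"]
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fields)
        w.writeheader()
        w.writerows(rows)


def build_sample_export(root):
    """Write a constructed sample export (not real evidence) under root."""
    samples = {  # relative path: (content, UTC modification time)
        "Users/alice/Documents/memo.docx": (b"quarterly memo re shipment", "2019-03-04T10:00:00"),
        "Users/alice/Documents/memo_copy.docx": (b"quarterly memo re shipment", "2019-03-05T09:00:00"),
        "Users/alice/Documents/old_memo.txt": (b"draft from 2012", "2012-01-15T08:00:00"),
        "Users/alice/Pictures/photo.jpg": (b"\xff\xd8\xff\xe0 not really a jpeg", "2019-03-04T12:00:00"),
        "Users/alice/Mail/inbox.eml": (b"From: bob@example.com\n\nshipment arrives tuesday", "2019-04-01T14:00:00"),
    }
    for rel, (data, ts) in samples.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
        os.utime(p, (t, t))


def demo():
    """Run one pass over the sample export; returns a summary for checking."""
    since = datetime(2019, 1, 1, tzinfo=timezone.utc)
    until = datetime(2019, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        build_sample_export(root)
        kept, culled = cull(root, since, until)
        write_manifest(kept, os.path.join(root, "kept.csv"))
        write_manifest(culled, os.path.join(root, "culled.csv"))
        return (sorted(os.path.basename(r["path"]) for r in kept),
                {os.path.basename(r["path"]): r["reason"].split(":")[0] for r in culled},
                sorted(batches_by_type(kept)))


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for defensibility. Files are hashed before any filtering, so the hash of every exported item, including the ones culled, ends up in a manifest, and a culled row always states why it was dropped; a second or third pass simply runs cull again over the kept set with narrower criteria. The binary and database files that the paragraph above sends to a traditional forensic tool are exactly the "type not in scope" rows of the culled manifest, so nothing leaves the audit trail when the data set is split between tools.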
Promoting an eDiscovery tool as an end-to-end solution for digital investigations is not practical. Most criminal cases contain an array of complex data structures that eDiscovery software is not built to handle. Many forensic labs are nevertheless already adopting the EDRM workflow, as it fits well with the types of investigations they encounter. For a smaller forensic lab, a first-pass review may be the best way to speed up examinations but may fall outside the budgetary constraints imposed on purchasing examination software. When considering a tool that supports a more eDiscovery-like approach without the high cost of a full solution, the investigator should consider at what point open source and free software can aid the approach. Where and what types of data are likely to be encountered also need to be considered; for example, most forensic examinations will now include cellphone and cloud-based data. Most forensic and eDiscovery tools are ill-equipped to handle these collections alongside mainstream image formats; however, this should not exclude a tool from being chosen to support a new workflow. It is merely a consideration: does the tool have the capacity and flexibility to deal with non-standard data?
The digital forensic world is ever changing and always looking for ways to refine its work practices while remaining concise and precise in the examination of data. eDiscovery workflows are driven by similar goals, with the added bonus of millions of dollars in software development and cost-effective workflows. Convergence of the two sets of workflows is not necessarily inevitable, but the forensic examiner can dissect the EDRM to suit the lab's needs, thereby potentially becoming more productive and reducing backlogs in the analysis of data.