Digital Forensic Preservation vs. Collection: A Practical Guide

Forensic preservation and collection are crucial steps in any investigation or litigation. The choices legal teams make in these early stages determine not only what kind of legal strategy they can put together, but also how burdensome it is to build that strategy and what kinds of audibles they can call downstream if necessary.

Collection Does Not Equal Preservation

So what exactly do “data collection” and “data preservation” mean and why is it important to keep the ideas separate?
Forensic preservation = making sure data remains intact in case it’s needed.
Forensic collection = taking data into custody for actual investigation.  

Think of your data population as a grocery store. It doesn’t make sense to buy the entire grocery store to make one dish just because you might need some of those ingredients. It makes far more sense to read your recipe, make a shopping list of the ingredients you’ll need, and buy only those.

When you collect every potentially relevant piece of data, you’re effectively buying the whole grocery store. This is usually going to end up being needlessly expensive, and make other processes downstream needlessly burdensome. By preserving data, you keep the grocery store intact and can always go shopping again if your first collection doesn’t pan out the way you want. In some cases, data preservation could be as simple as checking a few boxes on the backend of Microsoft 365. This distinction allows legal teams to benefit from more economical, tailored forensics techniques without leaving important evidence on the table. Preserving data means that you’ll have the option to make a Plan B (or C or D or E!) without the added, costly burden of collecting everything.

So Why Is Forensic Data Preservation Necessary? Isn’t Data Stored Anyway?

For a long time, conventional wisdom was that anything you write on the internet is there forever, but that’s not as true as it once was. Now, most of the technology we use in our day-to-day lives is cloud based, and people are generating so much new data that old data has to go somewhere. Automated deletion has become par for the course in most organizations.

Luckily, data preservation is not always that complicated. It could be as simple as disabling some of those automated deletion functions, and even simple preservation practices can still have a profound impact. More and more organizations are realizing the importance of such strategic data retention. By automating the deletion of redundant or obsolete data, organizations save on data storage, while still ensuring that important data remains available if further investigation is necessary. Forensics technicians can advise you on such policies, and how to organize the data you want to keep.  

When investigations do happen, these data preservation measures can help things run more smoothly and can set you up to make contingency plans if need be. If it comes out later that crucial data could’ve been preserved but wasn’t, you could face adverse consequences such as sanctions. In a recent antitrust litigation, Google was sanctioned after courts determined that it had failed to preserve important information.

The important thing here is not to neglect data preservation because you’re assuming data is preserved by default. A digital forensics expert can work with you and your IT team to determine what is and isn’t being preserved already, and what changes to make if any are warranted.

So How Do I Determine What Data To Collect?

Once we accept that, as long as data is preserved, not every potentially relevant piece of it needs to be collected, another question arises: what DO we collect?

Well… it depends.

What are you actually hoping to find during your investigation? Knowing that can guide your forensics team in the right direction. While it’s understandable to want all the information before you’re too committed to a strategy, James Whitehead, Associate Director of Digital Forensics at Contact Discovery, says that’s not always the best order of operations.

“As digital forensics experts, we often bring the most value when legal teams have some idea of what information they’d like to find, and where that information is most likely to live,” James says. “We can control costs and save time if we’re able to narrowly tailor our forensics approach to what’s most likely to prove helpful.”  

Oftentimes, the reluctance to take a more targeted approach stems from a fear of leaving important data behind. By making sure you’re preserving, you’re able to be a little more calculated with collection while still hedging your bets.

By approaching these two related, yet different forensic processes with the appropriate strategies, legal teams can have their cake and eat it too: effective, efficient investigations without too much clutter in their dataset, while still protecting themselves against spoliation and a lack of contingency options.      

Disclaimer: This content is for general information purposes only, was not written by an attorney, and does not constitute legal advice.
