A Data Forensics Expert's Advice on Targeted Collections

by Warren G. Kruse - Altep on July 30, 2015

Collection , Litigation Support , Product Spotlight

blog_targeted-collection-horizontal

More and more, we hear case teams talking targeted collections rather than full disk images of custodians’ hard drives. The benefits of a targeted collection are pretty clear—you collect less up front, and you spend less downstream—but it’s still a new approach for some case teams. Consider this insight as you develop the data management strategies that will be most effective for your case.

Why Consider a Targeted Collection?

e-Discovery and the technologies we use to perform it have evolved a great deal in recent years, and so should our strategies. A good legal services partner is a consultancy, not just a “collections” group. It’s our job to help educate internal case teams about the pros and cons of each possible approach and method, and then explain our recommendations and the reasoning behind them.

Collection is an area where the approach can have a significant impact. Broadly speaking, a full disk image offers one important advantage: you know you’ve captured everything on the media. That’s why case teams often prefer this approach, and why, for some projects, it makes the most sense.

However, our clients are often huge enterprises that simply can’t collect everything and ensure proportionality in the case. There’s simply too much data. By carefully targeting the right data, you can avoid wasting time, energy, and money.

When to Perform a Targeted Collection

Electing to perform a targeted collection depends on the case and the custodian. Best practices for selecting and refining a targeted collection strategy include two early steps to help decide whether it’s the right option:

1) Be as specific as possible in custodian questionnaires and interviews so you can determine the level of complexity before the case begins; and
2) Scout the custodians’ machines and compare the files they actually have against the body of data they say they have.

For example, custodian John Smith reports in his interview that he has one folder on his desktop for Project X. However, when you scout John’s machine, you find a sub-folder of My Documents which is also named Project X. The discrepancy raises the question whether John really remembers what his data comprises, or whether he’s fully disclosing his involvement. Given the uncertainties, you might opt to collect a full disk image rather than basing your approach on John’s responses.

Other custodians, meanwhile, will know exactly where their data is stored and what kinds of information they own. This makes them excellent candidates for targeted collections.

In this example, the combination of detailed custodian questionnaires and independent data auditing with a tool such as scout allows you to gather vital intelligence early on and helps you make the best decisions downstream.

The Keys to a Successful Collection

Once you’ve identified the appropriate approach for each custodian, keep these tips in mind:

The more information you obtain up front—before you’re actually collecting data—the better. Wise teams prepare for the worst and hope for the best—which is much easier when you know what to expect. Why buy a 2 TB hard drive, only to find out the person has a 200 GB laptop? Worse, why wait until after you’ve collected the data to learn how it’s organized?

For a targeted collection, you need to know ahead of time what you’re dealing with, and having a complete inventory of the files and folders on the custodian’s computer, before you start the collection, is essential.

Additionally, having insight from the start helps you schedule the collection appropriately and avoid interfering with the custodian’s workday. Knowing whether you’re collecting 5 GB or 500 GB helps both parties plan accordingly.

Stay focused. Start at the end goal of your search and build the right workflow based on those needs. What are you looking for? If it’s one email in someone’s inbox, do you really need the entire hard drive? With a good interview approach, you can develop a clear picture of the information in which you’re interested and where it’s most likely to be found.

Be flexible. You don’t have to commit to one strategy. It’s perfectly reasonable to do both targeted and forensic collections in a single case, depending on the custodians and the situation.

Warren G. Kruse is vice president of digital forensics at Altep. He has more than  20 years of experience in digital forensics for investigations and e-discovery, and holds a Master’s degree in digital investigations.

Altep is an Orange-level Relativity Best in Service partner with certified analysts, review specialists, administrators, sales professionals, and infrastructure specialists on staff.

Comments

Post a Comment

Required Field