The phrase “forensic collection” often is associated in our minds with a bit-by-bit copy of a computer's entire hard drive. This may be crucial in cases where we might expect authentication issues or where investigation of slack and fragmented space may be important. Criminal cases are a prime example. But a collection of electronically stored information (ESI) may be limited to only certain files that are likely to be relevant and still be forensically sound.

What makes a collection forensically sound, whatever its scope, is not that the entire storage media has been copied bit by bit, but that the files that have been collected can be shown to be exact copies of what was on the source, including associated metadata. This requires that the collection method not alter the files or their metadata. It also usually includes some way of ensuring non-alteration after collection, which generally means taking a digital fingerprint in the form of a hash value that can be securely stored and used later to verify that the document still is exactly as it was at the time of collection.

There are several commercially available tools that can collect specific files or entire hard drives in a forensically sound manner. With some of those, it is possible to narrow the collection by date ranges, search terms and other parameters. Any good collection vendor has these in his tool box. Some companies also have these tools in house.

Reasons for collecting in a forensically sound manner may be varied. It may be done because of a high expectation of challenges to authenticity, as is common in criminal cases. On the other hand, it may be done simply because a forensic tool is readily available and using it minimizes potential risk, permitting the affected employees to return to normal document management after collection has occurred. But it is not just a defensive measure. Many benefits of collecting in a forensically sound manner inure to the party doing the collecting.

A forensically sound collection including the associated metadata allows for more robust data analytics and culling. For example, we can use email threading to see who has been communicating with whom about what by using a metadata field that identifies related emails in a chain even if the subject line has been changed along the way. This can be a valuable tool as we identify key players and begin to separate the potentially relevant documents from the rest. Of course, other metadata fields also can be useful for sorting and searching.

But a completely forensically sound collection is not always necessary. Much of the benefit of a forensically sound collection can still be obtained without using specialized collection software. Some simple methods for collecting ESI do alter some metadata fields, such as the creation date, last modified date, last accessed date, source path, etc., which usually are less important and may be unnecessary in many cases.

For the best results:

  • Do not attach loose documents to emails
  • Do not copy documents to a new location
  • Do not PDF or TIFF them (which essentially turns them into a digital version of paper)

Instead, ZIP them up at the folder level from their original location. Once zipped, the files can be emailed, FTPed or placed on portable media for overnight shipment. The ZIP file can easily be password protected for security in transit. This method is not perfectly forensically sound, but it may be enough in many situations.
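
The hash fingerprint described earlier and the folder-level ZIP described here can be combined in a few lines of Python. This is an added example, not part of the original article; it assumes SHA-256 as the hash, and the function names and sample files are hypothetical.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256_of(opener):  # opener() returns a binary file object; read in 1 MiB chunks
    h = hashlib.sha256()
    with opener() as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def files_under(folder):
    return [p for p in sorted(Path(folder).rglob("*")) if p.is_file()]

def build_manifest(folder):
    """Fingerprint each file in place, before anything is moved."""
    return {p.relative_to(folder).as_posix(): sha256_of(lambda: open(p, "rb"))
            for p in files_under(folder)}

def zip_folder(folder, zip_path):
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in files_under(folder):
            zf.write(p, p.relative_to(folder).as_posix())

def verify_zip(zip_path, manifest):
    """Return (name, problem) pairs where the ZIP differs from the manifest."""
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
        for name, digest in manifest.items():
            if name not in names:
                problems.append((name, "missing"))
            elif sha256_of(lambda: zf.open(name)) != digest:
                problems.append((name, "hash mismatch"))
        problems += [(n, "not in manifest") for n in sorted(names - set(manifest))]
    return problems

def demo():
    """Constructed sample files: one clean ZIP, one altered after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, clean, altered = (Path(tmp, n) for n in ("docs", "clean.zip", "altered.zip"))
        src.mkdir()
        (src / "memo.txt").write_text("Q3 forecast draft")
        manifest = build_manifest(src)
        zip_folder(src, clean)
        (src / "memo.txt").write_text("edited after collection")
        (src / "new.txt").write_text("added after collection")
        zip_folder(src, altered)
        return verify_zip(clean, manifest), verify_zip(altered, manifest)
```

The manifest is only useful as evidence if it is stored apart from the ZIP it describes, so that whoever receives the archive can run `verify_zip` against a copy that did not travel with it.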

ZIP (or RAR) files are just container files. Programs that create them, such as WinZip or WinRAR, can easily be downloaded from the web. Think of these as electronic bankers boxes that hold loose files.

However, unlike a banker's box with its 2,500-page limit, a .ZIP file can be very large and hold many gigabytes of data. A ZIP folder is a wrapper around the documents that protects most of the metadata, while at the same time compressing the data into a smaller size, making it easier to copy and transmit.

For email:

  • Create a PST (Outlook) or NSF (Lotus Notes) file with relevant email inside (PST and NSF files are just container files for emails)
  • Do not forward the relevant email to your outside counsel or e-discovery vendor
  • Do not attach the relevant email to another email for transmission
  • And, again, do not PDF or TIFF them: That will destroy the ability to search and sort by custodian, sender, recipient, date, etc., while also breaking apart family relationships with attachments

To collect email, create a specific folder within a user account and then create a PST or NSF file of those emails. Then these PST or NSF files can be FTPed or copied onto portable media for overnight shipment, with password protection if necessary.

If a truly forensically sound collection is called for, there is often a challenge with remote employees who rarely connect to the network, or do so on small or unreliable pipelines. Several software companies have created a portable, plug-and-play version of their collection tools. These are small devices that look like a thumb drive or a small external hard drive. They ship out to the remote employee and plug into the USB port. They can be pre-programmed to execute the collection protocol desired for the case in question, e.g., full bit-by-bit image or a targeted collection of certain files. When the collection is complete, the remote employee ships back the device to the lawyers or the e-discovery vendor.

Another option is remote collection. Again, multiple vendors have remote collection capabilities. They may be able to conduct small and midsize collections remotely and during off hours. This reduces the intrusion while also cutting down on travel costs and other incidental charges.

These services are available through many ESI collection vendors and, often, outside law firms.
