Tuesday, 23 August 2011

The Differences Between E Discovery and Digital Forensics?



On the surface, you might look at this question and think that it is as basic as, "what is the difference between a cat and a dog?" However, if you take a second to reflect on all of the times that you have had to explain this question to family, friends, acquaintances or clients, you can see that it isn't as straightforward as it appears. For better or worse, digital forensics has a habit of getting lumped into the same silo as ediscovery. While the similarities are noticeable, it is important to remember that each practice is unique and serves a specific purpose.
In this article, we will examine the three main differences between digital forensics and e-discovery. First, we will provide a basic overview of the two specialties. Next, we will look at the amount of data involved in each practice and how it differs. Finally, we will discuss the characteristics of the individuals who analyze the aforementioned data.
Basic Overview: Electronic discovery, simply, is the process of gathering electronic data. The gathered data is active and readily available, and it is found on any electronic storage device (computer, iPad, server, iPhone, etc). The holy grail of the ediscovery industry is the Electronic Discovery Reference Model (EDRM), a model created by industry legends George Socha and Tom Gelbmann. EDRM develops guidelines and sets standards to help ediscovery users improve quality and cost efficiency of electronic discovery. The basic model consists of the following nine stages: information management, identification, preservation, collection, processing, review, analysis, production and presentation. The scope of ediscovery collections is typically very narrow when compared to digital forensics. Simply put, you do not need all of the available data to produce the final product.
Digital forensics can be simply defined as a full "autopsy" of an electronic storage device. Much like a human autopsy that is needed to confirm a person's cause of death, an electronic autopsy is needed to validate a legal theory. Digital forensics identifies, collects, preserves, analyzes and produces data based on a defensible process that complies with legal standards and passes muster in a court of law. Unlike ediscovery, the scope of digital forensics is much deeper. A forensic image (bit-by-bit copy) of the media in question is taken, and all potential data is analyzed (allocated and unallocated space). Deleted files, damaged data, encrypted files, metadata, slack space and user activity are all in play. If you have a legal theory that involves potential fraud, deleted data or anything that would not appear in the "live data", you need a forensics expert. Common types of cases that usually necessitate digital forensics include: criminal matters, regulatory matters, insurance matters and employee matters (theft, IP infraction, abuse of policies, termination, general contentious circumstances).
Volume of a Device: The volume of data reviewed on a particular device is another big difference between ediscovery and digital forensics. As we stated above, the scope of ediscovery can be narrowed significantly while digital forensics involves a bit-by-bit image of the media in question. In ediscovery, the goal is to deliver responsive data to the reviewer in a timely and cost-effective manner. Generally, ediscovery is not concerned with analyzing the data, focusing on unallocated space, interpreting user intent or providing a legal opinion of the data. eDiscovery uses sophisticated software solutions to provide its client with a review platform to analyze the end results. Software solutions provide methods such as de-duplication, keyword searches, hit counts and file extension filters to reduce the number of non-responsive files and counteract the explosion in ESI that we have seen in recent years. Additionally, ediscovery is more concerned with the active and readily available data, and not the ambient data that exists in the unallocated space.
On the flip side, digital forensics deals with a very comprehensive review of the allocated and unallocated portion of the media in question; usually a hard drive. Forensic examiners search intact files, file fragments and deleted files as well as perform keyword searches on the entire data set. The data review is performed by trained professionals with the experience and credentials to match (CCE, CFE, CCFE, etc). Digital forensics experts are concerned with providing an expert opinion on the data set, and they review the data accordingly.
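The difference in scope described above can be shown on a toy device. This is an added example, not part of the original article: the 64-byte block layout, the allocation table, the file names and the function names are all constructed assumptions. The ediscovery pass culls only active files (extension filter, hash de-duplication, hit counts), while the forensic pass runs the same keyword over the whole image and labels each hit as allocated or unallocated.

```python
import hashlib
import os
BLOCK = 64  # toy block size; the layout below is constructed for illustration

def build_image():
    """Constructed device: block 3 is a deleted file, gone from the table only."""
    contents = [
        b"Q3 invoice for Acme, approved by finance",  # block 0
        b"Q3 invoice for Acme, approved by finance",  # block 1, exact copy
        b"cafeteria lunch menu",                      # block 2
        b"move the Acme funds before the audit",      # block 3, deleted
        b"Acme installer stub",                       # block 4
    ]
    image = b"".join(c.ljust(BLOCK, b"\x00") for c in contents)
    table = {"invoice.docx": [0], "invoice_copy.docx": [1],
             "menu.txt": [2], "setup.exe": [4]}
    return image, table

def read_file(image, blocks):
    return b"".join(image[b * BLOCK:(b + 1) * BLOCK] for b in blocks).rstrip(b"\x00")

def ediscovery_cull(image, table, keyword, extensions):
    """Active files only: extension filter, hash de-duplication, hit counts."""
    seen, hits = set(), {}
    for name in sorted(table):
        data = read_file(image, table[name])
        digest = hashlib.sha256(data).hexdigest()
        if os.path.splitext(name)[1].lower() not in extensions or digest in seen:
            continue  # wrong file type, or duplicate content already queued
        seen.add(digest)
        count = data.lower().count(keyword.lower())
        if count:
            hits[name] = count
    return hits

def forensic_search(image, table, keyword):
    """Whole image: every hit offset, labelled allocated or unallocated."""
    allocated = {b for blocks in table.values() for b in blocks}
    lowered, needle, found, pos = image.lower(), keyword.lower(), [], 0
    while (pos := lowered.find(needle, pos)) != -1:
        state = "allocated" if pos // BLOCK in allocated else "unallocated"
        found.append((pos, state))
        pos += 1
    return found

if __name__ == "__main__":
    img, tbl = build_image()
    print(ediscovery_cull(img, tbl, b"acme", {".docx", ".txt"}))
    print(forensic_search(img, tbl, b"acme"))
```

The cull hands the reviewer a single responsive document, while the raw search also surfaces the hit in the block that no live file owns, which is the data the article says ediscovery leaves aside.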
Who Analyzes the Information: As we alluded to in the above sentence, one of the main differences between ediscovery and digital forensics is who analyzes the data. In ediscovery, the role of the service provider is to use the scope of the case to supply the relevant information in a reviewable format for further analysis. The person providing the ediscovery services should be qualified in technology and the legal process, but he or she does not need to be an expert. Most of the software solutions on the marketplace revolve around ediscovery, and each software solution aids a respective vendor in providing the necessary information in an efficient and cost-effective manner.
In comparison, digital forensics must be handled by a person with impeccable credentials. The digital forensics expert not only has to be qualified enough to follow the standard policies and practices that go into preserving digital evidence in a defensible manner, but must also be ready to be called for a deposition or take the stand in court. Since an engaged forensic expert must be disclosed in a case, this person should be highly skilled and qualified. Key elements of a qualified forensics expert include: technical aptitude, knowledge of specific procedures, applicable credentials and investigatory experience.
Comparable Analogy: One analogy that I like to use to simplify this conversation for people is to imagine a construction project. eDiscovery is the general contractor and digital forensics is the electrician. eDiscovery is a broad service that helps drive the results. Digital forensics is a highly specialized service that is needed in particular instances, and can only be accomplished by a trained professional.
Overall, it is perfectly understandable that an outsider might confuse digital forensics and ediscovery. This is especially true in today's marketplace where vendors are marketing themselves as "one-stop shops" whereby they can provide anything and everything under the ediscovery umbrella. However, upon closer inspection, it is apparent that these are two distinctive fields that require different skill sets and expectations. If all else fails, remember contractor versus electrician. That should at least ingrain the higher level differences between the two services.

