Return to site

Don’t Collect what you Don’t Need

· Articles,Forensics

Sandline Discovery - Insight, Ideas and eDiscovery

-By Dan Cohen

Big data, more data, weird data—and so much of it is discoverable. So, what do you do when it comes time to produce? How do you fulfill your obligations while also ensuring that your efforts are proportional and cost-effective? Well, there’s no simple answer that applies to all situations but there are few guiding principles that do. One of them is nice and simple—don’t collect what you don’t need.

For the purposes of this article, we’re going to assume that you already know what you need but could use some help figuring out how to get it. This is a very common topic of conversation at Sandline. We hear this question a lot: “What’s the best way to collect my data?”

Well, once we figure out WHY you need to collect data, WHAT data you need to collect, WHEN you need it and WHERE it will go after collection, we can then answer your initial question—(which is really) HOW should we collect my data?

We’re not going to get into specific tools or technology today (we’ll dive into those in subsequent blog posts.) Today we’re going to describe the three high-level approaches to data preservation and collection.

Remember today’s guiding principle—don’t collect what you don’t need.

At Sandline, we always suggest a collection approach that follows this simple principle. Developing the approach starts with determining WHY, WHAT, WHEN, WHERE (see above) and then selecting a high-level collection method (HOW) followed by the details of the job which include tools, technology, process and personnel.

So, going back to your initial question, “What’s the best way to collect my data?” Here are the three options that we’ll choose from:

1. PHYSICAL IMAGE

If a true forensic collection is necessary, we’ll capture a bit-by-bit image of a device or drive including deleted files, slack space and unallocated space. This is the most thorough collection method but also results in the most data for analysis. We typically collect a physical image for preservation purposes or during an internal investigation.

2. LOGICAL IMAGE

Capturing active data while preserving metadata, creating a file audit trail and ensuring data integrity with hash validation is an option we employ on a regular basis. A logical image allows us to retrieve only the active data on a drive or partition, which speeds up the collection process, reduces the volume of data for analysis, cuts downstream costs and ensures a forensically sound approach.

3. TARGETED COLLECTION

Safely copying specific folders, files or documents in a targeted collection can go a long way to reduce data and cut costs. We try to avoid over-collection by excluding irrelevant or known non-responsive data during this type of collection. If we can focus solely on the data types in question or isolate the data that belongs to certain custodians or was created during a specific time-frame, the collection process and the document review are often faster and easier.

Using a variety of tools and techniques to employ any of these methods (or sometimes all of them in a single project), we can work together to develop a safe and defensible collection plan to target just what’s needed and exclude what’s not.

Let us help you decide whether #1, #2 or #3 is the right way to collect your data!

All Posts
×

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!

OKSubscriptions powered by Strikingly