In a previous post, we set out a general road map for handling the intake of a new ESI (Electronically Stored Information) matter. Frankly, what new matter does not involve some ESI, be it emails, some computer documents or a folder on a cloud storage service? Today, let’s discuss how to collect the ESI in a logical or forensic collection, and what considerations counsel should be aware of at the onset to ensure all the correct data is collected.
Generally, an ESI collection falls into one of two categories:
The first category is a “logical” collection. In this type of collection, the concern is focused on the content of the data, and deals only with active (non-deleted) data. Logical collections are really about what is IN the files or emails.
Physical or Full Forensic Collections
The second of the two main categories is called a “forensic” collection or a “full physical” collection. In a forensic collection, we are not only preserving the information in the files, but also the information about the files. While logical collections preserve file metadata (data about the data), forensic collections capture everything on the drive, including any deleted data that is still present. This is generally accomplished by making a full and complete “image” (a byte-for-byte copy) of the entire computer hard drive.
What is the Difference?
A great way to visualize the difference between a logical collection and a full forensic collection is to envision a folder on a computer containing PDF documents. In a logical collection of the folder, all the PDF files and any dates and times associated with the PDFs would be captured and preserved. In a forensic collection, the PDF files in the folder would be collected along with:
- Any Word documents that were used to create the PDF files
- Any web browsing history used for research in the creation of the documents
- Any web browsing history that indicates a cloud storage location for other relevant documents
- Any emails stored on the computer discussing the preparation of the documents
- Any deleted versions of the documents that are recoverable
- Any indications of the installation of programs used to try to wipe the drive of relevant data
- Lots of other computer “usage” data
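To make the contrast concrete, here is an added example (not Peak Forensics' tooling, and not code from this post) that performs a small logical collection beside a byte-for-byte image. The "drive" is a constructed file whose unallocated space still holds a deleted draft, so the script runs anywhere; the file names, the `ACTIVE`/`DELETED` sample bytes, and the temporary working directory are all assumptions made for the demonstration. The logical side copies only files the file system still lists and preserves their timestamps; the forensic side copies every byte and verifies the image hash against the source stream, which is how you know the image can be relied on.

```python
"""Added example: a logical collection beside a forensic (byte-for-byte) image.

Not Peak Forensics' tooling; the "drive" is a constructed file so it runs anywhere.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample content (assumption: stands in for a real document and drive).
ACTIVE = b"Final report: the figures are correct.\n"
DELETED = b"DRAFT (deleted): the figures were adjusted.\n"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large images never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def logical_collect(source_dir: Path, dest_dir: Path) -> dict:
    """Copy every active file, keep its timestamps, and record a manifest.

    Only files the file system still lists are seen; unallocated space is
    never read, which is exactly the limitation of a logical collection.
    """
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 carries over mtime/atime and mode bits
        src_hash = sha256_of(src)
        if sha256_of(dst) != src_hash:
            raise RuntimeError(f"copy of {rel} does not verify")
        manifest[str(rel)] = {"size": src.stat().st_size,
                              "mtime": int(src.stat().st_mtime),
                              "sha256": src_hash}
    return manifest


def forensic_image(device: Path, image: Path, block_size: int = 4096) -> str:
    """Byte-for-byte copy of a device (here a file), hashing the stream as it is read.

    The source stream hash is compared with a fresh hash of the written image;
    a mismatch means the image cannot be relied on as evidence.
    """
    stream_hash = hashlib.sha256()
    with device.open("rb") as src, image.open("wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            stream_hash.update(chunk)
            dst.write(chunk)
    source_digest = stream_hash.hexdigest()
    if sha256_of(image) != source_digest:
        raise RuntimeError("image does not verify against the source")
    return source_digest


def demo(workdir: Optional[str] = None) -> dict:
    """Run both collections on constructed data and report what each captured."""
    base = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    # Logical side: a folder holding one active document.
    evidence = base / "evidence"
    evidence.mkdir(parents=True, exist_ok=True)
    (evidence / "report.txt").write_bytes(ACTIVE)
    logical_out = base / "logical_out"
    manifest = logical_collect(evidence, logical_out)
    logical_bytes = b"".join(p.read_bytes() for p in logical_out.rglob("*") if p.is_file())

    # Forensic side: a constructed "drive" whose unallocated space still holds
    # the bytes of a deleted draft (assumption: stands in for a real disk).
    drive = base / "drive.raw"
    drive.write_bytes(ACTIVE + b"\x00" * 64 + DELETED + b"\x00" * 64)
    image = base / "drive.dd"
    image_digest = forensic_image(drive, image)

    copied_mtime = int((logical_out / "report.txt").stat().st_mtime)
    return {
        "logical_files": sorted(manifest),
        "logical_preserves_mtime": manifest["report.txt"]["mtime"] == copied_mtime,
        "logical_contains_deleted": DELETED in logical_bytes,
        "image_contains_deleted": DELETED in image.read_bytes(),
        "image_size_matches": image.stat().st_size == drive.stat().st_size,
        "image_sha256": image_digest,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the section in one result: the logical output lists `report.txt` with its timestamp intact but never contains the deleted draft, while the image is the same size as the drive, verifies by hash, and does contain it. On a real engagement the `drive` path would be a write-blocked block device rather than a file, and the verified hash would be recorded in the chain-of-custody notes.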
Choosing a Type of ESI Collection
As you can see, the forensic collection is much more robust than a logical collection. That’s not to say, however, that we always want to perform a forensic collection instead of a logical collection. Some reasons for choosing logical over forensic may include:
- Cost – Logical collections can be less expensive because less data is collected
- Time – Forensic images can take hours to complete, while smaller, targeted logical collections can be relatively quick
- Scope – It may be beyond what is reasonable (or allowed) to collect data outside of a certain scope
Overall, if you are only interested in the “what,” a logical collection may suffice. If, however, the “who,” “when,” “how” and “where” are relevant, a full forensic collection may be more appropriate.
ABOUT Peak Forensics: Peak Forensics is a full-service Computer Forensics, Electronic Discovery and Consulting firm in Phoenix, Arizona. Peak Forensics provides experienced, professional computer forensics services, client-centric electronic discovery and seasoned testimonial and trial consulting services. Peak’s CEO and founder, Jefford Englander, has been actively participating in computer forensics and ESI investigations for 15 years and has a background in local and federal law enforcement and the civil litigation realm. From ESI collection to forensic analysis, hosted review, reporting and expert testimony, Peak can lead you to focused information.