E-discovery forensics at CEIC 2010 part 2

Continuing on our dive into forensics for e-discovery, today we cover more on the reasons for using it in practice, as well as highlights from CEIC 2010...

Now that we’ve examined the technology involved, one question remains: do you need forensically-defensible collection for e-discovery?  The answer is: not necessarily. Many lawsuits do not require this depth or scope of data collection (such as collecting from RAM), particularly civil cases.  And for general defensibility purposes, courts do not expect perfection.  The goal is a reasonable, good-faith effort to accurately preserve data and metadata with a repeatable, documented process  – one you can testify to in court if necessary.

Why use a forensic approach at all?  To the layman, forensics can sound hard and even scary, as well as potentially expensive and time-consuming – some vendors even refer to it as “the F word.”

Well, at this point you should consult a lawyer or expert – the goal is that you never have to use it.  But here are some good reasons to at least educate yourself about it:

1) Forensics has impressive capabilities, and the technology is cool – a.k.a. “the CSI defense.”  E-discovery is not just paper-based discovery on a computer.  The “paper trail” is now digital, and it’s important to know about this technology’s potential for the legal field, as well as the risks involved.  Like the fact that your deleted files are not really gone.

2) Forensic evidence is critical in trying some cases where the “smoking gun” isn’t just buried in a terabyte of text and document-level metadata – criminal matters, or trade secret or insider trading cases where you might have to dig through ‘track changes’ or reconstruct an IM history from RAM to see who knew what, and when.  E-discovery requires a tool box, and forensics can be an important one of those tools.

3) Targeted collection has its own benefits as an approach to e-discovery collection.  Forensics vendors argue that existing enterprise search tools are only as thorough and current as their latest index.  Likewise, preemptively storing data in a repository like an archive, ECM or Records Management system promises easier retrieval, but is not practical for all organizations and all types or volumes of data.

4) Last but not least: court defensibility (if done reputably by a qualified person with appropriate tools – this is not legal advice in any form).

I will leave it to the experts to flesh out the rest of the forensics story (or take issue with my cribbed-notes version in the comments), but a few show highlights from CEIC:

Exhibitors: As this was a tech show, I’ll lead with the tech.  While CEIC is unquestionably Guidance’s party, there was plenty of co-opetition on the exhibition floor from forensics rivals AccessData and Nuix, e-discovery appliance vendor Clearwell Systems, the now-integrated EMC SourceOne-Kazeon, and growing forensic consultancy D4, which showcased review tool partner kCura’s new Relativity 6 release.  451 subscribers can read about Guidance’s EnCase E-discovery V. 4 here, EMC’s new SourceOne for SharePoint here, a report on kCura here, and look forward to an imminent update on Clearwell 5.5, plus new coverage of AccessData and Nuix.

I recommend checking out the demos if you have the chance.  It’s interesting to see how technology evolves to make different active and dynamic data types accessible, both for collection (SharePoint is a big problem here – EMC, FTI and Nuix all debuted tools for it recently) and for attorney review.  For example, kCura’s latest release has a pivot table feature for attorneys to drill into large amounts of structured data like text messages intelligibly, as you would in Excel.

All-star cast: CEIC's 2010 e-discovery track featured some marquee panels on judicial opinions, international privacy regulations, advanced search and retrieval, and case law updates.  Many presenters are also on Guidance's Advisory Board (which was meeting during the conference), so they actually stuck around after their sessions and gave attendees the chance to monopolize their attention at lunch and happy hour.  UK e-disclosure expert Chris Dale has a good run-down on the judges, which included Hon. Judge Peck, Judge Donald Shelton and Senior Master Steven Whitaker from the UK.  Also present: EDRM founders George Socha and Tom Gelbmann, the oft-cited Craig Ball, Browning Marean of DLA Piper, and of course Melissa Hathaway, former presidential Cyber-security Czar and worthy successor to last year's keynoter Leonard Nimoy.

Browning gave a plug for Recommind's Axcelerate and Equivio Relevance's predictive coding capabilities for review during the search and retrieval panel, which thrilled me as a text analysis and search enthusiast.  451 subscribers can read more on these tools in our past coverage, or the recent long-form e-discovery report.

Users:  There really are no seat-fillers at CEIC; attendees are not just there for a Vegas getaway with continuing education credit.  Everyone I met was a practitioner and formidable techie, many from large companies and government organizations with high-volume litigation or internal investigations.

My conversations with them confirmed for me that e-discovery is still a case of “one size fits all nobody.”  When I asked about their go-to forensic brands, some users told me that each vendor’s tool has strengths, and ideally you should have access to and knowledge of several (if you can justify the purchase to accounting).  Some also use multiple “end-to-end” e-discovery platforms to suit their litigation requirements and cross-functional business processes.

One final thought to wrap this up.  The "e-discovery toolbox" analogy I keep beating to death is stolen, er, extrapolated from George Socha's advice on search methods: as in any project, you need to know your materials and understand what tools are best for the job.  Each has strengths in particular circumstances or scenarios, and with certain data types, locations and volumes.  It depends on your requirements and what results you're looking for.

E-discovery forensics at CEIC 2010: sorta sexy, sorta scary, not at all niche

This year marked the 10th anniversary of the Computer and Electronic Investigations Conference (CEIC), a show hosted by Guidance Software focusing on digital investigations in forensics, e-discovery and cyber-security.  I’ll be reviewing this event in two posts, because there’s a lot of ground to cover here – check in tomorrow for some show highlights and more on forensics in practice for e-discovery.

As you might guess, both the crowd and the content at CEIC had a heavy technical and practitioner bent, along with a refreshingly low BS-quotient – good attendance and engagement at the in-depth sessions, not a lot of swag-grabbing seat-fillers milling around the exhibition floor.  Forensics has traditionally had strong traction in law enforcement and government, but the new EnCase E-discovery certification exam (EnCEP) and cyber-security track brought in good numbers of private sector attendees from both IT and General Counsel as well.  Overall attendance reportedly grew about 40% this year to 1300.

At this point, some of us without EnCE certification may be wondering, "why is forensics important to e-discovery, and what is it anyway?"

The bottom line in practice is that forensic collection and Guidance's EnCase format in particular have very strong court defensibility.  From a broader market perspective, Guidance is the only US e-discovery software vendor to go public (in 2006), and has an enviable customer base among the Fortune 500.  All this is to say that while forensics is an expert-grade technology, it is not at all a niche.  In fact, Guidance was #1 in our recent user survey for current usage at 23%, while rival forensics vendor AccessData was cited by 11% of respondents planning to purchase e-discovery software or services in 2010.

And what exactly is forensics?  Here I will steal, er, paraphrase liberally from forensic examiner, attorney and expert at-large Craig Ball:

Computer forensics is the expert acquisition, interpretation and presentation of active, encoded and forensic data, along with its juxtaposition against other available information (e.g., credit card transactions, keycard access data, phone records and voicemail, e-mail, documents and instant message communications and texting).

What kind of data are we talking about?  According to Craig: any systems data and metadata generated by a computer’s OS and software (for example: the date you create an MS Outlook contact), as well as log files, hidden system files, and deleted files.  Many tools also handle encrypted files and have additional functions like scanning images to detect pornography – CSI-grade stuff.

The most familiar forensic method of gathering evidence is imaging an entire hard drive, i.e. creating an exact duplicate of every bit, byte and sector, including "empty" space and slack space, with no alteration or additions to the original data.  However, for e-discovery purposes, processing and reviewing that much data from a large number of enterprise machines would be prohibitively expensive and time-consuming.  Not to mention the risk of finding things you're not looking for (even potentially criminal data like pornography which must be reported by law), and the danger of making incriminating data or deleted files accessible to opposing counsel.  For these reasons (among others), vendors like Guidance offer "targeted collection," often through desktop agents installed on laptops and PCs which automate searching and collections by specific criteria across the network.
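To make the two collection styles concrete, here is an added illustration (my own example code, not EnCase or any vendor's product) of what "defensible" means at the byte level: a bit-for-bit copy whose hash is computed from the bytes read and then checked against the image written, and a criteria-driven targeted collection that preserves timestamps, hashes every file before and after copying, and writes a manifest recording who collected what, when, and under which criteria. That manifest is the "repeatable, documented process" the earlier post refers to. The file names, extensions, cutoff date, examiner name and directory layout are all constructed for the example; a real examiner would additionally run against a write-blocked source, since merely reading a live filesystem can alter access times.

```python
"""Targeted collection with an integrity manifest (added example, not vendor code).
Shows a hash-verified bit-for-bit image and a criteria-driven targeted collection
that preserves metadata and documents itself. All paths, sample files, criteria
and the examiner name are constructed placeholders."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large evidence file never sits in memory


def sha256_of(path):
    """Stream-hash a file (or a block device exposed as a file)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(src, dst):
    """Bit-for-bit copy of src to dst, hashing bytes as they are read.
    Returns (hash of bytes read, hash of image written); a mismatch means the
    image is not a faithful duplicate and must not be relied on."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest(), sha256_of(dst)


def targeted_collect(source_root, dest_root, extensions, modified_after, examiner):
    """Copy only files matching the criteria, keep their timestamps (copy2),
    and record source, size, mtime and hash for each item in a manifest."""
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder identity supplied by the caller
        "criteria": {"extensions": sorted(extensions),
                     "modified_after": modified_after.isoformat()},
        "items": [],
    }
    for dirpath, _, names in os.walk(source_root):
        for name in sorted(names):  # deterministic order makes the run repeatable
            src = os.path.join(dirpath, name)
            st = os.stat(src)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            if os.path.splitext(name)[1].lower() not in extensions or mtime <= modified_after:
                continue
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            before = sha256_of(src)
            shutil.copy2(src, dst)  # copy2 preserves modification/access times
            after = sha256_of(dst)
            manifest["items"].append({
                "source": src, "copy": dst, "size": st.st_size,
                "mtime_utc": mtime.isoformat(), "sha256": before,
                "verified": before == after,
            })
    with open(os.path.join(dest_root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_collection(manifest):
    """Re-hash every copy against the manifest; returns the paths that no longer match."""
    return [i["copy"] for i in manifest["items"] if sha256_of(i["copy"]) != i["sha256"]]


def demo():
    """Constructed custodian folder: two recent matching files are collected,
    a stale .docx (2009 mtime) and a .txt are excluded by the criteria."""
    src = tempfile.mkdtemp(prefix="custodian_")
    dst = tempfile.mkdtemp(prefix="evidence_")
    old = datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp()
    for name, data, ts in [("memo.docx", b"draft memo", None),
                           ("mail.pst", b"mailbox bytes", None),
                           ("archive.docx", b"stale", old),
                           ("notes.txt", b"ignored by criteria", None)]:
        path = os.path.join(src, name)
        with open(path, "wb") as f:
            f.write(data)
        if ts is not None:
            os.utime(path, (ts, ts))
    cutoff = datetime(2010, 1, 1, tzinfo=timezone.utc)
    manifest = targeted_collect(src, dst, {".docx", ".pst"}, cutoff, "EXAMINER-PLACEHOLDER")
    image_hashes = image_source(os.path.join(src, "mail.pst"), os.path.join(dst, "mail.pst.img"))
    return manifest, verify_collection(manifest), image_hashes


if __name__ == "__main__":
    m, mismatches, (read_hash, image_hash) = demo()
    print(json.dumps(m, indent=2))
    print("mismatches:", mismatches, "image ok:", read_hash == image_hash)
```

The point of hashing before and after, and again at verification time, is that anyone (including opposing counsel) can re-run `verify_collection` against the manifest and reproduce the result; the manifest's criteria block is what lets you testify to exactly what was and was not gathered.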

Tomorrow’s post will feature CEIC highlights from users, vendors and speakers, plus more on forensics and the e-discovery use case.  In the meantime, for some additional perspective check out #CEIC on Twitter [update: or #CEIC2010], or blog coverage from Craig Ball, Chris Dale and Josh “Bowtie Law” Gilliland of D4.  Many thanks to them and to the others who shared their experiences with me.  Stay tuned.