Aren’t Electronic Discovery and Computer Forensics the same thing?
Some people would say that they are, but many practitioners strongly disagree. Here are some definitions that I found for Electronic Discovery:
- Gartner said that “E-discovery is the production and presentation of ESI [Electronically Stored Information] that meets the basic requirements and needs of discovery.”
- About.com:Legal Careers described it as “the obligation of parties to a lawsuit to exchange documents that exist only in electronic form.”
- Wikipedia said that eDiscovery “includes “raw data” which Forensic Investigators can review for hidden evidence.”
- Search Financial Security added the following to the end of their definition, “Computer forensics, also called cyberforensics, is a specialized form of e-discovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer, investigators make a digital copy of the hard drive. Then the original computer is locked in a secure facility to maintain its pristine condition. All investigation is done on the digital copy.”
So the definitions range from no mention of Computer Forensics to the inclusion of Computer Forensics as an integral part of eDiscovery. Here are some definitions that I found for Computer Forensics:
- ExperLaw gave a basic definition describing it as “obtaining and documenting digital information…”
- Cyber Security Institute said it is “the analysis of information contained within and created with computer systems and computing devices…”
- Wikipedia called it “a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums.”
Now we have definitions ranging from simply obtaining information to forensic science and finally including the mention of legal evidence. Can Computer Forensics exist outside of eDiscovery? Or, can eDiscovery exist without Computer Forensics?
I think Search Financial Security stated it best when they described Computer Forensics as a specialized form of eDiscovery. So, Electronic Discovery may or may not include the use of Computer Forensics, depending on the budget or the type of evidence listed in a search warrant?
I’ve heard people say that a search for email doesn’t require Computer Forensics, because once you’ve found the email database file you don’t need to look any further. When dealing with a trusted individual that may be true, but what about a second hidden email database that they use for covert communications? Don’t you care about discovering that data too? The field of Accounting Forensics is all about the search for a second set of accounting books. Shouldn’t we then be including Computer Forensics in every investigation that we conduct? Oh, does that cost too much?
It’s unfortunate when we are forced to rush an investigation due to insufficient funds, or manpower, and miss potentially vital evidence. A computer novice can hide their data by simply renaming file extensions and deleting files. Without some level of Computer Forensics, those simple methods are successful. When you find the right Computer Forensics solution, it shouldn’t be a waste of your time. In fact it may actually save you time when it’s used correctly.