Collecting Remotely

Three Key Questions to Ask Before Collecting Remotely

Worldwide, businesses, industries, and governments are attempting to reopen and recover from the early disruptions of the pandemic. Legal and compliance work is beginning to ramp back up and teams are looking to understand how to conduct investigations effectively with all the changes since the pandemic first began. Even so, operations will remain far from normal for a long time to come, leaving teams searching for efficient and defensible ways to conduct discovery work remotely.

The data collection phase of e-discovery and investigations was one of the most impacted by global lockdowns. Large data volumes of complex data types can make collection a challenge in the best of circumstances. But now, counsel must coordinate gathering and movement of information remotely, either managed and executed by outside providers, or through a guided self-collection exercise with individuals in scope for the matter. Both options introduce the risk of incomplete or inaccessible datasets, which may create complications and add costs downstream in the investigative process. In severe cases, these mistakes can lead to spoliation sanctions or regulatory penalties.

For legal teams weighing their options for data collection in today’s new normal, there are a few key questions that will help inform discovery decisions and ensure remote processes are effective and legally defensible. These include:

What technical requirements are involved, and what level of expertise is needed to fulfill them?

The technical requirements of a remote collection will vary depending on the data source investigators are targeting. In any case, the examiner conducting the collection will need full visibility into and knowledge of the data sources in scope, to prepare for the specific challenges that may arise. For example, hard drive data can be acquired remotely by booting the source computer from a USB drive, utilizing screen sharing capabilities to access the device over the internet, and using forensic tools to capture a full forensically sound image. In other instances, it may make more sense to collect only targeted datasets from the hard drive, copying specific files and folders in a forensically sound manner. Both approaches require the involvement of people with technical capabilities to follow the investigator’s instructions and help troubleshoot issues such as permissions and network speeds. The tools and approach must also be able to account for chain of custody and ensure that nothing is missed or corrupted in the process.

Collecting from mobile devices, cloud sources and emerging data platforms like collaboration tools presents another set of unique technical and practical complexities. Because access and storage parameters among mobile devices and cloud data sources are continually changing, the tools and techniques that work today may not work tomorrow. Custom solutions are often needed on the fly in investigations to deal with unexpected challenges. Building these requires support from a computer forensics expert with knowledge of the restrictions of various platforms, and defensible workarounds.

Are any gotchas hiding in the environment that might require customized solutions?

While many of today’s leading cloud-based email systems offer search and basic export features, they are not designed to perform forensically sound data collections. For example, they may not search all data types on the platform, such as zip files, pictures, or screenshots that may have been uploaded. Simply searching for keywords and exporting the files that hit on them can undermine an investigation. This is a great example of when a customized solution, developed by forensic experts, may be needed to avoid the downstream costs and delays that can result from collection mistakes.

Teams may also face spoliation issues if the collection isn’t reinforced with detailed chain of custody documentation including validation of metadata and export reports that show exactly what, where and how files or hard drive images were pulled from their original sources.
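The targeted collection and chain of custody documentation described above can be illustrated with a short script. This is an added example, not code from the article or from any forensic product; the function names, manifest fields and sample file are assumptions made for illustration. It copies files, records source metadata and a SHA-256 hash for each one, and lets the copies be re-verified later.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(src_root, dest_root, examiner):
    """Copy every file under src_root; return one manifest entry per file."""
    manifest = []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in sorted(files):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            st = os.stat(src)  # metadata recorded before the copy
            src_hash = sha256_file(src)
            shutil.copy2(src, dst)  # copy2 carries the modified time over
            manifest.append({
                "relative_path": rel,
                "source": os.path.abspath(src),
                "copy": os.path.abspath(dst),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": src_hash,
                "copy_matches": sha256_file(dst) == src_hash,
                "examiner": examiner,
                "collected_utc": datetime.now(timezone.utc).isoformat(),
            })
    return manifest

def verify(manifest):
    """Re-hash the copies later; return relative paths missing or altered."""
    return [e["relative_path"] for e in manifest
            if not os.path.isfile(e["copy"]) or sha256_file(e["copy"]) != e["sha256"]]

if __name__ == "__main__":
    # Constructed sample input: one small file in a temporary directory.
    work = tempfile.mkdtemp()
    os.makedirs(os.path.join(work, "custodian", "mail"))
    with open(os.path.join(work, "custodian", "mail", "inbox.txt"), "w") as f:
        f.write("constructed sample message\n")
    m = collect(os.path.join(work, "custodian"), os.path.join(work, "evidence"), "examiner-placeholder")
    print(json.dumps(m, indent=2))
    print("failed verification:", verify(m))
```

Reading a file on a live, writable filesystem can update its access time, which is one reason full acquisitions boot from separate media or use a write blocker.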

How is the data protected?

In a remote collection, or any time large amounts of data are being moved around, security is paramount. Investigation and e-discovery providers should be able to provide detailed documentation of the protections they have in place generally, as well as the specific steps they plan to take to ensure security throughout the duration of a collection and beyond. Forensic images and other files collected remotely will typically be stored on external drives while they are processed and loaded into analytics and review platforms. These drives must be encrypted and physically kept in safes and/or a secure forensic lab to ensure sensitive information isn’t inadvertently exposed to anyone outside the case team.

Privacy compliance is another consideration that falls under the data protection umbrella. Collection and subsequent processing and review of information subject to privacy laws must remain within the bounds of the regulations in the jurisdiction where the data originated. Even when a matter originates in the U.S., it can quickly expand to other regions, and counsel must be prepared to deploy investigators who can collect and host the data in-country per cross-border data transfer restrictions.

Despite the inherent challenges with remote data collection, in many cases, investigations cannot wait indefinitely for the world to return to normalcy. Though remote collection is not usually a preferred method for investigations, it can be done securely and defensibly with the right controls in place to allow important investigatory work to proceed regardless of travel limitations and other lockdown-related obstacles.
