All data should be treated as evidence from hardcopy documents to emails, files, voicemail and chat messages. With the speed data is created, it is important to understand how preservation, collection and presentation is done forensically without destroying the data’s integrity.
Different countries treat data privacy issues with varying seriousness. From Singapore’s Personal Data Protection Act 2012 to the recent General Data Protection Regulation (GDPR) in Europe, organisations need to focus on changing their handling of customer data and data pertaining to their employees. Forensic data collection, preservation or examination must also be compliant with applicable laws.
Data collection is different to data preservation, which ensures potentially relevant data is not deleted. Also, that any systems, procedures or policies that can potentially destroy or delete the data is disabled.
Data Collection
Data collection involves obtaining documents from source data repositories and copying them into target locations for further analysis. Whatever technique is used should not tamper with the integrity of the data.
Several common categories of data:
- Active – real time data, e.g. emails and other traditional files stored on local hard drives or network drives.
- Cloud – data on cloud servers, e.g. social media, DropBox, One Drive.
- Mobile – iPads, mobile phones and wearable devices. Collecting data requires advanced tools and specialised expertise. Typical data: call logs, text messages, GPS locations, third party apps and health related data.
- Offline – inactive stored data, often by third parties. It presents challenges due to its age and the technology and expertise required for extraction.
- Hidden – deleted or fragmented data not visible to regular system users. The data needs to be recovered with specialised tools and can be evidence.
Considerations for Self-Collection
Self-collection, forensically-speaking, could create more work as evidence could be missed making key evidence inadmissible.
Before collection, consider - why is the identification, preservation and collection of evidence for litigation or investigation critical?
There is:
- an obligation to provide defensible Discovery in a litigation, product or in a regulatory investigation;
- an obligation to preserve data in a current or reasonably anticipated litigation;
- an obligation to file an affidavit around completeness of a discovery;
- the need to find all critical documents to defend the case and to know what adverse documents the opposing party may use; and
- the need to not give the opposing party reason to challenge the admissibility of critical documents.
If challenged, the collection may need to be defended through testimonial in court by the person who collected the data.
To find out more, read our article The Risks of Self Collection.
Risks of Self-Collection
Documents sourced for internal investigation can become evidence and the same considerations should be applied to avoid admissibility challenges by other parties.
Key risks of self-collection:
- Omitting preservation or collection of data that need specialist forensic tools, e.g. deleted files or internet history.
- Inadvertently changing document metadata.
- Not maintaining audit records of collection and chain of custody reports. Chain of custody accounts for the seizure, storage, transfer and condition of evidence logs to prove authenticity of collected documents.
- Inability to efficiently collect alternate data sources like mobile phones.
To find out more, read our article The Risks of Self Collection.
In summary, all data should be treated as potential evidence that could end up in court. The risks of collecting data without expert help are manifold and may make the data open to an admissibility challenge.
To find out more about how our Forensic Data Collection, Investigation and Audit specialists can assist you avoid these risks, contact us
Like what you're reading? Click here to subscribe to our latest news and information.