For all but the most well-versed in the world of computer-based evidence, the terms ‘electronic discovery’ and ‘computer forensics’ may seem synonymous, but in fact they fulfil very different roles and involve very different levels of expertise.
Electronic discovery, usually shortened to e-discovery, is a term rooted in the American civil legal system and refers to the stage prior to a trial when a request is made by one party that the other hand over any and all archived electronic material that they hold in relation to the case. This will include emails, word processing documents, spreadsheets and other data.
Once handover has occurred, e-discovery involves the process of sifting through huge amounts of ‘raw’ data to remove duplicates (called ‘de-duping’) and useless information, in order to bring it together at a single location so that it can be searched electronically with ease by investigators or the lawyers representing that party.
Sometimes, e-discovery is used to recover data from a damaged computer, but often it is used to investigate whether a company is compliant with the law in the way that it stores and handles data. For example, in 2006, Morgan Stanley was fined 15 million USD because its email archiving was found not to be in line with that required by law.
In criminal cases, however, or indeed civil cases in which computer use or misuse is at the core of the activity in question, e-discovery may not be considered a satisfactory approach to evidence recovery, since it does not attempt to recover deleted or hidden data.
Computer forensics, also known as digital forensics, is by contrast a much more specific discipline, which involves the analysis of computers and other electronic devices in order to produce legal evidence of a crime or unauthorised action. As such, computer forensic investigations often deal with the recovery of deliberately deleted or hidden evidence, or evidence of activity that leaves no obvious trace, such as the connection of a USB storage device to a PC.
While e-discovery is essentially a process of organising data, computer forensics is a considerably more complex process which involves highly technical procedures such as ‘data carving’: the act of looking for flags in un-indexed, raw data which suggest the start and end of a block of data, so that a single deleted file can be reassembled.
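As an added illustration that is not part of the original article, the following Python sketch shows header/footer carving in its simplest form: it scans raw bytes for the JPEG start and end markers and records the offset and SHA-256 hash of each recovered block. The sample ‘disk image’ and all function names are constructed for this example, and the carver assumes each file is stored contiguously.

```python
import hashlib

# JPEG start-of-image and end-of-image markers: the "flags" a carver scans for.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs; return a list of carved records.

    Each record holds the start offset, length, SHA-256 and the carved bytes,
    so every recovered file can be traced back to its position in the image.
    """
    results = []
    pos = 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Look for the footer only within max_size bytes of the header.
        end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: truncated or overwritten, skip it.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        data = raw[start:end]
        results.append({
            "offset": start,
            "length": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
        pos = end
    return results

def build_sample_image():
    """Constructed sample: unallocated space holding two deleted 'files'."""
    file_a = JPEG_HEADER + b"\xe0" + b"A" * 20 + JPEG_FOOTER
    file_b = JPEG_HEADER + b"\xe1" + b"B" * 35 + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"C" * 10  # footer overwritten
    return b"\x00" * 64 + file_a + b"\x00" * 100 + file_b + b"\x00" * 32 + truncated

if __name__ == "__main__":
    for rec in carve_jpegs(build_sample_image()):
        print(rec["offset"], rec["length"], rec["sha256"])
```

The third fragment in the sample has a header but no footer, so it is skipped rather than reported as a recovered file.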
Because computer forensics is concerned with producing court-admissible evidence, all investigations must follow a strict path that is fully auditable in line with the guidelines of the Association for Chief Police Officers for the handling of computer-based evidence. If these guidelines are not properly adhered to, evidence could be thrown out of court. For this reason, computer forensics experts are often called to the stand to testify as to their findings and defend their methods under cross-examination.
It is clear, then, that the differences between e-discovery and computer forensics are considerable, not only in terms of remit, but also in terms of the level of technical knowledge and skill required to successfully carry out an investigation. There is, of course, a place for both disciplines, but it is clear that e-discovery is rarely an appropriate tool for use in criminal rather than civil or legislative matters.