In the Internet age, to gain importance, relevance, followers, and money, people often say what they do is an “art.” Merriam-Webster defines an art as a “skill acquired by experience, study, or observation.” Data collection – my art – while scientifically based, passes the Merriam-Webster test. Proper data collection can make or break cases, and finding a great data collection artist can gain you a clear advantage over your opposition.
Forensic data collections can be expansive, requiring an artist’s attention to detail. From a single email account to an individual’s smart devices to every computer and database in a corporation, they all need to be collected in a safe forensic manner. Some of you may be saying, “Why does it matter how it is collected? If the document, text message, email, or database can be read, what’s the worry?” The worry is admissibility and defensibility in court.
When electronic evidence is presented, the way it was collected must be defensible. For our discussion purposes, defensible means opposing counsel must be convinced nothing has been deleted or altered. Whether you mean to or not, using non-forensic methods can inadvertently alter key pieces of information. One way to confirm this is to look at the metadata. When data is not collected in a forensically sound manner, a possible side-effect is altered metadata. If opposing counsel has cause to object to admissibility because of spoiled metadata, that evidence is most likely out and the risk of spoliation charges, sanctions, and possible summary judgement may be right around the corner.
This makes the proper acquisition of electronic evidence incredibly important. Every forensic expert strives to acquire data in a manner that maintains its integrity and authenticity. Unfortunately, some will fail. Their forensic skills acquired through experience, study, and observation – their “artistry” – fall short when needed most.
Collecting data means creating forensically sound duplicates. In many collections, a write blocker should be used to prevent inadvertent alteration of the original source. Software imaging tools can also be used to create either a physical image of the entire device, capturing all data including what’s been deleted, or a logical image composed of the active directories and files available to a user, i.e. non-deleted files. As a way of verifying the integrity of acquired data, a technique called hashing is used. A digital hash, like an MD5, provides a digital “fingerprint” by running a mathematical algorithm over the contents of a device or file. When needed, recomputing the hash of the data and comparing it to this fingerprint confirms no tampering or alterations. This method has been accepted by courts and the industry as evidence of non-alteration, and the fingerprint is maintained with the case file.
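The metadata risk and the hash check described above, as an added example that is not part of the original post: a Python sketch that records the fingerprints and modification time of a constructed sample file, then checks three copies against that record. The function names, the sample file, and the choice to record SHA-256 beside MD5 are assumptions made for illustration.

```python
import hashlib, os, shutil, tempfile

def fingerprint(path, chunk=1 << 20):
    """Stream the file once and return (md5, sha256) hex digests."""
    md5 = hashlib.md5(usedforsecurity=False)
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def record(path):
    """Case-file entry: content hashes plus the timestamp a careless copy changes."""
    md5, sha = fingerprint(path)
    return {"md5": md5, "sha256": sha, "mtime_ns": os.stat(path).st_mtime_ns}

def verify(entry, path):
    """Return which properties of `path` differ from the recorded entry."""
    now = record(path)
    findings = []
    if (now["md5"], now["sha256"]) != (entry["md5"], entry["sha256"]):
        findings.append("content")
    if now["mtime_ns"] != entry["mtime_ns"]:
        findings.append("mtime")
    return findings

def demo():
    """Constructed sample: one source file and three copies of it."""
    stamp = (10**18, 10**18)  # fixed (atime, mtime) in ns, September 2001
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "memo.txt")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample evidence\n")
        os.utime(src, ns=stamp)
        entry = record(src)  # what goes into the case file
        naive = shutil.copy(src, os.path.join(d, "naive.txt"))    # data only
        kept = shutil.copy2(src, os.path.join(d, "kept.txt"))     # keeps times
        altered = shutil.copy2(src, os.path.join(d, "altered.txt"))
        with open(altered, "r+b") as fh:
            fh.write(b"C")               # one byte differs from the source
        os.utime(altered, ns=stamp)      # timestamp matches the source again
        return {"naive": verify(entry, naive), "kept": verify(entry, kept),
                "altered": verify(entry, altered)}

if __name__ == "__main__":
    print(demo())
```

The ordinary copy keeps the content but not the modification time, while the copy with one changed byte fails the hash comparison even though its timestamp matches the record.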
In the end, data collection is a science, as well as an art. The hard science side includes tools, algorithms, facts, and data. For the art side, it’s experience, intuition, method, and creativity. Having confidence that your team is making the right decisions and choosing the best course of action, even when the way forward is less than clear and obvious, is critical. The expert with the right combination of scientific knowledge and artistry will more often than not be the difference between success and failure. Finding and properly collecting digital evidence puts you in the best position for a positive outcome for you and your clients. If you want to know more, give me a call, and I’ll be happy to discuss in more depth what sets iDS and our collections artists apart from the crowd.
Please email Mr. Garcia at email@example.com to discuss digital collections, forensics, and other analytics issues, as well as how the experts at iDS can assist with all your legal technology needs on your next case or internal investigation.
The opinions reflected in this post are solely those of the author and do not necessarily represent the views of iDiscovery Solutions (iDS), nor any additional current or former employee of iDS. Moreover, any references to specific litigation or investigation work or findings are fact-specific.