Much as people confuse jelly with jam, many lawyers and legal teams confuse eDiscovery with digital forensics. Some consider the two to be distinct disciplines, while others see a distinction without a difference.
Just as jelly and jam are actually two different things (jelly is made from juice or syrup, but jam is made from crushed fruit or pulp), so too are eDiscovery and digital forensics.
eDiscovery refers to the handling, review, and production of electronically stored information (ESI) in a legal matter or litigation. Digital forensics analyzes ESI as part of an investigation, usually into alleged civil or criminal wrongdoing, and is often employed when a party suspects ESI has been tampered with or is unavailable.
Though there are additional differences between the two, both disciplines have their role to play in legal matters or litigation, so lawyers and legal teams should understand the distinction between the two and when they might need to rely on one versus the other during a legal matter.
What Are eDiscovery and Digital Forensics?
eDiscovery refers to the process of identifying sources of potentially relevant ESI, preserving/collecting it, processing it into a usable format for analysis, and then analyzing it for relevancy, confidentiality, and privilege before producing documents in discovery during a legal matter. eDiscovery usually follows the Electronic Discovery Reference Model (EDRM), whose stages include information governance, identification, preservation, collection, processing, review, analysis, and production.
Although eDiscovery is most often associated with civil litigation, it can occur in other legal contexts, such as:
- Internal investigations led by independent consultancies or law firms
- Regulatory investigations conducted by state/federal attorneys general or other government regulatory agencies
- Due diligence during mergers and acquisitions
Compare that to digital forensics, which involves using scientific methods and tools to identify, preserve, collect, analyze, validate, and present ESI as part of an investigation. Digital forensics requires knowledge of investigative techniques for computer systems or equipment/machinery. The goals of a digital forensics investigation may include:
- Locating or reconstructing deleted files
- Using operating system and web histories to develop timelines
- Analyzing metadata to identify critical information, such as user access, alterations to files, or equipment/machinery operations
Key Differences Between eDiscovery and Digital Forensics
Although eDiscovery and digital forensics seem similar, they differ from each other in key ways.
First, eDiscovery and digital forensics differ regarding the parties responsible for analyzing ESI. In eDiscovery, ESI is processed into a more easily reviewable format so legal teams can review it for relevancy and privilege to determine which documents should be produced and which should be redacted or withheld based on the sensitive or privileged information in them. But with digital forensics, computer or equipment experts analyze data from networks, electronic devices, and equipment to present findings to legal teams and/or their clients.
Each discipline has different goals as well. The purpose of eDiscovery is to gather relevant ESI that may serve as evidence in a legal matter or lawsuit. Information governance is key for eDiscovery since it enables parties to legal matters and their legal teams to quickly identify and gather potentially relevant information. Digital forensics, on the other hand, comes into play when ESI may be unavailable or in a format that is not readily reviewable, or when parties suspect that ESI may have been stolen, altered, or destroyed.
Finally, eDiscovery typically works with ESI that has been converted from its native file format into a more common format that’s easily reviewable by parties without technical expertise. But digital forensics works with ESI in its native format, and can also involve the examination of metadata to answer critical questions, such as whether particular users may have accessed, copied, or altered files.
The Power Players: Key Tools and Technologies in eDiscovery and Digital Forensics
eDiscovery and digital forensics each use a different suite of tools and technologies to accomplish their goals.
In today’s eDiscovery world, many legal teams are turning to cloud- or browser-based eDiscovery platforms that can perform most of the steps of the EDRM in one place. These platforms may allow corporations or legal teams to upload raw ESI or sync with common sources of ESI, such as Google Drive or the Microsoft suite, which are automatically processed into a reviewable format. Platforms may also automatically organize files, including through deduplication or email threading. The best eDiscovery platforms allow legal teams to conduct targeted searches for relevant files, review files on the platform, mark or redact files for confidentiality or privilege, and then generate a document production.
Digital forensics employs a wide range of tools whose use will depend on the specific task involved. Investigators use specialized equipment and software to copy raw data and metadata from electronic devices and equipment, especially when there are concerns that files may have been altered or deleted. Investigators may also use software to decrypt protected devices and files. Once digital forensics investigators extract data from a device, they use forensics platforms to examine files and associated metadata, as well as to recover or reconstruct files that were deleted or became corrupted.
Organizations, digital forensics investigators, and legal teams must stay at the forefront of eDiscovery and digital forensics tools because of the ever-increasing amounts of data and file types that must be handled or reviewed during investigations or discovery. They must also ensure that their tools allow them to conduct a defensible forensic investigation or discovery production. Investigations or productions that omit critical data could lead to legal liability and damages, a costly settlement, sanctions, or other financial consequences for a party involved in a legal dispute.
Both eDiscovery and digital forensics have a role to play in legal matters. While eDiscovery involves organizing, analyzing, and producing ESI as part of an investigation, transaction, or legal dispute, it often can only take place after digital forensics ensures that legal teams have all of the relevant ESI.
Digital forensics investigators can help legal teams recover corrupted, altered, or deleted ESI or identify incidents of tampering with critical data or files. In digital forensics, the investigators analyze data, while in eDiscovery outside vendors or particular members of a legal team may collect and process data for analysis by other members of the team.
Organizations and legal teams should understand the purpose and capabilities of eDiscovery and digital forensics so they can identify when each process is appropriate for the situation they’re facing and the data they’ll need to review.
When organizations need to retrieve raw data or determine if networks or ESI have been improperly accessed, changed, or deleted, they should turn to digital forensics experts for help. However, if an organization finds itself in a legal matter or dispute, its legal team should turn to eDiscovery to gather, review, and produce relevant documents and information for investigators, regulators, or opposing parties.