A multi-part series on the essentials practitioners need to know about ESI collections
In “Collection and the Duty of Technology Competence,” we discussed lawyers’ duty of technology competence and the importance of understanding collection to fulfilling that duty. In “The Broad Scope of Collection,” we discussed the potential legal and technological scope of collection. In “How Computers Store ESI,” we discussed the operation of computer memory. In “Collecting and Recovering ESI from Computer Memory,” we discussed the technical process of collection. In “The Intersection of Technical and Legal Realities,” we discussed the intersection of that technical process with the legal requirements. In “Self-Collection and Its Risks,” we discussed the first of the three common collection approaches, and in this Part, we review the other two.
Traditionally, the most common collection approach has been in-person collection, in which the person executing the collection is in physical possession of the device(s) to be collected. This may be achieved by sending the devices to the person executing the collection, but is more often achieved by having the person executing the collection travel to where the custodian(s) and their device(s) are. These collections are carried out using specialized hardware and software tools, such as EnCase Forensic or FTK. As we discussed in “Collecting and Recovering ESI from Computer Memory,” these tools include features like write-blocking and hash verification to ensure accuracy and demonstrable forensic soundness.
In-person collection has many benefits. Most importantly, it ensures proper collection from the original source overseen by a professional rather than by the custodian. It can also give the person executing the collection an opportunity to interact with the custodians to gather useful information about the sources and what they contain, combining in-person custodian interviews with collection itself. And, when multiple custodians are in the same office location, it can be efficient, even when travel to that location is required.
In-person collection is not ideal for all situations, however. When custodians are distributed across multiple office locations – or when many employees work remotely from home – travel to all of those locations can quickly become too costly and time-consuming to make sense. Having one or more collection professionals on-site can also be disruptive to normal operations and may not be as subtle an approach as you require in certain investigative contexts.
In-person collection also raises the question of who should perform the collections. Instead of relying on third-party collection professionals, some organizations opt to acquire the relevant tools in-house and have one or more IT professionals carry out collections. Not all organizations are willing to assume the tool costs, employee training and certification costs, and downstream testimonial obligations that come with insourcing collection, but for some serial litigants it makes good sense. For everyone else, retaining the services of a third-party collection professional with their own tools, certifications, and ability to provide testimony is generally the best option.
As geographically-distributed (and remote) employees have become more common, remote collection has grown in popularity as an approach. Remote collection comes in three primary subtypes: self-executing devices with instructions, preconfigured drives plus remote access, and enterprise applications:
Of these three, the second subtype is the most widely used, especially for small and mid-size organizations. Large organizations are the most likely to consider investing in an enterprise application for the third subtype. Any of the three can save time and money when dealing with distributed custodians, as long as there is no reason to mistrust the custodians’ cooperation.
Upcoming in this Series
Next, in the final Part of this series, we will touch on some more challenging collection sources, including: enterprise, mobile, social, and cloud sources.