Forensic Readiness and eDiscovery

Forensic Readiness and eDiscovery

Dauda Sule
DOI: 10.4018/978-1-4666-6324-4.ch012
(Individual Chapters)
No Current Special Offers


In a bid to discover, uncover, and stamp out digital crime while ensuring information security and assurance, there is a need to investigate the crime once it has taken place. This will help trace the criminals and also secure an organization against future attacks. Forensic readiness entails that an organization be at alert in terms of digital evidence collection and storage – that is, collecting and storing such evidence constantly in a forensically sound manner, not just when the need for such evidence arises. In the event litigation arises or is anticipated, digital evidence may need to be reviewed by the opposing parties prior to court proceedings to assess quality of the evidence; this is eDiscovery. This chapter explores eDiscovery and forensic readiness. Digital evidence for eDiscovery needs to be forensically sound and provided in a timely and efficient manner - forensic readiness helps to ensure this. This chapter seeks to establish how forensic readiness is relevant to the eDiscovery process.
Chapter Preview


The field of digital forensics is still an emerging one – there are not really any firmly established principles for it yet, although there are guidelines available. Digital forensics is an important aspect of information security especially in this digital age, it is used to investigate and establish proof of crimes committed using IT resources and platforms. Every activity carried out using IT systems and platforms leaves a digital footprint and tends to be stored in the form of Electronically Stored Information (ESI). A review of ESI can reveal a lot about what had occurred on the system and/or platform.

Key Terms in this Chapter

Predictive Coding: Predictive coding is the use of IT tools and techniques, and workflow processes along with human input to filter out key documents for eDiscovery. This is used to reduce the quantity of non-responsive and irrelevant files contained in ESI that will be subjected to manual review.

Bit Stream Image: A bit stream image of a disk drive is a clone copy of it. It copies virtually everything included in the drive, including sectors and clusters, which makes it possible to retrieve files that were deleted from the drive. Bit stream images are usually used when conducting digital forensic investigations in a bid to avoid tampering with digital evidence such that it is not lost or corrupted.

ESI: ESI stands for electronically stored information. This is data and information that is generated on IT media and devices, like PCs, mobile devices, the Internet, CCTV footage, and so on. ESI is constantly generated in the normal course of operations of an organization and also personal individual use.

Litigation Hold: Litigation hold is a preservation order requiring an organization to preserve all data that may serve as evidence relating to legal proceedings involving it. This is required to protect the evidence from corruption, damage and destruction. The litigation hold may be issued by an attorney or issued internally by the organization to employees. Preservation of data that has potential of becoming evidence in a legal case should begin once there is an anticipation of litigation.

Forensic Readiness: An organization habitually gathering and storing ESI in a forensically sound manner pre-empting an incident where the ESI could serve as potential evidence is forensic readiness. The main goal is to maximize the potential of such ESI while minimizing cost involved in investigation.

eDiscovery: eDiscovery is the process whereby opposing parties in litigation review digital evidence in the other’s possession to asses quality prior to full court proceedings. eDiscovery developed from discovery which involved review of evidence by litigating parties prior to court proceedings. eDiscovery may also be viewed as the sum total processes involved in a digital investigation from collection to analysis and review.

Forensically Sound: Digital evidence is said to be forensically sound if it was collected, analyzed, handled and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident.

Digital forensics: Digital forensics may also be referred to as cyber forensics or computer forensics. Digital forensics involves collection, retrieval, analysis, review and storage of digital evidence in a legally acceptable manner usually for civil or criminal investigations and proceedings or in-house investigations. There are different types of digital forensics like disk forensics, memory forensics, network forensics, mobile forensics, and so on.

Chain of Custody: A chain of custody is a document that records all the processes digital evidence passed through from the point of collection to preservation as evidence in court or other proceedings. Details of how the evidence was collected, analyzed and stored are recorded, including who accessed it, when and why.

Complete Chapter List

Search this Book: