Best Evidence

When it comes to electronic preservation of evidence in civil litigation (as opposed to criminal evidence collection), there is real debate about what the best evidence to preserve actually is.

On the one hand, you want to ensure you collect everything that is relevant.  On the other, you can’t collect primary sources for everything in most modern companies, because it is too disruptive.  For example, in a civil matter we don’t pull the physical disks from the email server, whereas seizing them is highly likely in a criminal proceeding.

The question then becomes, what’s best?  How do you preserve defensibly whilst doing so economically?  This is harder than it sounds, because the duty to preserve begins when litigation is reasonably anticipated, not when it is actually filed.

Our mandate is to preserve broadly, but how without breaking the bank?

By using a reasoned approach, seasoned with the perspective of a potential litigator and a judge.

When collecting materials, consider how the matter might play out and designate custodians and sources accordingly.  Then determine the most effective means of preserving them, and what arguments you can make if you’re excluding anything.

For example, if we preserve email based on a filter, is that filter sensible in terms of what the litigation might reference?  If the filter is too restrictive, opposing counsel will object and the judge might rule in their favor.  If we collect too broadly, we risk exposing client business secrets and increasing expenses for evidence handling.

Whatever the limitations you impose on a potential pool of evidence materials, make sure your rationale is sound.  Put yourself in opposing counsel’s shoes and ask the questions they will ask.  Follow the leads they will see, and document why a direction doesn’t make sense or is overly burdensome.

In the end, it is better to over-preserve than under-preserve, but there’s no reason to overwhelm a client with a massive collection effort if something smaller makes sense.  Just make sure you can back it up with fair reasoning.

Efficiency Options

The two premier options for forensic collection are the Voomtech Hardcopy 3P, and the Tableau offerings.  We use both here, in limited ways, along with dcfldd booted from a CD.

One of the things that new people in the field sometimes miss is effective use of technology for client efficiency.  The emphasis here is on parallel collections, but this actually works for any volume, from one machine on up.

As a new forensicator, the impulse can be to obtain the best “device” for collection, based on law enforcement (LE) input or marketing or whatever.  Many of us rush to buy the best device for collection, when in fact no device is necessary, and in many cases a device is detrimental.

Our first loyalty is to the preservation, and our second is to the client, which means our imaging must be flawless (the boot image must never auto-mount or write to the evidence disk, and every image must be hash-verified against its source) and our billing must be minimal.  We are not here to maximize our billable hours; that is morally repugnant.  We should always strive for greater efficiency, and the way to do that is through the use of boot images for collection.

Assuming modern computer hardware (SATA 2 or later, USB 2 or later), the difference between using a dedicated device and using a boot image can be startling.  On a single older PC a dedicated device will quickly show a speed advantage, but on truly modern hardware (SATA 3 / USB 3) a boot image equals or exceeds it in speed, at no equipment cost.

Dedicated devices cost money, around $2000 apiece.  A boot image is free, other than the time to create it.  Both collection processes require opening a PC and messing with cables.  Both take about the same time on similar hardware, with the dedicated devices being faster on older hardware.

But if you need to do two or more, the cost effectiveness of a boot disk clearly shines.  Duplicate the boot disk however many times necessary for a parallel effort (one tech can manage 10 running instances, typically) and do multiple PCs at the same time.

The cost for using a dedicated device is $2000 x # of collections.

The cost for using a boot disk is $0 x # of collections.

The time (assuming you can afford that many devices) for dedicated devices is N collection devices each running for one connect-and-image time, but in parallel, so the setups overlap with the imaging: connect device 1, connect device 2, and so on to device N.  By the time you get to the end of your setup loop, the first device is finished, and by the time you finish putting them all back together, the last one is finished and you close up.  The elapsed time is roughly one image time plus the setup and teardown overlap, not N image times.

The time is the same for the boot disk, only there’s no upfront cost for equipment.  And boot disks don’t break.  And they stay current with technology and don’t cycle out as technology advances.

(Dedicated devices win on slower machines, but this is offset once the number of collected machines grows enough to overcome the efficiency gap.  Meaning, USB 2 is slow, but 20 USB 2 boot-disk collections running at once finish faster than 20 dedicated hardware collections split across two devices.  There’s lots of wiggle room at low volume; do the math yourselves.)

And you can do a BUNCH of collections in a single sweep.  As mentioned previously (thanks Vestige!) the boot disk is the ONLY WAY to do an entire building in one night.

So if you’re considering buying yet another device, please reconsider.  Devices are nice for collection personnel that don’t know what they’re doing inside a boot image and require strict training (like criminal evidence collection by LE), but for forensic ePreservation, you can’t beat a boot disk.

We like Ubuntu + dcfldd.  It keeps overhead down and increases billing efficiency.  DO IT.
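The parallel boot-disk workflow above (duplicate the image, run many collections at once, verify each one) reduces to a small script once the machine has booted into the live environment.  The following is an added example, not a script from this page or from the Voom or Tableau products: `image_and_verify` copies a source with dcfldd when it is present (falling back to plain dd), then independently hashes source and image with sha256sum and records both in a log; `collect_parallel` launches one such job per source and waits for all of them.  The device paths, the `bs=1M` block size, the log layout and the `.dd` suffix are this example’s assumptions; the inputs in the usage are constructed regular files, not real disks.

```bash
#!/bin/sh
# Added example, not the page's own script.  Image one or more sources in
# parallel and verify each image's SHA-256 against the source.
# Assumptions: sources are readable block devices or files; the output
# directory is on the collection drive, never on the evidence disk.

image_and_verify() {
    src="$1"            # e.g. /dev/sda (assumption: read access only)
    out="$2"            # destination image path on the collection drive
    log="$out.log"

    if command -v dcfldd >/dev/null 2>&1; then
        # dcfldd hashes the stream while copying (hash= / hashlog= are dcfldd options)
        dcfldd if="$src" of="$out" bs=1M hash=sha256 \
            hashlog="$out.dcfldd.sha256" status=off 2>/dev/null
    else
        # fallback when dcfldd is not on the boot image
        dd if="$src" of="$out" bs=1M 2>/dev/null
    fi

    # Independent verification: hash the source and the image separately,
    # so a bad copy is caught even if the imaging tool's own hash is trusted.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    {
        echo "source=$src"
        echo "image=$out"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
        echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log"
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ]
}

# usage: collect_parallel OUTDIR SRC...
# One background job per source; returns non-zero if any image failed to verify.
collect_parallel() {
    outdir="$1"; shift
    rc=0
    pids=""
    for src in "$@"; do
        name=$(basename "$src")
        image_and_verify "$src" "$outdir/$name.dd" &
        pids="$pids $!"
    done
    for p in $pids; do
        wait "$p" || rc=1
    done
    return $rc
}

# Example usage with constructed sample "disks" (regular files, not devices):
#   tmp=$(mktemp -d); mkdir "$tmp/out"
#   printf 'constructed sample disk A\n' > "$tmp/diskA"
#   printf 'constructed sample disk B\n' > "$tmp/diskB"
#   collect_parallel "$tmp/out" "$tmp/diskA" "$tmp/diskB" && echo "all verified"
```

In the field the sources are the machine’s own block devices and the output directory is a mounted collection drive; the verification step is the part that makes the collection defensible, because the log records two independently computed hashes that opposing counsel can recompute later.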