Digital Forensics - Here's What Lawyers Need To Know

Posted by Paulette Keheley | Mon, Jun 15, 2020

Discovery entails a fair amount of detective work for lawyers, as they comb through files and records searching for information that will support their case and provide evidentiary value. There are times, however, when professional investigators need to be brought in to dig deeper into available data and conduct more thorough analysis. 

Digital forensics is an increasingly important component of the discovery process, especially as cases and trials revolve around — and often hinge upon — digital data. This practice is particularly important in criminal cases where chain of custody is a major concern, but it’s just as relevant in civil cases as well.

Lawyers need to understand the ins and outs of digital forensics to ensure the integrity of digital data being used as evidence in support of their cases.


What is digital forensics? Digital forensic definition

Digital forensics is typically associated with criminal law since it can often involve gathering evidence from digital sources that implicate an individual in a crime. However, that view is a bit too narrow to properly convey the full scope of digital forensics and the role it plays in legal matters. We prefer a more inclusive digital forensics definition that covers both criminal and civil cases. 

Broadly speaking, digital forensics refers to the recovery and analysis of any data contained on an electronic or digital platform. In many cases, lawyers will turn to a digital forensics professional when they have reason to believe that potential evidence has been deleted or erased. Deleted emails, text messages, images, and other digital media could — and likely do — contain information that helps make one side’s case in a legal dispute. Experts can conduct a digital forensics investigation, thereby attempting to retrieve deleted documents, crack data encryption, and restore corrupted files, thereby fighting attempts to hide or obfuscate culpability or guilt in a legal matter.

From that perspective, it’s a critical step in the eDiscovery process, especially when data needs to be preserved in pristine condition or when attorneys need to confirm the authenticity of collected evidence.


What does digital forensics cover?

With the increase in digital platforms in recent years, there are a lot of different sources of information that could be applicable to the discovery process. Some notable examples include:

  • Desktop computers.
  • Hard drives.
  • Laptops.
  • External drives such as USB drives.
  • Storage media like CD-ROMs.
  • Smartphones, tablets and other mobile devices.
  • SD cards and memory cards.
  • GPS systems.


That’s a lot of ground to cover, and thanks to the Internet of Things, the scope of eDiscovery has increased even more. The IoT encompasses a wide variety of products that connect to networks and are able to capture, store, and transmit data. IP-enabled cameras, smart speakers, and wearables are all examples of IoT technology that might be relevant to a civil case.

Network-connected devices are growing in numbers, and IDC predicts that by 2025, there will be 41.6 billion IoT devices in the world. At that time, the entire IoT will produce 79.4 zettabytes of data. For reference, a single zettabyte is equivalent to 1 billion terabytes. Digital forensics and eDiscovery is likely going to become much more complicated and intensive over the next few years.


Digital Forensics Best Practices. What are the main steps to digital forensics?

In many ways, digital forensics parallels typical eDiscovery processes. As outlined by the International Organization for Standardization, there are four primary steps to follow in digital forensics:


  • Identification: As with eDiscovery in general, digital forensics begins by diligently reviewing data, records, and files and determining which documents and information provide evidentiary value and are relevant to the case or lawsuit.
  • Collection: Once relevant data has been identified, the next step in the digital forensics process is to collect the physical devices storing that information. 
  • Acquisition: Extracting data from hard drives, storage media, and other devices needs to be handled with the utmost diligence to prevent corruption and maintain integrity.
  • Preservation: Digital forensics necessitates strict preservation methods. The only difference between this process and eDiscovery preservation is the rationale. Digital forensics experts need to create a clear and unimpeachable chain of custody so their collection and digital forensics analysis methods will hold up in court. Lawyers involved in civil cases, meanwhile, are more concerned with preventing counter suits or allegations of negligence.


Both digital forensics and eDiscovery are extremely involved processes requiring a meticulous eye for detail and clear understanding of what data is relevant to a given case and should be collected, preserved, and shared with the opposing counsel.


Follow digital forensics best practices

It’s important that lawyers work with digital forensics professionals who adhere to the lengthy forensics guidelines laid out by the American Bar Association. If not, they run the risk of having evidence that would support or even prove their case excluded from a trial.

Chain of custody is an important matter for both criminal and civil cases when dealing with digital forensics. Legal teams need to be able to demonstrate precisely how data was collected and preserved so there’s no question regarding its authenticity. Because it’s relatively easy to change or alter digital records, any data gathered through forensics that cannot be fully accounted for is likely to be removed from consideration.

Another issue to account for is data diffusion. Due to the widespread use of IoT devices and wireless internet, many individuals may share network connections and machines containing relevant information. As such, it can be difficult to determine conclusively who owns data that is transmitted between devices and across publicly accessible networks. 

Also keep in mind when selecting a digital forensics partner that they may be asked to testify in court to speak about their collection methods and affirm that they followed forensics protocols to the letter. The more experienced and respected your digital forensics team is, the more persuasive they will be when giving testimony.


Make room for a digital forensic plan within your greater discovery plan

There’s no telling what information will come up during the discovery process. It’s not unusual for parties involved in a legal pursuit to attempt to obfuscate critical information by deleting digital correspondences, erasing computer files, or encrypting documents. Depending on the exact circumstances, this activity may be considered criminal activity and punishable as such.

In other cases, however, data with evidentiary value is unavailable through no fault of the owner. Hard drives can be damaged, files can be corrupted and records can be lost through the normal course of business. When such events occur, it’s important that legal teams have the ability to retrieve lost or erased documents to help support their case. Partnering with expert digital forensics specialists is a smart long-term strategy that will ensure lawyers can make their case even when the evidence needed seems lost for good.


If you found this article interesting, be sure to subscribe you and your team to our monthly blog distribution email. This email list is solely for blog distribution purposes and we promise to only send one email per month. To subscribe, simply scroll down and fill out the "Subscribe" form below the comment box.

Topics: Glossary

Comment On This Article

Featured Blogs

Recent Blogs

Product Updates

Subscribe To Monthly Blog Distribution List

The content on this blog is not intended to be legal advice.

Subscribe To Monthly Blog Distribution List