What Every Attorney Needs to Know about Computer Forensics, Part 2: The Difference between Electronic Discovery and Computer Forensics

May 12, 2016 - from DisputeSoft's G. Hunter Jones

Electronic Discovery and Computer Forensics seem pretty similar at first glance: both involve the location, recovery, and review of electronically stored information (ESI), and both deal with the responsible preservation of that data. But the two fields are actually quite different; they require different types of expertise, and they have markedly different goals and outcomes.

“E-Discovery” refers to the identification and preservation of electronic files for litigation with the goal of allowing counsel to make determinations about which electronic files are relevant or privileged. Specialized software from E-Discovery vendors allows for the identification, capture, de-duplication, indexing, storage, retrieval and commenting of electronically stored documents, including emails.

“Computer Forensics,” on the other hand, refers to the investigation and analysis of computers, networks, and digital storage devices to determine how those devices were used (e.g., to access terrorist websites; to send threatening emails; to distribute pornography). Such analysis, historically the realm of law enforcement, is now used extensively in (a) investigations (e.g., does examination of a CEO’s computer indicate she had knowledge of and approved a particular decision?); and (b) litigation (e.g., was a will modified after the decedent’s death? was a medical report altered after the patient’s death?).

Specialized equipment and software are also used in the computer forensics field, but they are quite different from E-Discovery software. Computer forensics equipment and software provide tools for “imaging” a computer’s hard drive (i.e., making an exact bit-for-bit copy without turning on the computer and without altering any data on the hard drive). Computer forensics software also provides tools for analyzing the hard drive and reporting on the results of the analysis. A qualified computer forensics expert reports the source and content of the data and may also offer opinions and interpretations about its meaning in deposition or at trial.

If the objective is to identify and preserve electronic data and to make a determination about its relevance and privilege for production purposes, the situation requires E-Discovery. If counsel needs an expert to find evidence of computer-related actions, such as data alteration or deletion, and to provide opinions or interpretations of forensically acquired data, the situation requires a computer forensics expert. Equally often, a computer forensics expert will be needed to assist counsel in understanding reports or testimony by an opposing expert, including forensic specialists working for law enforcement, and to provide rebuttal reports or testimony.