Hashing, as used in this context, is the process of calculating a large fixed-size number (a digest) that is derived from every byte of a forensic image; changing even a single byte of the image produces a different digest. There are many different hash types, and some of them have been theoretically compromised. To that end we would recommend that two hashes be made – MD5 and SHA256. To date, there has never been a reported case where both hashes were compromised at the same time. Recording both digests at acquisition, and recomputing them later against the stored image, will certify that the image collected is an accurate copy.
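The dual-hash check described above, as an added example that is not part of the original article: the script below reads an image file once, in fixed-size chunks so an image larger than memory can be processed, feeds every chunk to both MD5 and SHA-256, and then verifies a copy against the digests recorded at acquisition. The file names, the sample bytes standing in for a disk image, and the deliberately altered copy are all constructed for the demonstration.

```python
import hashlib
import hmac
import io
import os
import tempfile

# Read the image in pieces of this size so very large images never have to fit in RAM.
CHUNK_SIZE = 64 * 1024

# Both algorithms recommended in the text; computed together in a single pass over the data.
ALGORITHMS = ("md5", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for every byte readable from the binary stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():          # one read, all digests updated from the same chunk
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for data already held in memory."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=ALGORITHMS):
    """Hash the image file at path. Opened read-only: evidence is never opened for writing."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(path, recorded):
    """Recompute the digests of path and compare each to the value recorded at acquisition.

    Returns {algorithm: bool}. Only when every entry is True does the image authenticate;
    a mismatch on either algorithm means the copy is not byte-for-byte identical.
    """
    current = hash_image(path, algorithms=tuple(recorded))
    return {
        name: hmac.compare_digest(current[name], recorded[name].lower())
        for name in recorded
    }


def demo():
    """Hash a constructed stand-in image, then check an intact copy and an altered copy."""
    # Constructed sample data; a real acquisition would hash the full .dd/.E01 image instead.
    image_bytes = b"IMAGE" + bytes(range(256)) * 16
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence.dd")        # hypothetical file name
        with open(original, "wb") as fh:
            fh.write(image_bytes)
        recorded = hash_image(original)                     # what the acquisition log would hold

        altered_bytes = bytearray(image_bytes)
        altered_bytes[100] ^= 0x01                          # flip one bit to simulate a bad copy
        altered = os.path.join(tmp, "evidence_copy.dd")     # hypothetical file name
        with open(altered, "wb") as fh:
            fh.write(altered_bytes)

        return verify_image(original, recorded), verify_image(altered, recorded)


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact copy :", intact)    # every algorithm True
    print("altered copy:", tampered)  # every algorithm False
```

Keep the recorded digests in the acquisition log, separate from the image itself, so that a later verification compares against values the image cannot carry along with any change made to it.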
Now that you have an authenticated image, it is time to extract the relevant data that you require. If you are only pursuing a case for e-discovery, then you will need to use your tool of choice for performing relevant searches for data that is responsive to your requests. Common tools would be Summation by AccessData, Concordance by Lexis Nexis, or Recommind by Axcelerate. There are many tools in this market, so if you need recommendations, let us know. You can also use a service provider to do the heavy lifting for you, if you prefer. In any case, you should have created a list of terms that each side agrees to, and then submit those terms to search the forensic images that you have.
We have been asked before “Can’t we just search a hard drive for documents without imaging it?” The short answer is no. The simple act of searching and opening documents to see if they are relevant may change the “modified” date and cause the evidence to be called into question.
Once the data has been selected, it is typically subject to review by opposing counsel. This is another area of concern. If you have done the collection for your client, extracted the information, and selectively given the results to the other side, it may be questioned whether or not everything was made available. This is a great scenario in which to have a third party make the image, acquire the files, and submit everything to counsel for privilege review. Once that process is completed, the third party can then forward the responsive information to opposing counsel.
If, however, you believe that it will be necessary to engage the services of a forensic examiner, there are other steps that they will take before releasing the data to counsel. They will search the imaged data for files that have been deleted, files that have unexpected dates, files that are encrypted, files that are password protected, and also search for evidence of anti-forensic software (which is used to obfuscate or completely destroy information on the drive that may be exculpatory or inculpatory). This type of examination will require that you work closely with the forensic examiner to make certain that privilege is protected, and that the desired data has been made available.
Whether you need to pursue the path of e-discovery or forensic discovery followed by e-discovery, we believe that it remains in the best interest of counsel to retain a certified forensic examiner as a qualified person for the purposes of acquisition, authentication, and examination. Just as there are armchair lawyers, there are also plenty of IT people who hold no certifications in their craft. Choose wisely.

Randall William Zinn