
Introduction

The document introduces eDiscovery, emphasizing its significance in legal proceedings involving electronically stored information (ESI) and digital evidence. It outlines the processes involved in eDiscovery, including collection, preservation, analysis, and presentation of digital evidence, while also discussing the importance of legal admissibility and digital forensics. Additionally, it compares eDiscovery with digital forensics, highlighting their similarities and differences in terms of evidence handling and investigative depth.

Uploaded by

atiwurchaj

a, b, c, d … eDiscovery: eDiscovery for the Novice


Section 1: Introduction
Introduction
Information technology has come a long way, such that virtually everything
we do, whether at work or leisure, is connected one way or another to a
digital device or platform. This is even more evident in modern corporate
working environments, where virtually everyone has a digital workstation –
whether PC, laptop, tablet, smartphone, etc. Use of electronic and digital
devices leaves traces, or digital footprints, and these digital footprints can
be called upon in legal proceedings when trying to prove or disprove a claim.

When digital devices (like PCs, smartphones, tablets) or platforms (like local
area networks, the Internet, social media) are used, they generate data
which are stored there; this is the digital footprint, the digital evidence.
These digital footprints are referred to as electronically stored information
(ESI). ESI can be of immense benefit when carrying out investigations, not
just as relates to an IT issue like a digital breach or attack, but also in
normal day-to-day civil or criminal issues. However, there are legal
guidelines pertaining to how such digital evidence is to be handled and
presented for it to be accepted legally – this is where digital forensics and
eDiscovery come in. This course introduces eDiscovery.

Digital Evidence – ESI


So what is this electronically stored information that can serve as digital
evidence? Rouse (2013) simply defined ESI as data created, altered,
communicated and stored in digital form. Sule (2015) also defined ESI as
data and information constantly generated on IT media and devices – like
PCs, mobile devices, the Internet, CCTV footage – in the normal course of
organizations’ business or personal use by individuals. The data is usually
stored on the devices and media as information and data are input in them
or pass through them; traces remain. Some of this data and information can
be easily retrieved, while some may require specialized tools and
techniques. This information and data can serve as evidence in the event of
an investigation, whether simple in-house, criminal or civil.

The National Institute of Justice (2015) described digital evidence as
“information stored or transmitted in binary form that could be relied on in
court”, which can be found on various devices and media. The digital
evidence (usually in the form of ESI) is the essential ingredient required in
any investigation relating to computer related crime; however, it can also
assist in non-computer crime related investigations. CCTV footage,
geolocation coordinates, even Internet history can all serve as evidence in
offences and crime that are not computer related.

There have been cases of things like murder and kidnapping that were
solved based on digital evidence. Digital evidence, like the location of a
suspect during the crime based on mobile phone data, search engine history
on suspects’ systems on ways to kill and dispose of a body or
drug/hypnotize a person and so on, could be used to prove a suspect to be
guilty or could be used to establish innocence. There was a disturbing case
that occurred in Canada where a couple of teen boys raped and murdered a
teen girl. The culprits were apprehended based on digital evidence which
included GPS data of a mobile phone at the time of the murder and
communication on messaging applications – notably a confession made on
online gaming platform World of Warcraft’s chat – to mention a few
(Kushner, 2011). Similarly, in the case of Dr. Conrad Murray, digital
evidence in the form of iPhone call records was used by the prosecution
against the doctor. The call, which had a discussion between the doctor and
Michael Jackson prior to his death, was played in the court (Crimesider
Staff, 2011). In the case of Zubulake v. UBS Warburg LLC, digital evidence
was used to prove an employer’s maltreatment of an employee.

It is important to note that the law of evidence in a particular jurisdiction
has to recognize and specify what is considered to be digital evidence for it
to be accepted legally. There have been cases in the past, for example graft
cases, where digital evidence like account statements and CCTV footage
were provided as evidence against a suspect, but their attorneys took
advantage of loopholes in the law that didn’t recognize such as evidence,
and the suspects went scot-free. It is developments like this that led to the
review and evolution of existing laws to capture digital forms of evidence so
as to ensure that such occurrences don’t happen again. Apart from the
evidence itself being recognized, it is also pertinent that the processes of
acquiring, preserving, storing, analyzing and presenting this evidence are
also approved and recognized by the law (warrants to acquire and process,
use of approved tools and techniques, and so on), as we shall come to see.

Digital evidence can be used in investigations, whether civil, criminal or
in-house, to prove or disprove an act. Digital evidence can also be used to
profile suspects and victims; and also can be used to reconstruct a scene to
get an idea of how an incident might have occurred, and possibly mitigate
against reoccurrence. Digital evidence is collected, processed and analyzed
using digital forensics techniques.

Digital Forensics
Normally digital evidence is meant to be presented in a court of law. As a
result, the evidence has to be collected and handled in a manner the court
finds acceptable for the evidence to be admissible. Defiance College (2017)
defined digital forensics as the controlled extraction and analysis of legally
admissible evidence from digital devices. The definition alludes to the fact
that the collection, processing and analysis of digital evidence has to be
done in a controlled manner so that the evidence does not get
contaminated. Due care has to be taken when carrying out these processes
to ensure the evidence is not altered or damaged, which could affect the
outcome of a case, and all the processes should be recorded to give weight
to the value of the evidence (using a chain of custody). The definition also
refers to the evidence being legally acceptable. Legal admissibility of digital
evidence depends on its being extracted, processed and analyzed in a way
that is acceptable by the law of the land – the tools used have to be
recognized and accepted by the law, and those engaged in the processes of
digital forensics also need to be authorized by the law. Digital evidence that
meets these requirements, making it legally acceptable in court, is said to
be forensically sound.

Zatyko (2007) also defined digital forensics as the application of computer
science and investigative procedures for legal purposes using analysis of
digital evidence following proper authorization for search, chain of custody,
mathematical validation, using validated tools, repeatability, reporting and
expert presentation. This definition, similar to the first one, emphasizes
legality and legal acceptance (proper authorization and use of validated
tools). It, however, adds the use of computer science and also the element
of reporting and presentation. Definitely there has to be use and knowledge
of information technology and systems to be able to properly acquire and
analyze digital evidence; and such has to be approved and recognized by
the law. Once all analyses have been carried out, the evidence would have
to be presented in a court of law or the relevant authority (depending on the
type of case) in a manner acceptable to the law. The presentation/report
shows what was determined from analyzing the evidence; this also has to
be done in a legally acceptable manner and also establish that all processes
were carried out in accordance with the law and best practices to avoid
alteration/contamination of the evidence. As previously mentioned, a chain
of custody can help give reasonable confidence that the digital evidence
was properly handled from point of collection up to presentation.

A chain of custody is a document that records everything that affected
evidence collected from the point of collection, through storage, analysis, up
to the point of presentation. It keeps track of the movement of the evidence;
when, where, why and how it was collected, who handled it, how it was
stored, the tools used in analyzing it, any movement, and how it was
handled. The chain of custody helps prove that the evidence was properly
handled and preserved, avoiding tampering and contamination (for example
stating that write blockers were used when extracting evidence from a PC),
and that these were done in a legally acceptable way; hence it helps
establish that the evidence is forensically sound.
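A custody record with the fields listed above can be made tamper-evident, as in the following added example, which is not part of the original document. It assumes SHA-256 hashing of the evidence and hash-linking of entries, neither of which the text prescribes, and every name, timestamp and value in it is constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    # One row of the custody document; fields mirror what the text lists.
    when: str             # timestamp of the event
    where: str            # location of the evidence
    who: str              # person handling it
    action: str           # collected / stored / analyzed / presented
    why: str              # reason or authorization
    how: str              # method and tools used
    evidence_sha256: str  # hash of the evidence at this step
    prev_hash: str = GENESIS
    entry_hash: str = ""

    def digest(self) -> str:
        body = asdict(self)
        del body["entry_hash"]
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    def __init__(self, item_id: str, acquisition_sha256: str):
        self.item_id = item_id
        self.acquisition_sha256 = acquisition_sha256
        self.entries = []

    def record(self, evidence: bytes, **fields) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(evidence_sha256=sha256_hex(evidence),
                             prev_hash=prev, **fields)
        entry.entry_hash = entry.digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return a list of problems; an empty list means the log is intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                problems.append(f"entry {i}: link to previous entry is broken")
            if e.digest() != e.entry_hash:
                problems.append(f"entry {i}: record changed after it was written")
            if e.evidence_sha256 != self.acquisition_sha256:
                problems.append(f"entry {i}: evidence differs from acquired copy")
            prev = e.entry_hash
        return problems


def demo():
    image = b"constructed stand-in for a disk image"  # sample data, not real
    log = CustodyLog("ITEM-001", sha256_hex(image))
    log.record(image, when="2018-04-09T10:00Z", where="Office desk PC",
               who="Examiner A", action="collected",
               why="authorization ref PLACEHOLDER",
               how="imaged through a write blocker")
    log.record(image, when="2018-04-09T12:30Z", where="Evidence locker 3",
               who="Custodian B", action="stored", why="preservation",
               how="sealed bag, signed label")
    log.record(image, when="2018-04-10T09:00Z", where="Forensics lab",
               who="Examiner A", action="analyzed", why="keyword review",
               how="working copy, validated tool")
    intact = log.verify()
    log.entries[1].who = "Someone Else"      # a handler name is rewritten later
    after_edit = log.verify()
    log.entries[1].who = "Custodian B"       # restore, then alter the evidence
    log.record(image + b"!", when="2018-04-11T09:00Z", where="Forensics lab",
               who="Examiner A", action="analyzed", why="second pass",
               how="working copy, validated tool")
    after_change = log.verify()
    return intact, after_edit, after_change


if __name__ == "__main__":
    for result in demo():
        print(result or "log verifies")
```

A rewritten entry no longer matches its stored hash, and an entry recorded against altered evidence no longer matches the hash taken at acquisition, so both kinds of contamination show up when the log is verified.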

As was mentioned under digital evidence, the law of the land has to
recognize and accept the digital evidence as evidence, and also the way and
manner the evidence was extracted, analyzed and presented; otherwise the
whole investigation would be an exercise in futility. To start with, the
collection of evidence has to be approved, usually with warrants or any legal
authorization to collect; the tools and techniques used to acquire, extract
and analyze, preserve and store also have to be approved by the law. In
fact, the person doing the acquisition, analysis and all handling of the digital
evidence also has to have some form of legal approval. The format in which
the digital evidence is presented also has to be in line with what the law of
the land accepts. These ensure forensic soundness.

Based on the foregoing, we can see digital forensics as the law and
computer technology collaborating – it has to be in tune with the law and
requires knowledge and use of information technology. Hence, digital
forensics can be said to be the application of IT knowledge and techniques
as well as legal knowledge to extract, store, process and analyze, interpret,
and present digital evidence in a legally acceptable manner.

eDiscovery
eDiscovery is short for electronic discovery, which can also be stated as
e-discovery or e discovery. In the event of litigation, there is a need for
parties (plaintiff and defendant) involved to gather, preserve, analyze and
present evidence that is relevant to the case at hand; both parties can
review what evidence is in the opposing party’s possession to get a feel of
the strength, which can determine whether or not they would go ahead with
court proceedings or settle out of court. This process is simply referred to
as discovery (or disclosure in the UK). Traditionally, such evidence had
consisted mainly of documents in paper form; however, in recent times the
surge in use of electronic devices for virtually all activities at home and at
work has made ESI the major source of evidence; and hence a new
development in discovery – electronic discovery, eDiscovery (or eDisclosure
in the UK).

eDiscovery usually applies in civil cases as opposed to criminal cases; civil
cases like domestic disputes, divorce cases, corporate cases, copyright and
intellectual property infringements, and so on. Corporate cases could be
internal issues within an organization like employee misconduct, unfair
treatment of employees by organizations; or could be disputes between
different organizations like trade disputes, corporate espionage and so on.
Judge Scheindlin was quoted to have said eDiscovery used to be considered
a subset of discovery, but it has now become the only form of discovery
(Volonino and Redpath, 2010). The statement arises because almost every
activity that would need to be investigated is, one way or the other,
connected to a digital device or platform. Use of digital devices and
platforms generates tons of ESI (big data), even more so in the corporate
environment. In the event of litigation, there will be a need to sort out
data relevant to the case from this big data, and even after that there would
be a need to remove or at least mask some data that are not for public
consumption (like personally identifiable information, trade secrets, private
discussions not directly relevant to the case), that is privileged data.

D4 (2015) defined eDiscovery as a defensible, multistep process in which
electronic data is sought, located, secured, and/or searched in order to
serve as evidence in litigation. Phillips et al (2014) referred to eDiscovery as
simply gathering ESI for litigation, while Brecher and Childress (2009) said
it described the process of preserving, collecting, reviewing and producing
ESI. Phillips et al have a very brief definition, but all the definitions reflect
the collection of ESI, and although Brecher and Childress’ definition doesn’t
state it, it can be implied that the ESI is for litigation. D4 define it as a
multistep process, of which Brecher and Childress mention the processes of
preserving, collecting, reviewing and producing ESI, and these are some of
the major steps involved in the eDiscovery process. eDiscovery consists of
nine steps: information governance, identification, preservation, collection,
review, analysis, production and presentation; we shall see these in more
detail in the third section. The mention of ESI or electronic evidence and
litigation signifies that the evidence has to be recognized as legal, that is,
legally acceptable, as D4 state that eDiscovery should be “defensible”.
Defensible in the sense that the processes involved all have to be carried
out in a legally acceptable manner, taking due care not to
damage/alter/contaminate the ESI.

So the main theme of eDiscovery is ESI: how it is collected, handled,
analyzed and finally presented with regards to litigation, and eDiscovery
begins prior to a trial. All these have to be done in line with legal
requirements to ensure admissibility, ensuring that the ESI does not get
contaminated – IT has to be applied to get the ESI in a legally acceptable
manner ensuring forensic soundness. So there is a convergence between IT
and the law in eDiscovery. eDiscovery can be summarized as the sum total
of the processes of collecting, reviewing and analyzing, and presenting
digital evidence to the opposing party and/or court in litigation, which begin
prior to a trial.

Digital Forensics and eDiscovery: Comparison


Digital forensics and eDiscovery have some things in common; some part of
the eDiscovery process may even require digital forensic experts. For a
start both of them work with electronic evidence which has to be
forensically sound. They also might be carried out using the same tools and
software in some cases, for example digital forensics software can be used
for keyword searches in eDiscovery; moreover some tools and software are
integrated to be used for both eDiscovery and digital forensics. Both digital
forensics and eDiscovery require a combination of law and computer
technology to be carried out. However, they are not the same; some of the
points on which they differ include:

Specific evidence requested: In eDiscovery, specific ESI are requested, so
it’s just a question of locating, analyzing and reviewing, then presenting the
evidence. In the case of digital forensics investigations, it may not be that
straightforward; there might have to be investigations first to discover
evidence to prove a case. For example, in the example of the teenage rape
and murder mentioned earlier, the necessary evidence was not known prior
to investigations; various potential evidence sources had to be analyzed to
get the evidence used to uncover what had transpired; this was a digital
forensics investigation. In the case of eDiscovery, by contrast, for example
the case of Zubulake v. UBS Warburg LLC, email evidence was requested;
the evidence source was already known before the process started.

Depth of investigations: Digital forensics requires more in-depth
investigations because, as stated above, the necessary evidence and its
source may not be known prior to investigations; hence more investigation
and analysis have to be carried out to get a “smoking gun”. eDiscovery
doesn’t require that level of investigation, if at all. eDiscovery is more of
processing and delivering digital evidence, while digital forensics requires
more in-depth investigations and analysis, and may even require restoration
of data.

Level of technicality: digital forensics requires much more technical
expertise than does eDiscovery. There is more likely to be the need, for
example, to restore deleted files in investigations in a bid to unravel what
may have transpired in the case of digital forensics. When such a method is
required in eDiscovery, a digital forensics expert is likely to be called upon.

Volume of data: eDiscovery may require high volumes of data to be
reviewed, but this is narrowed down as the specific ESI required is known.
Not so digital forensics; here the specific evidence required and even the
specific place to locate it may not be known prior to investigations,
therefore there would be a need to search and analyze a larger scope of
data.

Civil versus Criminal cases: eDiscovery is more applicable to civil cases,
while digital forensics is the requirement for criminal cases. However, civil
cases that involve computer use at the core would not require eDiscovery;
rather, digital forensics would apply as there might be a need to recover
deleted or hidden data (IntaForensics, 2010). There are instances where
eDiscovery might end up changing to digital forensics; an example could be
a divorce case with pornography being the central cause for divorce, with
the spouse accused of indulging in pornography denying it. The computer
system and mobile device of the spouse accused of indulging could be
reviewed and child sexual exploitation material could be discovered.
Automatically this evidence has brought up a criminal case (as child sexual
exploitation material is a criminal, not civil, matter) that has to be
thoroughly investigated using digital forensics. The eDiscovery case will be
treated separately as a civil case.

Digital forensics and eDiscovery may be similar, but they are not the same.
eDiscovery may use digital forensics tools and techniques, but not to the
extent of a full blown digital forensics investigation.

Definition of Key Terms


Chain of custody: the chain of custody is a document that records
everything that affected evidence collected from the point of collection,
through storage, analysis, up to the point of presentation. It keeps track of
the movement of the evidence; when, where, why and how it was collected,
who handled it, how it was stored, the tools used in analyzing it, any
movement, and how it was handled.

Civil case: civil cases are legal cases that usually involve disputes of
private nature between individuals or organizations (Reuters, 2018). The
dispute could be between two individuals, between organizations or
between individual and organization (the state can be considered as an
organization). The issues involved are usually not expected to have harmful
effects on the society as a whole. This includes things like copyright
infringements, divorce cases, employment disputes and so on.

Criminal case: criminal cases are legal cases that involve harm that can
have adverse effects on the society as a whole and are usually between the
defendant and the state. Issues like murder, kidnapping, rape, illicit drugs,
child sexual exploitation material are harmful to the society, not just the
victims; hence the case would be brought by the state as a criminal case.

Defendant: the defendant is a party in litigation that is accused of
wrongdoing and has to defend him/herself, usually with the help of a lawyer,
the defense attorney.

Digital evidence: digital evidence is the digital footprints generated,
stored and transmitted when digital devices and platforms are used which
can be used to prove or disprove a claim in a court of law. The evidence has
to be acceptable by the law of the land, which means the tools used and the
methods of collection and processing have to be approved by the law; and
there has to be reasonable proof that the evidence was not tampered with or
contaminated (usually a chain of custody can help to establish this, even if
just partially).

Digital forensics: digital forensics is the application of IT knowledge and
techniques as well as legal knowledge to extract, store, process and
analyze, interpret, and present digital evidence in a legally acceptable
manner.

Discovery: discovery is a process in which parties involved in litigation
gather, preserve, analyze and present evidence that is relevant to the case
at hand; both parties can review what evidence is in the opposing party’s
possession to get a feel of the strength, which can determine whether or not
they would go ahead with court proceedings or settle out of court. The
process is carried out before full court proceedings.

eDiscovery: electronic discovery, known as eDiscovery for short, is the sum
total of the processes of collecting, reviewing and analyzing, and presenting
digital evidence to the opposing party and/or court in litigation, which begin
prior to a trial.

ESI: ESI is an abbreviation of electronically stored information. ESI is made
up of data and information constantly generated on digital devices and
platforms – like PCs, mobile devices, the Internet, CCTV footage – in the
normal course of organizations’ business or personal use by individuals
which can serve as digital evidence if a legal case or in-house organizational
investigation comes up.

Forensic soundness: evidence is said to be forensically sound if it was
collected, stored, processed and presented in accordance with legal and
regulatory requirements, and with reasonable assurance that the evidence
was not tampered with or contaminated anywhere along the line. Evidence
that is forensically sound is legally acceptable.

Legally admissible: evidence that is legally admissible is one that is
accepted in a court of law based on being recognized as evidence, and the
method by which it was collected and analyzed being approved by the law.
Such evidence is said to be forensically sound.

Litigation: litigation is the act of parties in a dispute seeking legal redress;
usually a lawsuit is initiated by the aggrieved party (the plaintiff) against
the other party (the defendant).

Plaintiff: the plaintiff is the aggrieved party in a legal dispute who initiates
the lawsuit. The plaintiff tries to get his/her claim against the other party
(the defendant) settled in a court of law.

References
Brecher, A. and Childress, S. (2009) eDiscovery Plain & Simple. Indiana:
AuthorHouse, pp. xxi.

Crimesider Staff (2011) Investigator testifying about Conrad Murray’s
cellphone. CBS News. [Online]. Available from:
https://www.cbsnews.com/news/investigator-testifying-about-conrad-murrays-cell-phone/
(Accessed: April 9, 2018).

D4 (2015) The eDiscovery Process Simplified – What Every Legal Team
Should Know [Blog]. D4. Available from:
http://www.d4discovery.com/discover-more/the-ediscovery-process-simplified-what-every-legal-team-should-know#sthash.t9c231yz.dpbs
(Accessed: April 11, 2018).

Defiance College (2017) Digital Forensics Science [Online]. Available from:
http://www.defiance.edu/academics/sm/digital-forensic-science/
(Accessed: April 9, 2018).

IntaForensics (2010) The Distinction Between E-Discovery And Computer
Forensics [Online]. Available from:
https://www.intaforensics.com/2010/10/08/the-distinction-between-e-discovery-and-computer-forensics/
(Accessed: April 18, 2018).

Kushner, D. (2011) Murder by Text. Vanity Fair, [Online]. Available from:
https://www.vanityfair.com/culture/2011/10/world-of-warcraft-text-murder-201110#
(Accessed: April 7, 2018).

National Institute of Justice (2015) Digital Evidence and Forensics [Online].
Available from:
https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
(Accessed: April 7, 2018).

Phillips, A. et al (2014) E-discovery: An Introduction to Digital Evidence.
Boston: Course Technology, Cengage Learning, pp. 20.

Reuters, T (2018) Civil Cases vs. Criminal Cases. FindLaw. [Online].
Available from:
https://litigation.findlaw.com/filing-a-lawsuit/civil-cases-vs-criminal-cases-key-differences.html
(Accessed: April 19, 2018).

Rouse, M. (2013) electronically stored information (ESI) [Online]. Available
from:
https://searchcompliance.techtarget.com/definition/electronically-stored-information-ESI
(Accessed: April 5, 2018).

Sule, D. (2015) Forensic Readiness and eDiscovery. Handbook of Research
on Digital Crime, Cyberspace Security, and Information Assurance, CAP 12.
Hershey PA: IGI Global, pp. 192. DOI: 10.4018/978-1-4666-6324-4.ch012

Volonino, L. and Redpath, I. (2010) e-Discovery for Dummies. Indiana: Wiley
Publishing Inc., pp. 18.

Zatyko, K. (2007) Commentary: Defining Digital Forensics. Forensics
Magazine [Online]. Available from:
https://www.forensicmag.com/article/2007/01/commentary-defining-digital-forensics
(Accessed: April 10, 2018).
