Electronic discovery is any process in which data in electronic or other non-paper form is sought for the purpose of using it as evidence in a civil or criminal legal case. The electronic data can be electrical, mechanical, magnetic, wireless, optical, etc. The information may be stored on a hard drive, compact disc, digital video disc (DVD), flash drive, or with any other method or technology. This article is my opinion, and not legal advice. I am a judgment broker, and am not a lawyer. If you ever need any legal advice or a strategy to use, please contact a lawyer.
The stored data that might be discoverable is known as Electronically Stored Information (ESI). The ability to completely delete or destroy ESI is reduced when data is backed up, either on-site or off-site. Completely deleting data is not a trivial task, because the most common way to delete a file is to remove the first letter or number character of its file name and make the file's disk space available for other data. Until that specific file location has been overwritten, the deleted file is still accessible and recoverable.
Modern operating systems will offer to “securely” delete files; however, that is not fail-safe. Commercially available scrubbing programs do more than merely delete files: they overwrite the file locations several times with random characters, so that the deleted file gets “scrubbed clean”.
However, the only “foolproof” way of destroying stored information is to physically destroy every hard drive or other storage device or system where the file has ever been stored. Physical destruction may include one or more actions that destroy the media the data file resides on, including shredding the media, burning or melting the media, liberal use of a sledgehammer, degaussing, etc. If a file has ever been sent over the internet, it might never get completely destroyed.
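The difference between an ordinary delete and a scrubbing delete, as an added example that is not part of the original article: it models the FAT file system, where deletion replaces the first byte of the file's directory entry with the marker 0xE5 and leaves the data in place. The one-file image layout, the 32-byte cluster size, the file name and the sample content are all constructed for illustration.

```python
import os
import struct

# 32-byte FAT directory entry: 8.3 name, attribute byte, first cluster, file size.
ENTRY = struct.Struct("<11sB14xHI")
DELETED = 0xE5           # marker FAT writes over the first name byte on delete
CLUSTER = 32             # constructed cluster size for this toy image
DATA_START = ENTRY.size  # toy layout: one directory entry, then the data clusters


def make_image(name: bytes, content: bytes) -> bytearray:
    """Build a constructed one-file image; cluster 2 is the first data cluster."""
    padded = -(-len(content) // CLUSTER) * CLUSTER
    return bytearray(ENTRY.pack(name, 0x20, 2, len(content)) + content.ljust(padded, b"\0"))


def data_span(image: bytes) -> tuple[int, int]:
    """Return (offset, size) of the file data named by the directory entry."""
    _, _, first_cluster, size = ENTRY.unpack_from(image, 0)
    return DATA_START + (first_cluster - 2) * CLUSTER, size


def delete_file(image: bytearray) -> None:
    """Ordinary delete: only the first name byte changes, the data stays."""
    image[0] = DELETED


def scrub_file(image: bytearray, passes: int = 3) -> None:
    """Scrubbing delete: overwrite the data with random bytes, then delete."""
    start, size = data_span(image)
    for _ in range(passes):
        image[start:start + size] = os.urandom(size)
    delete_file(image)


def recover_deleted(image: bytes):
    """Undelete: read a deleted entry's cluster and size, return what is there."""
    name = ENTRY.unpack_from(image, 0)[0]
    if name[0] != DELETED:
        return None  # entry is live, nothing to recover
    start, size = data_span(image)
    return b"?" + name[1:], bytes(image[start:start + size])


SAMPLE = b"constructed sample: Q3 ledger, account 0000\n"  # constructed content

if __name__ == "__main__":
    for remove in (delete_file, scrub_file):
        img = make_image(b"LEDGER  TXT", SAMPLE)
        remove(img)
        name, data = recover_deleted(img)
        print(remove.__name__, name, data == SAMPLE)
```

A real FAT volume also frees the file's allocation-table chain on delete, so recovery tools assume contiguous clusters as this example does. On flash media with wear leveling, an in-place overwrite may not reach every physical copy of the data.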
Discovery of electronically stored information (ESI) can be done onsite, offsite, online or offline. In civil matters, most information available offsite and offline is obtained through the use of a Subpoena Duces Tecum (SDT).
The data that can be asked for with an SDT is usually within the scope of Federal Rules of Civil Procedure (FRCP) 34(a). When the SDT requests document(s) and thing(s) that are not stored on paper, care must still be taken to ensure the data stays usable, accessible, and admissible in court. The witness or defendant is usually compelled to disclose the format of the ESI, and any required passwords, to enable the data to be examined by an agent of the court at the time the court specifies.
Whether the matter is civil or criminal, and whether it involves trade secrets, malware, or any other need for data-related evidence, the electronically stored information (ESI) must be captured. Once secured, ESI is subject to the same chain of custody challenges as every other type of evidence. However, since there are no paper documents in ESI situations, the handling and storage of ESI must be carefully managed by people specifically trained for such matters. Cyber-forensic technicians conduct their analysis and evidence gathering on a digital copy of the original drive or media that is subject to examination. The goal is to avoid any chance of harm being done to the original evidence.
In some instances, especially when law enforcement is involved, the court may order the seizure of computers for forensic analysis, or may order a surreptitious intrusion under the guise of a search warrant, or some other form of subpoena.
When critical evidence is needed, and there is a risk that such evidence may be deleted, modified, or destroyed, the means of electronic discovery may be expedited by hacking into a computer or network system. Most occurrences of hacking into a computer or network under such conditions are conducted by government agencies executing search warrants. The type of media most often examined is that which is suspected of storing evidence of financial crimes, theft of trade secrets, or other internet-related potential crimes.