E-discovery, or electronic discovery, is the process of locating specific data on electronic devices and the internet, usually for use as evidence or in an investigation. It is one of the core practices of computer forensics professionals and ranges from simple to complex procedures for obtaining that data. The process covers many types of data, including but not limited to emails, text messages, chat messages, pictures, video, electronic documents, spreadsheets, and log files.
The Struggles of Discovering Data
Gathering data can be harder than it should be. There are times when the investigator has to scour the internet (possibly using web crawlers) just to find basic information about a person or a company. It does not help that most files, such as documents, CSVs, spreadsheets, and PDFs, can be password-protected, and that messages can be encrypted on the fly. Worse, these files have a good chance of having been corrupted or deleted from their drives. Investigators not only need to get through the security measures applied to a file, but also have to locate and recover it.
Although electronic data is easier to hide and can have multiple security measures applied to it, it is difficult to destroy. Unlike physical evidence, which can easily be destroyed, electronic data that has simply been deleted can still be recovered and pieced together. In fact, many data recovery professionals are known to have recovered files that were originally thought to be impossible to recover.
When drives suspected of containing files useful for evidence and investigation are found, the professionals first have to make sure the drive is not contaminated or altered in any way. One way of avoiding drive contamination is a technique called cloning. Investigators clone all of the files from the original drive to another drive, which they can then scrutinize. To make sure that the cloned drive contains all of the original drive’s files (no more, no less), the investigator compares hashes. A hash is essentially the fingerprint of a piece of electronic data: when the hashes match, the copy is treated as the original file, the same way a person with a matching fingerprint is considered to be that person.
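The hash comparison described above, as an added example that is not part of the original article. It assumes the source and the clone are available as image files and uses SHA-256; the names hash_image, verify_clone, source.img and clone.img are illustrative, and the sample data is constructed. It also covers the case of a clone written to a larger target drive, where only the source's length is hashed and the surplus is reported.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a large image never sits in memory


def hash_image(path, length=None, algorithm="sha256"):
    """Hex digest of the first `length` bytes of `path` (the whole file if None)."""
    digest = hashlib.new(algorithm)
    remaining = length
    with open(path, "rb") as image:
        while remaining is None or remaining > 0:
            block = image.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not block:
                if remaining is None:
                    break  # reached end of file
                raise ValueError(f"{path} ends {remaining} bytes early")
            digest.update(block)
            if remaining is not None:
                remaining -= len(block)
    return digest.hexdigest()


def verify_clone(source_path, clone_path):
    """Compare a clone against its source over the source's length."""
    source_size = os.path.getsize(source_path)
    clone_size = os.path.getsize(clone_path)
    result = {"match": False, "extra_bytes": clone_size - source_size,
              "source_sha256": hash_image(source_path), "clone_sha256": None}
    if clone_size < source_size:
        return result  # truncated copy: data is missing, nothing to compare
    # A larger target drive leaves trailing bytes; hash only the source's span.
    result["clone_sha256"] = hash_image(clone_path, length=source_size)
    result["match"] = result["clone_sha256"] == result["source_sha256"]
    return result


if __name__ == "__main__":
    # Constructed sample data standing in for a source image and its clone.
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source.img")
        clone = os.path.join(work, "clone.img")
        data = os.urandom(3 * CHUNK + 512)
        with open(source, "wb") as f:
            f.write(data)
        with open(clone, "wb") as f:
            f.write(data + b"\x00" * 4096)  # clone written to a larger target
        print(verify_clone(source, clone))
```

A non-zero extra_bytes with match set to True means the source's contents are intact on the clone but the target holds additional bytes, which should be recorded in the report.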
Investigators have to go through all the trouble of locating the electronic data, cloning all suspected drives, recovering files, decrypting messages, and hacking through all of the security features applied to each file, none of which is easy to do. Exhausting as that may be, there is one more thing that specialists have to do in e-discovery: write a comprehensive report on the whole process and possibly present it verbally in court.