Friday, July 29, 2011

The Difference Between Computer Forensics and eDiscovery

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my previous posts, “Computer Forensics: Following the Digital Bread Crumbs” and “eDiscovery: Digital Data Gives Birth to New Industry”, I covered computer/digital forensics and the emergence of eDiscovery as distinct professions that both deal with the handling of digital evidence. Because both disciplines work with digital data, there is some confusion about how they differ. Digital forensics encompasses the entire universe of data stored on a hard disk drive (HDD), whereas eDiscovery usually focuses only on a smaller subset of the data on the drive: the active files a user can see.

Computer users are familiar with the meaning of used and free space on an HDD. In Microsoft Windows, a drive’s properties are depicted on a pie chart that shows the total disk storage capacity, as well as the used and free space. (See figure.)

In technical lingo, the free space is referred to as “unallocated clusters” while the used space is referred to as “allocated clusters.” In computer file systems, a cluster (or allocation unit) is the smallest unit of disk space the file system hands out to files and directories; it spans one or more sectors (commonly 4,096 bytes on NTFS, i.e., eight 512-byte sectors). A file always occupies whole clusters, so the unused tail of its last cluster (“file slack”) is counted as used space but may still hold bytes left over from whatever previously occupied that cluster.

A simple way to understand the difference between eDiscovery and computer forensics is to think of the HDD allocation model. eDiscovery focuses on data stored in allocated clusters, while computer forensics deals with both allocated and unallocated clusters, i.e., the entire physical drive, including file slack and any space outside the defined partitions.

eDiscovery filters out program, temporary and system files (commonly by file type and by matching file hashes against a known-file list such as NIST’s National Software Reference Library, a step often called “deNISTing”) and processes only active, user-accessible files. These are usually Microsoft Office or other office-suite files (documents, spreadsheets, presentations, databases, PDFs, etc.) and email. The files are then processed in an eDiscovery engine, where they are indexed and catalogued, and then usually loaded into a litigation support platform (software designed to aid law firms in document review during litigation; for more information see the American Bar Association website).

On the other hand, computer forensics investigates everything, including deleted files or remnants from former files that have been partially overwritten. A forensic examiner must pay particular attention to certain operating system and log files, temporary files and the file remnants found in unallocated clusters.

For example, data remnants (file artifacts) from web-surfing sessions, including access to webmail accounts (e.g., Gmail, Hotmail) and chats, are usually found in temporary Internet files or in unallocated clusters. Certain system files log information about external devices, accessed files, executed software, deleted files, etc. On Windows, for instance, the registry records USB storage devices that have been connected, shortcut (LNK) files and jump lists record documents that were opened, Prefetch files record programs that were run, and the Recycle Bin’s index files record the original names and deletion times of files sent there. None of this is in scope for a logical eDiscovery collection.
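To make the allocation model concrete, here is a small added example (constructed for this post, not the author’s tooling or any commercial product). It models a FAT-like volume as a cluster array plus an allocation table, then contrasts a logical, eDiscovery-style collection that walks only the directory with a forensic sweep that reads every cluster: signature carving recovers a deleted file intact from unallocated space, and a raw keyword search finds a remnant whose header was overwritten when a new file reused its first cluster. The `<DOC>...</DOC>` “document format”, the 16-byte clusters, and every file name and content are made up for illustration.

```python
"""Toy model of the allocation view described above.

Added example, not the author's tooling. The FAT-like volume, the <DOC>...</DOC>
"document format" and every file name and content are constructed; real file
systems, sector sizes and slack behaviour are more involved than this.
"""
import math

CLUSTER_SIZE = 16   # bytes per cluster (real volumes: e.g. 4096 on NTFS)
NUM_CLUSTERS = 16
REVIEW_TYPES = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".eml", ".txt")


class ToyVolume:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.owner = [None] * NUM_CLUSTERS   # allocation table: None = unallocated
        self.directory = {}                  # name -> (cluster chain, byte size)

    def write(self, name, data):
        need = max(1, math.ceil(len(data) / CLUSTER_SIZE))
        chain = [i for i, o in enumerate(self.owner) if o is None][:need]  # first-fit
        if len(chain) < need:
            raise OSError("volume full")
        for k, c in enumerate(chain):
            chunk = data[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            # Only the bytes written change; the unused tail of the last
            # cluster keeps whatever was there before (file slack).
            self.clusters[c][:len(chunk)] = chunk
            self.owner[c] = name
        self.directory[name] = (chain, len(data))

    def delete(self, name):
        # Like a real delete: release the allocation, leave the bytes on disk.
        chain, _ = self.directory.pop(name)
        for c in chain:
            self.owner[c] = None

    def read(self, name):
        chain, size = self.directory[name]
        return b"".join(bytes(self.clusters[c]) for c in chain)[:size]

    def raw_image(self):
        """What a forensic acquisition captures: every cluster, in order."""
        return b"".join(bytes(c) for c in self.clusters)

    def describe(self, offset):
        """Classify a raw-image offset as allocated, slack or unallocated."""
        c, within = divmod(offset, CLUSTER_SIZE)
        name = self.owner[c]
        if name is None:
            return "unallocated"
        chain, size = self.directory[name]
        live = min(CLUSTER_SIZE, size - chain.index(c) * CLUSTER_SIZE)
        return f"allocated ({name})" if within < live else f"slack of {name}"


def ediscovery_collect(vol, review_types=REVIEW_TYPES):
    """Logical collection: walk the directory, keep active files of reviewable
    types. Deleted files, slack and unallocated space are invisible from here."""
    return {n: vol.read(n) for n in sorted(vol.directory)
            if n.lower().endswith(review_types)}


def forensic_carve(vol, header=b"<DOC>", footer=b"</DOC>"):
    """Signature carving over the raw image, regardless of allocation:
    pair each header with the next footer, or report the hit as partial."""
    raw, hits = vol.raw_image(), []
    pos = raw.find(header)
    while pos != -1:
        nxt = raw.find(header, pos + len(header))
        limit = len(raw) if nxt == -1 else nxt
        end = raw.find(footer, pos, limit)
        complete = end != -1
        data = raw[pos:end + len(footer)] if complete else raw[pos:limit].rstrip(b"\0")
        hits.append({"offset": pos, "where": vol.describe(pos),
                     "complete": complete, "data": data})
        pos = nxt
    return hits


def keyword_search(vol, keyword):
    """Raw keyword search: finds remnants even when their header is gone."""
    raw = vol.raw_image()
    return [(off, vol.describe(off)) for off in range(len(raw) - len(keyword) + 1)
            if raw[off:off + len(keyword)] == keyword]


def build_scenario():
    """Constructed activity: two files deleted, one of them partly overwritten."""
    vol = ToyVolume()
    vol.write("notes.doc", b"<DOC>Vendor kickback paid, keep quiet</DOC>")  # clusters 0-2
    vol.write("draft.doc", b"<DOC>Draft: move funds offshore</DOC>")        # clusters 3-5
    vol.write("report.doc", b"<DOC>Q3 report, final</DOC>")                 # clusters 6-7
    vol.write("system.log", b"boot ok; svc started")                        # clusters 8-9
    vol.delete("notes.doc")
    vol.delete("draft.doc")
    vol.write("memo.txt", b"call counsel")  # reuses cluster 0: notes.doc header overwritten
    return vol


if __name__ == "__main__":
    v = build_scenario()
    print("eDiscovery sees:", list(ediscovery_collect(v)))
    for h in forensic_carve(v):
        print("carved:", h["where"], "complete" if h["complete"] else "partial", h["data"])
    print("keyword 'kickback':", keyword_search(v, b"kickback"))
```

Run as a script, the logical collection returns only `memo.txt` and `report.doc` (the log is filtered out as a system file and the two deleted files are gone from the directory), while the carve recovers `draft.doc` in full from unallocated clusters and the keyword search locates “kickback” starting in the slack of `memo.txt` and running into the unallocated cluster that follows. The carving loop bounds each footer search at the next header so one missing footer cannot swallow a later, intact file; a hit without a footer is reported as partial rather than dropped.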

Certified Fraud Examiners readily recognize the critical value of digital evidence in a fraud examination. They also need to fully understand the differences between eDiscovery and digital forensics in order to seek the appropriate technical advice and consulting services.

Reader Comments (6)

This was just superb and very interesting. Article of appropriate size and offering technical info. Please write more on forensics. Try giving a few technical tips like exactly how to do something, like for instance, unformatting an HDD in XP. That would be highly appreciated.

July 29, 2011 | Unregistered Commenter Zahid Aziz

Thanks for your suggestions!

August 1, 2011 | Registered Commenter Mandy Moody

This is very useful information. Any further guidance on what forensic technologies that are currently on the market are best for eDiscovery would be much appreciated!

August 1, 2011 | Unregistered Commenter BM

Zahid:

Thank you for the positive feedback. I plan on posting more columns to this blog that will cover some technical details; however, given that this isn't a technical blog, the items that are covered have to be understandable to non-techies and of relevance to CFEs.

Regarding your question about un-formatting a HDD: I'm not sure what you're trying to get at. If you mean recovering a lost partition, there are methodologies that forensic examiners follow which may result in being able to recover a partition. However, once a disk is formatted, that's pretty much an irreversible process. On the other hand, reformatting a HDD generally doesn't overwrite all the old data, so some of it may still be recoverable. However, references to the old file system are generally lost, so recovering intact files from the old partition may be difficult, particularly if the file was fragmented.

I hope this helps.

Best regards, Phil

August 2, 2011 | Unregistered Commenter Phillip Rodokanakis

BM:

Generally, forensic technologies are not applicable to eDiscovery and vice versa. Although both technologies deal with the recovery and preservation of data, they generally follow different protocols and use different tools to accomplish their respective goals. On the other hand, I do see more and more law firms asking that forensically sound images of Hard Disk Drives (HDD) be acquired during the collection of custodian data, even though these images are then used to export the custodian's files that will be reviewed using the eDiscovery software. Having the forensic image of the entire HDD available may come into play at a later time, so it's a safe bet to acquire it in the first place.

Guidance Software, the maker of the EnCase software that was one of the first forensic applications made available commercially, has developed a robust eDiscovery application that is based on the EnCase approach to digital forensics. I presume there are others out there as well, possibly software made available by AccessData that markets both forensic and eDiscovery products. However, most eDiscovery applications are based on the premise that they will be processing logical file data that has been copied from custodians' workstations, servers, etc. Therefore, they don't make many provisions for the type of data that's generally available to forensic examination software.

I hope this answers your question.

Best regards, Phil

August 2, 2011 | Unregistered Commenter Phillip Rodokanakis

Phil,

I have noticed it is getting much harder to find web mail artifacts in TIF for most of the browsers out there. If I can recover them at all they are located in memory, hiberfil, pagefile, or file slack. From what I have researched, this is due to the fact that (following Gmail's lead), the developers are using java to render the web mail pages and as a result we don't see the cached pages in TIF anymore. Using tools such as Internet Evidence Finder seems to be the best bet for recovery. Also, this makes capturing RAM on seizure all the more important... any thoughts on this?

John

August 19, 2011 | Unregistered Commenter John
