Toolbox
Rules of Evidence - Digital Forensics Tools
Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools
By Mary Brandel
Are you purchasing the tool to do more than forensics work? According to John Patzakis, vice chairman and chief legal officer at Guidance, customers are increasingly justifying the cost of its EnCase Enterprise product by targeting it not just at forensics but also at e-discovery. "They realize they're spending $30 million to $40 million on outsourcing their e-discovery function and another $10 million to $20 million in investigations, so the business case is more compelling when they combine [the two processes]," he says.
Both Guidance and AccessData offer an e-discovery module that automates keyword searches across the network to find documents relevant to pending civil litigation or to regulatory compliance.
"If you're trying to collect all the files having to do with the XYZ merger, you may or may not need to do that in a forensically sound way. But, it's tough to make that decision, which is why many companies are simply buying products like EnCase," says Jason Priebe, Of Counsel in the Chicago offices of Seyfarth Shaw.
Evaluation Criteria for Digital Forensics Software
Here are some key criteria to include in your search for the best tool:
Courtroom admissibility. If there's any chance of needing to use the evidence you collect in court, you should look carefully at which tools have been tested in a courtroom and how much success they've had there, according to Rhodes-Ousley. "One of the most important factors to keep in mind is courtroom admissibility of evidentiary data," he says.
EnCase is not the only tool to fit that bill, but because it's used extensively by law enforcement, it's gained a lot of familiarity with judges, Priebe says. "It's stood the test of experts challenging its sufficiency," he says. "It's a little harder when you have to have the IT person saying, 'Let me tell you how the tool works.'"
Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files, such as executables. Or you might be able to narrow down data by using keyword searches or context-searching capabilities. "It's not the blunt instrument that grabs everything and then you sort through it later," Priebe says. "You can stage it on the storage device and de-duplicate it right then and there." E-discovery costs rise quickly during the attorney review stage. "Getting data from 2 terabytes to 5GB can save a company millions on one case," Patzakis says.



