Defensible Forensics for Electronic Discovery
The Federal Rules of Civil Procedure dictate that reasonable efforts must be made to preserve, collect and produce to adversaries any evidence related to anticipated litigation, a task for which forensic services are typically required. However, civil litigation typically does not require the same order of magnitude of effort as criminal matters, and appropriate tools, processes and economies of scale can be applied to increase speed and reduce cost and risk throughout the process. By combining Iris’ forensic expertise with its experience in electronic discovery—and by working with its clients to determine the specific case needs and potential risks—Iris creates the right defensible forensic solution for each particular matter.
Iris’ Forensic Culling Can Save Up to 50% on Electronic Discovery Costs
Iris provides its clients with cost efficiency in the forensics process by designing a specific solution based on the needs of the client and the matter. In addition, Iris helps its clients save throughout the discovery process by forensically and defensibly culling data.
Forensic Culling reduces the amount of data that must be subsequently processed and searched from custodian hard drives after they’ve been collected and imaged. Typical forensic reduction only involves the elimination of system files by using NIST or NSRL known system file lists as a guide, but Iris’ Forensic Culling goes beyond traditional de-NISTing. Iris’ process offers an option of exclusionary, inclusionary, and customized culling that is defensible and can be reproduced over multiple custodians and media storage devices.
- Inclusionary Culling extracts all user-created files using the most common user-created file extensions.
- Exclusionary Culling excludes any files and folders that cannot be created by a user, such as system folders, system, executables, fonts, code, plug-ins, and 0-byte files.
- Customized Culling gives the choice of using date ranges for any timestamps, including or excluding deleted files, including or excluding file paths, including or excluding multimedia files, including or excluding specified hash values, and proprietary file extensions.
For example, a PC may contain files and folders that cannot be created by a user, such as system folders, system, executables, fonts, code, plug-ins, and 0-byte files. Iris can individually confirm each such case and omit them from the data extractions where appropriate. Typically, less than 50% of the data remains to be forensically extracted, resulting in a greater than 50% reduction in downstream processing, hosting and review costs.
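The three culling modes described above, applied to a constructed file inventory and recording the rule that removed each file so the run can be reproduced across custodians. This is an added example, not Iris' process or tooling; the extension lists, system paths, shortened hashes and the `cull` function are assumptions made for illustration.

```python
import posixpath
from collections import namedtuple
from datetime import date

# Constructed inventory row: path, size in bytes, SHA-1 (shortened, fake), modified date, deleted flag
Entry = namedtuple("Entry", "path size sha1 modified deleted")

# Assumed lists for illustration only; a real matter would document the agreed lists
USER_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pst", ".txt"}
SYSTEM_EXTS = {".exe", ".dll", ".sys", ".ttf", ".fon"}
SYSTEM_DIRS = ("c:/windows/", "c:/program files/")

def cull(entries, known_hashes, mode, extra_exts=(), date_range=None, include_deleted=True):
    """Return (kept, dropped); dropped pairs each path with the rule that removed it."""
    kept, dropped = [], []
    for e in entries:
        path = e.path.lower().replace("\\", "/")
        ext = posixpath.splitext(path)[1]
        reason = None
        if e.sha1 in known_hashes:                      # de-NISTing against a known-file list
            reason = "known-file hash"
        elif mode == "inclusionary" and ext not in USER_EXTS | set(extra_exts):
            reason = "extension not on include list"
        elif mode == "exclusionary" and e.size == 0:
            reason = "0-byte file"
        elif mode == "exclusionary" and (ext in SYSTEM_EXTS or path.startswith(SYSTEM_DIRS)):
            reason = "system path or type"
        elif date_range and not (date_range[0] <= e.modified <= date_range[1]):
            reason = "outside date range"               # customized option
        elif e.deleted and not include_deleted:
            reason = "deleted file excluded"            # customized option
        if reason:
            dropped.append((e.path, reason))
        else:
            kept.append(e.path)
    return kept, dropped

KNOWN = {"a1a1"}  # stands in for an NSRL reference hash set (constructed value)
INVENTORY = [     # constructed sample data
    Entry(r"C:\Windows\System32\kernel32.dll", 712704, "a1a1", date(2019, 6, 1), False),
    Entry(r"C:\Users\jdoe\Documents\contract.docx", 48211, "b2b2", date(2021, 3, 4), False),
    Entry(r"C:\Users\jdoe\Documents\empty.txt", 0, "c3c3", date(2021, 3, 5), False),
    Entry(r"C:\Users\jdoe\AppData\tool\plugin.dll", 1200, "d4d4", date(2021, 1, 9), False),
    Entry(r"C:\Users\jdoe\Desktop\model.xcad", 9000, "e5e5", date(2021, 2, 2), False),
    Entry(r"C:\Users\jdoe\Documents\old.pdf", 3000, "f6f6", date(2015, 7, 7), True),
]
if __name__ == "__main__":
    window = (date(2020, 1, 1), date(2021, 12, 31))
    for mode in ("inclusionary", "exclusionary"):
        print(mode, *cull(INVENTORY, KNOWN, mode, date_range=window), sep="\n  ")
```

On this sample the inclusionary run drops the proprietary `.xcad` file unless its extension is passed in `extra_exts`, while the exclusionary run keeps it but removes the 0-byte file.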
Benefits
Speed. Iris forensic engineers are able to simultaneously image multiple computer systems, effectively doubling or tripling the speed of other service providers. Overall electronic discovery project velocity is further increased by Iris’ Forensic Culling process, which safely and effectively isolates essential data and funnels out the extraneous items.
Cost. Iris understands the balance between eDiscovery and forensics and can design a cost-effective – yet still reasonable and defensible – approach for any matter. Also, by employing Forensic Culling, Iris can significantly reduce the base population of data that is ultimately subjected to processing, reviewing, hosting and production, reducing overall electronic discovery costs by up to 50% or more.
Defensibility. Iris follows law enforcement guidelines for the handling of all evidence. Each step of the discovery process is fully documented and all findings are supported by facts obtained during examinations. Iris’ professionals have a variety of certifications including CCE, CHFI and EnCE. Certified and reliable experts handle all planning and work.
Documentation. For all evidence collected, the chain of custody is properly documented to assure integrity and provide an audit trail back to the original source. This includes numbering and tagging of evidence, photographing computer systems and relevant components, and thoroughly recording all descriptive details such as the make, model, serial number, employee name, and asset ID that are associated with each device from which evidence is collected.
Security. Iris’ standard best practices for handling evidence include measures to ensure that it is not altered in any way during the collection process and can be safely preserved. Iris employs the latest advanced tools and software such as write blocking appliances which prevent change or damage to originals. Specialized forensic tools and processes such as hash comparisons are used to verify that an exact copy is acquired and preserved.
Expert Testimony. Iris’ experts can not only develop a defensible process based on best practices and the Federal Rules, but will also testify in hearings or in court as to the validity of that process. Iris can also provide expert services to audit and analyze the preservation efforts of opposing parties and provide documentation in support of briefings.
Services
Iris’ Computer Forensic Services include the following disciplines:
- Collection planning
- Data preservation and collection
- Computer user profiling
- Data imaging
- Email server mailbox collection & verification
- Evidence custody chain and inventory tracking
- Preliminary forensic culling & filtering
- Deleted file recovery
- Registry analysis
- Link analysis
- Advanced forensic analysis
- Password decryption
- PDA/Cell phone seizure and data acquisition
- Cellular phone analysis
- Advanced email investigation
- Digital investigation reporting
- Expert testimony
- Declaration and reporting
- Exhibit production



