Experts in Electronic Discovery & Digital Forensics
PenrodEllis FDD offers four distinct services: Data Preservation, Electronic Discovery (eDiscovery), Computer Forensics (also called Digital Forensics), and Information Systems Security. Although some methods and processes are shared (such as Data Preservation procedures), eDiscovery, Computer Forensics and Information Systems Security are not the same thing. The forensic recovery and production of active, user-generated ESI, including both data and metadata, is the primary focus in eDiscovery. When the focus shifts to the analysis of both active and latent ESI (latent ESI being any salvageable deleted, temporary, discarded, or partially overwritten data), the investigative process also changes, from eDiscovery to Computer Forensics. Information Systems Security is concerned with the analysis of active, system-generated ESI as well as volatile, onboard memory.
The following information will assist you in understanding the differences.
Data Preservation is the basis for eDiscovery, Computer Forensics and Incident Response. While approaching ESI from dissimilar perspectives, each process recovers it from the same source: a forensic bit-stream image. It is the "best evidence" at trial. Analysis of the original storage media is not conducted. Exceptions exist of course, such as the initial phase of an incident response, but they are rare. The actual process of recovering ESI in eDiscovery, Computer Forensics, and Information Systems Security cases is conducted on the forensic image.
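The preservation step described above, as an added illustration that is not PenrodEllis code: the source is read once, end to end, while a SHA-256 digest is computed in the same pass, the bytes are written to an image, and the image is independently re-hashed before any examination begins. The "device" here is a constructed in-memory byte buffer; the chunk size and function names are the example's own choices.

```python
import hashlib
import io

# Constructed sample "device" contents: a zero-filled boot area, one active
# file's bytes, and some residue after it. Not taken from any real drive.
SAMPLE_DEVICE = (
    b"\x00" * 512
    + b"hello.txt contents"
    + b"\x00" * 494
    + b"deleted but still present on the platters"
)


def acquire_image(source, dest, chunk_size=4096):
    """Copy every byte from `source` to `dest` in a single sequential pass,
    hashing the stream as it is read. Returns (bytes_copied, sha256_hex)."""
    digest = hashlib.sha256()
    total = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        dest.write(chunk)
        total += len(chunk)
    return total, digest.hexdigest()


def hash_image(image_bytes, chunk_size=4096):
    """Re-hash the finished image independently of the acquisition pass."""
    digest = hashlib.sha256()
    for offset in range(0, len(image_bytes), chunk_size):
        digest.update(image_bytes[offset:offset + chunk_size])
    return digest.hexdigest()


def verify_image(image_bytes, acquisition_hash):
    """An image is usable as evidence only if its hash matches the one
    recorded at acquisition time; any later change breaks the match."""
    return hash_image(image_bytes) == acquisition_hash


def preserve(device_bytes):
    """Run the whole preservation workflow over an in-memory device and
    return the acquisition record; all later analysis uses `image`, never
    the original device buffer."""
    source = io.BytesIO(device_bytes)
    dest = io.BytesIO()
    copied, digest = acquire_image(source, dest)
    image = dest.getvalue()
    return {
        "bytes_copied": copied,
        "sha256": digest,
        "verified": verify_image(image, digest),
        "image": image,
    }


if __name__ == "__main__":
    record = preserve(SAMPLE_DEVICE)
    print(record["bytes_copied"], record["sha256"], record["verified"])
```

The single-pass hash is what ties the image to the original at the moment of acquisition; re-hashing the image afterwards (and again before each examination) is what lets an examiner show the copy has not changed since.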
ELECTRONIC DATA DISCOVERY
Electronic Discovery involves the recovery and production of active, user-generated files (email messages, documents, spreadsheets, databases, etc.), and file metadata. Active files are located in allocated clusters on a storage drive. Allocated clusters are simply the formatted storage units that contain operative, accessible ESI. After eDiscovery processing, which filters for relevance and eliminates duplicates, recovered ESI is turned over to the client's attorney for privilege review and production. Analysis of the data set by the e-discovery technician is not conducted.
A digital forensic examination captures system, application and user generated ESI from both allocated and unallocated clusters. Unallocated clusters on a storage drive contain latent data, including deleted, temporary, and discarded files as well as residual data from partially overwritten, latent files. Digital forensics also recovers other ESI in the form of logs, index entries, link files and historical records. We call these types of files File Tracking Records (others call them file artifacts) as they contain additional attributes and information about files, which we call ambient metadata, that are not found in system- and application-generated metadata. PenrodEllis digital forensics services include computer examinations (laptop forensics, desktop forensics, server forensics), mobile device examinations (cell phone forensics, smartphone forensics, tablet forensics), storage examinations (drive forensics, USB forensics, flash card forensics, cloud forensics), and security examinations (network intrusion forensics, computer compromise forensics).
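The allocated/unallocated distinction drawn in the two paragraphs above, as an added worked example that is not PenrodEllis code. It builds a constructed six-cluster image with a toy directory table and allocation bitmap (both invented for the example), then shows the three views: the active file content an eDiscovery pass would produce, the slack bytes left in the active file's last cluster by an earlier, larger file, and a deleted record carved by signature from unallocated clusters. The `NOTE` marker stands in for a real file signature.

```python
CLUSTER_SIZE = 64
SIGNATURE = b"NOTE"  # constructed marker standing in for a real file signature

# Constructed directory table: name -> (logical size in bytes, cluster list).
DIRECTORY = {"report.txt": (80, [1, 2])}
# Constructed allocation bitmap: True = cluster belongs to an active file.
BITMAP = [True, True, True, False, False, False]


def build_sample_image():
    """Assemble the sample image. Cluster 0 holds metadata, clusters 1-2 the
    active file (cluster 2 keeps 48 bytes of slack from an older file),
    cluster 3 a deleted note whose directory entry is gone, 4-5 are wiped."""
    c0 = b"META".ljust(CLUSTER_SIZE, b"\x00")
    c1 = b"A" * CLUSTER_SIZE
    c2 = b"B" * 16 + b"OLD memo residue in slack".ljust(48, b"\x00")
    c3 = (SIGNATURE + b"deleted but recoverable").ljust(CLUSTER_SIZE, b"\x00")
    c4 = b"\x00" * CLUSTER_SIZE
    c5 = b"\x00" * CLUSTER_SIZE
    return c0 + c1 + c2 + c3 + c4 + c5


def read_cluster(image, n):
    return image[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]


def active_files(image, directory):
    """The eDiscovery view: logical content of files listed in the directory,
    read from allocated clusters and cut at the recorded file size."""
    result = {}
    for name, (size, clusters) in directory.items():
        data = b"".join(read_cluster(image, c) for c in clusters)
        result[name] = data[:size]
    return result


def file_slack(image, directory):
    """Bytes between a file's logical end and the end of its last cluster:
    residue of whatever previously occupied that cluster."""
    result = {}
    for name, (size, clusters) in directory.items():
        data = b"".join(read_cluster(image, c) for c in clusters)
        result[name] = data[size:].rstrip(b"\x00")
    return result


def unallocated_clusters(bitmap):
    return [n for n, used in enumerate(bitmap) if not used]


def latent_records(image, bitmap, signature=SIGNATURE):
    """The forensic view: carve signature-led records out of unallocated
    clusters, i.e. deleted data that no directory entry points to any more.
    Returns a list of (cluster number, recovered bytes)."""
    found = []
    for n in unallocated_clusters(bitmap):
        data = read_cluster(image, n)
        pos = data.find(signature)
        if pos == -1:
            continue
        body = data[pos + len(signature):]
        end = body.find(b"\x00")
        found.append((n, body if end == -1 else body[:end]))
    return found


if __name__ == "__main__":
    img = build_sample_image()
    print("active:", active_files(img, DIRECTORY))
    print("slack:", file_slack(img, DIRECTORY))
    print("latent:", latent_records(img, BITMAP))
```

Only `active_files` is reachable through the file system's own bookkeeping; the slack and the carved note exist in the image but not in any directory entry, which is why they surface in a forensic examination and not in an eDiscovery production.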
The principal investigation involving Information Systems Security is computer incident response (CIR). CIR is an emergency security assessment of network devices (routers, gateways, switches), servers, client workstations, and storage arrays that may have been accessed by a hacker or malicious software. The initial analysis is conducted on booted (online or "live") computers, whereas subsequent examinations are conducted on forensic bit-stream images collected from the compromised computers. Live computer analysis is a complex process, as the ESI under review is volatile and changes while the examiner analyzes it.