eDiscovery Daily Blog

eDiscovery Best Practices: When Collecting, Image is Not Always Everything


There was a commercial in the early 1990s for Canon cameras in which tennis player Andre Agassi uttered the quote that would haunt him for most of his early career – “Image is everything.”  The quote haunted him because, as a young player, he was considered to be more style than substance and unable to “win the big one” – a reputation that he ultimately overcame.

When it comes to eDiscovery preservation and collection, there are times when “Image is everything”, as in a forensic “image” of the media is necessary to preserve all potentially responsive ESI.  This is especially true when one party is suspected of deleting ESI to avoid producing it in Discovery.  For example, a forensic copy of a hard drive will include every byte of data on that drive, including data in unallocated space and file slack – these are locations on the drive that may contain data that was once actively used, but is now available to be overwritten after that data was “deleted”.

However, forensic imaging of media is usually not necessary for Discovery purposes. When it is necessary, the parties (usually in coordination with the court) must establish a protocol for how that inspection will take place. This protocol must be conducted in a manner that is verifiable and is usually conducted by an experienced professional, trained to collect data in a forensically sound manner and qualified to testify in court to that process if required.

For most cases, collection involves straightforward copying of the active targeted ESI as it exists on the producing party’s system.  However, to maintain the integrity of the metadata, not just any means of copying will do.  Copying files with “drag and drop” using Windows Explorer may get the files from one place to another, but key metadata (such as file creation date, which reflects the date of the copy, NOT the original) may be changed.

Fortunately when doing a targeted collection, there are several applications that, if used correctly, will copy files quickly and effectively while preserving the metadata.  Here are a few:

  • SafeCopy 2: Easy to use file copy utility created by Pinpoint Labs specifically for eDiscovery.
  • Robocopy: Microsoft utility for copying files from one location to another.
  • Upcopy: An “intelligent” file copy utility specifically suited for eDiscovery.

Also, FTK® Imager is an imaging and forensic image preview tool that is a free download and part of AccessData’s Forensic Toolkit®.  FTK® Imager also has the option to forensically acquire specific files using the custom content image option.

With any of these utilities, you can support the targeted collection needs for most cases.

So, what do you think? Have you used any of these utilities for eDiscovery collection?  Please share any comments you might have or if you'd like to know more about a particular topic.