Remote ESI Collection

This technical note describes the methodology for a remote directed collection of ESI from Custodians. It is the procedure followed by the Technical Services department when conducting a remote directed collection.

Collection Obligations Generally

Parties to litigation are generally required to use reasonable, good faith, and proportional efforts to preserve, identify, and produce relevant information. This includes identifying appropriate limits of discovery, such as custodians, relevant subject matter, time periods for discovery collection, and similar parameters to guide preservation and discovery issues.

Discovery should be "proportional," so that the burden or expense of the proposed discovery does not outweigh the likely benefit, considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the action, and the importance of the discovery in resolving the issues.

ESI data collections should be comprehensive without being unnecessarily over-inclusive. The process should preserve the integrity of the data and preserve a chain of custody, but also be cost and time efficient, and not unreasonably disrupt the Custodian or business. 

Collection Questions

The following are some questions to consider when conducting an ESI Collection:

Who are the Custodians?
How many computers, and of what types, hold ESI (by Custodian)?
What email system is used by the organization (e.g., MS Exchange)?
Do personal email accounts (e.g., Gmail, Yahoo, Hotmail) need to be collected?
Will email archives (e.g., PSTs/OSTs) be collected from individual workstations/laptops, or will the organization's IT department generate PSTs from the server?
Does collection need to be done from smartphones, tablets, and similar devices?
Does collection need to be done from LAN shares?
Are there any special ESI file types like accounting databases that might need to be converted?
For workstation/laptop collection, will a directed collection of email container files (PST, OST), Windows or Mac Documents folders, and applications folders be sufficient, or does a forensic image need to be made for preservation or processing?
Are there any cloud data sources that need to be collected (e.g., Dropbox, Google Drive)?

ESI Collection Methodologies

There are two general methods of collection: full disk acquisitions and directed collections. The choice of one or the other will depend on the circumstances of the case. A full disk acquisition involves making bit-by-bit forensic copies of Custodian computers, phones, and other electronic devices. Forensic copies are also known as "images" or "imaged copies" of ESI, collected from multiple custodians and data sources.

A full-disk, or forensic, collection method preserves and replicates all data on a computer or device, including deleted files and information in the slack/unallocated space of a computer drive. Forensic collections are defensible but expensive and may be overkill in many cases.

Directed collections limit the scope and size of an ESI collection from a Custodian instead of acquiring entire drive images. A directed collection is limited to certain file types on a computer and/or certain standard directories on a computer where files are usually stored. Directed collections are flexible and can be expanded to other parts of a computer as they are identified.

Whatever collection method is used, it should be performed without altering application metadata, such as the last saved date, author, track changes, and who last accessed or printed the document. Some collection methodologies can preserve OS metadata as well, but that requires special copy procedures and software, and may be required only in cases where proportionality justifies it. The collection process should also be adequately documented to show the methodology used, both for chain of custody and in case the collection is challenged.


Directed Collection Protocol

The following documents a remote directed collection methodology using remote access software. 

Step 01: Custodian Identification

Identify the Custodians from whom ESI will be collected, including name, position, and email addresses used.  Enter these as Case Participants/Custodians in the applicable case in the Lexbe eDiscovery Platform (LEP). 

Step 02: Computer/Account Identification

Identify the individual computers and/or email accounts from which collection will be conducted. Enter this data in the notes field of the Custodian in LEP. Obtain login credentials and passwords used to secure accounts, email archives, and other ESI.

Step 03: IMAP Collection from Cloud-Based Email Accounts

For cloud-based email accounts like Gmail, Yahoo, AppleMail, Hotmail, etc., log into the Custodian's account, enable IMAP connections, and sync into a new MS Outlook archive PST file.  Document available information from the server sufficient for chain of custody identification.

Step 04: Remote Collection of Workstations

For remote collection of workstations, laptops, and other Custodian computers that are connected to the Internet, log in remotely to the identified Custodians' computers using remote access software that allows (with Custodian permission) remote control of the device.

Once access has been achieved, install, if needed, WinRAR (to archive collected data) and FileZilla (to FTP collected ESI off the subject computer).
 
Search the computer (with access to hidden files enabled) for PSTs, OSTs, MSGs, and other common email file types. Archive all files found as RAR.

Identify the standard document directory on Windows and Mac OS X computers and archive it as RAR for collection. This is usually C:\Documents and Settings for Windows computers and Home<username>/Library/Preferences/documents or /library/mail for Mac OS computers.

Step 05: ESI Data Transmission

ESI collected as a result of a remote session should be securely copied from the subject computer via FTP, or alternatively copied to a local flash or USB drive and returned.

Step 06: Remove Installed Software and Archives

Remove all software installed for the collection (e.g., WinRAR and FileZilla) and the evidence RAR archives created as part of the remote collection.

Step 07: ESI Media Report for Chain of Custody

Technical Services will generate an ESI Media Report documenting the collection to support evidence admissibility.

See Defensible Collection of Web-Based Email for more information and to view and/or download a sample Chain of Custody Report.
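
The integrity and chain-of-custody requirements behind Steps 04 through 07 can be supported by a hash manifest taken on the subject computer before archiving and re-checked after transmission. The following Python code is an added example, not part of the Technical Services procedure or of any Lexbe tool; the function names (build_manifest, verify_manifest, demo) and the use of SHA-256 are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

EMAIL_EXTS = {".pst", ".ost", ".msg"}  # container types named in Step 04

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks; the file is opened read-only, so content and mtime are untouched."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, exts=EMAIL_EXTS):
    """Record relative path, size, last-modified time and SHA-256 for each match under root."""
    rows = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            st = p.stat()
            rows.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return rows

def verify_manifest(root, manifest):
    """Return manifest paths that are missing or whose hash no longer matches."""
    return [r["path"] for r in manifest
            if not (Path(root) / r["path"]).is_file()
            or sha256_file(Path(root) / r["path"]) != r["sha256"]]

def demo():
    """Constructed sample: stand-in files, one altered after the manifest is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Outlook").mkdir()
        (root / "Outlook" / "mail.pst").write_bytes(b"constructed pst")
        (root / "note.MSG").write_bytes(b"constructed msg")
        (root / "skip.txt").write_bytes(b"not an email container")
        manifest = build_manifest(root)
        (root / "note.MSG").write_bytes(b"altered in transit")
        return [r["path"] for r in manifest], verify_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Reading a file to hash it does not change its content or last-modified time, but the operating system may update the last-accessed time depending on filesystem settings.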