
Blurring the line between Forensics and e-Discovery

8 Posts
6 Users
0 Reactions
850 Views
jhup
(@jhup)
Noble Member
Joined: 17 years ago
Posts: 1442
Topic starter   [#8510]

Is it me or do the rest of you also see some organizations attempting to blur the line between forensics and electronic discovery?

Electronic discovery, in my opinion, is a sub-set of forensics - or more weekend forensics.

Although e-discovery processes can lead to forensic analysis, it is, again in my opinion and experience, a rare case. Few law-firms want to pore over a couple of terabytes of e-mail and readily available documents, just to get into unallocated or slack space, registry entries, log files, non-evident artifacts, partially reconstructed documents, etc.

Why do some organizations pretend that the two are the same? Since when does an e-discovery expert become a digital forensics expert?

It is like an ER nurse compared to a microvascular surgeon. :mrgreen:



   
(@patrick4n6)
Honorable Member
Joined: 17 years ago
Posts: 650
 

ED is not less, it's just different. And just as there are varying degrees of skill in CF practitioners, the same can be said of ED professionals. There's a distinct difference between an ED tech who captures email and feeds it into a processing engine, and an ED team lead who works on process development and strategy, just as there's a difference between a CF entry level who only does capture vs a CF lead who does everything.

ED is not a subset of CF, it's just an application of some of the same tools and methods with a different goal. Now ideally, we'd change the system so the goal of CF and ED were the same, but that's not going to happen. It's more like comparing heart surgery to brain surgery; they both use the same tools and many of the same methods, but a cardiologist is not qualified to perform brain surgery, nor vice versa.

My bias in these comments: I'm a CF expert by training and experience who's an ED expert for a Fortune 500 because that's where my skills were most needed. I know plenty of CF guys who suck at ED, and plenty of ED guys who know nothing about CF.



   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I tend to agree with Tony Patrick - both important skills but different.

My exposure to ED was largely tape based. Tapes typically have no slack space, BUT they do record everything selected at a specific date and time. Without exceptional skills, data on tapes cannot be tampered with, so they produce a nice snapshot of data (and mainly e-mails) at a specific time.

Many ED skills are based around e-mails, and making sense from very large files, with many duplicates.



   
ForensicRob
(@forensicrob)
Eminent Member
Joined: 21 years ago
Posts: 26
 

What organizations are attempting to blur the line? I know of some organizations (like www.ASDFED.org) that are interested in catering to both specialties, but I don't think that they are trying to blur the line.



   
(@jonathan)
Prominent Member
Joined: 21 years ago
Posts: 878
 

I completely disagree with the sentiment but couldn't stop laughing at the description of e-discovery as "weekend forensics".



   
jhup
(@jhup)
Noble Member
Joined: 17 years ago
Posts: 1442
Topic starter  

First, I want to make sure I am clear - I am not attempting to disparage either eD or digital Forensics practitioners.

I disagree, Patrick, but I do have to temper my statement of "set, subset".

I think that anything an eD expert does from a technical perspective, by its nature a forensic expert will and can do - collect various data, help locate where other relevant data may be, correlate data, produce findings (information from data), and draw expert conclusions.

Indeed, when I work on eD, there is much more back and forth between legal and me, and the conclusions are really just an intermediary piece which gets reviewed further by attorneys. This is not the same with my forensic cases.

Maybe the way I have structured work-flow for digital forensics and electronic discovery lends itself to seem to be set, subset.

When legal, HR, or audit approach me with a matter, they get a form, which includes a laundry list of check boxes and options.

The scope and expected work product may be different, but it does not matter to me if it is eD or digital forensics. The process underlying the checked task is identical.

Ergo my statement, eD work is a subset of digital forensics.

Anything an electronic discovery expert is qualified to do, a digital forensic expert is also qualified to perform, in the technical arena. (I am not referring to special circumstances such as unique systems or such.)



   
jhup
(@jhup)
Noble Member
Joined: 17 years ago
Posts: 1442
Topic starter  

Maybe that was a bit harsh.

Do you remember the "paper CNEs"? That was the first thing that ran across my mind at my recent run-in with some "experts".

I completely disagree with the sentiment but couldn't stop laughing at the description of e-discovery as "weekend forensics".



   
(@oldbloke1)
Active Member
Joined: 18 years ago
Posts: 19
 

In my humble opinion the majority of "Big 4" have in some way blurred, or maybe a better description is to say, they have convinced themselves, that they perform "Computer Forensics".
I have always considered the skill set necessary to understand raw data and the associated facts that can be derived from that, as different from those "used" in the ED world. That is not to say either is less or greater than the other. It's just different.
Popular TV plays a part in making the term "Computer or Digital Forensics" a sexy and lucrative term. Many organisations have what they call a Forensics unit whereas in fact what they have is a data processing unit. All the real analysis is performed by a review platform which merely spews out the answer to what a lawyer has asked. Rarely are you asked to provide details on the metadata, just can you confirm that you preserved it. It is, in my experience, an unusual request for keyword searches to be specifically run across unallocated space as to do so would vastly increase the cost of processing the results for both sides.

So in some ways I tend to agree with the original post…. and just ask yourself this. Are you excited to get a full blown investigation case like a juicy fraud or blackmail as opposed to another 30 custodian discovery collection matter (ignore the financial returns) ………………….
"weekend forensics"!!!
I will henceforth rename my case handling paperwork from ED1 & 2's to WF's … lol

OB-1



   