eDiscovery Investigations in the Age of Remote Work

Julia O’Shea: Hi, everyone. Thanks for joining today’s webinar: eDiscovery Investigations in the Age of Remote Work. My name is Julia O’Shea and I’m a Product Marketing Manager here at Cellebrite. Now I’d like to introduce our speakers today: Derrick Donnelly and Ashley Hernandez.

Derrick Donnelly founded Black Bag Technologies, now part of the Cellebrite family. Derrick previously worked for Apple and was a regular instructor for the FBI Computer Analysis and Response Team. He has taught and lectured at hundreds of forensic conferences around the world. Derrick has completed analysis and given testimony in connection with federal & state and criminal & civil cases.

Ashley is the Vice-President of Product for Enterprise Solutions at Cellebrite, and has worked in digital forensics for over 15 years. She has taught and certified investigators in digital forensics and security topics, including speaking at many digital forensics and law enforcement conferences. Thanks for joining us today, Derrick and Ashley. If you are ready, I’ll hand it over to you, Derrick, so you can get started.

Derrick: Thank you very much, Julie. I’m talking to you from beautiful Victoria, British Columbia. I want to thank you for that presentation, or that introduction I should say, and I want to give you a bit of an idea of what we will hope to do today.

As many of you know, I’ve been involved in a lot of collections, a lot of eDiscovery work over the years and now I’m going into more of a remote capability.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

But I’m going to talk a bit about some of the changes and some of the advantages of doing remote collections, as compared to the more sort of face-to-face type collections and some of the things that can make your life a whole lot easier when you’re now considering doing collections, instead of, you know, doing this face to face.

And also, what may be some of the pitfalls and such, and what are some of the things to sort of think about, but also kind of sort putting this all together with a bit of a hybrid approach too, because there are some ways where we can take advantage of or steal some traditional techniques with some of the remote capabilities.

So as we get started here in the first slide, I want to sort of remind people that when it comes to doing collections, it’s still a very personal thing when you’re dealing with a custodian. People don’t like to give up their system and people are, you know, they’re always often a little bit nervous about sharing information and having you go through their systems to get to the data.

And having done many, many collections, there is a bit of a process where we’re trying to put people at ease with this whole process. Because again, you know, your laptop is this tool that you use for work, but it’s also in many cases now, it’s also potentially the same system; your laptop, your phone, you know, whatever systems you’re working with, are also used for personal things.

And that can be a tricky situation. People are not necessarily comfortable saying, “Okay, I’m just going to hand over my laptop to you and you’re potentially going to find the data that’s important to a potential case.”

And it makes it a little bit easier today that it may be a little easier for the user to, instead of doing this sort of face-to-face, especially as many things have changed in this last year when it comes to dealing with things like COVID and working from home, now there’s the possibility of doing collections where we can potentially do it remotely.

And it seems a little bit more like another process that might be running on your laptop, another solution that might be doing something similar to a virus scan and things like that.

So there is this really important phase where you have to potentially put the custodian at ease, you have to explain what you’re going to be doing, and potentially try to also explain what is the data that’s important? What are you actually going after?

And you hope you can try to target the data. You know, you want to avoid collecting all this data, and the traditional imaging of an entire system. You know, our average laptops now potentially have 1TB to potentially have 2TB of data on our laptop. So when we do remote collections, there’s also the possibility of getting very targeted, looking for maybe just the documents and the documents folder, and also avoiding all that personal data.

And then we have to make sure we’re protecting all this data. So whatever process we’re doing to potentially go into that system, even remotely to go get that data, we have to make sure we’re doing this in a secure manner, that there are policies in place, and that there is also some of the solutions that need to be in there for authentic and potentially directory services.

We’re going to talk a little further about the advantages of doing some of the remote collections, but in an infrastructure of a small company or a large company, you’re tying into hopefully some of that infrastructure when it comes to doing that collection and getting to that data.

And then when you go through that process of potentially putting the custodian at ease, you always learn more about the data, and I emphasise a little bit that this hybrid approach may involve you doing a remote collection, but it also potentially can still involve an interview.

And we’ll talk a little bit further about this, because the thing is, when you start talking to the custodian, you always learn more about, potentially the project, the things they’re working on, and some of the other things that may be important that you haven’t even thought about in your collections.

Ashley: Yeah, Derek, I know in collection times past, we definitely focused on getting maybe a full computer image or a full mobile image, but do you see any trends with trying to narrow down kind of what people are getting? Especially now that we have the ability to actually have more targeted information on the mobile devices? I know before, you know, just like computer, we kind of had to do full images. Have you seen any trends with those, with your experience over time?

Derrick: For sure. Because a lot of times when we’re doing a discovery work, a lot of times we’re potentially looking at maybe the project they worked on, the documents they worked on, but it also may be the communications they may have had with their colleagues or potentially with, like maybe the sales people in their company or something like that.

So we’re starting to look more at things like the apps that were used to communicate, how they were communicating, you know, we’ve done a lot of collections with emails over the years, but now we have all these chat apps that might be critically important, and there may be these other apps used where it’s possible that we can get very targeted and maybe go after specific apps or specific types of data.

Now, yes, there’s potentially gonna be lots of, let’s say Microsoft Word documents and PowerPoint presentations and things like that, and sometimes some people are really organized, and they, you know, they break down their projects or the types of data that they do.

So they can also sort of help you get to the right data and potentially get to the data that’s going to be important to the case because they’re really organized and some people are not. And then that may involve a little bit more digging, but we definitely want to take these steps to try to get as targeted as possible, and also try to make sure we’re not collecting, over-collecting, or collecting personal data.

Ashley: Yeah. I know with mobile phones, what we often hear about is, you know, the desire to not have to collect their videos or their pictures, right? Like, people don’t necessarily wanna share their family photos that are on their phone, but they would be willing to have sort of those third-party chat apps that you talked about.

One of those is, you know, some of those like WhatsApp and Signal and Telegram and all of those. Specifically targeting those chat apps are some of the things that are, highly requested by our customers and things that we’re really happy to be able to offer as part of the solution.

Derrick: And again, it makes a huge difference because again, if you can go after the specific things and again, stay away from the personal day, the family pictures, it’s all going to be part of that process of putting the custodian at ease.

Ashley: Yeah.

Derrick: And what I was saying before too, now that there’s the possibility of having remote collections, there may be some big infrastructure that might be put in place where you have these collection type machines, and it can remove some of the human factors.

Now, in the past, when someone goes and talks to a specific custodian, there’s going to be tendencies of how they collect data. And they may think that some piece of information might be more important than another.

So if we have a solution where we can have a server that can potentially go collect data and do searches based on maybe keywords or even specific targeted folders, or even date ranges, you can remove a little bit of human factors where there can be some biases.

So in collectors in the past, you know, when they sit down with a custodian, they kind of have a script in their mind and they kind of have an idea of what they want to collect. But if you have a central server that might be doing some of this work, and there’s also the aspect that some of this work can potentially be done at night, and maybe the custodian doesn’t even have to be on their system, it could feel a little bit more like solutions that are even doing like a virus scan or a security scan.

Now, for some people that might make them nervous, for other people, it may not. And you can potentially say, “Hey, we’re going to be collecting data from your system this evening. Just be aware that maybe it’d be easier if you’re not on your system at that time.”

Maybe you’ve already done a bit of an interview and you know what to go after, but again, if you have this solution in the background that can potentially do this in a more automated fashion, again, it might make some people a bit more comfortable, especially now that we’re in the middle of COVID.

A lot of people are working remotely, they don’t necessarily want to sit down face to face just because there’s risks of COVID or things like that, or they don’t necessarily want you to come into their home to do this collection because they’ve got their family stuff going on, they’ve got kids, they’ve got all kinds of stuff going on.

And if it can be done remotely, it may make a difference from the standpoint that again, and may put them at ease. There are all kinds of people in the world, and it may have different effects.

But it can also, you know, some of this stuff can have some huge impacts on their schedule. So a remote collection might make that process a little bit easier, especially if potentially you can do things where it’s off hours. And again, maybe you’ve already had an interview or something like that. And you might even be able to try to schedule your collection in the middle of the night.

There’s also the possibility you might be collecting from someone in a completely different time zone, or even in a different country across the ocean. And you may be able to take into account, where you might be collecting in the middle of the day, but it might be the middle of the night for that person.

And also, you’re taking away this sort of big step of potentially minimizing impact on their schedule from the standpoint of taking a system away from them. You know, maybe they have to do a whole bunch of work that day, and you can potentially do a remote collection without impacting the work they need to do that day.

Ashley: So, I know a couple of questions on this one have come up and just, when you’re looking at checking in with a custodian, are you really looking to try and make the collection consistent between one custodian to the other? Or when you’re trying to kind of set up these scheduled collections, is it always different for each person, or do you kind of normalize that in some way?

Derrick: You do try to normalize that, because in theory, before you got to this collection state, you probably have spent a lot of time with legal folks. And you’re kind of coming up with a script and a profile of what you need to collect. So usually you figure out, “Okay, we need to collect these type of files associated as patent,” or something like that.

And so there is a bit of a script from the standpoint, “Okay, we’re looking for files with maybe these keywords with this date range, and we need to find out, even if this custodian is potentially even important to the case.” Because sometimes you always find out some people it’s like, “No, you know, I never really worked on that project, or you really need to talk to Bob. He was the guy that did all the work on that project.”

So it is important to have a bit of a profile and a bit of a script from the standpoint that you said, “Okay, we identified 30 people and we applied the same process to collect the data from those 30 people.” But it’s still fairly dynamic. You usually find out about other people you may need to collect from.

And as I mention a little bit later on too, it’s like, things like keywords may change because you find out new things about the case that now you may need to add some new words to the case. And as part of this whole process, you want to have sort of this standard approach, because it is a collection that is basically still going to have a chain of evidence.

You want it to be defensible, and you want to say that you didn’t do something drastically different with this person because later on when you finally do discovery, you basically have to say, “These are the steps we took to collect from these files, and we followed this process.”

Now there may be some caveats, there may be some specific things that have to be changed, but typically there’s going to be a whole sort of collection process, even a bit of a write-up of saying how we’re going to collect the data from lots of different people.

Ashley: Yeah, and I think the process is different when it’s talking about computers versus mobile devices. I know we’ll get into that a little bit later, but as much as we’re able to kind of making that as a central place, that they can kind of track the chain of custody I know is a helpful thing across these different sources, whether it’s computers or cloud sources or mobile sources, having them all through one way to access them, one set of solutions is really helpful.

Derrick: And it helps the whole process, your validation of your collection.

Ashley: Yeah, absolutely.

Derrick: So, some other things to sort of keep in mind when you’re looking at remote collections is that you want to also work probably pretty closely with the IT folks because potentially with a remote collection, there are usually many times where there may be an agent that needs to be installed.

And if you can potentially get the IT folks on board, you might even be able to take steps to in pre-install agents, maybe in advance of, you know, an upcoming legal case, but you can potentially get them involved to get things installed in advance so that when you’re in a hurry and you need to go start collecting data from users that some of the work has already been done to make sure that you’ll have access to the system, including making sure you have proper authentication, the directory services and such.

And there can be cases like examples of HR investigations where suddenly, boom, you need to get a lot of data quickly. And if you can work sort hand in hand with the IT folks, they may even be able to take some of the stress of getting the software installed at the end point to go get this data.

And there may be also other cases that you may work with IT to potentially even collect and you may need to make some firewall changes, or you may need to have access over a VPN to make sure that you can get to these systems, and if they’ve taken all the steps to get that access ready for you, because you may be also working as a consultant where you might be collecting from this system, but you’re not actually on the same network.

So again, it may be important to have access in advance. And you may also want to do some small runs, even some small triage examples where you might say, “Okay, this is what we want to collect, this is what we’re thinking.” You select maybe a couple custodians, and you do some smaller collections to get a sense of what kind of files they have, what kind of data is sitting on their system, what kind of apps are used, and this can go for the desktop, it can go for the mobile device.

And that can make a huge difference later on when you’ve done some small test cases almost, with a couple of custodians, doing some triage to get a sense of, you know, what do they typically have on their system? What are their main tools that are going to be used? What are the main tools used for communication? And then that may also be used or crafted that collection policy for later on when you potentially have to collect from a hundred people or so.

Cross platform is really important when it comes to remote collections, because you’ve got people that might have all kinds of different operating systems, all kinds of different laptops, all kinds of different hardware out there. They may have Windows, they may have Mac OS10, they may have a Linux system.

And because we have a lot of people working remotely, and we had the possibility of people having BYOD where they’re potentially bringing their own device to the workplace or are having their own device in the workplace but they’re actually doing it from home, it can make a huge difference.

You want to make sure that your solution is cross-platformed, so it can handle lots of different file systems. Make sure it handles mobile devices, make sure it’s handling desktops and laptops and such, can also handle older versions of the operating system.

Because a lot of times you’ll talk to these custodians and they say, ”Oh, that was on my older laptop. That was a laptop I was using two years ago. I still happen to have it here at home, but it could potentially be a much older operating system.” So you want to make sure that you’re across platforms, that you’re across OS versions and that you’re also supporting the mobile devices and doing this all in a very standard manner.

Ashley: Yeah. I mean, I think we have a couple of just notes in here about questions on, can we handle collecting from mobile and cloud and some of those computers and within our solutions that you can handle gathering data from each of those types of sources.

And I think for eDiscovery, Derrick, you can tell me what you think about this, but primarily we are going to be looking for those documents, emails, but communication is the one, you know, when we think about this, like, live always-on communication, that is really where the focus of a lot of this discussion happens now.

Those are gonna be on things like Slack and on things like, you know, Teams or other messaging applications like WhatsApp. I think we start to see now that we need maybe a couple of different types of sources to really get the full picture around communication specifically. Is that kind of what you’re seeing as well?

Derrick: Absolutely. And there are tons of apps, right? There are all these social media apps. And sometimes these apps have been integrated into the businesses, sometimes they’re not. Sometimes they are kind of homegrown, too. Some tools actually may actually be developed by the company itself. And some people just decided, “Hey, I really like this app, let’s start using it.”

But all those methods of communication become quite critical. And it’s amazing how many examples of, you know, even an online chat session can have critical information about projects because people are just saying, “Hey, I finally got this working.” or something like that. And that happened, let’s say in Slack or something like that.

And all of those formats of communication are going to be really important and they’re not necessarily going to have a really nice server you can go to, and that server could be controlled by a third-party vendor.

So, solutions like Slack and Discord, it may be much more difficult to go and get that data from the source, let’s say a central server. So you may need to get that data directly from the app on the mobile device. And there are always going to be occasions where there are going to be examples that just were non-sanctioned apps. There’re just apps that, you know, people just start using.

And some of these smaller groups will say these great examples. It’s like, “Oh, I just found this new app. It’s really great. And it allows me to share files quickly.” Another great example of this is note-taking apps. Almost every time when you have collections there’ll be people that use some note-taking app.

And you know, it’s an app that was really never put forward by the IT folks, they just start using it. And then you always find out that, oh, you know, critical data about the project was all stored in this note-taking app that you’ve potentially never heard before.

And the one other thing that’s really important is that a lot of times collecting email from these devices may not be easy. It might be a little bit easier to collect from some of the apps, but a lot of times the OS is locking down email these devices. So you may have to go more to the desktop or laptop for email, or maybe go from the central server.

Ashley: Yeah, I think we’re seeing that, you know, organizations kind of need a solution that allows them to target all three different types of sources and then being able to bring that data together is critical, because if you’re going to see the full communication trail, that might need to have some things from the desktop, some things from the mobile apps and then some things from the servers.

And so kind of providing that end-to-end visibility is something that, you know, we’re seeing more and more, and the way that we’re able to do some of that with allowing that actually to happen remotely, I think is going to help us, especially with mobile phones, as you were talking earlier, custodians being, hesitant to give up their devices, before, that was kind of really the only option is for you to hand over your device to someone to do a collection.

So I think this really opens up with the ability collect from mobile devices remotely, the ability to get that data without having to have that custodian actually lose access to the device, whether it’s an executive or, you know, someone in legal, it’ll really help us get the full picture of kind of what’s happening.

Derrick: And I think you brought up an interesting point. There is a lot of syncing that happens between the laptop and the mobile phone. Like, I tend to use Slack a lot, and I’ll do a lot of messaging on my phone in Slack, but every once in a while when I need to add an attachment, I always find that a little bit more difficult doing attachments or something like that on the phone.

And whereas I often switch to my laptop, then use the desktop version of Slack and then actually do my attachment on the laptop. So again, it may be very important to collect from both. And some data may not be synced in the same app between the desktop and the mobile environment.

Ashley: Yeah, there are a lot of challenges. And I think for the next section, we’re going to talk about a few of the challenges about where all this data can be and the different ways that we’ll need to kind of work around some of the challenges to getting to that data. So let’s start talking about some of the challenges with mobile data.

Derrick: So, with all these apps out there, some of those apps are storing data on the phone, some are not. Some are actually storing it in an encrypted format and the data may be local on the phone, but the data may also be on some kind of central server that is out of the control of let’s say the company.

And some of those solutions may have some enterprise capabilities where they can do collections, but a lot of them don’t. And there may be occasions where you can’t even dump the data because it’s in a proprietary encrypted format or such, and it might be important to do things as simple as maybe even a screenshot or a copy and paste, because it just may not be as easy to even collect from that specific app because the company might be encrypting the data.

And even if it’s local, it might be encrypted or it may be fully stored on a central server. So there are definitely some things to start being aware of that when you’re doing remote collections, it may not answer everything, but it could actually add some other difficulties in how you collect that data.

Ashley: So some of the things that we’ve introduced recently that I think are going to help with this is, we’ve introduced the ability to do like those remote screenshots in an automated way. For some of the mobile apps, you can have it go through and collect the screenshots of say, the chats, but we also have the QR code access, which is helpful for things like WhatsApp and I think we have it for Telegram, which basically lets you have the user authorize you to do a collection out of their server account.

And so, kind of integrating that into the remote collection, get what we can off the phone, but then supplement that with data pulled directly from some of these chat apps and doing that all in a central way, I think is really going to help kind of automate the manual process of tracking all these different components you need to bring together to complete the collection for a specific custodian or specific matter.

Derrick: Absolutely.

Ashley: All right. So I think next we’re going to talk about encryption, cause that is one we had asked lots of questions about.

Derrick: So we know we have solutions like file vaulting and we have examples like BitLocker and different solutions that can be involved in the encryption on desktops, including the mobile devices. And remote collections can also help with some of those situations when we’re dealing with encryption, especially when it comes to trying to target specific information.

But you potentially want to avoid some of the situations where, again, you’re taking a laptop maybe away from a user, you might need their password to get into it, the company may have set up some master passwords that might allow you to get back into the system.

But a remote collection can also potentially be used to just get onto that system and maybe install the agent, and because the system is still live and you can potentially install the agent on it, even if it’s just local right beside you, it can help you to get around some of the encryption issues.

So instead of potentially trying to image, let’s say, a whole drive or take steps to work with that image and then provide the password and potentially try to mount the file system and try to go after specific files, it could be really interesting to take advantage of remote collections or even the installation of an agent on a system to potentially go get the specific files, even though the underlying whole file system may be encrypted.

And this also kind of comes into play with virtualized environments. In some ways, these virtual containers are very similar to encryption, and again, they can be difficult to manage and there are some tools out there to allow you to work with them.

But when a user has a virtualized environment, you kind of have to think of potentially a whole other operating system sitting on a laptop, you know, hosted on a laptop, and you have to get into that virtualized environment to go collect the files.

And it can be really difficult to actually copy over that entire virtualized container and then go after specific files, whereas you potentially can run in a live environment where the person has brought up their virtualized environment and you can use a remote collection tool to actually again install the agent and go after specific files that may be of interest.

So again, you’ve talked to the custodian and they say something like, “Yeah, I’ve got my regular laptop, but on that project, I actually had the whole thing virtualized.” And they may need to bring it up and then you go install maybe an agent and then go after the specific files that might be important to the collection.

Ashley: Yeah, I think it’s really important, kind of what you’re pointing out here is you have so many different situations you could run into. You could have machines that are totally offline, you could have virtual machines, encrypted machines, kind of giving them the flexibility to handle everything from full-disc imaging of machines that are completely turned off all the way through to mobile collections or virtual environment collections.

eDiscovery now requires you to kind of handle all these different types of systems. They could all have relevant information. I think that is a challenge in making sure you have something that’ll handle the breadth of the different types of systems you might run into.

Derrick: And it kind of goes in hand too, I was saying the sort of cross platform and making sure you’re supporting multiple file systems and multiple operating systems, because there are lots of developers out there that’ll have all these different environments sitting right on the same desktop or laptop.

And we know virtualized environments have become very, very popular and are being even used more for some of the remote work where people are actually logging back into the company and using a virtualized environment.

Ashley: Yeah, that’s definitely something we’ve had customers ask us about; how can we help handle workers who don’t really actually have a laptop dedicated for their work at home? They’re actually connecting in virtually to systems back at headquarters.

So, you know, having something like an agent that runs on those allows you to kind of have real-time access, which is great. So let’s focus on how we can get more targeted data and utilize some of those remote collection capabilities to handle some of the challenges with people being at home.

Derrick: You have to remember that everything you collect there is going to be multiple steps to potentially normalize that data, get it reviewed. The more you collect, the more your overall discovery process is going to be challenging and probably take more time.

So there can be less bias when you use remote collection tools where you potentially use date ranges and go after specific folders and keywords and such. So those keyword lists and ranges become particularly important.

Now, hopefully that’s reducing the amount of files, but also there’s always going to be some false positives. You use one word that you think, “Oh, this is specific to the project.” And then it starts to collect a whole bunch of other emails that are really not associated with the collection.

So targeting your data is important. Again, you want to try to avoid getting personal data, you want to avoid over-collecting. Because at some point, if you over collect, someone is still potentially going to have to review it and then decide, this is not responsive, it’s not part of my case.

So the more time you can spend potentially going after the specific areas, the specific types of documents, the specific project names, it’s going to reduce that whole process from normalizing this data, producing the data and then potentially funneling it down to what actually gets produced.

Because you have to remember, you’re just collecting or potentially collecting and adjusting to get the right collection, but there’s still going to be other people involved, there’s a full review. And the more you collect, the more time it’s going to take to get all this stuff produced when you actually get ready to potentially set it up where then the legal team is spending a lot of time on it.

When it comes to remote collections, you still have basically a chain of evidence to maintain. Yes, it may be a civil case, it’s not a criminal case, but you still have to have validation and you still have to be able to prove what you did. You want to make sure you have really good logs for validation, and remote collections can actually maybe reduce some of the note taking that maybe you may have had to do in the past when you did collections.

Because a good remote collection tool will create some logs for you and can help generate that chain of evidence. So it may actually tell you what time it was scheduled, you know, who you collected from, what date you actually collected from, where you collected, what types of files you collected.

A lot of this stuff would typically normally be in maybe a collection brief that you do at the end, whereas remote collection tools that might be centralized on a server where the repository is, can actually generate a lot of this information.

And again, it helps with the whole process of how you’re validating this later on for discovery. And it’s also properly collecting all that metadata for you in a forensic manner. So, you get that documentation, you want to make sure it’s collecting all that metadata, like all these important dates; the creation date, modification, date, and access date.

All those things are important, including where it was actually collected from; the path that was taken from. And all those things are really important on top of just collecting the file, there’s all kinds of metadata about the file that may be very important.

It may also help in the duplication later on too, because you might get files from different places; they’re all the same file, but I find that always interesting that you have to have things as simple as the path that it came from. Because you can have one file that was stored in project X folder, and just the fact it was stored in project X folder, and that path is important because it reminds you that, you know, this file for some reason, at some point became part of project X.

Ashley: Yeah. I think the response to having kind of like centralized logs for what collections you’ve done across all the different types really does speak to how people are having to kind of say, “Okay, this is when I did this one, here’s the person who did it.” and having those available, and our solution has been really well received.

Because it does take away some of the burden of just managing; what have I done for which custodians, who did it, when was it done, and kind of keeping track of that project management side, that’s really also connected to the chain of evidence. So I think that’s one thing that I’ve really appreciated about having some of the new logging technology.

And then, there was a question about what we’ve used as collection within our solutions. And we do use the standard Cellebrite evidence file formats, whether that’s the computer side or the mobile side, you’re really going to see just the same type of collection that you would see that, you know, can be hashed and validated as opposed to like, just loose file collection. So, some of those you’re going to see as we move forward with our solution offering some of these capabilities.

Derrick: Yeah, we definitely want the files in a container, right? Because that container is also, you know, used for the validation and it’s hashable and things like that. And that makes, again, it all contributes to that chain of evidence.

We all also want to make sure that this whole process is easy, right? Remote collections are tricky and again, there are a lot of steps involved in getting to it, but there’s also, we want to make sure it’s secure, where we want t make sure that the correct people can do the collections, we want all that data to be in some kind of forensic container.

It probably needs to be encrypted. And some countries may even have specific requirements of how data is handled in transit. We want the proper trail of evidence so it’s all properly documented. And there may be central servers that are receiving this data and we’ve got to take steps to make sure that those central servers are secured, too.

Because again, you can have some potentially very sensitive data. I’ve had lots of examples like in patent disputes and things like that where products haven’t been released yet or things like that. So when you’re collecting this data and putting it on a central server, the server itself has to be secure.

So you also want to, again, put the user at ease that when you’re collecting these files, you know, you’re treating this custodian and their data and you’re taking steps to protect it. And I also make sure that if some personal data is collected, that it’s also protected.

So most likely, it will get weeded out by the legal team, but there are always going to be occasions when some personal data may be collected. You’ve taken steps to target as much as possible, but if you can remove that personal data, you want to make sure that when some personal data was collected and it will get weeded out that you’ve taken steps to protect that data, too.

Ashley: Yeah. I think that’s part of, you know, you talked about it being encrypted. We want to make sure anything we collect is protected when it’s transferred back and forth, that it’s protected, all of those kind of like, security first kind of postures that you can take with the process that you’re doing with this. You want to make sure it’s not just, you know, openly available to folks and it’s, you know, stored in a secure way.

So let’s talk about some of the challenges since we’ve had COVID and having travel restrictions and people not working in the offices. Can you talk about how you’ve seen some of the collection capabilities change very specifically with some of these pieces?

Derrick: Well, we know that, you know, under lockdowns or where companies have basically told employees work from home, we don’t want you to come in, even now, just in the last couple of weeks, we’re seeing that open up a little bit, and it was kind of really opening up a little bit more during the summer, and now it’s slowing down again.

Whereas a lot of people thought they were going to be coming back into the workplace this month or next month, you know, with some of the resurgence of the Deltas and such, we know there’s more people still working from home. And we want to be very aware of those situations that whenever possible it might be best to do that as a remote collection.

Now that could still be tricky because there may be some issues connecting to that system at home. Maybe that’s done over the corporate VPN, maybe they have to open up something at home so we can make sure we can connect to them. And we have to be really aware that, you know, some people are still very nervous about this. They’ve got their kids at home, some people may not be vaccinated, and, you know, doing that face-to-face collection could be really, really difficult.

So remote collections really come into play right now in COVID. And it could also be complicated with your schedules; again, kids at home schools, things like that. If work can potentially be done when it’s the middle of the night or, you know, they’re not involved with the kids or stuff like that, that can make a huge difference.

And we know that with remote collections, when we’ve done in the past more sort of face-to-face stuff, there’s all kinds of challenges with traveling.

As I mentioned, right now I’m in Victoria, British Columbia. You know, I had to do a lot of documentation just to fly into Canada. It’s expensive to fly, you know, it’s very expensive to potentially fly to some country just to collect from one laptop, there could be language issues on the ground, there may be data restrictions or privacy policies.

And some countries may not have the infrastructure in place, and that can also be a bit of a challenge for the remote stuff. Sometimes they just don’t have a faster internet, or they might have a slow internet and you want to make sure your tool is working in that environment to potentially collect it at a slower pace, because it may involve multiple sessions.

You have to think too, if you send someone to another country, you know, you’re potentially losing them for a day or two, or you’re potentially losing them while they’re on the flight. And there’s also all the total expenses of travel; obviously, travel restrictions, COVID paperwork, all the COVID testing, visas, flight availabilities are low, and there’s lots of downtime when people are flying.

Ashley: And I know, during the last year and a half or so, where there even were periods of no travel, folks have tried to work around, you know, having face-to-face meetings or having people travel by like shipping computers with software installed on it, or trying to like walk people through things over the phone.

And all those are very time-intensive, and especially with shipping delays as they are, you know, just the investment to try and overcome getting that data remotely has been tricky. I know people have been frustrated and are looking for a way to make sure they can still get access to the data, but you don’t necessarily have to go through all these hoops of either sending people or sending equipment to wherever the custodian’s actually at.

Derrick: Having FedExed a lot of drives and laptops over the years, it can be fairly effective, but it can also be a little nerve wracking because someone is again sending their laptop by FedEx and from another country and sending it to you. People get really nervous about that.

And again, the laptop may be out of pocket for potentially days and people really hate that situation. And again, if their system has personal data on it and they have to ship it to you from another country, if you can do things remotely it makes a huge difference.

I talked a little bit about cloud collections, and with remote collections, there may be cloud tools used that become important; especially in the era of COVID and people working from home, there may be things that are really important to collect from Zoom; when certain meetings are occurred, who was invited to the meeting or GoToMeeting sessions; where all these solutions that are allowing you to work remotely, that allowed you to collaborate, they can potentially become particularly important to a new discovery case, especially also if there are transcripts that may have been saved or maybe the full video recording of that whole session.

And it may be possible to get that remotely from the system. You may also need to go to servers, you might have to talk to the IT folks, but they’ve become particularly important now with remote collections and people working remotely.

Ashley: Yeah, so many people, I mean, I know we worked remotely, not just during the pandemic, but people are working remotely regardless of the COVID situation. And so I think we’re going to start to see more and more of the data available for these meetings. Some of them do store like the chat data, being able to get access to those is important for, again, kind of that visibility to all the communications that were happening around a certain matter.

Derrick: I’d like to bring up the aspect of civil requests. Having spent a lot of time in law enforcement and working with different companies to do search warrants, it’s actually starting to become quite an opportunity also to do civil requests. Whereas in the past, this could potentially only be done as a search warrant.

Now in actual civil cases, people can actually make civil requests to get data from, let’s say, servers from Apple iCloud and Facebook and Google and things like that. So not technically a remote collection, but it’s becoming this new venue where people can go get data.

And again, in a civil manner, it usually involves a consent of the user. So let’s say we have to collect data from user A and they mention, “Well, I stored a whole bunch of stuff on Twitter.” They may have some of that stuff on the remote system, but there’s also now the possibility of doing a civil request to these companies, again with the consent of the user to go get that data collected and potentially get that reviewed and ready, normalized for your discoveries. So it is becoming this new venue to potentially be used in cases to get more data associated with your collections and discoveries.

Ashley: Yeah, I know consent and privacy are two of the larger challenges around eDiscovery, and we have a little bit on our privacy, some of the ways that we’re able to handle privacy with the new options, but what are some of the things they should be aware with when they’re talking about privacy and the data that we’re going to be collecting from?

Derrick: We know with different countries with some of the privacy policies that are coming into effect, including privacy policies that may be instituted by the company or the enterprise themselves, and then the personal data that may sit there and then making sure that everyone’s fully aware of those privacy policies, including you may be collecting from a country where there’s certain data you cannot collect.

And it becomes particularly important to talk to the lawyers in that actual country, not just your own lawyers, but the lawyers in that country, because I’ve done many collections where we were getting ready to collect something and said, “No, you guys can’t collect that here.”

And there may be specific encryption rules of how things are handled in transit, and there may even be requirements that data can only be reviewed by lawyers in the specific country, and some data may not even be allowed to leave the country.

And also think about your central server that might be doing these collections. It may actually have a requirement to be in that specific country. So think of, again, examples in the European Union that there may be a requirement your central servers doing a collection may actually have to reside in the EU and not be outside the country or in the United States.

I know during this whole presentation we’re talking a lot about dealing with remote collections, but there’s still great value in making sure you have that custodian interview. And this is where I can sort consider it the hybrid approach. So maybe you can have a Zoom call with the custodian at the same time as you’re doing a remote collection.

Now that may not always be possible, but I really want to emphasize that again, talking to the custodian, we want to potentially do things remotely, but you always learn more about what they worked on and the types of data they may have. And you always learn about potentially other custodians you may need to collect from.

And the example of potentially using keywords too, you always find out new keywords. I’ve had many cases that started with 25 keywords, and at the end after collecting from multiple custodians, now we had like 100 keywords because people would refer to the project by some other name. So again, some of the traditional techniques may still need to go hand in hand with an actual remote collection.

Some other recommendations I also want to make when you do remote collections, always try to do some dry runs, some smaller runs with a smaller set of custodians, make sure you review the results, including a full legal review. So even though you think the collection might be right, you want to make sure they’re actually reviewed by the lawyers so they can actually decide if the process is still valid.

You may need to adjust date ranges and keyword lists, you may need to look for specific folders, and some companies will have very detailed folder structures, especially on some of their servers and things like that. And it may be important to apply that to potentially your next collection.

So if you can sample different types of custodians and have the lawyers completely review what was collected and try to potentially identify things like maybe there are some unsupported file types, or there are some apps that don’t have an easy way to parse that data.

And always tell the user, it will take more time to do the collection. If you think it’s going to take an hour, let them know that you’re probably going to need two hours, cause you want to adjust if there’s a requirement to adjust, you don’t want to cut yourself short.

And you want to make sure that you have a proper window, so the custodian can maybe not be at the system or it can be done at night, but always sort of overestimate a little bit of how long it’s going to take. And you have a little bit more of a capability here to play with that, because again, hopefully you’re doing a remote collection and you’re not taking the laptop away from the person.

And by doing that remote collection, you can say, “Yes, you know, it may take us about an hour or two or three hours.” but hopefully you’re not tying up their system, you’re not taking it away from them, you’re just basically letting them know that we’re going to be on it for a while, and we’ll let you know, as soon as we’re complete with the collection.

Ashley: I appreciate you sharing kind of how collections have changed over time. You know, from now us needing to consider even more sources beyond just like the computer or the email server to how we can take some of the traditional methods of making sure you do an interview and make sure you get the scope being done and doing those targeted collections into this now new way that we can do remote collections across those types.

So it’s exciting to see that, you know, some of the ways that we’ve done it are still useful, you know, we’re still going to have to sometimes do the offline collections, but that these new options, especially around allowing us to do it for mobile devices are really going to help solve some of the challenges we’ve seen come up in the last year or two with more and more folks working remotely.

So I appreciate you taking the time, Derrick. Are there any other tips you wanted to share before you wrap up? I know we’re almost at the end of the time.

Derrick: Well, you know, Ashley, I know you’ve travelled a lot in the last little while and then, you know, a lot of our travel was put on hold. But I like staying home, and I like avoiding a lot of long flights and you know, these flights are particularly congested.

So anything that kind of avoids me having to fly to, you know, long distances to just collect from like one custodian and one laptop, remote collections make a huge difference. It’s going to be cheaper in the long run, but also, it can be a lot of downtime for a little bit of data.

And remote collections can make a huge difference. And I still like some of that face-to-face stuff, which is always interesting, but it can just be a whole lot easier to go get this data, especially when that person is potentially at home and, you know, we want to avoid some of that and make sure we’re still doing some of that social distancing.

So it probably, remote collections again, sort of really helps with a lot of that social distancing, even though I still want like to see those people face to face.

Ashley: Yeah. I think face to face is going to be mostly Zoom screen to screen for a little while still, but making it easier on the custodian is one of the pieces that I think this will help because they don’t have to give up that phone and they don’t have to travel or lose their devices for a time while we do this collection.

So I think those are going to be things that, start to shift how we do it, especially around mobile devices with not having to get all their personal data, too.

Derrick: Anything that puts that custodian at ease makes for a better collection.

Ashley: Absolutely.

Julie: Great. Thanks so much, Ashley and Derrick. I see we have had a few more questions come in that we didn’t get to answer throughout the presentation, but we will reach out to you individually after the webinar to answer those.

And also, to get started with our new remote mobile capabilities, please reach out to our sales team via the sales inquiry URL in your console. After the webinar today, you’ll see a prompt asking for some feedback on what topics you’d like to see. If you have a minute, please fill that out and help us decide what our next webinar should be.

Thank you again, Ashley and Derrick, for walking us through these powerful new remote mobile collection capabilities and really showing us how those features can help enhance eDiscovery investigations, especially in the age of remote work. So thank you again, Derrick and Ashley. Thanks again for joining us today, everyone, and have a great day.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles