What Every Attorney Needs to Know about Computer Forensics, Part 2: The Difference between Electronic Discovery and Computer Forensics

    G. Hunter Jones

    Read Part Two as a PDF

    Electronic Discovery and Computer Forensics seem pretty similar at first glance: both involve the location, recovery, and review of electronically stored information (ESI), and both deal with the responsible preservation of that data.

    But the two fields are actually quite different; they require different types of expertise, and they have markedly different goals and outcomes.

    “E-Discovery” refers to the identification and preservation of electronic files for litigation with the goal of allowing counsel to make determinations about which electronic files are relevant or privileged. Specialized software from E-Discovery vendors allows for the identification, capture, de-duplication, indexing, storage, retrieval and commenting of electronically stored documents, including emails.

    “Computer Forensics,” on the other hand, refers to the investigation and analysis of computers, networks, and digital storage devices to determine how that device was used (e.g., to access terrorist websites; to send threatening emails; to distribute pornography). Such uses, historically the realm of law enforcement, are now used extensively in (a) investigations (e.g., does examination of a CEO’s computer indicate she had knowledge of and approved a particular decision?); and (b) litigation (e.g., was a will modified after the decedent’s death?; was a medical report altered after the patient’s death?).

    Specialized equipment and software is also used in the computer forensics field, but it is quite different from E-Discovery software. Computer forensics equipment and software provides tools for “imaging” a computer’s hard drive (i.e., making an exact bit-for-bit copy without turning on the computer and without altering any data on the hard drive). Computer forensics software also provides tools for analyzing the hard drive and reporting on the results of the analysis. A qualified computer forensics expert reports the source and content of the data and may also offer opinions and interpretations about its meaning in deposition or at trial.

    A qualified computer forensics expert reports the source and content of the data and may also offer opinions and interpretations about its meaning in deposition or at trial.

    If the objective is to identify and preserve electronic data and to make a determination about its relevance and privilege for production purposes, the situation requires E-Discovery. If counsel needs an expert to find evidence of computer-related actions, such as data alteration or deletion, and to provide opinions or interpretations of forensically acquired data, the situation requires a computer forensics expert. Equally often, a computer forensics expert will be needed to assist counsel in understanding reports or testimony by an opposing expert, including forensic specialists working for law enforcement, and to provide rebuttal reports or testimony.

    Read Part One: What is Computer Forensics?

    Read Part Three: What Criminal Defense Attorneys Need to Know about Computer Forensics

    Read Part Four: What Trusts and Estates Attorneys Need to Know about Computer Forensics

    Other Insights from G. Hunter Jones

    Read G. Hunter Jones' review of “Electronic Medical Records and Litigation," a reference and practice manual valuable for both attorneys and forensic experts involved in medical malpractice litigation.
    DisputeSoft was engaged by the LA Times in this software license dispute involving the illegal use to develop a proprietary database, Integrated Circulation Information System (ICIS).
    This installment of DisputeSoft's Computer Forensics series sheds light on how a computer forensics expert can uncover factual information that exposes medical mistakes or cover-ups.

    G. Hunter Jones

    Managing Director & Forensic Examiner

    Hunter Jones has over 40 years of experience as a systems engineer, working in IT consulting and computer system development. As a systems developer, he is intimately familiar with the internals of computer systems, both operating systems and application programs. As a certified computer forensics specialist (EnCase Certified Examiner and GIAC Certified Forensic Examiner), Hunter has established credentials in the fields of computer forensics and electronic discovery. Hunter also has deep knowledge of computer forensics as it relates disputes concerning medical malpractice, video files, patent infringement, and internet misconduct.