PenrodEllis FDD offers four distinct services to our clients: Data Preservation, Electronic Discovery (eDiscovery), Digital Forensics and Incident Response. Although some methods and processes are shared (such as Data Preservation procedures), eDiscovery, Computer Forensics and Incident Response are not the same thing. The forensic recovery and production of user-generated Operative ESI is the primary focus in eDiscovery. When the focus shifts to the analysis of both Operative and Inoperative ESI, the investigative process also changes, from eDiscovery to Computer Forensics. Incident Response is concerned with system-generated Operative ESI as well as live volatile memory. The following information will assist you in understanding the differences.

Data Preservation is the basis for eDiscovery, Computer Forensics and Incident Response. While approaching ESI from dissimilar perspectives, each process recovers it from the same source: a forensic bit-stream image. That image is the "best evidence" at trial. Analysis of the original digital electronic device (DED) is not conducted. Exceptions exist of course, such as the initial phase of an incident response, but they are rare. The actual process of recovering ESI in eDiscovery, Computer Forensics and Incident Response is conducted on the forensic image.

Electronic Discovery involves the capture of user-generated ESI, such as email messages, text documents, databases, etc., and file metadata from allocated space only. Allocated space is simply space on a digital electronic device that contains operative data. PenrodEllis refers to this type of data as Core ESI. After eDiscovery processing, which filters for relevance and eliminates duplicates, Core ESI is turned over to the client's attorneys for privilege review and production. Analysis of the data set by the Electronic Discovery technician is not conducted.

Computer Forensics (or Digital Forensics) captures system-, application- and user-generated ESI from both allocated and unallocated space. Unallocated space contains deleted files, temporary files and residual data from partially overwritten, deleted files. Digital forensics also recovers other ESI in the form of logs, index entries, link files and historical records. We call this type of critical information Ambient ESI (others call it file artifacts). Furthermore, forensic computer examinations include analysis of both Core and Ambient ESI by the computer examiner to establish its meaning and significance.

Incident Response is an emergency examination of network-linked servers, workstations, routers and attached storage that may have been compromised by a hacker or malicious software. The initial analysis is conducted on booted (online or "live") computers, whereas subsequent examinations are conducted on forensic bit-stream images collected from the compromised computers. Live computer analysis is a complex process, as the ESI under review is volatile and is moving or changing while the examiner analyzes it.