eDiscovery in investigations: emails, chat and laptops
21 January 2021
Chat is an ever-increasing source of communication data in investigations and disputes. It poses unique challenges as it does not readily lend itself to export and review. Understanding the features of different chat platforms is key to effective data recovery. For example, some instant messaging platforms automatically archive messaging transcripts in an email format in a folder within a custodian’s mailbox. This folder and all of its current contents can be extracted together with the normal email collection.
There are numerous factors to consider when deciding on a strategy that balances the likely fruitfulness of chat against the potentially high cost of recovering it, including:
- Export format—how chat data is exported from the source may affect the features available in the review phase;
- Need for pre-processing—not all chat data can be fed directly into standard processing tools, and some may require treatment by a third-party tool; and
- Unitisation or parsing—how a days-long chat conversation can be broken up has an impact on subsequent search and review efficiency.
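The unitisation trade-off in the last point, as an added example that is not part of the original article: the same conversation is split once per calendar day and once per burst of activity. The message tuples, the sample data (constructed) and the four-hour silence threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample: (ISO timestamp, sender, text) from a hypothetical chat export.
MESSAGES = [
    ("2020-03-02T09:01:00", "alice", "Did the invoice go out?"),
    ("2020-03-02T09:03:00", "bob", "Yes, sent this morning."),
    ("2020-03-02T23:55:00", "alice", "Call me about the pricing."),
    ("2020-03-03T00:04:00", "bob", "Will do, two minutes."),
    ("2020-03-03T00:06:00", "alice", "Thanks."),
    ("2020-03-05T14:30:00", "bob", "Contract is signed."),
]

def parse(messages):
    """Convert timestamps to datetime and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), who, text) for ts, who, text in messages)

def unitise_by_day(messages):
    """One review document per calendar day (splits conversations at midnight)."""
    rows = parse(messages)
    return [list(g) for _, g in groupby(rows, key=lambda r: r[0].date())]

def unitise_by_gap(messages, gap=timedelta(hours=4)):
    """One review document per burst of activity: a new unit starts when
    the silence since the previous message exceeds `gap` (assumed threshold)."""
    units = []
    for row in parse(messages):
        if units and row[0] - units[-1][-1][0] <= gap:
            units[-1].append(row)
        else:
            units.append([row])
    return units

def summarise(units):
    """(start, end, message count, participants) for each unit."""
    return [(u[0][0].isoformat(), u[-1][0].isoformat(), len(u),
             sorted({who for _, who, _ in u})) for u in units]

if __name__ == "__main__":
    for name, units in (("by day", unitise_by_day(MESSAGES)),
                        ("by 4h gap", unitise_by_gap(MESSAGES))):
        print(name)
        for line in summarise(units):
            print("  ", line)
```

Per-day splitting cuts the late-night exchange in two at midnight, so a reviewer sees the request and the reply in different documents; gap-based splitting keeps it together.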
Email systems across a corporate group can vary. eDiscovery experts understand the functionality of different email systems and thus how relevant emails can be found (even those that someone has tried to delete). In a large company you could have a mix of local, server-based systems (e.g. MS Exchange) and newer cloud-based systems (e.g. Office 365).
A sound approach would be to ask the senior email administrators of each environment to extract what’s called a “PST” container of the sought-after message files from each key custodian’s MS Exchange or Office 365 mailbox for the given time period. Avoid the use of keyword search terms at this stage, as how individuals referred to potential illegal activity among themselves is usually not known until the review stage.
Once collected, email data from each of the relevant locations is centralised for processing in order to maximise de-duplication of redundant emails and files and to gain insight across the data set. I will talk in a later blog post in this series about the various tools that can be used to efficiently find relevant emails. Beware of any local laws (e.g. data protection, state secrecy, confidentiality) which may restrict movement and/or processing.
Electronic files such as MS Word documents and PDFs may be found on collaboration sites such as MS SharePoint or on company file servers, often referred to by drive letters such as the H drive or in other instances called a “home” share or drive. They are notoriously difficult to search in situ and are often very large. A thoughtful and targeted approach is required. Interviewing custodians to learn where they filed work product related to the given matter is the best guide to rich pockets of data. In other cases, use a directory listing and apply old-fashioned logic to the names of the folders.
Laptops and phones
Many employees are provided with company laptops and mobile phones, or perhaps there is a “Bring Your Own Device” policy in place for the latter. Consider:
- Whether or not data is synchronised to centralised locations, for example an MS Exchange server for email. If it is, files can be collected at their corresponding centralised location for all relevant data custodians, making for a much more efficient process;
- Company data policies and practices: while data is synched to a centralised server, users may also be allowed to save their work to the local drive in the laptop. Data custodians should be questioned to learn whether unique files reside solely on their laptops and would therefore not be found on file share or as email attachments;
- Suspected theft: a computer forensic examiner can find out if any data has been copied to external storage media such as a USB drive or if any data has been emailed to personal accounts. The laptop would need to be physically removed from the data custodian for a period of time, so executing this analysis may tip off the malfeasant. To avoid suspicion or tipping off, it may be possible to implement an early ‘tech refresh’ across an entire department; and
- For mobile phones, the use of additional communications applications such as WhatsApp. The consideration here is whether potentially relevant information found in such conversations necessitates collection of individuals’ phone data. Data of this sort may be collected remotely from the individuals’ cloud-based repositories such as iCloud, which removes the need for in-person collection.
Structured data – e.g. HR / Accounting software
Structured data sources include enterprise software for business needs related to HR, accounting and finance, customer relationship management and sales. These systems may be cloud-based or hosted on a local server. In most instances, the best way to get meaningful information from a large enterprise database is to work with administrators to interrogate the database(s) to, for example, demonstrate a trend, provide pricing data or obtain something specific relating to the transactions under investigation.
Next time… review, and how e-discovery can cut time and cost (in the right hands)
Once all the relevant data has been collected and processed, the review phase begins. Our next article considers processing and analytics tools that can be used to reduce the quantity of data requiring costly and lengthy human review.
A&O’s in-house eDiscovery team offers assistance in navigating all these issues during an investigation. Working as one team with our lawyers, the eDiscovery team leverages technology to get to the facts of a matter more efficiently. This translates to better, quicker and more informed legal decisions and therefore better value for our clients. To learn more about the services we offer, please contact Scott Robson or Christina Zachariasen.