Five Advanced Techniques for Self-Service eDiscovery | Association of Certified Electronic Discovery Specialists (ACEDS)
You have taken the plunge; either you are starting to do eDiscovery yourself, or you are a seasoned eDiscovery veteran who has a higher workload, strange data, or has to deal with a new platform. Or all that! As long-time experts in this field, we have seen some issues arise for people in this situation. We’ve identified them and share some practical tips for solving them.
Mobile phone data
Data extracted from cell phones can be difficult to load into an eDiscovery tool in a way that makes it easy to find and integrate with pre-existing project data. Since there are different tools to extract data from cell phones, some reliable and some that simply copy data, it can mean a different situation every time.
There are three ways to import cell phone data: screenshots, message database, or upload files. Screenshots do not provide any underlying metadata to facilitate loading or searching. A phone message database can contain text messages, conversations, multimedia messages, and other communications in the form of SQL Lite databases. However, one point to note is that text message data from most cell phones is not as rich in metadata as email. An email has very specific header information, while text messages can have as little as a date received. Most problematic is that they don’t have any thread data commonly seen in emails through a conversation index. This means that grouping conversations can be difficult.
There has been an argument in the past for using spreadsheets to review text messages. However, mobile phone data can be converted to load files directly or through middleware. This is made possible by modern processing techniques that make cell phone data similar to email by issuing family groups and conversation threads specially designed for cell phone messaging.
Keywords, dates and analytical tools help to research concepts, but it is also necessary to reliably search for sensitive information. It’s common for reviewers to assume they don’t have sensitive information, but they may forget that they’re getting things like tax returns (which have social security numbers) or internal reports with bank accounts.
Some platforms have built-in tools that can search for social security numbers, phone numbers, bank accounts, and even common names. This is more complicated than entity identification or finding regular expression patterns since the data must be validated by an algorithm using the context around the detected data. The most common use case is to determine if a data breach contained sensitive information, as a number of notifications and actions stem from this determination.
Modern tools have made finding PII as easy as keyword research, with results reporting, highlighting of results, and navigation within the platform. The combination of this search technology with automated redaction technologies creates an incredibly powerful filtering tool for productions, document requests or disclosures.
The most common workflow for automatic redaction – the eDiscovery tool receives a list of words or characters, locates them in documents, and applies black boxes to the items it finds. This workflow often does not allow for examining the automated process or determining what has been redacted if those redactions are “burned in”.
Some tools allow for either a review process or transparent redactions to serve as approval. In many ways, it’s like a blanket that you can temporarily remove to make sure it’s okay. Another option is “fuzzy” writing, combining text search, concept search and sensitive data search. This way, the search is extended beyond single words to redact entire phrases.
Expert data review
Uploading or emailing documents to experts was a common practice in the past. Most eDiscovery tools currently allow external users to view subsets of data loaded within them. Tools have recently adapted to allow this data to be shared via invites instead of creating completely separate projects or data repositories. This allows legal teams to easily share documents. They can further monitor access in a situation similar to a clean room, greatly reducing the possibility of uncontrolled (leaked or misplaced) data. You can use the same technique to share data with customers to maintain compliance with protective orders and other restrictive document designations. Keeping data in one place is much safer than creating multiple electronic copies or printing them out.
Forensic Timeline Data
Digital forensic investigations detail a series of events with exhibits. These attachments are evidence of the studied device (computer, mobile phone or server). Integrating a report into a typical discovery review is difficult because loading native data into the review tool may not produce the desired effect.
For example, forensic artifacts in timelines often come from system data registry entries (on Windows) or plist (on Mac), stored in single large files. Loading these files into an eDiscovery tool would not normalize the data against the rest of the existing information, such as sorting by document date, including the date a file was modified or the date a file was sent. text message. However, since forensic tools can convert these large files into discrete events, they can be added to loading files and used in the loading process. In this case, when sorting by document date, the reviewer could see that someone had logged on to a computer, opened their email client, received an email sent the day before, opened an attachment to the one of those emails, then plugged in a USB stick and saved that file. All of this would appear as “inline” with normal sorting when reviewing documents.
Deeper analytics, special loading, and user-specific access can help in scenarios where you have cell phone data, experts, or need to manage personal information. Although these situations don’t happen all the time, they happen often enough that it’s worth investigating the functionality of your eDiscovery tool. If your tool does not have the capabilities, it may be it’s time to consider a change.