Are you among the fortunate minority who haven't yet had to conduct a computer-forensics investigation? That doesn't mean you don't need a strategy. The production of electronic documents during a lawsuit--eDiscovery--is increasingly crucial in modern litigation. Helping drive this trend are recent amendments to the Federal Rules of Civil Procedure--the legal code governing discovery during civil litigation in federal court--which formalize and create new requirements regarding eDiscovery.
So what strategy should you take? A forensics product or service provider can fill a specialized niche unaddressed by eDiscovery vendors, which focus on restoring large amounts of data for searching, analysis and production to an opposing party (watch for our eDiscovery feature). However, within a particular lawsuit, an intense search of a particular system may be needed, requiring a dedicated forensic product. Recently, a Minnesota federal district court ordered a plaintiff to produce all relevant documents including those deleted and corrupted--a task beyond most eDiscovery products.
Having a forensics tool at the ready may provide flexibility that makes business sense. When preserving evidence in preparation for a discovery request, creating forensic-quality mirror images of systems provides numerous benefits. If the scope of the eDiscovery request concerns events or communications in the past, a properly created forensic image of the relevant systems' hard drives can help guard your company against claims of "spoliation" of evidence.
However, for all but the largest enterprises, justifying $100,000 for a good forensics tool is going to be tough. Forensic-quality imaging tools--rather than a full-blown forensics system--are available at a fraction of that cost, and they let you defer the cost of analysis until you need it.
The advantages of having in-house imaging capabilities robust enough to withstand the rigors of litigation extend to other areas of IT as well. In particular, information security will get a shot in the arm. As any investigator will attest, in the rush to diagnose and respond to a security incident, well-intentioned IT staff often change or destroy critical evidence. In the heat of the moment, the scope and implications of a particular incident are notoriously difficult to assess, meaning that the window of opportunity to image a system usually slams shut. Proactively developing this capability lets you respond to security incidents with the full force of the law when required.