Electronic discovery or e-discovery generally refers to any process in which electronically stored information (ESI) is searched for, collected, and analyzed with the intent of using it as evidence in a civil or criminal legal proceeding. In general, electronically stored information includes any type of computer-based information, typically represented as binary numbers, including e-mail messages, word processing documents, voice mail messages, databases, and websites. Electronically stored information is generally stored on magnetic disks (e.g., computer hard drives and floppy disks), optical disks (e.g., DVDs and CDs), and flash memory devices (e.g., USB drives).
Electronically stored information differs from conventional, paper-based information in several respects. First, because there are so many sources of electronically stored information, the volume of electronically stored information available is typically significantly greater than that of paper-based information. Unlike conventional paper-based information, electronically stored information can be searched for and analyzed by automated computer-based processes. Electronically stored information is often accompanied by meta-data, which is data that relates to or describes the electronically stored information. For example, meta-data may include data that indicates who authored an e-mail, when a file was created or last modified, and so on. Electronically stored information is easily modified, but is often difficult to destroy. For example, simply opening or accessing a word processing document may inadvertently modify meta-data associated with the document. However, deleting the word processing document may not result in permanently removing the document from a storage device of a computer system, thereby leaving open the possibility that the document may be recovered. For these and other reasons, electronically stored information is often extremely important for its evidentiary value in legal proceedings.
Searching for and collecting electronically stored information for use in a legal proceeding poses both legal and technical challenges. From a legal perspective, there are rules governing how electronically stored information must be gathered, collected and maintained. Running afoul of these rules may result in sanctions for spoliation—the destruction, alteration or improper maintenance of evidence. From a technical standpoint, a variety of problems exist. The most obvious problem is analogous to the often cited problem of finding a needle in a haystack. That is, given the voluminous amount of electronically stored information available, it is difficult to locate and collect the most relevant information. A variety of issues may make it difficult to find the relevant information. For example, the set of possibly relevant electronically stored information may reside on several (or even hundreds or thousands of) different computer systems in varying geographical locations, making it potentially cost-prohibitive to perform the necessary searches. Additionally, the format of the relevant electronically stored information may not be known, making it difficult to properly target a search.
One of the more common methods of searching for and collecting electronically stored information involves first creating an exact duplicate of the original evidentiary media. This process is often referred to as imaging. For instance, to generate an image of a hard drive of a computer system, a standalone hard drive duplicator or software imaging tool is generally used to make an exact duplication of the data residing on a hard drive. This duplicate data can then be searched for the relevant information without the fear of inadvertently modifying, deleting or destroying the original. One drawback with this method is that it typically requires relatively extensive technical expertise, which increases the cost associated with searching for and collecting the relevant information, especially in cases where several hard drives need to be searched on several computer systems. Furthermore, the person who generates the image may not have the skill and knowledge to perform the actual search. Consequently, there is often an increased cost associated with having a first technically skilled person generate an image, and a second person perform a search of the image. Another problem with this approach is that it may temporarily, if not permanently, render the targeted computer system inoperative. In some circumstances, this may be an unacceptable option for the owner or operator of the target computer system.
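The image-then-search workflow described above can be illustrated with the following added example, which is not part of the original document. It assumes SHA-256 digests as the means of showing the duplicate is exact (the text names no verification method); the file names and sample data are constructed.

```python
import hashlib, os, shutil, tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large media never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def image_media(source, image):
    """Duplicate source byte for byte, then prove the copy is exact by digest."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.chmod(image, 0o444)  # the working copy is read-only from here on
    if sha256_of(image) != before or sha256_of(source) != before:
        raise ValueError("duplicate is not exact, or source changed during imaging")
    return before

def search_image(image, keywords, chunk=1 << 20):
    """Return {keyword: [byte offsets]} for every hit, scanning in fixed-size chunks."""
    hits = {k: [] for k in keywords}
    overlap = max(len(k) for k in keywords) - 1  # bytes carried across chunk edges
    with open(image, "rb") as f:
        tail, consumed = b"", 0
        for block in iter(lambda: f.read(chunk), b""):
            buf = tail + block
            for k in keywords:
                pos = buf.find(k)
                while pos != -1:
                    # Hits lying wholly inside the carried-over tail were already counted.
                    if pos + len(k) > len(tail):
                        hits[k].append(consumed - len(tail) + pos)
                    pos = buf.find(k, pos + 1)
            consumed += len(block)
            tail = buf[-overlap:] if overlap else b""
    return hits

def demo():
    """Constructed sample 'media': filler bytes with two planted search terms."""
    data = b"\x00" * 30 + b"merger-memo" + b"\x00" * 100 + b"Q3 forecast" + b"\x00" * 7
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "original.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(data)
        unchanged = image_media(src, img) == sha256_of(src)
        return unchanged, search_image(img, [b"merger-memo", b"Q3 forecast"], chunk=16)

if __name__ == "__main__":
    print(demo())
```

The small chunk size in `demo()` forces both terms to straddle chunk boundaries, which is the case a naive chunked search misses.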
Another approach that is often utilized for performing searches for electronically stored information is to install and execute a special search application on a target computer system. Once installed, the search application can be customized to search for relevant electronically stored information on storage devices of the target computer system. Here again, several problems arise. First, installing the search application on the target computer system modifies the file system and possibly components of the operating system, such as a system registry, of the target computer system. This may be undesirable from the perspective of the owner and operator of the target computer system, but more importantly it may give rise to a possible allegation of tampering with or modifying evidence, which can call into question the evidentiary value of any information obtained via the search process. Furthermore, installation of a search application may open avenues of attack for malicious processes and nefarious executable agents on target computer systems. Additionally, administrative privileges on the target computer system may be required to perform the installation and/or search, and such privileges may not be available to the operator of the target computer system. In addition, installing and customizing a search application on several target computer systems may prove costly, as it may require a person with technical skills to be present at the target computer system for the installation and subsequent search. For instance, often with conventional search applications, the application must be installed before a search can be configured or customized to locate the relevant electronically stored information.
For the reasons set forth above, there is a need for improved systems and methods for searching for, and collecting, electronically stored information.