ClearData Forensics LLC





The Importance of Electronic Discovery and Digital Forensics
Published in King County Bar Association Bar Bulletin March 2012

How they differ, how they should be conducted and why attorneys need to know

Electronic discovery and digital forensics continue to play ever-increasing roles in case law. Negligent e-discovery conduct has been sanctioned in all 12 federal judicial circuits.  Two local cases, Mechling v. City of Monroe and O'Neill v. City of Shoreline, highlight the importance of email metadata. In the latter case, the court ruled that if the defendant is obligated to provide the emails, then it also is obligated to provide the metadata.

Electronic Discovery vs. Digital Forensics

Electronic discovery is typically the gathering, filtering and production of large volumes of relevant data for legal review. It may leave important information undiscovered. The data are accessed, but not analyzed, and typically do not include discarded, hidden or deleted data. File time stamps - one form of metadata - are usually altered by the electronic discovery collection process.

In contrast, computer forensics, a subset of digital forensics, involves investigative and detailed analysis on one or more hard drives or PCs in search of both active and latent information to determine who did what and when. The data are preserved - unaltered - before analysis. Then during analysis, critical events are recreated and, if necessary, passwords or encryption are cracked.

Digital forensics uses these same techniques applied to networks, PDAs, cell phones, and even some printers and copiers that may retain copies of documents internally.

Because of the different objectives and strategies, electronic discovery frequently ignores useful information. In some cases, it may even destroy data that could be useful to a forensic analyst.
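The effect on file time stamps described above can be shown with a small added example (not part of the original article). The file name, contents and 2012 timestamp are constructed, and an ordinary file copy stands in for a collection tool.

```python
import hashlib
import os
import shutil
import tempfile

ORIGINAL_MTIME = 1325376000  # constructed: 2012-01-01 00:00:00 UTC


def fingerprint(path):
    """Content hash plus last-modified time for one file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    # atime is left out: reading the file to hash it can itself update atime.
    return {"sha256": digest, "mtime": int(os.stat(path).st_mtime)}


def changed_fields(before, after):
    """Names of the fingerprint fields that differ between two files."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed "original" document with a known, old modification time.
        src = os.path.join(d, "contract.doc")
        with open(src, "wb") as f:
            f.write(b"constructed sample document\n")
        os.utime(src, (ORIGINAL_MTIME, ORIGINAL_MTIME))
        baseline = fingerprint(src)

        plain = os.path.join(d, "plain_copy.doc")
        shutil.copyfile(src, plain)   # contents only; the copy gets new times
        kept = os.path.join(d, "kept_times.doc")
        shutil.copy2(src, kept)       # also carries over mtime and atime

        return (changed_fields(baseline, fingerprint(plain)),
                changed_fields(baseline, fingerprint(kept)))


if __name__ == "__main__":
    print(demo())
```

Both copies hash identically to the original, so a matching hash alone does not show that metadata survived. Even the time-preserving copy is not a forensic image: it carries no latent data and does not preserve every time stamp the file system records.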

Some Data Are Available Only To Forensic Analysis

A forensic analyst examines all of the data that electronic discovery would reveal and then probes latent data, slack space and protected system files. Metadata is far more important than the first paragraph implies, because it frequently makes it possible to determine when files were created, viewed, or printed.

System files can indicate which external storage devices, such as USB or thumb drives, were attached and when, as well as which programs were run and when. Analysis linking metadata across various files can often link a person with an activity. Slack space can contain names of deleted files even if the files have been overwritten.

Case Study

In a recent case, a business owner asked his IT consultant to image a computer hard drive for a planned forensic analysis and to try to recover files. 

First, as is typical of electronic discovery, only active data were imaged for analysis. Active data are files that the computer user has access to and hasn’t deleted; imaging only active data ignores latent data in unallocated space and slack space. From a forensics perspective, the most interesting information is in the latent data. Latent data are data from previous operations that the computer no longer uses or keeps track of.

Next the IT person looked around to see what was on the drive and what files might be recoverable.  Simply turning on the computer and looking at the directory listings changes the metadata a forensic analyst uses to reconstruct when events occurred.  In addition, some versions of Windows automatically defragment the drive when the computer is running.  This overwrites significant portions of deleted files and destroys the associated latent data.

Next, data recovery software was installed on the hard drive in an attempt to recover files.  This step overwrote and destroyed even more latent data and possibly even files that may have been recoverable before the software was installed.

In the end, no useful files were recovered and the case had to be based entirely on attempting to prove that the computer user deliberately destroyed data.  Although there was enough information to show that the disk had been overwritten and the operating system re-installed, the quantity of data destroyed by a well-intentioned, but uninformed IT team cast a cloud of uncertainty over who destroyed the data.

What Should Have Happened

In this case, because the concern was to recover files and prove that files had been deliberately destroyed, the computer should have been powered off and left off.  A forensic image should have been made of the hard drive by a digital forensic expert.  Then a forensic analyst would be able to analyze the data to determine what transpired and recover any recoverable files.  Any findings would not have had the burden of uncertainty.

However, if the concern is intrusion, the computer should be left powered on, disconnected from the network, and a digital forensics expert called.  Some forms of malware reside only in memory and will be lost by removing power.

The Possible Consequences

The consequences of improper analysis can include lost cases and sanctions from the court. In Chen v. Dougherty, the court reduced the rate for one attorney because her “inhibited ability to participate meaningfully in electronic discovery” was indicative of “novice skills in this area” and not “experienced counsel”. As noted at the beginning of this article, negligent e-discovery conduct has been sanctioned in all 12 federal judicial circuits.

In conclusion, it is important to understand the difference between electronic discovery and digital forensics and to demonstrate expertise in managing the two approaches.


Active data

Data visible to the computer's operating system. Active data are accessible without modification or reconstruction.

Allocated space

Disk space that the operating system currently considers in use. Allocated space includes active data as well as slack space.


Defragmentation

Also referred to as defrag. Defrag is a Windows system maintenance tool. It is normally used to improve system performance when a hard drive has become fragmented. Defrag also has the effect of making it difficult to recover information that was previously deleted.

Latent Data

Latent data is any data that the operating system no longer accesses or uses.  It includes deleted files and, more importantly, information or metadata about the deleted files.  This metadata is often available long after the files have been deleted and overwritten.  Latent data can only be observed with special software tools.


Metadata

Literally data about data. Metadata is information about the history and management of a document or computer file. It is generally not visible in the ordinary display or printing of the document.

Slack space

Space that is allocated but not currently in use.  It may contain information from previous usage, but is not accessible without special software tools. 

Unallocated Space

This is space that is marked by the operating system as available. Unallocated space, however, can contain all or part of previously deleted files. When a file is deleted, the operating system marks the space as available for use, but does not delete the file. The file remains intact until the space once occupied by the file is partially or completely overwritten. Data located in unallocated space is also called latent or ambient data. Data in unallocated space are not accessible by normal methods and require special software tools to access them in a meaningful manner.
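The glossary terms above (active data, slack space, unallocated space, latent data) can be seen together in a toy model of a disk, given here as an added example that is not part of the original article. The 16-byte cluster size, the ToyVolume class and the file names and contents are all constructed, and real file systems are more complex.

```python
CLUSTER = 16  # constructed cluster size; real volumes commonly use 4096 bytes


class ToyVolume:
    """Constructed, simplified volume: raw clusters plus a file table."""

    def __init__(self, clusters):
        self.raw = bytearray(CLUSTER * clusters)
        self.table = {}                   # name -> (cluster numbers, byte length)
        self.free = list(range(clusters))

    def _read(self, cluster_numbers):
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in cluster_numbers)

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)   # ceiling division
        if not data or need > len(self.free):
            raise ValueError("empty file or not enough free clusters")
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            part = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(part) bytes change; the rest of the cluster keeps old bytes.
            self.raw[c * CLUSTER:c * CLUSTER + len(part)] = part
        self.table[name] = (used, len(data))

    def delete(self, name):
        used, _ = self.table.pop(name)
        self.free = sorted(self.free + used)  # marked available, bytes untouched

    def active_data(self):
        """What a file-level collection sees."""
        return {n: self._read(u)[:size] for n, (u, size) in self.table.items()}

    def slack(self, name):
        """Allocated bytes past the end of the named file."""
        used, size = self.table[name]
        return self._read(used)[size:]

    def unallocated(self):
        return self._read(self.free)


def demo():
    vol = ToyVolume(4)
    vol.write("plan.txt", b"WIRE $90K TO ACCT 4417 BY FRIDAY")  # fills 2 clusters
    vol.delete("plan.txt")
    vol.write("memo.txt", b"LUNCH?")      # reuses the first freed cluster
    return vol.active_data(), vol.slack("memo.txt"), vol.unallocated()
```

A file-level collection of this volume returns only memo.txt, while the slack behind memo.txt and the unallocated clusters still hold most of the deleted plan.txt.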

Copyright © 2011-2017 ClearData Forensics LLC all rights reserved.  Reproduction in whole or in part in any form or medium without the expressed written permission of ClearData Forensics LLC is prohibited.  CyberSecurity Institute, CyberSecurity Forensic Analyst (CSFA) and CSFA logo are trademarks of CyberSecurity Institute, used by permission.