
The Pros and Cons of Physical and Logical Collections

By Veeral Gosalia
February 26, 2013

In a July 2012 decision, Judge Shira Scheindlin found custodial self-collection inadequate in certain circumstances (National Day Laborer Organizing Network et al. v. United States Immigration and Customs Enforcement Agency, et al., 2012 U.S. Dist. Lexis 97863 (SDNY, July 13, 2012)). As she stated in her opinion: “Most custodians cannot be 'trusted' to run effective searches because designing legally sufficient electronic searches in the discovery or FOIA contexts is not part of their daily responsibilities. Searching for an answer on Google (or Westlaw or Lexis) is very different from searching for all responsive documents in the FOIA or e-discovery context.”

The specific decision related to government collections in support of Freedom of Information Act (FOIA) requests, but this opinion may have a wide-ranging impact on corporate collection practices. Companies involved in legal proceedings or investigations will likely need to reevaluate their current policies in the coming months to ensure that important information is collected in a defensible manner, and one initial question to answer is which collection methodology should be used.

The Challenges of Discovery

When companies become involved in legal or regulatory matters, one of the most significant challenges they face is collecting and analyzing e-mail, documents, and the massive amounts of data stored on employees' and corporate computers. There are advantages and disadvantages of the two different methods of collection. Companies should understand both and know when and how to use each one to best effect.

A Critical Choice: Physical vs. Logical Collection

When personal computers are involved, companies generally have two options for tackling the challenge of forensic data collection: physical and logical.

The physical approach involves making a complete, mirror-image copy of the investigated computer's hard drive, including all sectors, directories, and files and their complete corresponding metadata. When used as evidence, this mirror image is effectively the same as the original hard drive itself.

The logical approach is a narrower, more targeted method in which the case team will collect a portion of the information on a hard drive, typically the user-created documents that are deemed most relevant to the legal matter.

Physical Collection: Key Considerations

One of the major advantages of the physical approach is its completeness, which supports deeper, broader investigations as well as additional analyses as the scope of a legal matter evolves or changes. Physical collections record not only the active files on a given computer, but also deleted files and remaining file fragments, with which investigators can potentially reconstruct the custodian's activities (including visited websites, settings, and software in use) even if efforts were made to hide these activities.

The physical approach also gives investigators access to operating system artifacts such as the last time the computer was booted, whether external USB Flash or “thumb” drives were attached, and even if the disk has been “re-formatted.” With the right tools and techniques, teams using the physical approach can restore deleted files or older file versions for review by attorneys. These teams have the potential to boot up an exact copy of the custodian's system as he or she used it, thus gaining access to data tucked away in proprietary databases and other repositories.

Just as important, the physical approach allows investigators to re-analyze all of the data on a given hard drive as keywords and case parameters evolve, an action precluded by the narrower logical approach. And while both the logical and physical approaches are fully defensible when properly executed, the physical method makes defensibility more straightforward to achieve.

The image file that results from use of the physical method typically is in a standard format that has a verification hash associated with it. This means that at any point in the future, one can verify that the image is unchanged from the time it was captured which, in turn, strengthens the team's ability to demonstrate evidential integrity. And it is important to note that although a verification hash can be obtained through both physical and logical methods, one cannot know if anything was omitted from a logical acquisition. Likewise, because the physical forensic investigation approach has been in use for several years by both law enforcement and commercial entities, it benefits from well understood, widely accepted validation methods. Thus, this approach can be valuable for legal teams under pressure to meet stringent defensibility requirements.
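The distinction drawn above, between proving that what was captured is unchanged and proving that nothing was left out, can be shown in a short script. This is an added example, not part of the original article: SHA-256 is assumed as the verification hash (the article names no algorithm), and the file names, sample contents and helper functions are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large images do not need to fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, recorded_digest):
    """True if the image still matches the digest recorded at acquisition."""
    return sha256_file(image_path) == recorded_digest


def build_manifest(root, selected):
    """Logical collection: hash only the files the case team selected."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in selected}


def verify_manifest(collected_root, manifest):
    """Return the relative paths whose content is missing or no longer matches."""
    bad = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(collected_root, rel)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            bad.append(rel)
    return bad


def uncollected(source_root, manifest):
    """Files on the source that the manifest says nothing about."""
    rels = (os.path.relpath(os.path.join(d, n), source_root)
            for d, _dirs, names in os.walk(source_root) for n in names)
    return sorted(r for r in rels if r not in manifest)


def demo():
    """Run both checks over constructed sample data and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a forensic image (real ones are whole-disk copies).
        image = os.path.join(tmp, "disk.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sectors" + b"\x00" * 4096)
        recorded = sha256_file(image)
        intact = verify_image(image, recorded)
        with open(image, "r+b") as f:  # simulate a single-byte change after capture
            f.seek(10)
            f.write(b"\x01")
        altered_detected = not verify_image(image, recorded)
        # Constructed custodian folder; only two of its three files are selected.
        src = os.path.join(tmp, "custodian")
        os.makedirs(src)
        for name, body in [("contract.txt", b"a"), ("memo.txt", b"b"), ("notes.txt", b"c")]:
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(src, ["contract.txt", "memo.txt"])
        return {
            "intact": intact,
            "altered_detected": altered_detected,
            "manifest_failures": verify_manifest(src, manifest),  # empty: verifies clean
            "omitted": uncollected(src, manifest),  # needs access to the source
        }


if __name__ == "__main__":
    print(demo())
```

The logical manifest verifies with no failures even though one file was never collected; the omission only surfaces when the manifest is compared against the source, which a reviewer holding just the collected set cannot do.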

However, the physical approach also has its drawbacks, including added time and expense. Because it involves collecting more data, the physical approach can take longer than the logical approach and adds to the workload of downstream reviewers who must wade through a greater volume of material. The physical method also can be disruptive, forcing company employees to give up their computers for longer periods of time compared to the logical method when only small numbers of files require collection. In fact, some collection teams using the physical approach will work overnight or on weekends simply to minimize disruption.

Privacy can be a significant concern as well. Because the physical method entails collecting all data on a computer, personal or otherwise sensitive data can be captured along with potentially relevant data, which is unacceptable in some instances (particularly in countries where personal data is strongly protected by law).

Given the preceding, criminal cases often are good applications for physical collection. Because the physical method is familiar to law enforcement agencies and gathers the most data, it can be best for matters in which a custodian is suspected of criminal activity and may have hidden or deleted critical information. In such instances, the physical approach gives teams the greatest ability to reconstruct a custodian's actions and uncover deception.

The full forensic image obtained via the physical approach also is usually the best way to gather social media artifacts such as Facebook and Twitter posts, which play an increasingly important role in many corporate legal matters. In particular, social media content can provide vital clues which can only be obtained through an analysis of operating system artifacts.

Likewise, the flexibility of the physical approach can make it optimal for cases in which the scope may change. As noted earlier, the physical method allows teams to perform subsequent analyses using new parameters and search terms, and relieves them from having to determine upfront which data and files are important to capture. Thus, if the scope of a case suddenly expands or changes course, investigators can simply redirect their efforts toward new data already in hand.

Logical Collection: Key Considerations

One of the biggest advantages of the logical approach is that it can be faster and often cheaper, as it typically involves fewer documents and lower data volumes. When custodians are willing and able to guide the case team toward the most important information and when that approach is advisable, the logical method only captures relevant data, leading to a cheaper and faster review of that data.

The logical approach also can make it easier to collect data associated with cross-border legal matters. When legal matters involve custodians in locations around the world, sending resources abroad to physically collect hard drive copies can be prohibitively expensive. Where local data privacy laws allow, experts performing logical forensic collections can use remote tools to access desktops anywhere in the world and gather only the data and files relevant to the case.

On the other hand, the logical approach's hoped-for speed advantage does not always materialize, particularly in complex, large-scale matters. Indeed, it can be simpler and faster to conduct physical imaging for a large group of custodians (especially when they are all in the same location) than it can be to target specific files and folders for logical collection. Depending on the scale and complexity of the case, it can involve interviews between the custodian and the legal team. Such interviews mean the legal team and custodians must speak a common language, which can be an issue when dealing with cross-border matters. Likewise, depending on the complexity of the case and the willingness of custodians to assist the team, identifying the right files to collect sometimes consumes more time than simply making a copy of the entire disk and searching through it.

The logical approach also can be less flexible than the physical option. Collection criteria (such as date range cut-offs) must be established by the team upfront, and if they change as a legal matter evolves, a new collection is required. When new evidence comes to light that makes additional types of files or data relevant, teams using the logical approach must start over, while those using the physical approach can simply re-analyze the copied hard drive.

A number of situations can benefit from the inherent speed and simplicity of the logical approach. Predictable, well-scoped matters (particularly when time is of the essence) are one example. Hart-Scott-Rodino “second requests” from government agencies, for example, typically require companies to produce a well-defined body of information related to a merger or acquisition.

In general, the logical approach is appropriate for matters in which deception or wrongdoing is not suspected. When deception or wrongdoing is not suspected, there typically is not a need to collect operating system artifacts and deleted files that would be helpful in re-creating the actions of the custodian.

Because the physical approach can be intrusive for some custodians, the logical approach can be optimal for matters that involve personal or privileged data. Its more selective nature is well-suited to legal matters involving defense contractors, for example, which often possess volumes of classified information that cannot “leave the building,” let alone be copied in a wholesale fashion during an investigation. Similarly, the logical approach works well for legal matters in which personal devices and data are at play, which often are protected by stringent privacy regulations. This is particularly vital in legal matters that cross jurisdictions.

Conclusion

In the wake of the ruling in National Day Laborer Organizing Network, corporations need to assess which collection methodology should be used. How much scrutiny the collection process is likely to receive, the scope of the matter, employee cooperation, data privacy, and in-house tools and training are all important factors for answering those two questions. No matter what individual corporations decide to implement, Judge Scheindlin's ruling is likely to generate widespread attention to the importance of defensible collection processes, a game change for the industry, indeed.


Veeral Gosalia is a senior managing director in the FTI Technology segment and is based in New York. He gratefully acknowledges the assistance of his FTI colleagues Dan Roffman, Ian Smith and Eric Hammequist in the preparation of this article.
