Digital forensics may seem scary, but it doesn’t have to be. We’re highlighting specific digital forensic scenarios that may seem frightening and making them simple to understand and navigate.

All treats, no tricks.

The Horrors Of Self Collections

Whoever collects the ESI (electronically stored information) for a matter may be called to testify in court. Of course, the thought of going on the witness stand produces butterflies and cold sweats for many. But the horrifying reality is that IT professionals are often asked to collect vital data for a case, and so risk having to testify.

Most IT individuals don’t want to be on the stand. That’s not their area of expertise or within their comfort level. These professionals know technology and their organization’s systems but don’t have the tools, software, and experience to produce a forensically sound image.

An important distinction: just because someone is technologically adept and able to preserve ESI from a computer, email address, cloud account, or local server does not mean they should.

Asking someone from IT to collect ESI fails to think through all the different facets and complications that may arise from a technical or legal perspective.

Your standard IT individual or your technologically savvy office member will not know the best course of action. It may save on the budget, but the risk and repercussions as a case moves into litigation are very scary.

A prudent approach is bridging the gap between technology and legal. The main reason to have a digital forensics expert involved is that they’re thinking it through from all elements and the scope of the matter. Plus, they have the tools and experience to handle the job right the first time.

Don’t Let Your Data Die

Critical data can be gone for good, even when it’s in good hands at a company. For example, this can happen when a departing employee returns a company-issued laptop, and the organization proactively wipes the drive. As a result, that device’s data and activity are effectively dead and gone forever. How does this happen?

When employees resign, they leave their computer at their desk, bring it to an exit interview, or ship it back to their employer. Those devices typically end up with the IT department, which has a process for deleting the device’s hard drive and preparing it for another employee. This event can create a scary scenario.

After an employee has resigned, they can potentially cause more financial and reputational damage to their former employer. For example, if there’s a suspicion that an ex-employee took sensitive company files, has gone to work for a competitor, or engaged in activities that violate an NDA, the data trail of evidence would no longer exist.

Even scarier, if proprietary data did leave the company, there would be no way of identifying where it went and how to get it back.

Avoiding the self-destruction of company data is simple. Proactive steps include aligning IT and HR during employee resignation and offboarding.

Don’t let company data die. When in doubt, preserve the data with a forensic collection of the laptop. The data remains intact and available for analysis if needed, and the laptop can then be prepared for another employee’s use.

Skeletons In The Closet

Computers, smartphones, and tablets record every user activity.

If someone picks up their iPhone and a lock screen with a background image lights up, there is a data record on the phone of that activity.

Multiple data points are recorded on both devices when a USB flash drive is plugged into a desktop computer. Data points include a time stamp, serial ID, and a log of file transfers.

If a company’s client list is uploaded to a personal cloud drive account, the ESI (electronically stored information) documents in detail what was uploaded, when, by whom, and where it went.

Many ESI skeletons reside in the proverbial closets of our digital devices and accounts. Computers and phones remember everything we do.

Ghosts Can Disappear, Just Like Cell Phone Data

Collect and preserve cell phone data before it disappears. Here’s why:

  • Data on iPhone and Android devices, such as emails, documents, and photos, is continuously syncing with cloud-based platforms.
  • Phones have default settings for text messages that automatically remove them from the device. 
  • When updating an iPhone to iOS 16, data has the potential to be deleted. 
  • When powered on, some cell phones will automatically delete and overwrite information.

The lengthy process of determining what data to collect from a custodian’s devices can be an issue.

The back-and-forth conversations and negotiations on the scope of data to preserve from a custodian’s cell phone can take weeks or even months.

In the meantime, data and evidence on the cell phone are deleted automatically, inadvertently destroyed, or even overwritten remotely.

If data is needed from a cell phone, isolate the device, and preserve the data as soon as possible. 

Data has a way of ‘disappearing.’

Custodians Get Spooked Without A Protocol

It can be heart-pounding going through a haunted house, waiting for something to jump from around the corner and scare you. Custodians can feel the same about providing their email credentials or cell phone to a stranger for forensic data collection.

Most people are creeped out by the concept of handing over all of their data from a device or cloud-based account to support a legal matter. The reason is that so much personal information on these devices and accounts is irrelevant to the case.

For example, a person’s Inbox may contain tens of thousands of emails which may include: Tax returns, baby photos, grandma’s popcorn ball recipe, medical history, and vacation itineraries. 99.99% of the emails in a person’s account are irrelevant if the matter doesn’t pertain to any of these topics.

This is where the power of protocol can ensure that a custodian isn’t spooked by the request for collection. It assures them of their privacy and sets their expectations of what will be produced for both sides.

Drafting a unique cell phone protocol per matter isn’t unusual, but a generic protocol generally includes:

  • An NDA / confidentiality agreement to counter the opponent’s objections related to security or privacy and non-related mobile phone data.
  • An assurance that non-relevant and personal information will not be produced or reviewed.
  • An in-camera review and a Special Master for handling security and privacy issues.
  • Many smartphones and accounts are in use outside the reach of corporate security controls.

Nowadays, people store everything on their cell phones. This includes nudes, social security numbers, photos of family, garage door codes, location data, financial information, and passwords. The list could go on and on.

The fact that all of this sensitive and personal information exists in one place is the main reason there is a fight over the imaging and analysis of mobile devices.

A well-crafted protocol will help alleviate these concerns. It’s a win for everyone involved.

Trick or Treat – Forged PDFs

Few participants are disappointed when they receive a treat instead of a trick when engaging in trick-or-treating. No one wants to be tricked when the objective is authenticating an email.

Authentication of a sent email is common practice in trade secrets, corporate litigation, and employment matters. Some of the blanks to fill in include when an email was sent and to whom it was sent. An email’s metadata fills these blanks.

Simply said, metadata is the data that describes a piece of data. When a document, like an email, is created, edited, modified, or deleted, it’s reflected in the metadata. It documents what, when, and how something was changed in a document file, image, spreadsheet, video, audio recording, CRM database, and website page.

Access to the original email is necessary to review an email’s metadata. Metadata is stored in the email, and having access to it in an email address’ Inbox or Sent folders will suffice. This can be accomplished by collecting and preserving an entire email Inbox. 

If a party attempts to authenticate an email through a PDF file, there is room for pause. While straightforward, creating a PDF file to verify email communication takes many more steps than forwarding the original message. It also provides the opportunity for manipulation.
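The following Python example is added for illustration and is not part of the original article or 4Discovery's tooling. It reads the metadata an original message carries (sender, recipients, Message-ID, Date, and the server-stamped Received hops) and checks that the claimed send time agrees with the first server hop, which a PDF printout cannot support. The sample message, addresses, and function names are constructed for the example.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not from a real matter).
RAW_EMAIL = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com with ESMTPS id abc123;
\tTue, 04 Oct 2022 14:03:12 -0500
Received: from laptop.example.org (laptop.example.org [198.51.100.7])
\tby mail.example.org with ESMTPSA id xyz789;
\tTue, 04 Oct 2022 14:03:09 -0500
Date: Tue, 04 Oct 2022 14:03:05 -0500
From: Alice Sender <alice@example.org>
To: Bob Recipient <bob@example.com>
Message-ID: <20221004190305.1234@example.org>
Subject: Q3 client list

See attached.
"""

def email_metadata(raw):
    """Extract who/when metadata from an original RFC 5322 message."""
    msg = message_from_string(raw)
    # Each server prepends its own Received header, so reverse to get
    # oldest hop first. The hop timestamp follows the final ';'.
    hops = [parsedate_to_datetime(r.rsplit(";", 1)[-1].strip())
            for r in reversed(msg.get_all("Received", []))]
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "sent": parsedate_to_datetime(msg["Date"]),
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        "message_id": msg["Message-ID"],
        "hops": hops,
    }

def timeline_findings(meta, skew=timedelta(minutes=5)):
    """Compare the sender-supplied Date with server-stamped hop times."""
    hops = meta["hops"]
    if not hops:
        return ["no Received hops to corroborate the Date header"]
    findings = []
    gap = abs(hops[0] - meta["sent"])
    if gap > skew:
        findings.append(f"Date header differs from first server hop by {gap}")
    if any(earlier - later > skew for earlier, later in zip(hops, hops[1:])):
        findings.append("Received hops are out of chronological order")
    return findings
```

A message taken from a Sent folder may legitimately have no Received hops, so that finding means the Date header needs corroboration from another source, not that the message is altered.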

There are a few situations involving electronically stored information (ESI) where metadata can’t answer questions in a digital forensic investigation. So when emails are a part of the ESI for your matter, take the necessary steps. Ensure that nothing is missed and that you obtain a treat, not a trick. Here are three takeaways:

  1. The metadata doesn’t lie – Always get the original email/file
  2. Validating emails shouldn’t be complex
  3. When in doubt, engage with a digital forensic expert 

Be Afraid Of Call Detail Records

It’s terrifying knowing that in auto accident cases, attorneys still rely on call detail records as their primary source for cell phone activity.

A typical scenario involves a plaintiff attorney representing their client in a distracted driver matter.

The attorney planned to access the defendant’s cell phone activity by subpoenaing the Call Detail Records from the cell phone carrier.

While these cell phone records can be helpful, they provide only this information:

  • Call logs
  • SMS messages, sender and recipient
  • Data usage summaries

Here’s what data would be missing that may be critical to the case:

  • Chats and iMessages senders and recipients (not registered as an SMS message with the cell phone provider)
  • Copy and contents of SMS messages
  • Application (apps) usage on the phone
  • Geolocation from the phone and 3rd-party apps

A key takeaway for litigation of a distracted driver: Someone doesn’t have to be talking on their phone to be distracted by it.

Drivers can be distracted by their cell phone at the time of an accident by:

  • Playing a song on Pandora
  • Reading an email
  • Looking at a TikTok notification

The data on a cell phone doesn’t lie. Don’t be afraid to use that to your advantage.

When Will It All End?

There are horror films that keep you guessing, sitting on the edge of your seat, and wondering what will happen next. And then there are scary movies that are just so awful that they beg the question, when will this be over? While each matter is unique, there shouldn’t be a mystery or shock factor with how long a digital forensics project should take.

No two matters are exactly alike, and every device or account is different. Still, there are some general timelines for how long it takes to preserve ESI through a digital forensic collection. Below are general timelines based on 4Discovery’s experience preserving thousands of devices and accounts. *Consult with a digital forensics expert for an estimate on preserving ESI for your matters.*

Email accounts have hundreds to hundreds of thousands of messages. Depending on the amount, the size, and the number of attachments, collecting a single email account can take as little as an hour or over an entire day. Cloud-based accounts, including iCloud, Google Drive, and social media accounts like Facebook and Twitter, are similar. But, again, the number of files and the amount of data in the account will dictate the collection duration. A benefit to the custodian during the collection process is they will have full access to and functionality of the account.

With desktop, laptop, and external hard drives, a collection can target specific data or preserve the entire drive. Depending on what is needed for a specific matter, preserving a forensic image of a hard drive can range from one (1) to four (4) hours, but on average, it takes two (2) hours. The hard drive cannot be used while it’s being collected.

Smartphones and tablets differ from computers because the entire device must be preserved to collect a forensic image. This means that the custodian would not be able to access or use the device during the collection process. On cell phones, this includes receiving phone calls and text messages. Most of the time, the cell phone’s age can impact the collection process. For example, preserving a newer iPhone 14 in Q4 of 2022 would presumably take less time because of the limited data on the device due to the time the custodian owned it. In general, cell phones and tablets take one (1) to six (6) hours to collect, but on average range between two (2) and four (4) hours.

It’s important to note that email Inboxes and Cloud accounts are almost exclusively collected remotely. A remote collection is possible for desktops, laptops, external hard drives, iPhones, Android cell phones, and tablets like iPads. This means preserving the ESI while the device remains in the custodian’s physical possession.

When collecting the ESI from any account or device, a general timeline should be established for how long the process might take. The device’s state and connectivity speed can impact the collection duration. Once the collection has begun, an updated estimate should be provided. There shouldn’t be anything shocking about how long it will take.

What’s In The Box? WHAT’S IN THE BOX?!

Mystery and suspense aren’t necessary when determining what types of data are on a computer or smartphone. Certain types of ESI reside physically on the device, and other data is stored in the Cloud.

If there is a matter that requires collecting and preserving the data on a custodian’s computer, here are additional questions to address.

Q: Is the preservation of emails necessary?

The majority of the time, emails do not reside on the computer. Instead, they are stored on a company’s internal server(s) or remotely in the Cloud.

Q: Do they have any other storage devices?

Examples of this include USB devices like thumb drives and external hard drives. This is important as this is a common means for copying or removing files from a computer.

Q: Is any of the custodian’s data stored in the Cloud?

The data in Cloud services like Google Drive and Dropbox and the data on the computer are most likely slightly different. Knowing this may impact the collection approach.

Different data types are in different places. Therefore, knowing what you’re looking for will help determine the data’s location and the best way to collect it for your matter.

Nothing Has To Be Scary

There doesn’t have to be a mystery surrounding ESI and your matters. There are many variables, but ultimately a prudent approach is available based on the details. The next time a matter includes ESI, reach out to the digital forensic expert at 4Discovery.