Legal disputes frequently have to do with who communicated what to whom and when, which often makes email a fertile source of relevant information. As it happens, it can be among the easiest data to preserve, because almost all email servers have a function called Legal/Litigation Hold (or a similarly named feature) that prevents messages from being deleted—either indefinitely, or for a specified duration.
You can enable this on a per-user/mailbox basis so it applies only to relevant individuals, and it will override any mail storage quotas those people may have (so watch your free disk space if you're running low). The most recent versions of Microsoft Exchange have an enhanced feature called In-Place Hold that lets you preserve messages based on a search query and pinpoint the specific messages that contain relevant subject matter in lieu of preserving an entire mailbox.
When you need to preserve the contents of a desktop or laptop PC (or a Mac for that matter), cloning the hard disk seems like a logical way to proceed. However, standard cloning tools (such as Clonezilla) clone only the used disk space. They ignore the free space, which may be chock full of recently deleted—and potentially relevant—files and configuration data. Cloning the entire disk, free space and all, requires a forensic cloning tool such as the free and open-source OSFClone.
Bear in mind that forensically cloning a computer with a large hard drive—it doesn't matter if it's mostly empty—can take many, many hours, during which time the system will not be available for use. You can get your systems back in service a bit more quickly by using standard cloning tools to clone the original disk to a new replacement disk, then swapping in the replacement and preserving the original disk. This obviously adds some hardware cost, and it may not be practical for systems where you can't easily access the hard drive, such as certain laptops.
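The sketch below is an added example, not part of the original article and not how OSFClone works internally: it uses plain `dd` and `sha256sum` to show what "free space and all" means in practice, namely a byte-for-byte copy that is verified by hash and recorded in a custody log. The function name `preserve_image` and the `custody.log` file are assumptions made for illustration.

```bash
# preserve_image SOURCE DEST_DIR CUSTODIAN
# Copies every byte of SOURCE (a raw device or image file), verifies the copy
# by SHA-256, marks it read-only and appends one line to DEST_DIR/custody.log.
# Prints the verified hash on success. All names here are illustrative.
preserve_image() {
    src=$1; dest_dir=$2; custodian=$3
    mkdir -p "$dest_dir" || return 1
    img="$dest_dir/$(basename "$src").dd"

    # Never overwrite an earlier image: that would destroy preserved evidence.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image $img" >&2
        return 1
    fi

    # dd reads the raw byte stream rather than walking the file system,
    # so unallocated (free) space is copied along with live files.
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1

    # A matching hash shows the image is a faithful copy of the source.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image is not a faithful copy" >&2
        return 1
    fi

    chmod 0444 "$img"
    # Custody record: UTC time, who took the image, where it is, its hash.
    printf '%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$custodian" "$img" "$img_hash" \
        >> "$dest_dir/custody.log"
    echo "$img_hash"
}
```

In real use SOURCE would be the disk device itself, attached read-only (ideally through a write blocker), and the recorded hash lets anyone later confirm the image has not changed.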
Preserving data on a server where lots of people constantly add and update data can be a challenge, especially if the server isn't set up to provide some type of file versioning (where it retains earlier iterations of data files whenever anyone makes a change to them). Here's a relatively straightforward, albeit somewhat blunt, way to preserve a server's contents: adjust your backup rotation (you are backing up your data, right?) with additional disks, tapes, or whatever media you use so that you don't overwrite previous backups. Be sure you physically secure your backup media at all times—and remember to preserve that chain of custody.
If you back up data to the cloud or to a network attached storage (NAS) device, rather than to removable media, alter your configuration to ensure that it doesn't overwrite the backups. Keep in mind that this may eventually require provisioning/adding more space as your backups start to pile up.
Preserving data on smartphones and tablets can be problematic, because they're not as easy to manipulate as PCs and servers. Plus, many of the features (such as text messages and voice mails) may be under the control of the mobile carrier or device/OS manufacturer rather than the device's user or owner.
You can make partial or full backups of mobile devices and store them locally as opposed to in the cloud (with iOS devices you can do it with iTunes or other utilities, but Android devices typically need to be rooted). However—depending on what you need to preserve—you may need to contract a mobile forensics professional to get the job done properly.
And be warned that if your business practices BYOD (bring-your-own-device) and you allow employees to use personal devices for work, you may be legally required to preserve relevant data on those employee-owned devices. "Discovery obligations typically apply to all information within the possession, custody, or control of the party receiving the request," points out attorney Diaz. "A party is deemed to have 'control' of information that they have the right, authority, or practical ability to obtain, even if it's held by third parties."
Speaking of third parties, it's important to note that if your business uses any kind of hosted services, such as Office 365, Google Apps, a hosted database or CRM, etc., you need to get those providers involved early on because you may not always have the direct administrative control necessary to preserve relevant data. In some cases, you may not be able to preserve certain kinds of data in-place on hosted services—for example, you currently can't put a hold on files stored in Google Drive.
Also, in some cases you may need to upgrade your hosting plan in order to gain access to features that allow you to preserve data (providers typically refer to these as ediscovery or compliance features). The same may be true of on-premises software—for example, you're not allowed to use Microsoft Exchange's Litigation/In-Place hold on a mailbox unless the user has an Enterprise (rather than a Standard) license.
One last thing—some courts have found that the duty to preserve relevant information doesn't begin when a legal claim is filed, but rather when you can reasonably foresee one on the horizon. Therefore, it behooves you to get your business ducks in a row at the first sign of a dispute that might progress into legal action.
Joseph Moran is a technology writer and IT consultant specializing in services for consumers and small businesses. He's written extensively for numerous print and online publications, and is the author of File Management Made Simple, Windows Edition from Apress.