The Major Differences Between Digital Forensics and eDiscovery

Almost every litigation now involves some sort of digital evidence, whether it’s a criminal case, IP theft or even family law. Depending on the unique details of the case, there are two different ways that digital evidence can be obtained, analyzed and used – eDiscovery and digital forensics. Electronic discovery will be used in almost every case. Digital forensics is used when you need to dig deeper into the digital evidence.

Electronic Discovery

Electronic discovery or eDiscovery generally collects active data. Active data is classified as information and data that is easily available through file storage and program managers utilized by a business or individual.

When collecting data through electronic discovery, the data usually goes to the legal counsel who then performs his or her own review on the data. The professionals collecting this data are simply transferring information and do not discuss the intent of the user or business. They also do not provide legal advice. Electronic discovery is useful when the only information needed involves easily accessible files such as email, calendars, documents, and databases.

If some of the information required by eDiscovery has been deleted or if there is a suspicion that it has been tampered with or altered in some way, then you’ll need to engage the assistance of a digital forensics expert.

Digital Forensics

A forensic analysis of data is needed when the litigation requires a deeper look at the information on a digital device, especially if there is a suspicion that digital evidence has been deleted or altered in some way.

A digital forensics examiner uses specialized tools and interfaces to analyze both the visible and “invisible” data on a specific piece of digital media. The “invisible” data includes things like deleted or edited files, old emails, deleted browsing or social media history, etc. In some cases these old files may not be recoverable, but a digital forensic expert may be able to demonstrate that certain files were actually deleted by a specific user at a specific time and may also uncover programs that are frequently used to encrypt, hide or delete data that a user wants to keep secret.

Common examples of data that can only be retrieved through digital forensics are:

  • Evidence that a user accessed or copied specific files from a computer network via their desktop computer. This is useful in IP theft cases.
  • Copies of files/emails that have been deleted or files/emails that used to be part of a backup process. These files are often used in family law cases.
  • Evidence of wiping software used to permanently delete large amounts of data. This information is often useful in criminal cases and some family law cases.
  • Location or activity data from a mobile device – can be used in almost any type of court case.

Digital forensic experts are brought in to produce more than data for a case. They analyze that data in hopes of finding evidence that can be used for a client. Typically, they partner with a legal team to determine what type of data they are seeking before the forensic examination takes place. Digital forensic experts are often active throughout a case and can be called on in legal proceedings to defend their claims about the information.

Maintaining Data Integrity

Regardless of what method of data collection is used, it is important that the data remains protected. When collecting data through electronic discovery, large amounts of information are transferred from the original source. Copies of the relevant files should be made to ensure that no changes are being made to the original files.

Maintaining data integrity requires more specialized tools and processes in the world of digital forensics. By definition, you’re focusing on data that is not easy to find and is often controlled by background processes on a computer. Digital forensics experts use tools to ensure that information is accessed safely.  They also create what is called a “verified forensic image” of a specific device or piece of media. Unlike a standard file copy, a forensic image is a bit for bit copy of all of the contents of a drive, even the data that is hidden from users. Maintaining a verified forensic image is a critical component of professional forensic exam that can hold up in court.

When to Consider Digital Forensics

The use of digital forensics in IP theft, family law and criminal cases is increasing rapidly. As digital devices become a constant fixture in our lives, any investigation of a person or entity’s activities must include an investigation of their digital footprint.

Courts are less willing to grant blanket access to all the data associated with a person or company and require details of the specific information that will support a specific case.

If you expect your case to be contentious or you suspect that data has been altered or deleted, it helps to bring in a digital forensics expert as soon as possible. They can help preserve data from the start and find deleted data or evidence of deleted data to help make your case.

The experts at Flashback Data have helped hundreds of law firms in the areas of IP theft, family law and criminal defense. Our digital crime lab is accredited under the same program as the FBI and state labs and we offer fast turnaround time to support the needs of your case. Contact us for more information or

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.

UPDATED 7/16/18; ORIGINALLY POSTED 6/30/17