In-Person and Remote Collections – Collection Fundamentals Series, Part 7

7 / 8

A multi-part series on the essentials practitioners need to know about ESI collections

In “Collection and the Duty of Technology Competence,” we discussed lawyers’ duty of technology competence and the importance of understanding collection to fulfilling that duty.  In “The Broad Scope of Collection,” we discussed the potential legal and technological scope of collection.  In “How Computers Store ESI,” we discussed the operation of computer memory.  In “Collecting and Recovering ESI from Computer Memory,” we discussed the technical process of collection.  In “The Intersection of Technical and Legal Realities,” we discussed the intersection of that technical process with the legal requirements.  In “Self-Collection and Its Risks,” we discussed the first of the three common collection approaches, and in this Part, we review the other two.

Collection Approaches: In-Person Collection

Traditionally, the most common collection approach has been in-person collection, in which the person executing the collection is in physical possession of the device(s) to be collected.  This may be achieved by sending the devices to the person executing the collection, but is more often achieved by having the person executing the collection travel to where the custodian(s) and their device(s) are.  These collections are carried out using specialized hardware and software tools, such as EnCase Forensic or FTK.  As we discussed in “Collecting and Recovering ESI from Computer Memory,” these tools include features like write-blocking and hash verification to ensure accuracy and demonstrable forensic soundness.

In-person collection has many benefits.  Most importantly, it ensures proper collection from the original source overseen by a professional rather than by the custodian.  It can also give the person executing the collection an opportunity to interact with the custodians to gather useful information about the sources and what they contain, combining in-person custodian interviews with collection itself.  And, when multiple custodians are in the same office location, it can be efficient, even when travel to that location is required.

In-person collection is not ideal for all situations, however.  When custodians are distributed across multiple office locations – or when many employees work remotely from home – travel to all of those locations can quickly become too costly and time-consuming to make sense.  Having one or more collection professionals on-site can also be disruptive to normal operations and may not be as subtle an approach as you require in certain investigative contexts.

In-person collection also raises the question of who should perform the collections.  Instead of relying on third-party collection professionals, some organizations opt to acquire the relevant tools in-house and have one or more IT professionals carry out collections.  Not all organizations are willing to assume the tool costs, employee training and certification costs, and downstream testimonial obligations that come with insourcing collection, but for some serial litigants it makes good sense.  For everyone else, retaining the services of a third-party collection professional with their own tools, certifications, and ability to provide testimony is generally the best option.

Collection Approaches: Remote Collection

As geographically-distributed (and remote) employees have become more common, remote collection has grown in popularity as an approach.  Remote collection comes in three primary subtypes: self-executing devices with instructions, preconfigured drives plus remote access, and enterprise applications:

  • In the first subtype, a collection device is prepared in advance and shipped to the custodian who follows provided instructions to connect the device to their computer and initiate the pre-defined collection process. When the collection is complete, the custodian returns the device.
  • In the second subtype, a preconfigured drive is shipped to the custodian who connects it to the computer and then grants remote access to a remote collection professional to execute and oversee the actual collection to the drive. When the collection is complete, the custodian returns the drive.  (It is also possible for limited collection over the internet to be done by remote access, but typically the sizes involved make shipping drives a better choice for this approach.)
  • In the third subtype, an enterprise application (e.g., TotalDiscovery) is installed that facilitates manual or automated collections from devices connected to the company network. Collections may be executed with or without the custodians’ knowledge and may be administered by IT personnel or by third-party collection professionals.  Collections are copied over the network and later may be transferred to drives for shipping to a third-party eDiscovery services provider for processing and review.

Of these three, the second subtype is the most widely used, especially for small and mid-size organizations.  Large organizations are the most likely to consider investing in an enterprise application for the third subtype.  Any of the three can save time and money when dealing with distributed custodians, as long as there is no reason to mistrust the custodians’ cooperation.

Upcoming in this Series

Next, in the final Part of this series, we will touch on some more challenging collection sources, including: enterprise, mobile, social, and cloud sources.

About the Author

Matthew Verga

Director of Education

Matthew Verga is an electronic discovery expert proficient at leveraging his legal experience as an attorney, his technical knowledge as a practitioner, and his skills as a communicator to make complex eDiscovery topics accessible to diverse audiences. A fourteen-year industry veteran, Matthew has worked across every phase of the EDRM and at every level from the project trenches to enterprise program design. He leverages this background to produce engaging educational content to empower practitioners at all levels with knowledge they can use to improve their projects, their careers, and their organizations.

Whether you prefer email, text or carrier pigeons, we’re always available.

Discovery starts with listening.

(877) 545-XACT / or / Email Us