Digital forensics

E-Discovery and Computer Forensics – How are They Different?

Hannah George
January 31, 2018 by
Hannah George

Introduction to E-Discovery

E-discovery is the procedure by which parties involved in a legal case collect, preserve, review and exchange information in electronic format to use it as an evidence in that case. The parties involved in the case are required to exchange information and evidences in State or Federal courts, coming in the form of either recorded interrogations or testimony. Whether emails, spreadsheets, documents or any other electronic file of potential evidentiary value for investigators or attorneys, the court has identified it as admissible evidence.

E-discovery also involves sifting through a large amount of data to reduce redundancy and useless information. The data is brought to a single location so that it can be viewed by investigators and lawyers. This particular step in the process does not recover hidden or deleted data.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Typically, an E-discovery process includes the following steps:

Step 1: The process begins by creating and retaining ESI (Electronically Stored Information) according to ERM (Electronics Records Management) program and enforceable electronic records retention policy.

Step 2: Relevant ESI is identified and then preserved so that the gathered data cannot be destroyed or altered.

Step 3: Now, the ESI is further processed and filtered so that useless information and duplicates are reduced. When the volume of ESI is reduced, it also reduces the costs.

Step 4: The filtered ESI is reviewed and analyzed for the privilege.

Step 5: The remaining ESI is produced after excluding irrelevant, duplicate and privileged data. The ESI is produced in a specific format.

Step 6: This step involves a clawback agreement of the ESI and getting it approved by the court. Clawback agreement is an integral part of any production that involves ESI. Incorporating this agreement is a part of the court order. This agreement requires the parties to agree that unintended production of privileged information will not automatically constitute a waiver of privilege.

Step 7: If the case hasn’t been settled, then the E-discovery is taken to trial.

Computer Forensics vs. E-Discovery

Since both involve electronically stored information, many people think they are one and the same. The primary purpose of E-discovery is to collect active data and metadata from hard drives and other forms of storage media. This data, however, is limited. Computer Forensics is then used to perform a deeper recovery. Computer Forensics autopsies the hard drive and looks for hidden folders or unallocated disk space for identifying who, what, where, why from a computer. If there is not enough basic evidence accessible from a computer, then Computer Forensics is performed. The techniques used in forensics to gather legal evidence require specialized training. It is a more specific discipline that involves the analysis of electronic devices and computers to produce legal evidence for a crime. It involves technical procedures like data carving. Computer Forensics is used in fraud investigations, employment cases, civil ligations, criminal prosecutions, white collar crimes and even divorce cases.

What type of data is gathered by Computer Forensics?

It is the process of retrieving both accessible and inaccessible data like:

  • Automatically stored data, for instance, a file that was purged from the server and its copy still exists on the hard drive of the user.
  • Files that were deleted by the user and not destroyed. These files stay on the hard drive until they are wiped or overwritten.
  • Ghost data which is not readily accessible but recoverable.
  • System data which gives an electronic trail of all the activities performed on the computer or the network.
  • If wiping software was used on the computer to wipe data, then it can be detected using computer forensic software.

How Did E-Discovery help Google win over Oracle?

Remember when Oracle sued Google for infringing its copyrights by using its Java code in its Android OS? Google won this six-year battle through the E-discovery process. The company gathered multiple emails and presented it to the jury. Among the evidence was an email from the Chief Engineer of Google who suggested negotiating the license from Java. Another email revealed that Google bigwigs requested an alternative OS similar to Java be researched.

Common challenges facing E-discovery

E-discovery is a remarkable way of gathering legal evidences but there are some challenges associated with it too. A good thing is that technological progress is here to mitigate them too. Some of the common ones are:

Large volume of data

It is not easy to filter data when there are too many files to go through. What to pick and what not to pick can affect the quality of the evidence.

It’s expensive

E-discovery process can be complicated, expensive and time consuming. When dealing with complex transactions, fraud or dealing with a long history of communicating among the parties, the cost of e-discovery goes up. Processing ESI can be expensive because of the degree of accuracy required and there is a lot work to be done that too quickly. Certain tools and software are used to extract data which are costly themselves. Plus, experts are required to perform data recovery who are specially trained for this purpose.

Cloud e-discovery is not so easy

A number of challenges arise with cloud e-discovery starting from identifying the physical location of the server to determining the ownership of these servers which further leads to third party data discovery challenges. There is a widespread assumption that the information stored on cloud is easy for an organization to extract but it is not always the case. There are a number of places on the cloud where ESI can live. As per the Federal rules of a Civil Procedure, the party to litigation has to preserve and produce ESI which is in its custody, possession or control. When it comes to cloud, these duties are split. The ESI might not be in your procession or control. Depending on the relationship a company has with its cloud vendor, it may not know where exactly the data is stored. Even if you it does, it is extremely difficult to access the information in time and in the right format. If the company loses control over access to that particular data, the attorney of the opposing party can even send a subpoena to the company or even the cloud provider, making things more complicated.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.


Computer Forensics and E-discovery are two different procedures. When an investigation requires simple information, whether about an individual or business, E-discovery can be really useful. However, if the investigation grows and information needs to be uncovered, then Computer Forensics is used. In short, a legal team can benefit if both these processes are used hand-in-hand.

Hannah George
Hannah George

I am Hannah George. I am positivity engager, tech blogger & coffee addict. I have a degree in Journalism and Modern Greek Studies from San Francisco State University. Writing is my passion and I write about tech news, trends, new apps and other tangentially related topics with a particular interest in wearables and exercise tech. When I am not writing, I go out biking on long trails. I live in San Francisco with my pet cat Sushi.