Behind the Screens: Running Forensic Investigations in the Information Age
ORIGINALLY PUBLISHED BY EVERLAW: https://www.everlaw.com/blog/everlaw-partners/running-forensic-investigations-information-age/
Written by Petra Pasternak, Everlaw
When Steve Davis was starting out as an investigator 30 years ago, forensics work required travel by, as he says, “planes, trains, and automobiles.” Forensic investigators lugged around pelican cases – sturdy, shock-resistant, waterproof luggage – to transport the equipment needed to scan devices for evidence on location.
That was back before information moved to the cloud and computing power increased multifold. Today, it’s all about electronically stored information. And the tools have evolved to match the changing nature of data.
Steve, a Licensed Private Investigator & Vice President of Forensics & Investigations at professional services provider Purpose Legal, can now send a remote-assisted collection kit to carry out a forensic collection or extraction. The data is then sent back to the lab for evaluation. His team never has to leave their remote offices.
“Nowadays, we can do really 95%-plus of our work remotely,” he said during an interview with Everlaw.
Steve says that the voluminous yet elusive nature of digital data, and all the places it may be stored, are among the things clients often underestimate. Purpose Legal, provider of legal support and ediscovery solutions and one of Everlaw’s leading partners, walks corporations and law firms through how to frame an approach to a collection or investigation, the modern tools and techniques that may be needed, and ways to deploy them effectively.
We discussed the biggest changes, challenges, and where forensics and ediscovery are headed next.
Tell us about your background – how did you get started as a private investigator?
I actually broke into the business as a banker after I got my Master’s degree in finance and securities analysis. I moved to Dallas, met my wife, and I wanted to work for a bank because someday I wanted to start my own company and I had to figure out how finance worked in the banking business.
I ran a company for about 20 years that my wife and I owned that was involved with investigations. It was really pre-ediscovery in a lot of respects. So, a lot of what we did was paper based. We used to dig through boxes and basically come up with theories about why things happened having to do with straw borrowers and fraud and a lot of banking-esque type theories.
Things then segued from the world of coding and imaging and lit support into forensics when the world became more about electronically stored information. Then you had to have practitioners that were educated in how to access information from data sources and physical devices. It was kind of a natural segue for me to get involved with the forensics business.
What was forensics work like when you first started?
Thirty years ago – I call it planes, trains, and automobiles – we were going out on the road and people had pelican cases that we put all our equipment in. We went places and watched the asphalt dry while they were doing an imaging project. It never made sense because a lot of us who are in the forensic business can really be spinning six or seven plates at one time when we’re in the lab.
How have you seen forensics work change over the years?
So, partly because it didn’t make economic sense, and partly because of the changing character of data, nowadays, we can do 95% of our work remotely. Data sizes have grown dramatically, but a lot of it has been pushed to the cloud or endpoints. For those things that are in repositories or archival locations, we’re able to get behind the firewall and access them with the necessary credentials or permissions and download the data.
For those items that are a terabyte in size for a computer or a large phone or something, we can go ahead and send out remote technology, like a remote-assisted collection kit – which is something Purpose Legal uses – and send it to a destination, connect with an end custodian and actually do the forensic collection or extraction needed, and then have the data sent back into our lab for any slicing or dicing or parsing that has to be done.
How does being a private investigator help you in ediscovery and litigation support work now?
In many states, including Texas, you must be a private investigator in order to perform forensics. I’m an investigator by trade, that’s my background, which is really helpful because nowadays it’s like, “Where’s Waldo?” to try and identify where data lives.
It’s very important to identify not just whether something exists on my laptop or my phone, but is it also contained in an iCloud backup or on a sync on a tablet? Or are there thumb drives that have been plugged into a device or an outboard external hard drive?
There’s a lot of different places data can live. You can’t just go to one location and say, “Eureka, I found it.” You have to do a lot of sleuthing and investigating to figure out all the places data may exist – and then where it may have been backed up.
What are some of the biggest challenges facing your clients today?
Lawyers are brilliant people, they’re very skilled at what they do, but technology is very elusive and changing. And you run into a lot of things like modern attachments or cloud attachments where it may not be readily obvious how they’re related to messaging, whether it’s Teams messaging, whether it’s inside email or M365 or the Google Workspace.
The same thing with structured data locations like collaborative platforms, like Jira or Confluence, or Teams, or Slack, or whether you’re dealing with mobile device data in an Android or an iPhone. All the data is in structured databases.
You have to extract out, normalize, and parse that data to make it more friendly or linear to get ingested into an ediscovery platform. Those are steps that a lawyer or a practitioner or a custodian, or a corporation downstream – they just look at a phone or the mobile user interface and they say, “Well, there’s my document right on the screen. Hand that to me.”
And it’s not that easy. That takes talent and technique, and tools to do that.
Where in the investigations or litigation process do you come in with clients?
My biggest role is in those early meetings with clients and their counsel and their outside IT agents, where you are trying to think through how to frame an approach to either a collection or an investigation, and what tools are necessary, what techniques should be considered, and how do you deploy those?
Then I turn around and go back to the lab and then work closely with our forensic analysts and investigators to disseminate what I’ve learned. And I help keep them on course to make sure that we’re doing things in a reasonable manner and that we’re also being responsive and communicative back to the people that engaged us originally.
When you’re assessing a client’s needs, what are some of the factors that inform your strategy and your choice of tools that you recommend for their situation?
It really depends on the size of the organization and what industry they’re working in and how often they get brought into litigation. So, it’s kind of a case-by-case basis, but we try to assess where people have been before we start telling them where to go.
The first step is really trying to understand, are you a serial litigant? Do you have an IT department? Do you have an ediscovery department? Do you have a playbook in your office that teaches you how to do things and what should be the next step?
It radically changes from company to company, partnership to partnership, depending on what their level of experience is.
What’s your philosophy on how integrated the ediscovery process should be with the managed review process?
It is very disjointed currently. We believe we’re going to see more cohesiveness and less of this elephant-by-committee in the future in terms of ediscovery.
In the old days, forensics was “go out and get a bit-by-bit forensic image of a system, and then extract out data, copy that data, upload the data to a partner, the partner processes it and downloads the data, ingests it into their tool, does the slicing and dicing and searching, promotes it into an early case assessment or to a review platform.”
That’s a lot of steps. I think what we’re going to see is less of a fragmented approach. We’re going to see a more unified approach where data can be seamlessly ingested through a connector directly to a platform that can do the processing, the searching, and house the data for review.
Everlaw is designed to be that single solution where customers can consolidate all their litigation and investigations work. What’s been your experience?
I think where Everlaw has really succeeded is in that ability for laymen – and not hyper-technical people – to get data rapidly into the system and get eyes on data. And then they can go ahead and work with either Everlaw, or with some of their service providers like Purpose Legal, to leverage the functionality around project management, search technology, and iterative attempts to get to the relevant data.
I’ve had the opportunity to test and do some beta work with Everlaw’s Storybuilder functionality. And it’s been amazing and it’s a differentiator compared to some other things in the marketplace. It shows Everlaw can be a more nimble platform than other alternatives that are out there.
And it seems to me that it gets you to the goal line faster. You’re getting to more relevant data faster and you’re getting eyes on data in a much more rapid way than we used to do years ago.
Everlaw’s motto is to help clients get to the truth faster. What counts as success for you?
To me, winning is getting the best result for a client. I called one of them this morning and told them that we had finished with an analysis of eight custodians out of 24 that we were working on, and here were the results. And to me, that’s exciting. I like sharing those things.
And they said, “Well, that’s great. That’s gonna make it a lot better for us.” And what I told them is that it does, but my job isn’t necessarily for them to be happy. My job is for the situation to get resolved. Sometimes that’s gonna be tremendous for them and sometimes it’s not gonna be so good for them, you know? And I can’t control that.
My job is to make sure I get to the end result and find all the puzzle pieces and put them together. And then whether or not they’re satisfied with the picture will be in the eye of the beholder.