August 19, 2014 Articles

What Kind of E-Discovery?

You must be able to spot the circumstances in which either an active-file or a forensic approach is needed.

By James Berriman

There are two major categories of e-discovery. The first is traditional e-discovery, also known as “active-file” e-discovery. The second is forensic e-discovery. The two categories are highly dissimilar in purpose, methodology, and content. To be an effective litigator, you must be able to spot the circumstances in which each is appropriate.

Active-File E-Discovery
The great bulk of e-discovery involves the review and production of the normal electronic records of a litigant. Such files have three characteristics:

  • They are active files (as opposed to deleted files).
  • They are ordinary user-type files (as opposed to system files).
  • They meet the criteria for legal relevance within the context of the dispute.

“Active” files are those you see listed in a computer directory such as Windows Explorer—they have file names, extensions, and defined sizes. “User” files are the types of files created and reviewed by ordinary end-users in the course of performing their jobs; they include emails, word-processed documents, spreadsheets, presentations, PDFs, graphics, media files, and the like.

The active user files of a company comprise its correspondence, memos, reports, financials, advertising, invoices, and other business records. Active-file e-discovery is therefore the electronic equivalent of traditional paper discovery. It is part of virtually every commercial litigation because most corporate communications and business activities tend to be reflected in electronic documents.

In active-file e-discovery—like traditional paper discovery—the focus is on the substantive content on the face of each document:

  • What are the terms of this lease?
  • What are the warranties in this contract?
  • What is the scope of this specification?
  • What is stated in this communication?
  • What invention is claimed in this patent?
  • What is represented in this advertisement?

Such determinations require no technical expertise regarding the underlying digital format of the document. Rather, such determinations are made by the reviewing attorneys based on traditional legal issue-spotting and knowledge of the claims and defenses at issue. These are questions of law, not of the technology with which the file was created.

The main challenge in active-file e-discovery is to find the subset of relevant and material documents in the most cost-effective manner in light of the large size of corporate document repositories. This is typically done by identifying the relevant custodians and the repositories most likely to contain relevant documents, and then using keywords, date filters, and perhaps other techniques (such as clustering or predictive coding) to separate wheat from chaff. The resulting universe of potentially relevant documents then becomes the review set from which the attorneys will make the final subjective determinations of relevance in preparation for production.

Forensic E-Discovery
Forensic e-discovery involves a different goal and methodology. Rather than focusing on the substantive content of the document, forensic e-discovery looks behind the document to focus on technical clues in the digital environment. The objective is to determine not what a document says on its face, but rather what the user did with the document or did with the computer:

  • Did the user copy a document to a memory key? Upload it to a web repository?
  • Has a document been altered? Deleted? Can a deleted document be recovered?
  • Did the user attempt to gain unauthorized access to a system?
  • What websites did a user visit? What searches did a user run?
  • When did the user last log on? What applications did the user launch?

These questions require analysis of arcane technical clues in the digital environment, not legal issue-spotting based on the substantive content of an electronic business record. Such analysis must be done by a specialist trained in the tools of computer forensics. These are the circumstances that might call for the services of the forensic expert:

  • Spoliation: Does the matter involve spoliation or deletion of critical electronic evidence?
  • Alteration: Does the matter involve alteration of critical electronic evidence?
  • Authenticity: Does the matter involve questions about the authenticity of electronic evidence?
  • History: Does the matter involve ascertaining the history of critical electronic evidence?
  • Access: Does the matter involve questions of who accessed critical electronic evidence?
  • Transmittal: Does the matter involve questions of whether data were transmitted or copied?
  • User activity: Does the matter involve questions of how digital equipment was used?

Forensic e-discovery involves looking at things like system logs, fragments of partially deleted records, caches that contain copies of old data, system databases (such as the Windows registry) that provide evidence of user activity (for example, whether a user attached a USB device to the computer the day before quitting), analysis of system time stamps to determine when certain activities occurred, and other types of “under the hood” analysis. It involves ferreting out facts that you would not see by looking at the face of the active user files.

Accordingly, forensic e-discovery is typically used only in the relatively small percentage of cases involving elements of spoliation or user conduct (or misconduct). In my experience, most commercial litigation matters do not involve or require forensic e-discovery because most business disputes are based on the substantive content of ordinary electronic business records. In those instances when forensic e-discovery is required, the scope tends to be narrow and the focus tends to be on the computers and devices used by the people who committed the conduct or the spoliation at issue.

If we were to make a rough analogy to traditional paper discovery, active-file e-discovery would be similar to looking in file cabinets and manila folders to find the ordinary business records of the company. Forensic e-discovery would be more like looking in the company’s wastebaskets and shred bins to piece together the evidence that has been lost or hidden, or looking at the company’s security camera footage to see who was doing what and when. The former is part of virtually every litigation; the latter is usually reserved for special cases involving allegations of spoliation or misconduct.

Forensic e-discovery typically does not result in a document production. Rather, it results in an expert opinion or report describing the results of the expert’s analysis of these technical clues.

When to Use Each Kind of E-Discovery
The following chart summarizes the major differences between the two types of e-discovery and identifies the circumstances when each is appropriate:

| | Active-File E-Discovery | Forensic E-Discovery |
|---|---|---|
| Where is the evidence? | Active user documents (electronic business records) | Digital environment of hard drive or device |
| What is the focus? | Substantive content on face of documents | User conduct (or misconduct) behind face of documents |
| What is the objective? | Find relevant documents | Find technical clues |
| What kind of expertise? | Legal issue-spotting | Technical issue-spotting |
| Who does the | (with technical help) | Forensic expert (with legal help) |
| What is the result? | Document production | Expert opinion / report |

Defining the Type of E-Discovery in Your Litigation
Due to the major differences between the two categories of e-discovery, it is important to distinguish them clearly when defining and disclosing the scope of e-discovery with opposing counsel. I have found the following provision to be a useful component of a joint-discovery protocol.

Active-file e-discovery versus forensic e-discovery. The parties anticipate that e-discovery in this case will be limited to traditional active-file e-discovery, which involves collecting and reviewing active electronic documents located on desktops, laptops, servers, and local digital-storage devices. The parties will not be obligated to conduct forensic preservation and analysis of digital-storage devices unless a specific showing is made of need in limited circumstances.

This provision puts opposing counsel on notice that your default approach is not to conduct forensic e-discovery except when warranted by appropriate circumstances. Disclosing this position in advance gives opposing counsel an opportunity to identify such circumstances at the outset (when there is still time to act on them) and reduces the risk that opposing counsel will later claim that your production was deficient.

James Berriman is chief executive officer of Evidox Corporation. He is an attorney admitted to practice in Massachusetts and has been appointed lecturer in law at Boston University School of Law.