Second, the client should be instructed not to access relevant devices or sources so that information may be collected in a forensically sound manner. For corporate clients, that should include express directions to the information technology team to avoid a “helpful” IT employee compromising forensic discovery—both in the litigation hold and in a separate communication from internal or outside counsel. Moreover, sources with hard drives may be encrypted or have right restrictions that may otherwise prevent the drive from being imaged without administrative user credentials. Any remote wiping or scheduled data deletion measures for the source should be disabled. Identifying whether these protective measures are in place will help avoid delays in the imaging process or—even worse—being locked out of the drive due to data loss prevention measures.
Third, if forensic data must be preserved, counsel should consider engaging an independent forensic examiner or, if appropriate, an attorney with e-discovery expertise to ensure that the relevant sources are collected and preserved in a forensically sound and complete manner. Independent forensic examiners or forensic experts are often preferable if the dispute may require the submission of an affidavit to substantiate the chain of custody and authenticate information collected from the sources.
Fourth, an active dialogue with the opposing party can prevent allegations of spoliation or concealing evidence. The parties may wish to specifically outline what will be searched and the search criteria used, preferably identified in an agreed protocol or other written agreement governing the production of forensic data.
In sum, initial preparation and analysis of forensic discovery can create efficiency and avoid problems from arising later.