Representation of digital folders in 3d cyberspace.

Forensic Examination of Electronic Devices: Part 2

Contact: Antonio Rega

April 28, 2021

This Practice Point was originally published by the American Bar Association Section of Litigation Business Torts & Unfair Competition journal.

As we discussed in our last Practice Point, attorneys should be familiar with the use of forensic analysis of electronic devices in litigation. While our previous post addressed the basics of forensic examinations, this installment delves a bit deeper into key considerations of an examination.

1. First consideration: What is the scope of the examination?

Determining the scope of the forensic examination is a critical first step. Scope determinations will affect everything from the time necessary to complete an examination, to cost, to who will be best suited to conduct an examination.

The biggest things to consider are what devices will be examined, and what data to target. For example, a forensic examination may be limited to just a single device (such as a departing employee’s company-issued computer), or it can cover multiple devices, including mobile phones, USB drives, or other removable storage devices, as well as email accounts or cloud repositories. Also, the examination may apply to not just company-issued devices, but personal ones as well.

Focusing on the data to be targeted is key as well. Clients may want to focus on documents that contain specific search terms, evidence that files or emails have been forwarded to an external email account, or evidence that files have been altered, copied, shared, exfiltrated, or deleted (or that the device as a whole has been wiped). In some cases, all of this evidence is critical, whereas in others, a more limited analysis is appropriate.

2. Second consideration: Who will conduct the examination?

Having a certified forensic examiner engaged to conduct every forensic analysis may be cost-prohibitive, and there are certain scenarios in which in-house capabilities will suffice – provided the analysis is conducted competently. Even when an organization employs IT with the requisite experience and credentials for performing data captures, it may prefer to avoid the liability of an in-house employee potentially testifying in court.

To offset this concern, in certain instances companies may opt to perform self-collection of data, but with oversight and/or guidance from a forensic expert. This approach offers the benefit of placing the responsibility of formal court reporting and testimony on the expert. The forensic expert may also be retained to perform all of the services required for the litigation, including data preservation, analysis, reporting, and related consulting services. This may be preferred for high-profile matters or matters anticipated to be contentious.

These considerations should be weighed against the specifics of a given matter to determine the best course of action to minimize the potential for sanctions and increase the odds of a satisfactory outcome.

3. Third consideration: Drafting a protocol.

Where a business is analyzing a company-issued device returned by a departing employee, a forensic protocol will generally not be necessary, as the device belongs to the company. However, in scenarios in which a client seeks analysis of an adversary’s personal devices (or devices issued by a new employer), a protocol will often need to be negotiated. If counsel is not intimately familiar with drafting such protocols, they should involve their own forensic expert or an experienced e-discovery attorney. Key components of a protocol include identification of devices to be inspected, the method for imaging devices and accounts, what data the examiner is expected to report upon (including search terms if necessary), how costs will be apportioned amongst the parties, how disputes (including those related to production of potentially privileged material) will be resolved, and whether remediation will be required for information deemed to have been misappropriated.

4. Fourth consideration: Analyzing the results.

Perhaps the most important aspect of a forensic examination is interpreting the results. Reports can reveal evidence that data has been copied, uploaded, altered, or deleted, but they can often be hard to parse for those who aren’t familiar with interpreting them; thus, as noted above, attorneys who are not familiar with the sorts of reports generated by such examinations should engage their own expert or involve counsel who is adept at interpreting such reports. If you are receiving reports from an opposing party, in addition to evaluating the data in the reports, you’ll also want to evaluate the scope and method of the forensic review. If you identify gaps or missteps in the opposing party’s examination, you might retain a forensic expert to perform an independent examination of the devices or, at a minimum, to testify as to the deficiencies in the opposing party’s examination.


Sarah Horstmann is a partner with Maslon in Minneapolis, Minnesota. Dawn Mertineit is a partner with Seyfarth Shaw in Boston, Massachusetts. Antonio Rega is a managing director with Ankura in New York City, New York.

Forensic Examination of Electronic Devices: Part 2;” Horstmann, Sarah; Mertineit, Dawn;  Rega, Antonio.