Data Collection: Selecting the Appropriate Method

Back to Blog Posts

A litigation hold has been issued, the data has been preserved, and you’ve prepared your collection plan. Now, it’s time to determine your collection method.

Note: The content of this article also appears in DISCO’s Data Collection Playbook. Download the full ebook here.

What is a collection method?

A collection methodology is the actual process by which data is collected from relevant sources for the purpose of legal review. 

The most common collection methodologies include:

  • Third party forensic collection
  • Direct cloud collection 
  • IT collection

I’ll explore each of these in further detail below.

Common collection methodologies

Third party forensic collection

A third party forensic collection is the optimal choice when forensic testimony may be required or the collection process may come under scrutiny.  This method provides the least amount of risk as an expert performs the collections and any burden of testimony rests on the expert instead of an IT professional, custodian, client, or end-client.

💡Pro tip: When evaluating third parties to conduct the collection, consider engaging one that has proven expertise and tooling to perform a collection that is both high-quality and defensible.

Questions to ask when considering third party collection:
  • Is it likely that forensic expert testimony needs to be provided in the future?
  • Will this data need to be forensically analyzed?
  • Are you looking to recover potentially deleted data?
  • Is there potential that targeted data or metadata has been potentially spoliated?
  • Do you require an examiner to identify artifacts that show where and when data was exfiltrated, transferred, or deleted?
  • Is there a forensic analysis/collection protocol or court order in place or expected?

Direct cloud collection

Many modern enterprise systems have collection capabilities built in which may be connected to the legal team’s systems. This connectivity allows legal team members or third party forensic/ediscovery providers to perform a direct cloud collection with centralized software application.  The risk associated with this method can range depending on the level of understanding and experience the collector has related to the system being used.  Even when this option is available using experts to either advise on best practices or perform the collections directly will present the least amount of risk. 

Legal teams or their forensics team can complete direct cloud collections by using programs that support targeted collections with search, filter, and/or preview capabilities.

Questions to ask when considering direct cloud collection include:
  • What access or licensing do you need for collection functions?
  • What filtering capabilities are available?
  • Do you have a method to estimate the total volume of data collected?
  • Does the source system maintain multiple versions of documents? If so, what version is the most important to collect?

💡Pro tip: Each enterprise system may have different options available at the time of collection. Carefully evaluate which options you should apply when pulling documents.

Download now

IT collection

IT collection is when the data collection is performed by members of the IT department, often at the direction of the legal department.  IT administrators will likely have the relevant administrative privileges to execute ‌collections across a wide variety of IT managed data sources.  This method contains high risk as many IT departments are low staffed and do not have a lot of experience with ediscovery or the industry requirements related to documentation or best practices.  

Coordination between the IT and legal departments is critical when developing your collection playbook. You can use our template to coordinate the collection plan between IT and the legal department. 

💡Pro tip: Consider investing in integrations or software that leverage existing APIs across your company’s applications. This decreases the burden placed on IT during a collection.

Identifying and notifying key stakeholders

Who these players are will depend largely upon which collection method you are using. Prior to implementing one of these methods, be sure to document the preferred approach for each case type or data type. 

💡Pro tip: Outside counsel could/should help inform the collection plan per matter, as each case will require different methodologies.

Third party, forensic, or remote collection

For a third party, forensic, or remote collection, if you do not already have an agreement in place, you will need to identify someone to source and hire an external party who can run the collection within your allotted time frame. 

🔑 Key information that a third party vendor will ask for includes: the data sources, relevant time frames, custodian, and location of the data.

You will also need someone to grant the external party access to your internal data. 

Key stakeholders could include:

  • IT
  • LegalOps/paralegals
  • Procurement (in the event they need to navigate the SOW)
  • Ediscovery managers

Direct cloud collection

For a direct cloud collection, if your systems are not already integrated, you may need to set up the integration. Ideally this is done prior to needing to execute the collection, as it will require IT/system administrators to integrate the collection tools. 

The legal team performing the collection should ensure that their processes and procedures are well documented prior to initiating the collection. 

Key stakeholders could include:

  • IT
  • LegalOps/paralegals
  • Ediscovery managers

IT collection

For an IT collection, you need to inform anyone on your IT team who may be responsible for finding and collecting relevant data. 

You will need to identify someone who can organize a place to safely move and store collected data while maintaining metadata. Your legal department will also need to inform IT of which data sources need to be collected and from whom. 

Key stakeholders could include:

  • IT
  • Legal team members (to track and monitor the instructions provided to IT) 

See a sample collection workflow: How to Plan and Execute Collections

Manage your collections with DISCO

We hope this article has prepared you to identify your collection method and stakeholder partners. And when you’re ready to automate ‌the tedious aspects of collection, check out DISCO Forensics and DISCO Hold’s collection capabilities.

DISCO Forensics is a full service forensics laboratory with expert staff that can collect traditional data sources (workstations, email, servers, mobile) and modern data sources (social media, cloud applications, custom data).  DISCO Forensics also provides analysis services, consultation, expert reports, and expert testimony.

DISCO Hold is an easy-to-use enterprise legal hold platform that automates the manual work necessary to comply with preservation requirements, empowering legal teams of all sizes to preserve data, notify custodians, track holds with a defensible audit trail, and collect data when ready – all from a single interface.

And that’s just the beginning. See what DISCO can do for you: Request a demo.

Subscribe to the blog
Dave Hendershott

Dave Hendershott is the Director of Forensics at DISCO, where he leads the forensic department via high-level project expertise and team management, including developing the strategy and execution of DISCO's forensic offerings. Dave has more than 20 years of experience in computer forensics and 1,500+ hours of forensics and technical training. His investigations have ranged from homicides to intellectual property matters, and he's testified 20+ times in support of digital forensics findings. He brings his deep passion for computer forensics to every engagement.