Top Tips:

WARNING: If you suspect an employee of foul play, it is a BAD idea to take a quick look through their e-mail outbox for proof. Doing so may irreparably damage the evidence and may make it inadmissible in court.

To avoid spoliation issues, it is critical that the source data is not altered when extracted from hard drives or other media.

It is vital to understand that digital forensics is not just about technology.

  • Operating a computer for any reason changes and destroys evidence if it is not handled forensically!
  • Business owners need to understand this growing risk and what to do if they think a current employee is up to wrongful activity.
  • Don’t Tamper With Evidence
  • Preserve the Chain of Evidence
  • Secure computers, mobile devices, USB devices and information system assets
  • Conduct proper, professional digital forensic imaging and an ECA investigation
  • Don’t rely on internal or external IT staff. Chances are they aren't handling data in a forensically sound manner


If the computer is ON – DO NOT TURN IT OFF
If the computer is OFF – DO NOT TURN IT ON

Quick response is critical: nothing is more important than in-person contact, especially when cyber investigations require a qualified first responder to a computer security incident.

It is essential to collect volatile information (information that is lost after a period of time or when a computer is turned off), to perform digital forensics and to establish proper chain-of-custody as soon as possible.

Attention to detail at this stage can decide the strength of any evidence to be used later. The legal system, and judges in particular, look favorably on organizations that bring in third-party digital forensic specialists from the outset.

Sedona Principles, 2nd Ed.


1. Electronically stored information is potentially discoverable under Fed. R. Civ. P. 34 or its state equivalents. Organizations must properly preserve electronically stored information that can reasonably be anticipated to be relevant to litigation.

2. When balancing the cost, burden, and need for electronically stored information, courts and parties should apply the proportionality standard embodied in Fed. R. Civ. P. 26(b)(2)(C) and its state equivalents, which require consideration of the technological feasibility and realistic costs of preserving, retrieving, reviewing, and producing electronically stored information, as well as the nature of the litigation and the amount in controversy.

3. Parties should confer early in discovery regarding the preservation and production of electronically stored information when these matters are at issue in the litigation and seek to agree on the scope of each party’s rights and responsibilities.

4. Discovery requests for electronically stored information should be as clear as possible, while responses and objections to discovery should disclose the scope and limits of the production.

5. The obligation to preserve electronically stored information requires reasonable and good faith efforts to retain information that may be relevant to pending or threatened litigation. However, it is unreasonable to expect parties to take every conceivable step to preserve all potentially relevant electronically stored information.

6. Responding parties are best situated to evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.

7. The requesting party has the burden on a motion to compel to show that the responding party’s steps to preserve and produce relevant electronically stored information were inadequate.

8. The primary source of electronically stored information for production should be active data and information. Resort to disaster recovery backup tapes and other sources of electronically stored information that are not reasonably accessible requires the requesting party to demonstrate need and relevance that outweigh the costs and burdens of retrieving and processing the electronically stored information from such sources, including the disruption of business and information management activities.

9. Absent a showing of special need and relevance, a responding party should not be required to preserve, review, or produce deleted, shadowed, fragmented, or residual electronically stored information.

10. A responding party should follow reasonable procedures to protect privileges and objections in connection with the production of electronically stored information.

11. A responding party may satisfy its good faith obligation to preserve and produce relevant electronically stored information by using electronic tools and processes, such as data sampling, searching, or the use of selection criteria, to identify data reasonably likely to contain relevant information.

12. Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case.

13. Absent a specific objection, party agreement or court order, the reasonable costs of retrieving and reviewing electronically stored information should be borne by the responding party, unless the information sought is not reasonably available to the responding party in the ordinary course of business. If the information sought is not reasonably available to the responding party in the ordinary course of business, then, absent special circumstances, the costs of retrieving and reviewing such electronic information may be shared by or shifted to the requesting party.

14. Sanctions, including spoliation findings, should be considered by the court only if it finds that there was a clear duty to preserve, a culpable failure to preserve and produce relevant electronically stored information, and reasonable probability that the loss of the evidence has materially prejudiced the adverse party.

Copyright © 2007 The Sedona Conference®. All Rights Reserved. Reprinted courtesy of The Sedona Conference®

Go to to download a free copy of the complete document for your personal use only.
