Dave Hulshizer

How to Ensure Defensible Forensic Data


Forensic data collections may range from a single email or social media account to a cell phone or laptop, to all the computers of an entire organization or company. Regardless of the collection size, all of it must be collected in a safe forensic manner.


You may wonder why it matters how it is collected. It matters because it is evidence, and in order for it to be used in court, it must be admissible. If it is not collected properly, it can easily be deemed inadmissible.


Opposing counsel must be convinced that nothing has been deleted from or altered in a document used as evidence in court. This is done by looking at the metadata. When data is not collected in a forensically sound manner, you inherently change the metadata, whether you mean to or not. Once opposing counsel objects because of spoiled metadata, it is out, and sanctions and/or summary judgment on your case can be right around the corner.


Data collections should be done by an independent third party, such as Key Forensics. Making sure the data is collected correctly is KEY to finding and using deleted data in your case.


Potential issues that could arise from improper collection of data include:

  • When not done by a certified, trained digital forensic examiner, it is typically NOT done correctly, and is often just copied and pasted and saved on a thumb drive. This is not a good idea, and is likely not defensible in court.

  • If an organization, or a member of the organization’s IT staff, collected the data, the argument can be made that there is bias. Opposing counsel would have reason to believe a KEY piece of evidence could have (and probably has) been left out. The solution is to outsource, moving the liability to a professional, such as ourselves.

  • Most people do not realize what is capable of being collected and typically miss KEY pieces of data that could serve as evidence.

Types of Forensic Data Collection Provided by Key Forensics


  • On-site Collections are the most standard form of forensic data collections. This is going on-site to collect data directly from laptops, servers, desktops, cell phones, etc. Everything should be collected in a sound court-approved manner. This is normally done for larger collection batches of data.

  • Remote Collections are collections much like an on-site collection, only smaller in nature, which allows them to be performed remotely. In order to perform remote collections, we would need to work with someone internally to gain secure access.

  • Targeted Collections are a collection of data performed either on-site or remotely for a specific set of data. This can be done by collecting a set of data by a certain time period or folder. This is best if you know exactly what it is that you need to be collected.

  • Cloud Collections are forensic data collections that require harvesting data from cloud storage areas. This would include Gmail, Yahoo, Hotmail, Dropbox, Google Drive, etc. It is possible to forensically extract cloud-based data for use in court.

  • Social Media Forensic Data Collections have become more and more relevant in both civil and criminal cases. This is forensically collecting from Facebook, Twitter, Instagram and YouTube, to name a few.

  • Mobile Device Forensic Data Collections are the collections of cellphones and tablets. Multiple tools are available for collecting from thousands of different types of mobile devices. Deleted text messages and other social media are among a few of the types of items that can be retrieved.

  • Culled Forensic Data Collections are the combination of any of the above-listed collection methods, but with the ability to cull only the responsive data while the collection is taking place. Culling data is the practice of narrowing a large data set into a smaller one for review, based on specific criteria such as dates or keywords.

  • Deleted Data can be almost anything that once resided on a memory-based device. Pictures, videos, PowerPoint presentations, documents, audio files, call logs, text messages, emails—the list can go on and on, and all can be used in litigation.

Data collections are a key component in your case. Do it wrong and the evidence can be thrown out. Do it wrong and key metadata can be irreversibly altered, potentially destroying your case.


Ensuring clients are satisfying their disclosure requirements, as well as making sure opposing parties or third parties are preserving relevant documents (we can assist with preservation letters and will cover that in a future blog post), is crucial to success. Common items such as internet history, deleted text messages, phone apps and social media all play a large part in a litigation case, but they must be collected in a forensically sound manner or you risk them being deemed inadmissible.


We are here to help you win by ensuring your evidence is solid, thorough and admissible. In addition, we can present it for you in a way that the judge and jury can clearly understand.