Gone are the days when email and Microsoft Office files pulled from laptops were the primary sources of digital evidence. Legal teams must navigate a surge in the volume and variety of digital evidence, which presents unique challenges. In this article, we’ll walk through the key precautions legal professionals should take before initiating any data collection efforts and why getting it right matters more than ever.
Your data collection strategy needs an upgrade
The digital evidence landscape has undergone significant changes. Legal teams now face a flood of data from mobile devices, encrypted platforms, cloud storage, modern attachment formats, ephemeral messaging, collaboration tools and third-party chat applications like WhatsApp, Signal and Telegram.
With this shift comes new challenges. Strategies for collecting data in a defensible manner while anticipating downstream discovery needs must be established from the outset. It’s no longer just about grabbing files; it’s about preserving evidentiary integrity, maintaining compliance and minimising risk. Poorly planned forensic collections can lead to inadmissible evidence, expensive re-collection efforts, manual remediation and serious exposure for organisations.
If you work in compliance, internal investigations or complex litigation, it’s time for an upgraded evidence collection strategy.
1. Kick off the process with legal and technical planning
Before taking any action, it is essential to align IT and forensic teams. Key considerations for effective legal and technical planning include:
- An updated device inventory: Identify which equipment or device is allocated to each custodian
- Device usage period: Understand how long devices have been in use or if decommissioned
- BYOD policy: Establish whether a bring your own device (BYOD) policy exists. Are company devices issued, or do employees use their own cell phones or laptops for work?
- Scope of collection: Define which data will be collected and from whom
- Consent: In jurisdictions such as the United Kingdom and several European Union countries, the General Data Protection Regulation (GDPR) protects personal data from being collected or used without consent. When personal data is involved, specific documentation may be required, such as consent forms in addition to the chain of custody, to ensure compliance with local regulations
- Location: If multiple custodians and devices are in scope, it’s essential to identify their locations early on, as this can significantly affect collection logistics. When custodians are spread across different geographies, consider whether they can be centralised for collection or if separate, location-specific efforts will be required
- Chain of custody (COC): Maintaining a strict chain of custody policy is essential when carrying out data or device collections. The COC process maintains integrity of the collection and preserves the admissibility of the collected data
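As an added example (not code from the original article), the following Python snippet shows the integrity side of a chain-of-custody process: the SHA-256 hash recorded at acquisition becomes the reference value that every later hand-over is re-checked against, so any change to the image between transfers is both logged and refused. The custodian, device, examiner names and the sample image are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk_size=1 << 20):
    """Hash an evidence file in fixed-size chunks so multi-GB images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def acquire(path, custodian, device, examiner):
    """Open a chain-of-custody record; the acquisition hash is the reference value."""
    return {
        "evidence": path, "custodian": custodian, "device": device,
        "acquisition_hash": sha256_of(path),
        "events": [{"when": _now(), "action": "acquired", "by": examiner}],
    }

def hand_over(record, from_person, to_person):
    """Log a transfer and re-hash the evidence; a mismatch is recorded, then raised."""
    current = sha256_of(record["evidence"])
    intact = current == record["acquisition_hash"]
    record["events"].append({"when": _now(), "action": "transfer", "from": from_person,
                             "to": to_person, "verified_hash": current, "intact": intact})
    if not intact:
        raise ValueError(f"hash mismatch for {record['evidence']}: custody broken")
    return record

def demo():
    """Walk a constructed image through acquisition, a clean hand-over and a tampered one."""
    path = os.path.join(tempfile.mkdtemp(), "laptop-0042.img")  # constructed sample evidence
    with open(path, "wb") as f:
        f.write(b"constructed disk image bytes " * 1024)
    rec = acquire(path, "J. Doe", "laptop-0042", "examiner A")  # constructed names
    hand_over(rec, "examiner A", "lab storage")  # clean transfer: hash still matches
    with open(path, "ab") as f:                  # simulate modification after acquisition
        f.write(b"x")
    try:
        hand_over(rec, "lab storage", "review team")
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"clean_transfer_ok": rec["events"][1]["intact"],
            "tamper_detected": tamper_detected, "events_logged": len(rec["events"])}
```

The failed transfer is appended to the event list before the error is raised, so the break in custody is part of the record rather than silently dropped.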
2. Consider the forensic collection environment
While many forensic collections can now be performed remotely in a defensible and efficient manner, there are still situations where on-site imaging and data acquisition are necessary. This is especially the case when dealing with sensitive systems, large volumes of data or limited remote access.
Regardless of the method, forensic collections must occur in a secure, private environment with appropriate infrastructure. To preserve evidentiary integrity and support collection teams, the following should be kept top of mind:
- Privacy: Safeguards the integrity of the legal matter and the individuals involved. Data collection should take place in a secure corporate setting with controlled or restricted access to ensure confidentiality
- Infrastructure: From power outlets, power cables, network access to physical space, the necessary infrastructure must be in place to accommodate digital forensics teams, their devices and equipment
- Legal and jurisdictional issues: Consider country-specific legal requirements or jurisdictional issues, e.g., is the GDPR applicable?
3. Multiple devices present unique challenges
Data collection from physical devices requires special attention. A single overlooked technical detail may prevent access to critical information or compromise the legal validity of the evidence. Moreover, missteps during collection, such as inconsistent metadata handling, unsupported file formats or improper imaging, can create significant hurdles during downstream eDiscovery stages like processing, hosting, review and production.
Below are device-specific challenges to consider to avoid delays, increased costs and unnecessary manual intervention:
Windows computers
- Password-protected BIOS: May prevent the use of forensic tools that require access to security settings
- Disk encryption (BitLocker, McAfee, VeraCrypt): Without the recovery key, the data remains inaccessible. In the case of BitLocker, for example, it is necessary to confirm whether IT holds the recovery keys
Mac computers
- Firmware password: This blocks system changes and may prevent the collection tool from being recognised
- FileVault password: This is native encryption that requires a specific password; without it, the collection tool will not be able to extract the user’s data
- iCloud or local user credentials: These are often needed to decrypt the local drive on newer Mac computers and to run collection tools
Linux computers
- Diverse architectures: Each distribution may have peculiarities in boot and security. BIOS or firmware passwords will also be required in case of lockout
- Encryption (LUKS, eCryptfs): It is essential to identify the type used and obtain the correct password. If the Linux system is encrypted, it is recommended to decrypt it before collection to prevent processing incompatibilities; however, it should be noted that this drastically increases collection time
Mobile phones
- Mobile device management (MDM): It may be necessary to disable or remove MDM prior to collection as this can in some cases prevent or hinder the collection process. It is important to work with the IT team to determine what steps need to be taken
- Screen lock password: Ensure the password is tested when the device is handed over to the digital forensics examiner
- Airplane mode: This must be enabled to prevent remote deletions or changes to the content of the device during the data collection. It should be activated as soon as the unlock password is tested
- Target applications: Inspect whether the target applications are installed, active and require a password to access their contents
iPhone particularities
- Stolen device protection (SDP): This feature is present in iOS 18 onward and requires the custodian’s biometrics to disable it; therefore, the custodian’s presence and cooperation will be necessary. Without this unlock, data collection from the device will not be possible
- WhatsApp local encryption: Needs to be unlocked within the app’s settings. Otherwise, WhatsApp data will not be readable
- iTunes backup: This may have a different password than the device unlock code. Ask the custodian if a local iTunes backup has ever been performed. If so, the password will be needed. It is possible to reset the password if this is unknown, but this will remove health data, payment methods and saved networks. Such removal must be agreed upon with the custodian
4. Navigating cloud complexities
As cloud platforms like Google Workspace, Microsoft 365, and Slack become central to business operations, data collection has grown more intricate. In these environments, technical access and user permissions are just as critical as the data itself.
To enable proper extraction, administrator-level access within the client’s cloud infrastructure is often required; without it, collections may be incomplete, delayed or nondefensible. Most platforms permit the creation of a global administrator account that provides full access to tenant logging as well as to individual user accounts, mailboxes, drives and metadata.
Before initiating cloud data collection, it’s essential to consult with technical teams to identify any platform-specific limitations. Most cloud environments impose certain restrictions on data extraction, but the nature and extent of these constraints can vary widely.
Here are the recommended administrative access levels by platform:
- Microsoft 365 (M365): A global administrator account is typically the best way to obtain full access to tenant logging, and it also grants access to individual user accounts, mailboxes and SharePoint/OneDrive
- Google Workspace: A superuser account allows for extraction of emails, files and logs and is preferable to the custodian collecting data themselves from their account, e.g., via Google Takeout, as this method doesn’t provide access to tenant logs
- Slack: Administrative access allows exporting chats with complete metadata. On the custodian’s side, only conversation fragments can be extracted through the computer
5. Set a well-defined targeted time range
Establishing a precise time frame relevant to the dispute or investigation is critical. Without it, data volumes can balloon unnecessarily, driving up costs, complicating review and causing delays in the overall engagement. Here are two illustrative examples, followed by Microsoft 365-specific requirements:
- WhatsApp data via the cloud: This only allows collection of the last three months of conversations, which should be considered depending on the project scope. In addition, the extraction depends on the quality of the network where the process is executed, which can make it challenging
- Free Google services: The Google Takeout platform limits exports by size, format and number of attempts per day. The extraction needs to be very precise, as multiple failed attempts can delay the project timeline
- Microsoft 365 (O365)-specific requirements:
  - Licensing: The client’s licence and environment configuration can greatly affect the type and duration of logging available as well as content retention, both of which can have a large impact on discovery in a dispute or investigation
  - Permissions: The user account being employed must have the eDiscovery manager or eDiscovery administrator roles on the tenancy. This allows the account to perform the data extraction, which can then be shared with the digital forensics team for preservation
  - Legal hold: A hold must be activated to preserve data before starting the collection. This prevents data deletion by the custodian while the work is in progress
Ensuring a defensible outcome from start to finish
Modern digital evidence collection is a foundational step in any legal dispute or investigation, but its success depends on careful preparation long before any technical work begins.
Legal and compliance professionals must collaborate closely with IT and forensic experts to ensure that every stage, from planning to execution, not only preserves the integrity and defensibility of evidence, but also anticipates downstream eDiscovery impacts such as processing, review and production challenges. Ultimately, successful data collection is rooted in proactive legal and technical coordination, attention to detail and a thorough understanding of both physical and cloud environments. By following these principles, legal professionals can minimise risk, maintain evidentiary integrity, control costs and enable a more streamlined review and analysis process.
Article written by: Guilherme Mattos and Stewart Trafford