Before starting an electronic discovery investigation, it is important to determine the scope of data to be collected and analyzed. Effectively determining what is in and out of scope can be key to cost containment and can have a significant or even substantial impact on the overall effort and time elapsed prior to final production. Needless to say, incorrect up-front scoping can even affect the overall outcome of a case.
How can you help determine the proper scope?
Custodian of Interest Checklist
The following checklist provides an example of the kinds of questions that need to be answered during an IT interview concerning the custodian(s) of interest in order to define scope.
| IT INTERVIEW - CUSTODIAL INVENTORY (COMPANY CONFIDENTIAL) |
| |
| INSTRUCTIONS For custodian "x", if this information has been collected and retained, could you please provide inventory lists of:
|
| |
| Security Principals |
| ___ |
All accounts associated with the custodian's identity, and any changes to those accounts that happened during the times of interest? |
| ___ |
All security groups of which the custodian was a part during the time period of interest? |
| ___ |
All users who had 'domain administrator', 'enterprise administrator', 'schema administrator', 'backup operator' or similar elevated privileges (either explicitly assigned or inherited through group membership) at any point in time during the time of interest. |
|
| |
| E-mail Scope |
| ___ |
All mailboxes associated with the custodian's identity, including any resource accounts (i.e., info mailbox, etc.) that the custodian used? |
| ___ |
All e-mail distribution lists that the custodian is on currently and whatever history is known regarding distribution list membership during the time periods of interest? |
| ___ |
All individuals with access to the custodian's mailbox during the time period of interest? |
| ___ |
Which mailboxes the custodian had access to? |
| ___ |
List of any mailbox moves or migrations that happened during the time of interest, along with specific tools and procedures used during the migration? |
| ___ |
All public folders or other similar collaboration objects that the custodian had access to? |
| ___ |
All backups in existence of the custodian's mailbox? |
| ___ |
Did the custodian have any PSTs in use anywhere and can these be recovered? |
|
| |
| File system Scope |
| ___ |
All network file shares that the custodian has access to and had access to during the time periods of interest? |
| ___ |
All files that were created, modified or deleted by the custodian during the time period of interest? |
| ___ |
All backups for file systems (network or local) used by the custodian, including lists of any external hard drives or thumbdrives used for backup purposes. |
|
| |
| Applications |
| ___ |
All Commercial off-the-shelf (COTS) applications in-house |
| ___ |
All Custom software solutions in-house |
| ___ |
Standard desktop PC configurations listing software installed and specifics for the custodian in question during the time of interest |
|
| |
| Database Scope |
| ___ |
All databases that the custodian had access to (proprietary or otherwise)? |
|
| |
| Physical Location |
| ___ |
All employees and consultants who worked in the proximity of the custodian during the time period of interest? |
| ___ |
All printers that the custodian shared with other users? |
|
| |
| Devices |
| ___ |
All corporate technology assets that the custodian had access to during the time period of interest, including: cell phones, laptops, home machines, desktop PCs, blackberries, PDAs, ZIP drives, external hard drives, removable hard drives, etc. |
|
| |
| Other Media |
| ___ |
All voicemail system backups and logs for the time period of interest? |
| ___ |
Any Unified Messaging backups and logs for the time period of interest? |
|
|
Environment Review Checklist
The following checklist illustrates the kind of "environment review" questions that should also be part of the IT Interview process in order to define scope.
| IT INTERVIEW - ENVIRONMENT REVIEW (COMPANY CONFIDENTIAL) |
| |
| INSTRUCTIONS Please answer the following questions:
|
| |
| Discovery Tools |
| |
Are there any analysis tools currently deployed on the network that perform any of: |
| ___ |
Full or partial content indexing of any sort for e-mail servers, file servers, IIS servers, etc.? |
| ___ |
Cross-server or cross-desktop search? |
| ___ |
E-mail content or attachment search? |
| ___ |
E-mail backup search or brick-level backup/recovery? |
| ___ |
Desktop search tools such as MSN Desktop Search, Google Desktop Search or MSN Lookout? |
| ___ |
E-mail or other archival solutions? |
|
| |
| Exclusions |
| Are there areas of the IT realm that can be excluded from scope, for example: |
| ___ |
Certain databases |
| ___ |
Certain e-mail systems |
| ___ |
Certain file servers |
| ___ |
Certain systems |
|
| |
| Standards |
| Are there documented standard operating procedures in place for any of: |
| ___ |
Incremental, differential, or full backups? |
| ___ |
Hourly, daily, weekly, monthly, or yearly backups? |
| ___ |
Onsite and offsite storage of backup media? |
| ___ |
Backup tape rotation in use (28 tape rotation; grandfather/father/son/ etc.)? |
| ___ |
Disaster Recovery and/or Business Continuity processes? |
|
|
Source: EDRM (edrm.net)