Skip to main content
Find a Lawyer
Please enter a legal issue and/or a location
Begin typing to search, use arrow keys to navigate, use enter to select

Find a Lawyer

More Options

Understanding e-Discovery Data Types and Collection Costs

By Kevin Fayle | Last updated on

In this post, Corporate Technology Counsel for Fios, Mary Mack, discusses the differences between electronic discovery and computer forensic services, and gives some tips for choosing which service to employ for different types of matters.

With the rapid growth of electronically stored information (ESI), even well-informed lawyers and support teams are often unclear about the differences between computer forensics and electronic discovery. The differing processes of collecting and reviewing ESI involve varying levels of technological sophistication, data interpretation and costs. The choices made about which type of collection service to use will depend on the matter at hand.

While negotiating the scope of discovery in the early "meet and confer" stages, you may already have limited the potentially responsive data universe to a certain type of data. The following table outlines the four main types of data and their characteristics:

Data Type Cost of Collection Characteristics

Data Type

Cost of Collection




Easiest to get, least costly.

Documents that "actively" reside on the custodian's computer hard drive or other storage device. Active documents are generally those that you can see in a file manager or explorer type of tool. Examples include e-mail and standard office documents like word processing and spreadsheets.


Active files are generally easy to access and collect. Challenges include dealing with large volumes of data and preserving file date information. Most requests for production ask for active files.




Requires restoration, costs vary on volume and backup

Documents and files stored, often in a compressed format, on off-line devices, including backup tapes or disks, floppies, and optical media. Archived documents are harder and more expensive to retrieve than active documents because they often require restoration, have complex file structures or are on media that can't be accessed at high speeds. Challenges include dealing with old backup formats or tapes that are not cataloged.


De-duplication is an additional challenge when faced with multiple backups of the same set of data over time.


Lines are being blurred with the widespread acceptance of "near line" storage where "archives" are written to an online media, for speed of disaster recovery or automatic failover.


This data is often deemed "not reasonably accessible". Sampling may be helpful for quantifying costs, time and likelihood of non duplicative discoverable data.



Most expensive, Requires special tools

Documents and files that are hidden or have been erased, fragmented, or damaged, and that can reside on either on-line or off-line storage devices. Forensic collection provides the most detail and is the only approach for retrieving deleted or fragmented files; however, it requires an expert to operate special tools and is time consuming.


Collect forensically when you need maximum preservation protection, such as when you are responding to a specific event like a wrongful termination law suit. Often, the only way to collect data from a PDA is forensically. Due to cost and/or exposure, opposing counsel is usually not willing to provide forensically collected data, but as with archival data, will need to document this burden in the FRCP 26(f) meet and confer conference. Typically, the requesting party will be required to bear the cost of forensic collection.



Tools may no longer be available; may need experts


Documents or files contained in very old systems that are no longer in use, but may have been mothballed and still can be turned on. Many systems from prior to Y2K fall into this category. Also data on extremely old media where equipment is no longer common to read them.


Sedona Principle 9:

Absent a showing of special need and relevance, a responding party should not be required to preserve, review, or produce deleted, shadowed, fragmented, or residual electronically stored information.

Is It Always Necessary to Collect Forensically?

There are many factors to consider before collecting forensically. The legal team will need to assess the case, the jurisdiction, the custodians, data types and the judge to determine whether forensics are warranted. Factors include whether sanctions have already been applied, the trust level for custodians, whether the case is criminal or quasi criminal and other such considerations.

The following chart can assist your decision making:

e-Discovery vs. Computer Forensics



Computer Forensics


Number of reviewers

Hundreds at a time

One at a time

Location of reviewers

Geographically dispersed

One place

Type of data

Live (unless other data provided by forensics partner)

Live, resurrected, reconstructed fragments

Recover deleted files

No (unless provided by forensics process)


Recover Web-based e-mail, instant messages

No (unless provided by forensics process)


Encrypted and password-protected files




Fact (protocol)

Opinion (expert)

Who conducts and refines aearches

Legal team and/or vendor

Forensic technician

Search time


Hours or days

Type of collection

Bit image and/or copy

Bit image only

Downtime of client computers



Chain of custody forms



Special collection tools



Testifying expert necessary



Cooperation of IT staff



File Listings and structures







Native file, print, Web review, litigation support load files with images and searchable text

Native file, print

The above information comes from Chapter 6 of Fios' newly re-written book, "A Process of Illumination: The Practical Guide to Electronic Discovery" by Mary Mack. The completely re-written book will be available for purchase in mid-July on

Additional Resources

Instant Messaging, Preservation and e-Discovery Collection Obligations

Instant messaging presents a new set of technical and legal issues in the discovery process, much like e-mail did a few years ago. Download now >

About the Author:

Mary Mack, Esq.

As Corporate Technology Counsel for Fios, Mary Mack has more than 20 years experience delivering enterprise-wide electronic discovery, managed services and software projects with legal and IT departments in publicly held companies. She is a hands-on strategic advisor to counsel for some of the largest products liability class actions, government investigations and intellectual property disputes. A member of the Illinois Bar, ACC and the ABA's Section on Litigation, Mack received her J.D. from Northwestern University School of Law (1982) and a B.A. from Le Moyne College in Syracuse, NY. She holds certifications in Computer Forensics and Computer Telephony. Mack is one of the leading speakers and authors on e-discovery issues, technology and the law. She is co-author of eDiscovery for Corporate Counsel, published by West; author of the popular book, A Process of Illumination: The Practical Guide to Electronic Discovery; and hosts the blog, Sound Evidence, featured on

Was this helpful?

You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help

Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.

Or contact an attorney near you:
Copied to clipboard