eDiscovery: Forget the basics at your peril!

AI in eDiscovery has been a hot topic for some time now, and with generative AI emerging, the topic is only going to get hotter.  While there is no argument that AI makes eDiscovery faster and more cost-efficient, it is important to remember that the basics of the eDiscovery process are still crucially important. 

eDiscovery is based on the widely recognised framework, the EDRM (Electronic Discovery Reference Model).  The process consists of nine stages:  

1. Information Management 

2. Identification 

3. Preservation 

4. Collection 

5. Processing 

6. Review 

7. Analysis 

8. Production  

9. Presentation 

For the purposes of this article, we will focus on points 2-7. 

Identification & Preservation

The first step of any eDiscovery project is data identification.  It is essential to know what data is needed for the project and where it is located.  At this stage, questions around retention policies, legal hold, user policies and the use of devices will arise, as it is important to understand the landscape of the data. 

Once the data has been identified, it needs to be defensibly preserved and collected, which is where digital forensic teams come into play. 


Forensic collection ensures that data is collected in a defensible and verifiable manner, and that the integrity of the data is maintained throughout the collection process. In practice this means acquiring through a write blocker so the source cannot be altered, hashing both the source and the resulting image so the copy can be proven identical at any later point, and keeping a chain-of-custody record of who handled what and when. If this process is not watertight, there is a risk of the collection being challenged and of spiralling costs at a later stage, not to mention severe sanctions for spoliation of evidence.  Specialised software and hardware are used to preserve the integrity of the data. 
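To make the hashing and verification step concrete, here is an added example (it is not the page's or any vendor's acquisition tooling) that performs a byte-for-byte copy of a source, hashes source and image independently, writes a chain-of-custody record, and later re-verifies the image against that record. The "device" is a constructed temporary file; the evidence ID, examiner name and file names are assumptions for the demonstration. A real acquisition would read the device through a write blocker, which this code cannot show.

```python
"""Added example: verifiable acquisition with hash verification and a
chain-of-custody record. The source is a constructed temporary file,
not a real device; examiner and evidence identifiers are invented."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so large devices never have to fit in memory


def hash_stream(path: str) -> dict:
    """Compute MD5 and SHA-256 of a file in a single pass (both are still commonly recorded)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source: str, image: str, examiner: str, evidence_id: str) -> dict:
    """Copy source to image byte for byte, then verify by hashing BOTH files independently.
    The source is hashed before and after the copy: if the two source hashes differ,
    the source changed during acquisition (e.g. no write blocker), so the image is
    not proven to match anything."""
    source_hash_before = hash_stream(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = hash_stream(image)
    source_hash_after = hash_stream(source)
    verified = source_hash_before == image_hash == source_hash_after
    record = {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "size_bytes": os.path.getsize(image),
        "hashes": image_hash,
        "verified": verified,
    }
    with open(image + ".json", "w") as f:  # sidecar record travels with the image
        json.dump(record, f, indent=2)
    return record


def verify_later(image: str) -> bool:
    """Re-verify an image against its stored record, e.g. before processing or for court."""
    with open(image + ".json") as f:
        record = json.load(f)
    return hash_stream(image) == record["hashes"]


def demo() -> tuple:
    """Acquire a constructed 'device', re-verify it, then show that a single changed
    byte in the image is detected. Returns (verified_at_acquisition, intact, after_tamper)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "custodian_usb.bin")   # constructed sample device
    image = os.path.join(workdir, "custodian_usb.dd")     # raw image of it
    with open(source, "wb") as f:
        f.write(b"Project Falcon - board pack (CONFIDENTIAL)\n" * 5000)
    record = acquire(source, image, examiner="A. Examiner", evidence_id="EVID-001")
    intact = verify_later(image)
    with open(image, "r+b") as f:  # simulate post-acquisition tampering of the image
        f.seek(10)
        f.write(b"X")
    return record["verified"], intact, verify_later(image)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The point of hashing the source twice is that a matching source/image pair is only meaningful if the source was stable while it was read; the sidecar record is what lets anyone, months later, show the image is the same object that was collected.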


Processing

Once the data has been collected, the next stage is to process the data. Essentially, this step involves putting the data into a usable format so that it can be reviewed and searched. It involves lots of machine time and can be tailored to the requirements of the project. Here are some of the standard activities which take place during processing: 

– DeNISTing – the removal of known system files, program files and other non-user-created data, identified by matching file hashes against the NIST National Software Reference Library (NSRL) hash set 

– Deduplication – the removal of exact duplicates, identified by hash value, either across the whole dataset (global deduplication) or within each custodian; a duplicate document family is removed as a whole so that families stay intact 

– Document extraction – this involves extracting attachments from emails, unzipping container files and sometimes extracting embedded objects so that each document is displayed individually in the review platform 

– Metadata extraction – all the information about a document is extracted and put into separate fields, e.g. for emails, To, From, Subject, Date and Body are captured in separate fields 

– Text extraction – all the text from a document is extracted and put into a field so it can be easily searched 

– OCR (Optical Character Recognition) – printed (and, less reliably, handwritten) text within scanned documents and images is converted into machine-readable text so that it can be searched 

– Numbering – each document is assigned a unique identifier so that it can be easily referenced.  Document families are also assigned a unique identifier to ensure the relationship between the documents is preserved 

It is important to perform sufficient quality control (QC) checks to ensure documents were processed correctly and display as expected in the review platform. At this stage, we usually encounter some processing errors, which could be due to corrupt files, password-protected files, unreadable file types etc.  Discussions take place between the client and the eDiscovery vendor to decide how to address these files. In most scenarios, the errored files are reprocessed to try to resolve the issue (for example, once a password has been obtained). If the issue cannot be resolved, the files are labelled “processing exceptions”, listed in an exception report so that nothing is silently dropped, and are not loaded to the review platform.   
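The processing activities listed above and the handling of processing exceptions can be shown end to end on a small constructed dataset. The following is an added example, not the processing engine of the page's author or of any eDiscovery vendor: it extracts attachments from an email and members from a zip, captures email metadata and text, DeNISTs against a hash set, deduplicates globally on SHA-1, assigns control numbers with family IDs, and records files that fail to process as exceptions instead of dropping them. The known-file hash set, the email content and the file names are all constructed for the demonstration (the real NSRL set is many millions of hashes).

```python
"""Added example: a toy processing pass over constructed input. Not the
page's or any vendor's code; the hash set and documents are invented."""
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for the NIST NSRL hash set: here it holds only the
# SHA-1 of a fake installer so that the DeNIST branch is exercised.
KNOWN_SYSTEM_FILES = {hashlib.sha1(b"MZ fake installer bytes").hexdigest()}


def build_eml(subject, sender, to, body, attachments):
    """Construct a sample email with attachments (sample input, not real data)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg["Date"] = "Mon, 01 Jan 2024 09:00:00 +0000"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def process(items):
    """items: list of (filename, bytes). Returns (documents, exceptions).
    Every loaded document gets a control number; attachments and archive members
    carry their parent's control number as family_id so the relationship survives."""
    docs, exceptions, seen = [], [], set()
    counter = 0

    def add(name, data, text, meta, family_id=None):
        nonlocal counter
        h = hashlib.sha1(data).hexdigest()
        if h in KNOWN_SYSTEM_FILES:  # DeNISTing: known system/program file, not loaded
            return None
        if h in seen:                # global deduplication on exact hash
            return None
        seen.add(h)
        counter += 1
        cn = f"DOC{counter:06d}"     # numbering: unique control number per document
        docs.append({"control_no": cn, "family_id": family_id or cn, "name": name,
                     "sha1": h, "text": text, **meta})
        return cn

    for name, data in items:
        try:
            if name.lower().endswith(".eml"):
                msg = message_from_bytes(data, policy=policy.default)
                meta = {k: str(msg.get(k, "")) for k in ("From", "To", "Subject", "Date")}
                body = msg.get_body(preferencelist=("plain",))          # text extraction
                parent = add(name, data, body.get_content() if body else "", meta)
                for part in msg.iter_attachments():                     # document extraction
                    add(part.get_filename(), part.get_payload(decode=True), "", {}, parent)
            elif name.lower().endswith(".zip"):
                with zipfile.ZipFile(io.BytesIO(data)) as zf:           # raises on corrupt/encrypted
                    members = [(i.filename, zf.read(i)) for i in zf.infolist()]
                parent = add(name, data, "", {})
                for mname, mdata in members:
                    add(mname, mdata, mdata.decode("utf-8", "replace"), {}, parent)
            else:
                add(name, data, data.decode("utf-8"), {})
        except Exception as exc:  # corrupt, encrypted or unreadable: log it, never drop silently
            exceptions.append({"name": name, "reason": f"{type(exc).__name__}: {exc}"})
    return docs, exceptions


def demo():
    """Run the pipeline on constructed input that exercises every branch."""
    report = b"Q3 forecast and acquisition target list - CONFIDENTIAL\n"
    eml = build_eml("Board pack", "cfo@example.com", "ceo@example.com",
                    "Please see attached.", [("forecast.txt", report)])
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("forecast.txt", report)   # same bytes as the email attachment
        zf.writestr("notes.txt", "meeting notes")
    items = [
        ("board_pack.eml", eml),
        ("board_pack_copy.eml", eml),               # exact duplicate of the email
        ("archive.zip", zbuf.getvalue()),
        ("setup.exe", b"MZ fake installer bytes"),  # matches the known-file hash set
        ("broken.zip", b"PK\x03\x04 truncated"),    # corrupt: becomes a processing exception
    ]
    return process(items)
```

Running demo() loads four documents (the email and its attachment as family DOC000001, the zip and its notes.txt as family DOC000003), discards the duplicate email, the duplicate forecast inside the zip and the DeNISTed installer, and reports broken.zip as an exception. Note that a duplicate is decided on the bytes, so the zipped copy of the attachment is removed even though it arrived in a different container.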

Review and Analysis

And now onto the fun stuff…  

Once the data is loaded into the chosen review platform, we can start using all the bells and whistles to analyse, search and filter the data.  We work closely with the client to understand what they are looking for within the data set and then we design workflows to ensure they are able to see the relevant documents as quickly as possible.  Here, we can leverage a variety of tools, depending on the requirements of the project, such as: 

– Near duplicate analysis 

– Email threading 

– Active learning 

– Timeline analysis 

– Image labelling 

– Behavioural patterns 

– Sentiment analysis 

– Communication webs 

– Thematic analysis 

And much more! 

The main aim of the eDiscovery provider is to help the client find the relevant material as effectively and efficiently as possible.  Most clients, understandably, want to spend as little time as possible reviewing documents – although manual review will always feature in an eDiscovery project, especially as it helps to refine the AI technology.    
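Two of the analytics listed above are simple enough to show from first principles. The following added example (not the page's review platform or any vendor's implementation) groups near duplicates using word shingles and Jaccard similarity with single-linkage clustering, and rebuilds email threads from Message-ID, In-Reply-To and References headers, including the case where a reply's parent was never collected. The documents, messages and the 0.6 similarity threshold are constructed for the demonstration; commercial tools use more elaborate similarity measures, but the mechanics are the same.

```python
"""Added example: near-duplicate grouping and email threading on constructed
data. Not the page's tooling; threshold and inputs are invented."""
import re
from itertools import combinations


def shingles(text: str, k: int = 3) -> set:
    """k-word shingles after simple normalisation; case and punctuation are ignored."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def near_duplicate_groups(docs: dict, threshold: float = 0.6) -> list:
    """docs: {doc_id: text}. Returns sorted groups of doc ids; any pair at or above
    the threshold joins the same group (single linkage via union-find)."""
    sh = {d: shingles(t) for d, t in docs.items()}
    parent = {d: d for d in docs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(docs, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for d in docs:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


def threads(messages: list) -> dict:
    """messages: dicts with message_id, in_reply_to (or None) and references (oldest first).
    Returns {root_message_id: [message ids in the thread, in input order]}. A reply whose
    parent was not collected becomes the root of its own thread rather than being lost."""
    by_id = {m["message_id"]: m for m in messages}
    root_of = {}

    def root(mid, seen=()):
        if mid in root_of:
            return root_of[mid]
        m = by_id[mid]
        candidates = ([m["in_reply_to"]] if m.get("in_reply_to") else []) + list(reversed(m.get("references", [])))
        r = mid
        for p in candidates:
            if p in by_id and p not in seen:   # nearest collected ancestor; guard against cycles
                r = root(p, seen + (mid,))
                break
        root_of[mid] = r
        return r

    out = {}
    for m in messages:
        out.setdefault(root(m["message_id"]), []).append(m["message_id"])
    return out


def demo():
    """Constructed documents: two drafts of the same clause and one unrelated memo;
    constructed messages: a three-message thread and an orphaned reply."""
    docs = {
        "DOC1": "This Agreement is made between Acme Ltd and Beta plc on 1 March 2024 for the supply of widgets.",
        "DOC2": "This Agreement is made between Acme Ltd and Beta plc on 8 March 2024 for the supply of widgets.",
        "DOC3": "Lunch menu for the canteen this week: soup, salad, pasta.",
    }
    msgs = [
        {"message_id": "<a@x>", "in_reply_to": None, "references": []},
        {"message_id": "<b@x>", "in_reply_to": "<a@x>", "references": ["<a@x>"]},
        {"message_id": "<c@x>", "in_reply_to": "<b@x>", "references": ["<a@x>", "<b@x>"]},
        {"message_id": "<d@x>", "in_reply_to": "<zzz@x>", "references": ["<zzz@x>"]},  # parent not collected
    ]
    return near_duplicate_groups(docs), threads(msgs)
```

For DOC1 and DOC2 only the three shingles that contain the changed date differ (14 shared out of 20), giving a Jaccard score of 0.7, so they group together while the memo stays alone; a reviewer then reads one draft and compares the other rather than reading both in full. The threading output is what lets a platform show only the last message of a chain that contains all earlier ones.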

(A future article will dive deeper into these tools and how to leverage them during an eDiscovery project) 


In summary, although AI is undeniably establishing its presence in eDiscovery, it is crucial not to neglect the fundamentals, as mishandling eDiscovery can result in substantial financial and reputational consequences. Just as one would not invest in a house lacking a strong foundation, exercise caution when selecting eDiscovery services, ensuring that the chosen company employs a solid workflow and possesses a deep grasp of the essentials. 

Is my top talent leaving with our company data?

When an ex-employee steals data and tries to pass the information to a competitor or use it to start their own business, it can be a race against the clock to identify exactly what data was taken. This is the situation which one of our clients faced, and we were able to help them through the process of identifying and removing their stolen data from their competitor’s systems. Here’s how we did it:

Step 1: Forensic Data Collection & Initial Analysis

When our US client’s former employee left, the company suspected that they had taken sensitive and proprietary company data with them. The company alerted counsel and got us involved. We immediately began the process of forensically imaging the ex-employee’s laptop and work phone, and collecting emails, file shares, messages and associated log files. We performed an initial analysis on the collected data using forensic tools and identified that a USB device had been plugged into the ex-employee’s laptop for four hours on the day before they left the company. During that same time window, the ex-employee had accessed sensitive documents on the file share and taken a local backup of their email.  At this stage, we could not be sure that this data had been copied to the USB; however, things did not look good for the ex-employee. All signs were indicating theft of company data. 
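The correlation described in this step, a USB connection window lined up against file-share and mail-export activity, is shown below as an added example on constructed artefacts; it is not the firm's tooling and the device serial, paths, user name and timestamps are invented. The USB session stands in for what is reconstructed from registry (USBSTOR, SetupAPI) and event-log evidence on the imaged laptop; the timeline stands in for file-share audit entries and the local PST export. The function reports opportunity only, which is why the case still needed the devices themselves.

```python
"""Added example: correlating a USB connection window with other activity.
All records below are constructed for the demonstration, not client data."""
from datetime import datetime

# USB sessions as would be reconstructed from USBSTOR / SetupAPI / event logs.
USB_SESSIONS = [
    {"serial": "4C530001230606118263", "first_seen": "2024-03-14T13:02:00", "last_seen": "2024-03-14T17:05:00"},
]
# Merged timeline: file-share audit entries and a local mail export.
TIMELINE = [
    {"ts": "2024-03-14T09:12:00", "src": "fileshare", "detail": r"\\fs01\Finance\budget_2024.xlsx", "action": "read"},
    {"ts": "2024-03-14T13:20:00", "src": "fileshare", "detail": r"\\fs01\Legal\Project_Falcon\SPA_draft_v7.docx", "action": "read"},
    {"ts": "2024-03-14T13:21:00", "src": "fileshare", "detail": r"\\fs01\Legal\Project_Falcon\customer_list.xlsx", "action": "read"},
    {"ts": "2024-03-14T16:40:00", "src": "outlook", "detail": r"C:\Users\jdoe\Documents\backup.pst", "action": "export"},
    {"ts": "2024-03-15T08:05:00", "src": "fileshare", "detail": r"\\fs01\HR\leaver_form.docx", "action": "read"},
]
SENSITIVE_PREFIXES = (r"\\fs01\Legal\Project_Falcon", r"\\fs01\Finance")


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate(usb_sessions, timeline, sensitive_prefixes):
    """For each USB session, return how long it lasted and the timeline entries inside it,
    separating sensitive-share reads from mail exports. Activity inside the window shows
    opportunity, not proof of copying: proof needs the device itself or artefacts (LNK files,
    shellbags, recent-file lists) that reference files on the device."""
    findings = []
    for s in usb_sessions:
        start, end = parse(s["first_seen"]), parse(s["last_seen"])
        in_window = [e for e in timeline if start <= parse(e["ts"]) <= end]
        sensitive = [e for e in in_window
                     if e["src"] == "fileshare" and e["detail"].startswith(sensitive_prefixes)]
        exports = [e for e in in_window if e["action"] == "export"]
        findings.append({
            "serial": s["serial"],
            "hours_connected": round((end - start).total_seconds() / 3600, 2),
            "sensitive_reads": [e["detail"] for e in sensitive],
            "mail_exports": [e["detail"] for e in exports],
            "escalate": bool(sensitive or exports),
        })
    return findings


def demo():
    return correlate(USB_SESSIONS, TIMELINE, SENSITIVE_PREFIXES)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On the constructed data the device was connected for 4.05 hours, two Project Falcon reads and the PST export fall inside that window, and the earlier Finance read and the next day's HR access are correctly left out. Keeping the out-of-window entries in the output of a real timeline matters too: they show the examiner what the user's ordinary pattern looked like.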


Step 2: Analysis and Retrieval

We notified the client and counsel of our initial findings, and counsel were able to obtain an order for the ex-employee’s USB devices to be handed over to us for further analysis.  We analysed the USBs and found the stolen documents.  

We then had to determine two questions:

1. Did the ex-employee share this information with anyone else?  

2. Did the ex-employee access the USB from any other devices?

In order to answer these questions, we imaged the ex-employee’s personal laptop to look for indications that they had copied the data to this device or to online file-sharing systems (such as Dropbox, Google Drive etc.) or had shared the information with others via email, social media, blog posts etc.  In this instance, the data had not been shared further and remained on the USB devices.  However, we did determine that the former employee had plugged the USB devices into his personal computer and had reviewed some of the client’s data that he stole. 

By looking at several pieces of evidence, the Orbital team were able to build a picture of the ex-employee’s intent to distribute the data.

Step 3: Forensic Deletion

Once we had identified the stolen data, our final step was to ensure that it was forensically deleted.  This means that we wiped the ex-employee’s USB devices clean of any traces of the stolen data, ensuring that the data could not be accessed again.  Forensic deletion means overwriting the storage rather than simply deleting the files, since deleted files remain recoverable with the same tools that were used to find them. 

Top Tips


Data theft is a serious issue that can have severe consequences for businesses.  Companies can take proactive measures to reduce the risk by having proper procedures in place, for example controlling and logging the use of removable media, auditing access to sensitive file shares, and revoking access and preserving devices as part of the leaver process. If you or your company suspects that company data has been taken, it is crucial to act quickly, to avoid using or altering the devices concerned, and to work with experts in this field to ensure that the data is collected and analysed in a forensically sound and defensible manner.

A governmental authority has seized our data, now what?

After a few quiet years due to COVID, it seems that dawn raids are back on the cards for authorities. Recently, we have seen several cases where an authority has turned up at a company at the crack of dawn, taken all of its data for an investigation and left employees shocked as to what to do next. 

What is a Dawn Raid?

A dawn raid is an unannounced, often early-morning, surprise inspection or search conducted by a government authority, typically law enforcement or regulatory agencies. These raids are carried out to investigate potential legal violations, such as financial misconduct, antitrust violations, or breaches of regulatory compliance. During a dawn raid, authorities may seize documents, data, or physical assets and interview employees as part of their investigation. It is a legal procedure aimed at uncovering evidence of wrongdoing and ensuring compliance with laws and regulations. 

What do I do?

If your company experiences a dawn raid, it is important to take immediate steps to protect your interests. Here’s a step-by-step guide on what to do: 

1. Appoint a designated Response Team within your company to manage dawn raids, should they ever occur. 

2. Immediately contact internal and/or external lawyers and digital forensic specialists. 

3. Ensure the officials remain accompanied at all times. Any questions should only be answered in the presence of a lawyer or in-house counsel. 

4. Ask the officials to wait until legal counsel has arrived, but do not obstruct the investigation. 

5. Verify and record the officials’ identifications (names & ID numbers) and their time of arrival. 

6. Designate & accompany the officials to an empty conference room or dedicated space (one without files or computers) where they can set up their equipment and work. 

7. Confirm the reasons for the investigation and whether the company is required to comply. 

8. Contact your IT experts and clarify what information is available on-site. 

9. When legal counsel arrives, provide a full report on everything that has happened up until that point. 

10. Ask for a copy of all materials gathered by the officials during the dawn raid. 

Orbital to the rescue – How can we help?

The role of digital forensic or eDiscovery experts can be crucial. A digital forensic expert can monitor the work performed by the investigators and explain to company stakeholders and legal counsel what is happening in plain, non-technical language. As experts, we work closely with legal teams to ensure any data we collect is collected in a forensically sound and legally defensible manner. This may involve taking an additional forensic copy of the same data from the systems so that the company can get a head start on conducting its own investigation.