eDiscovery: Forget the basics at your peril!

AI in eDiscovery has been a hot topic for some time now, and with generative AI emerging, the topic is only going to get hotter.   While there is no argument that AI makes eDiscovery faster and more cost efficient, it’s important to remember that the basics of the eDiscovery process are still crucially important. 

eDiscovery is based on the widely recognised framework, the EDRM (Electronic Discovery Reference Model).  The process consists of nine stages:  

1. Information Management 

2. Identification 

3. Preservation 

4. Collection 

5. Processing 

6. Review 

7. Analysis 

8. Production  

9. Presentation 

For the purposes of this article, we will focus on points 2-7. 

Identification & Preservation

The first step of any eDiscovery project is data identification.  It is essential to know what data is needed for the project and where it is located.  At this stage, questions around retention policies, legal hold, user policies, and use of devices will arise, as it is important to understand the landscape of the data. 

Once the data has been identified, it needs to be defensibly preserved, which is where digital forensic teams come into play. 


Forensic collection ensures that data is collected in a defensible and verifiable manner, and that the integrity of the data is maintained throughout the collection process. If this process is not watertight, there could be a risk of failure and additional spiralling costs at a later stage.  Not to mention there can be severe sanctions for spoliation of data.  Specialised software and hardware are used to preserve the integrity of the data. 


Once the data has been collected, the next stage is to process the data. Essentially, this step involves putting the data into a usable format so that it can be reviewed and searched. It involves lots of machine time and can be amended according to the requirements of the project. Here are some of the standard activities which take place during processing: 

– DeNISTing – the removal of system files, program files, and other non-user created data 

– Deduplication – the removal of identical document families 

– Document extraction – this involves extracting attachments from emails, unzipping container files and sometimes extracting embedded objects so that each document is displayed individually in the review platform 

– Metadata extraction – all the information about a document is extracted and put into separate fields, e.g. for emails, information such as To, From, Subject and Body is captured in separate fields 

– Text extraction – all the text from a document is extracted and put into a field so it can be easily searched 

– OCR (Optical Character Recognition) – printed or handwritten text and images are converted into machine-readable text 

– Numbering – each document is assigned a unique identifier so that it can be easily referenced.  Document families are also assigned a unique identifier to ensure the relationship between the documents is preserved 
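The DeNISTing, deduplication and numbering steps above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any review platform; the file names, the `DOC`/`FAM` identifier formats, the use of SHA-256 and the rule of DeNISTing only loose files are assumptions, and the known-hash list is constructed here (in practice it comes from a reference set such as the NIST NSRL, which gives DeNISTing its name).

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def family_digest(family) -> str:
    # A family (parent plus attachments) is hashed as one unit, in order.
    return digest("".join(digest(d) for _, d in family).encode())

def process(families, known_hashes):
    """families: list of [(name, bytes), ...], parent first.
    Returns (rows to load, exclusion log)."""
    rows, log, seen = [], [], {}
    doc_no = fam_no = 0
    for family in families:
        parent = family[0][0]
        # DeNISTing (simplified): drop loose files whose hash is on the known list.
        if len(family) == 1 and digest(family[0][1]) in known_hashes:
            log.append((parent, "denisted"))
            continue
        # Deduplication: only a byte-identical *family* counts as a duplicate.
        fd = family_digest(family)
        if fd in seen:
            log.append((parent, "duplicate of " + seen[fd]))
            continue
        fam_no += 1
        seen[fd] = fam_id = f"FAM{fam_no:04d}"
        # Numbering: unique document ID plus a family ID shared by its members.
        for name, data in family:
            doc_no += 1
            rows.append({"doc_id": f"DOC{doc_no:06d}", "family_id": fam_id,
                         "name": name, "sha256": digest(data)})
    return rows, log

# Constructed sample input (not real case data).
REPORT = b"%PDF-1.7 quarterly report"
FAMILIES = [
    [("mail_a.eml", b"From: a\n\nsee attached"), ("report.pdf", REPORT)],
    [("mail_a_copy.eml", b"From: a\n\nsee attached"), ("report.pdf", REPORT)],
    [("mail_b.eml", b"From: b\n\nfwd"), ("report.pdf", REPORT)],
    [("kernel32.dll", b"MZ system library")],
    [("report.pdf", REPORT)],
]
KNOWN_HASHES = {digest(b"MZ system library")}

if __name__ == "__main__":
    rows, log = process(FAMILIES, KNOWN_HASHES)
    for r in rows:
        print(r["doc_id"], r["family_id"], r["name"])
    for name, reason in log:
        print("excluded:", name, "-", reason)
```

Because deduplication works on whole families, the same attachment survives three times in this sample: under two different parent emails and once as a loose file. The exclusion log is what makes each removal explainable later.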

It is important to perform sufficient quality control (QC) checks to ensure documents were processed correctly and display as expected in the review platform. At this stage, we usually encounter some processing errors which could be due to corrupt files, password protected files, unreadable file types etc.  Discussions take place between the client and eDiscovery vendor to decide how to address these files. In most scenarios, the errored files are reprocessed to try to resolve the issue. If the issue cannot be resolved, the files are labelled “processing exceptions” and are not loaded to the review platform.

Review and Analysis

And now onto the fun stuff…  

Once the data is loaded into the chosen review platform, we can start using all the bells and whistles to analyse, search and filter the data.  We work closely with the client to understand what they are looking for within the data set and then we design workflows to ensure they are able to see the relevant documents as quickly as possible.  Here, we can leverage a variety of tools, depending on the requirements of the project, such as: 

– Near duplicate analysis 

– Email threading 

– Active learning 

– Timeline analysis 

– Image labelling 

– Behavioural patterns 

– Sentiment analysis 

– Communication webs 

– Thematic analysis 

And much more! 

The main aim of the eDiscovery provider is to help the client find the relevant material as effectively and efficiently as possible.  Most clients, understandably, want to spend as little time as possible reviewing documents – although manual review will always feature in an eDiscovery project, especially as it helps to refine the AI technology.    

(A future article will dive deeper into these tools and how to leverage them during an eDiscovery project) 


In summary, although AI is undeniably establishing its presence in eDiscovery, it’s crucial not to neglect the fundamentals, as mishandling eDiscovery can result in substantial financial and reputational consequences. Just as one wouldn’t invest in a house lacking a strong foundation, exercise caution when selecting eDiscovery services, ensuring that the chosen company employs a solid workflow and possesses a deep grasp of the essentials. 

Is my top talent leaving with our company data?

When an ex-employee steals data and tries to pass the information to a competitor or use it to start their own business, it can be a race against the clock to identify exactly what data was taken. This is the situation which one of our clients faced, and we were able to help them through the process of identifying and removing their stolen data from their competitor’s systems. Here’s how we did it:

Step 1: Forensic Data Collection & Initial Analysis

When our US client’s former employee left, the company suspected that they had taken sensitive and proprietary company data with them. The company alerted counsel and got us involved. We immediately began the process of forensically imaging the ex-employee’s laptop and work phone, collecting emails, file shares, messages and associated log files. We performed an initial analysis on the collected data using forensic tools and identified that a USB device had been plugged into the ex-employee’s laptop for four hours on the day before they left the company. During that same time window, the ex-employee had accessed sensitive documents on the file share and taken a local backup of their email.  At this stage, we could not be sure that this data had been copied to the USB; however, things did not look good for the ex-employee. All signs were indicating theft of company data. 
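The time-window correlation described above can be illustrated with a short Python sketch. It is an added example, not the tooling used in the engagement; the event names, timestamps, file paths and the device serial are constructed placeholders. As in the case study, an overlap shows opportunity only and does not prove that anything was copied to the device.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

def parse(rows):
    """Turn (timestamp string, kind, detail) rows into a sorted timeline."""
    return sorted((datetime.strptime(t, FMT), k, d) for t, k, d in rows)

def usb_windows(events):
    """Pair connect/disconnect events per serial into (serial, start, end)."""
    open_at, windows = {}, []
    for ts, kind, detail in events:
        if kind == "usb_connect":
            open_at[detail] = ts
        elif kind == "usb_disconnect" and detail in open_at:
            windows.append((detail, open_at.pop(detail), ts))
    # A device never seen disconnecting stays open to the end of the timeline.
    last = max(ts for ts, _, _ in events)
    windows += [(serial, start, last) for serial, start in open_at.items()]
    return windows

def activity_during_usb(events):
    """Return (serial, timestamp, kind, detail) for non-USB events in a window."""
    hits = []
    for serial, start, end in usb_windows(events):
        for ts, kind, detail in events:
            if not kind.startswith("usb_") and start <= ts <= end:
                hits.append((serial, ts, kind, detail))
    return hits

# Constructed timeline merged from laptop, file-share and mail-client artefacts.
TIMELINE = parse([
    ("2023-01-12 08:40", "file_read", "team/holiday-rota.xlsx"),
    ("2023-01-12 13:00", "usb_connect", "SERIAL-PLACEHOLDER-1"),
    ("2023-01-12 13:20", "file_read", "finance/pricing-model.xlsx"),
    ("2023-01-12 14:05", "mail_export", "local-backup.pst"),
    ("2023-01-12 17:00", "usb_disconnect", "SERIAL-PLACEHOLDER-1"),
    ("2023-01-12 17:30", "file_read", "team/lunch-menu.docx"),
])

if __name__ == "__main__":
    for serial, ts, kind, detail in activity_during_usb(TIMELINE):
        print(serial, ts.strftime(FMT), kind, detail)
```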


Step 2: Analysis and Retrieval

We notified the client and counsel of our initial finding and counsel were able to order the ex-employee’s USB devices to be handed over to us for further analysis.  We analysed the USBs and found the stolen documents.  

We then had to answer two questions:

1. Did the ex-employee share this information with anyone else?  

2. Did the ex-employee access the USB from any other devices?

In order to answer these questions, we imaged the ex-employee’s personal laptop to look for indications that they had copied the data to this device or to online file sharing systems (such as Dropbox, Gdrive etc.) or had shared the information with others via email, social media, blog posts etc.  In this instance, the data had not been shared further and remained on the USB devices.  However, we did determine that the former employee had plugged the USB devices into his personal computer and had reviewed some of the client’s data that he stole. 

By looking at several pieces of evidence, the Orbital team were able to build a picture of the ex-employee’s intent to distribute the data.

Step 3: Forensic Deletion

Once we had identified the stolen data, our final step was to ensure that it was forensically deleted.  This means that we wiped the ex-employee’s USB devices clean of any traces of the stolen data, ensuring that the data could not be accessed again. 

Top Tips


Data theft is a serious issue that can have severe consequences for businesses.  Companies can take proactive measures to prevent theft of data by having proper procedures in place. If you or your company suspects that company data has been taken, it is crucial to act quickly and to work with experts in this field to ensure that the data is collected and analysed in a forensic and defensible manner.

A governmental authority has seized our data, now what?

After a few quiet years due to COVID, it seems like dawn raids are back on the cards for authorities. Recently, we have seen several cases where an authority has turned up at a company at the crack of dawn, taken all their data for an investigation and left employees shocked as to what to do next. 

What is a Dawn Raid?

A dawn raid is an unannounced, often early-morning, surprise inspection or search conducted by a government authority, typically law enforcement or regulatory agencies. These raids are carried out to investigate potential legal violations, such as financial misconduct, antitrust violations, or breaches of regulatory compliance. During a dawn raid, authorities may seize documents, data, or physical assets and interview employees as part of their investigation. It is a legal procedure aimed at uncovering evidence of wrongdoing and ensuring compliance with laws and regulations. 

What do I do?

If your company experiences a dawn raid, it is important to take immediate steps to protect your interests. Here’s a step-by-step guide on what to do: 

1. Appoint a designated Response Team within your company to manage dawn raids, should they ever occur. 

2. Immediately contact internal and/or external lawyers and digital forensic specialists. 

3. Ensure the officials remain accompanied at all times. Any questions should only be answered in the presence of a lawyer or in-house counsel. 

4. Ask the officials to wait until legal counsel has arrived, but do not obstruct the investigation. 

5. Verify and record the officials’ identifications (names & ID numbers) and their time of arrival. 

6. Designate & accompany the officials to an empty conference room or dedicated space (one without files or computers) where they can set up their equipment and work. 

7. Confirm the reasons for the investigation and whether the company is required to comply. 

8. Contact your IT experts and clarify what information is available on-site. 

9. When legal counsel arrives, provide a full report on everything that has happened up until that point. 

10. Ask for a copy of all materials gathered by the officials during the dawn raid. 

Orbital to the rescue – How can we help?

The role of digital forensic or eDiscovery experts can be crucial. A digital forensic expert can monitor the work performed by the investigators and explain to company stakeholders and legal counsel what is happening in non-technical jargon. As experts, we work closely with legal teams to ensure any data we collect is collected in a forensically sound and legally defensible manner. This may involve the additional copying of data from systems to allow the company to get a head start on conducting its own investigation.

Orbital Engages Reveal as Global eDiscovery Partner

Oct 19, 2020, 16:30 ET

CHICAGO, Oct. 19, 2020 /PRNewswire/ — Reveal, a global eDiscovery technology company, today announced that Orbital Data Consulting engaged Reveal as its preferred eDiscovery and investigations software provider.

Orbital is a global provider of eDiscovery consulting, digital forensics and incident response services in Europe and the United States. Founded in 2020, Orbital is primarily focused on white collar regulatory investigations & complex cross-border litigation.

Orbital chose Reveal after evaluating many of the major eDiscovery platforms through an extensive feasibility project. Reveal was selected after months of rigorous testing which included the use of large test data sets. The key reasons for choosing Reveal were its robust data processing capabilities, advanced workflow functionality, and industry-leading artificial intelligence capabilities. The software’s user interface is very straightforward to use; a novice reviewer can be trained and be working proficiently within 20 mins.

“Our clients have a growing expectation that technology should do more to reduce the burden of human first level review. Therefore, we set the bar very high when evaluating eDiscovery software tools,” said Andrew Hunniford, Orbital Co-Founder. “We sought a company that wanted to get in the trenches with us and help our clients solve their problems firsthand. With the team at Reveal we believe we have formed the perfect partnership.”

“Reveal is uniquely positioned to fulfill Orbital’s need to easily and securely deploy eDiscovery solutions on a global scale,” said Wendell Jisa, Chief Executive Officer of Reveal. “Our international footprint, with support teams throughout North America and Europe plus 19 data centers worldwide, ensures Orbital is supported by a technology partner who understands European jurisdictions and increased GDPR scrutiny.”

The Reveal platform includes industry-leading processing, early case assessment (ECA), artificial intelligence, review and production functionality.  In August, Reveal announced the acquisition of NexLP, a key step in the company’s mission to use artificial intelligence to lead in the evolution of how law is practiced.

“The recent acquisition of NexLP by Reveal was a game changer for us,” said William Odom, Orbital Co-Founder. “Knowing an incredibly powerful AI and analytics suite sits under the bonnet in Reveal gives our clients immense analytical firepower to slice through vast data sets and uncover key insights much faster.”

About Reveal

Reveal is the industry’s only eDiscovery platform powered by artificial intelligence. As a cloud-based software provider, Reveal offers the full range of processing, early case assessment, review, infrastructure and artificial intelligence capabilities. Reveal clients include law firms, Fortune 500 corporations, legal service providers, government agencies and financial institutions in more than 40 countries across five continents. Featuring deployment options in the cloud or on-premise, an intuitive user design, multilingual user interfaces and the automatic detection of more than 160 languages, Reveal accelerates legal review, saving users time and money. For more information, visit http://www.revealdata.com.

About Orbital

Orbital Data Consulting was founded by Andrew Hunniford & William Odom in 2020.  Andrew and William have over 35 combined years of experience and have worked on several high-profile projects that have involved complex Digital Forensic, Data Privacy, eDiscovery & Data Governance issues. The company was built from scratch during the COVID-19 pandemic, which saw many organisations pivoting to support remote working capabilities. Orbital has been optimised to provide secure technology solutions that thrive in remote working environments. For more information, visit https://orbital.global.
