Sometimes, the simplest of digital forensic workflows net the most time savings, and legal hold requests are no exception. Workflows that consist of repeatable manual steps, require little to no human input or advanced decision making, and often involve batch processing are the ones where automation produces significant time savings.
Forensic Collections for Legal Holds: Fit for Automation
Automating the forensic collection of endpoints involved in a legal hold (or litigation hold) meets these criteria and is a particularly beneficial way to save investigators time to focus on higher-value tasks.
A legal hold is a process an organization uses to preserve electronically stored information (ESI) or paper documents that might be relevant to a new or impending legal case. It starts with a trigger event (e.g., an event that usually leads to litigation, such as a records subpoena), followed by a notification from the organization’s legal team to custodians (the employees who hold the data) requiring them to preserve potentially critical evidence.
Rapidly Collect and Preserve Endpoints to Reduce Risk of Spoliation
In some cases, a custodian might ignore the request to preserve data. The legal team weighs this as a risk. For highly relevant custodians whose data the legal team knows it will need at some point, it is best to collect that data right away so it cannot be deleted or manipulated, which is commonly referred to as “spoliation.” Spoliation comes with significant risks, including sanctions and costs imposed on the organization by the court.
Current Manual Digital Forensic Workflow
The organization’s legal team has just received a cease-and-desist letter triggering the organization’s duty to preserve potentially relevant evidence. The clock is ticking to quickly preserve critical evidence to show that good faith efforts were made to avoid evidence being lost, deleted, or modified. The legal team has identified several remote endpoints requiring forensic collection in this case. They provide details of the legal hold request to the digital forensics team.
As soon as possible, an investigator begins the collection, a time-consuming manual task that requires each endpoint to be collected one at a time, followed by processing and archiving. Delays are expected between each step in the process. In some cases, this might take a few business days, exposing the organization to risk should evidence be tampered with in that time.
New Workflow With AUTOMATE
In this case, almost the entire forensic collection workflow is automated using Magnet AUTOMATE. After the legal hold request is received and the investigator configures the collection, the rest of the workflow is kicked off and completed without any additional human interaction. To speed up the acquisition process further, the investigator can choose to collect from targeted locations so they only collect exactly what they need.
Additionally, AUTOMATE allows for the concurrent collection of data from multiple endpoints. This means investigators can rapidly preserve data from several endpoints simultaneously in a consistent, repeatable manner that promotes speed and efficiency.
With AUTOMATE coordinating the forensic collection, an automated sequence of events may look like this:
- The legal team provides the investigator with the collection details, which the investigator uses to configure AUTOMATE and kick off their customized legal hold workflow
- AUTOMATE initiates automatic collection from several endpoints
- Upon completion of data collection, AUTOMATE orchestrates the processing of evidence and pushes the output, which can be a load file for easy uploading into an eDiscovery platform, to cloud storage to be archived
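To make the sequence above concrete, the following is an added, hypothetical orchestrator written for this post; it is not Magnet AUTOMATE code and does not use any AUTOMATE API. It assumes each endpoint is reachable as a filesystem root (the demo uses constructed local directories in place of real custodian machines), collects only the targeted locations from several endpoints concurrently, records a SHA-256 hash of every collected file and of the resulting archive in a per-endpoint manifest, and can later re-verify the archive against that manifest so any post-collection tampering is detectable. The endpoint names, target paths, and file contents are all constructed sample values.

```python
"""Hypothetical legal-hold collection orchestrator (illustrative only, not AUTOMATE's code)."""
from __future__ import annotations

import hashlib
import json
import tempfile
import zipfile
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_endpoint(name: str, root: Path, targets: list[str], out_dir: Path) -> dict:
    """Collect only the targeted locations under `root` into one archive and return the manifest.

    The manifest is the chain-of-custody record: what was taken, when, and its hashes.
    Targets that do not exist on the endpoint are recorded as 'missing' rather than silently skipped.
    """
    started = datetime.now(timezone.utc).isoformat()
    archive = out_dir / f"{name}.zip"
    files: list[dict] = []
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for target in targets:
            base = root / target
            if not base.exists():
                files.append({"target": target, "status": "missing"})
                continue
            for p in sorted(base.rglob("*")):  # sorted for a repeatable archive layout
                if p.is_file():
                    rel = p.relative_to(root).as_posix()
                    zf.write(p, rel)
                    files.append({"path": rel, "size": p.stat().st_size,
                                  "sha256": sha256_file(p), "status": "collected"})
    manifest = {
        "endpoint": name,
        "started": started,
        "completed": datetime.now(timezone.utc).isoformat(),
        "archive": archive.name,
        "archive_sha256": sha256_file(archive),
        "files": files,
    }
    (out_dir / f"{name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def run_legal_hold(endpoints: dict[str, tuple[Path, list[str]]], out_dir: Path,
                   workers: int = 4) -> dict[str, dict]:
    """Collect several endpoints concurrently, each with the same targeted scope and output format."""
    out_dir.mkdir(parents=True, exist_ok=True)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {name: pool.submit(collect_endpoint, name, root, targets, out_dir)
                   for name, (root, targets) in endpoints.items()}
        return {name: f.result() for name, f in futures.items()}


def verify_archive(manifest: dict, out_dir: Path) -> bool:
    """Re-hash the archive and every collected file against the manifest; False means tampering or damage."""
    archive = out_dir / manifest["archive"]
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    with zipfile.ZipFile(archive) as zf:
        for entry in manifest["files"]:
            if entry["status"] != "collected":
                continue
            if hashlib.sha256(zf.read(entry["path"])).hexdigest() != entry["sha256"]:
                return False
    return True


def build_demo() -> tuple[dict[str, tuple[Path, list[str]]], Path]:
    """Constructed sample data: two fake endpoints with a few files (no real custodian data)."""
    base = Path(tempfile.mkdtemp(prefix="legalhold_"))
    endpoints: dict[str, tuple[Path, list[str]]] = {}
    for host in ("WS-ALICE", "WS-BOB"):
        root = base / host
        (root / "Documents").mkdir(parents=True)
        (root / "Documents" / "contract.txt").write_text(f"draft from {host}\n")
        (root / "Downloads").mkdir()
        (root / "Downloads" / "notes.txt").write_text("meeting notes\n")
        (root / "Games").mkdir()
        (root / "Games" / "big.bin").write_bytes(b"\0" * 1024)  # out of scope; never collected
        endpoints[host] = (root, ["Documents", "Downloads", "Mail"])  # "Mail" deliberately absent
    return endpoints, base / "out"


if __name__ == "__main__":
    demo_endpoints, demo_out = build_demo()
    for host, manifest in run_legal_hold(demo_endpoints, demo_out).items():
        print(host, len(manifest["files"]), "entries, verified:", verify_archive(manifest, demo_out))
```

The targeted scope is what keeps the collection fast: only the listed locations are touched, and the same target list is applied to every endpoint, so the output is uniform regardless of which investigator configured the run. The manifest and per-file hashes are what let the organization later demonstrate that what was archived is exactly what was collected.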
Learn More About Automating Your DFIR Workflows
Check out other common digital forensic workflows that can benefit from automation in our “Automating DFIR Workflows” blog series:
- Automating Insider Threat Investigations with SIEM Integration in Magnet AUTOMATE
- Automating Root Cause Analysis With EDR Integration in Magnet AUTOMATE
Also, download the “Modernizing Digital Forensics Workflows with Magnet AUTOMATE” guide to explore how automation transforms other common DFIR workflows, such as DLP, inter-department handoffs, and malware investigations.