The Litigants

Litigants have responsibilities relative to digital forensic evidence, and the expert may be asked to help to identify the failure of others to fulfill these responsibilities as well as to help their clients identify and fulfill these responsibilities

Due Care: There are specific legal duties associated with retention and disposition of DFE and other materials related to digital forensic matters. The pre-legal requirements are largely described above under the "Legal Process" section above in the "Pre-legal" subsection, and the post-legal requirements are discussed briefly in the "Disposition" subsection of that same section. The interested reader should read [9] thoroughly and look for updates as they become available.

Retention: Before the first paper is filed for a legal proceeding, entities have responsibilities to preserve evidence that could be reasonably anticipated to be involved in litigation. For corporate entities, this entails the creation and operation of a policy and process associated with records retention and disposition. For individuals, the standards are far more lax; however, any situation in which a legal matter is anticipated leads to duties to preserve evidence. The simplest strategy for individuals is to do regular backups of digital information and, if a legal matter seems to be looming, make a copy of everything and put it somewhere safe. For corporate entities and other businesses, government entities, or organizations, the issue is far more complicated.

Entities have a responsibility to preserve their records for many legal reasons as well as for reasonable and prudent operations. [9] Some records, such as contracts, publications, historical data associated with patents and other intellectual property, prices charged, and fees paid, are retained for business and legal reasons as evidence of the activities of the entity. Other records, such as records of expenditures and income, are retained for external legal reasons such as government regulations and meeting reporting requirements. Still other records, such as electronic mail, internal memoranda, operating manuals, and notes on when what happened, are retained for internal use, entity long-term memory, and convenience.

Where there is a legal mandate to retain records associated with regulatory bodies, such as tax records, records of controlled substances, employee records, and so forth, entities must retain these records for the legally mandated period, and the entity record retention and disposition process should define these minimum times and identify disposition processes and times after legal limits are reached. Where no such mandate is in place, entities should operate for their own operational efficiency, effectiveness, and convenience, should codify these operational, efficiency, and effectiveness requirements and decisions, and should follow these decisions rigorously. In addition, statute of limitations requirements limit the utility of certain information in certain circumstances, and these statutes should be built into the records retention and disposition process in helping to make decisions about time frames. In all cases, a well-defined retention and disposition process should be in place, operated, and verified in its operation. A legal hold process should also be defined and put in place to assure that prior to disposition of any records that can reasonably be anticipated to be required for any legal proceeding, all legal holds on those records are cleared, and when a legal hold has cause to be in place, appropriate records are preserved and prevented from being disposed of.

Prior to the first filing, and contemporaneous to events of interest, it is important to identify, collect, and assure the proper storage and handling of any content that might be involved in a legal matter. Perhaps the most important things to do contemporaneously are things that can preserve evidence that tends to change over time or will not exist past a particular time frame. For example, network traffic and voices disappear as they are consumed unless explicit preservation is undertaken at the time they occur. When investigating or acting on digital forensic evidence or matters related thereto, it is often helpful to take notes at the time the activities are undertaken and to retain them as contemporaneous evidence of what took place. Similarly, things like network addresses and host names, network-based lookups, and related information, including versions of software in use and other related configuration information, should be collected contemporaneously because these things tend to change with time, and records of their changes are not uniformly kept. Contemporaneous time and date information, when relevant, performance levels, as measured at the time, and justifications for decisions, as they are made, are best documented contemporaneously.

Digital forensic experts brought in prior to the legal process may be used for a wide range of efforts, including without limit, internal investigations, preparation for potential legal work, the creation of forensic data collection and processing capabilities, analysis of potential evidence, and so forth. While these may seem like they have a lower standard of care than work during the legal process, the DFE expert should realize that the work they do in preparation may end up questioned at trial, and reasonable and prudent efforts should be applied, proper contemporaneous information should be collected as appropriate to the matter at hand, and all of the elements of the evidence process should be respected, even though no legal action has been filed.