WP Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Digital Forensics & Incident Management

eDiscovery & Litigation Support

  • May 8, 2025

Sherlocked Security – eDiscovery & Litigation Support

Digitally Preserving, Processing, and Producing Evidence for Legal and Regulatory Proceedings


1. Statement of Work (SOW)

Service Name: eDiscovery & Litigation Support
Client Type: Legal Firms, Compliance Teams, Government, Enterprises with Regulatory Exposure
Service Model: End-to-End eDiscovery Process – ESI Collection, Processing, Review, and Production
Compliance Coverage: FRCP, GDPR, HIPAA, SEC/FINRA, ISO/IEC 27050

Engagement Types:

  • Early Case Assessment (ECA) & Legal Hold Workflows
  • Custodian & Communication Mapping
  • ESI Collection from Cloud, Endpoint, and Enterprise Platforms
  • Metadata Preservation & Chain of Custody Management
  • Review & Redaction Assistance

2. Our Approach

[Legal Hold Planning] → [Custodian Identification] → [Data Mapping] → [Targeted ESI Collection] → [Processing & Deduplication] → [Review & Production] → [Compliance Reporting]


3. Methodology

[Case Intake] → [ESI Source Scoping] → [Data Preservation Strategy] → [Forensic Collection] → [Processing Pipeline Setup] → [Legal Review Enablement] → [Load File Generation] → [Post-Production Reporting]


4. Deliverables to the Client

  1. Legal Hold and Custodian Identification Summary
  2. Chain of Custody Records for All ESI Collected
  3. ESI Inventory & Metadata Extraction Reports
  4. PST, NSF, MBOX, or native file exports
  5. Review Sets with Tags, Filters, and Privilege Flags
  6. Deduplication & Near-Dupe Cluster Reports
  7. Redaction Audit Trail & Production History
  8. Final Production Package (Load Files, Concordance, Relativity, etc.)
  9. Expert Witness Affidavit or Testimony (Optional)

5. What We Need from You (Client Requirements)

  • Scope of litigation or regulatory request
  • Custodian list and relevant departments
  • Data retention policy and existing legal holds
  • List of data sources (email, endpoint, chat, shared drives, SaaS)
  • Required export or load file formats
  • NDA and case-specific confidentiality

6. Tools & Technology Stack

  • Email Platforms: Microsoft 365, G Suite Vault, Exchange EDB
  • Review Platforms: Relativity, Nuix Discover, Everlaw, Logikcull
  • Collection Tools: FTK Imager, X1 Social Discovery, Magnet AXIOM, EnCase eDiscovery
  • Processing: Nuix Workstation, Law PreDiscovery, IPRO, dtSearch
  • Export/Load: Relativity .DAT, Concordance, CSV, native file productions
  • Secure Transfer: SFTP, AWS S3 (client-specific), Encrypted Media
  • Audit Trails: Forensic Notes, Custodian Audit Logs, Hash Logs

7. Engagement Lifecycle

1. Case Kickoff & Scope Analysis → 2. Custodian & Source Identification → 3. ESI Collection & Preservation → 4. Processing & Filtering → 5. Review Enablement → 6. Production Set Creation → 7. Post-Production Reporting & Testimony


8. Why Sherlocked Security?

| Feature | Sherlocked Advantage |
|---|---|
| Forensically Sound Collection | Chain of custody & SHA-256 hashes ensure integrity |
| Platform-Agnostic | Collects data from cloud, on-prem, mobile, and legacy systems |
| Legal Review-Ready | Custom load files and tags for any review tool |
| Privacy & Redaction Workflows | Includes PII/PHI filtering and automated redaction capability |
| Regulatory Alignment | Compliant with FRCP, GDPR, HIPAA, and FINRA eDiscovery protocols |

9. Real-World Case Studies

Cross-Border Litigation: Multi-Tenant M365 Collection

Client: International Law Firm
Challenge: Email and OneDrive collection across EMEA, APAC, and US users under GDPR.
Solution: Selective custodian export using Microsoft Compliance Center with full audit chain.
Outcome: Admissible ESI with zero data loss; defensible production.

Insider Trading Case: Slack + Endpoint Discovery

Client: Financial Institution under SEC Investigation
Challenge: Slack chat, Zoom transcripts, and endpoint logs needed.
Fix: Used Slack API for exports + X1 on endpoints; created unified timeline.
Result: Enabled timeline-based review with privilege tagging and redaction.


10. SOP – Standard Operating Procedure

  1. Scope Definition & Custodian Mapping
  2. Issue Legal Hold Notices (automated/manual)
  3. Identify and Classify ESI Sources
  4. Perform Forensic Imaging or Cloud API Exports
  5. Validate with Hashing (MD5/SHA-256) and Chain of Custody Logs
  6. Process with Deduplication, Indexing, Metadata Enrichment
  7. Enable Review Platform with Redaction, Tagging, Commenting
  8. Export in Requested Format (Concordance, Relativity, PDF, Native)
  9. Post-Production Audit Trail & Log Archival
  10. Optional Expert Witness Preparation

11. eDiscovery & Litigation Support Technical Checklist

1. Custodian Identification & Communication Mapping

  • Identify key stakeholders, departments, and devices
  • Map communication platforms: email, chat, VoIP, collaboration tools
  • Preserve HR metadata: join date, termination, role, manager hierarchy
  • Document legal hold issuance and acknowledgment

2. ESI Source Scoping & Collection Strategy

  • Inventory of systems: mail servers, file shares, cloud drives, mobile
  • Determine collection method: agent-based, API, remote or on-prem
  • Document platform-specific quirks (e.g., Slack threading, Teams folder structure)
  • Use write-blocked environments or snapshot imaging

3. Evidence Preservation & Hash Validation

  • Generate hashes (SHA-256, MD5) for each ESI file collected
  • Maintain original MAC timestamps (Modified, Accessed, Created)
  • Store hash manifests with signature (PDF or XML)
  • Log collector, tool version, timestamps of collection

4. Data Processing & Filtering

  • DeNIST and deduplicate corpus using hash comparison
  • Normalize timezones and convert to UTC or legal jurisdiction
  • Filter by custodians, date range, keywords, MIME types
  • Cluster near-duplicates and email threads
  • Generate processing audit logs with exceptions

5. Legal Review Enablement

  • Create review sets with pre-tagged categories (privileged, confidential, irrelevant)
  • Use threading and conversation analysis for emails
  • Provide redaction tools with version control and audit trail
  • Include dictionary/regex-based PII/PHI detection and filters

6. Export, Production & Testimony Preparation

  • Export to .DAT, .OPT, .LFP, or native format based on legal requirements
  • Validate integrity post-export (hash recheck)
  • Watermark redacted documents (optional)
  • Prepare affidavit detailing method, tools, hash values, and custody chain
  • Support expert testimony or court submission where required
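
The hash steps in checklist items 3, 4 and 6 (per-file hash manifest, deduplication by hash comparison, post-export hash recheck) can be sketched as follows. This is an added example, not Sherlocked Security's tooling; the function names, the collector ID `examiner-01`, the tool version string and the sample files are all constructed for illustration. Creation time is left out because Python does not expose it portably.

```python
import hashlib, tempfile
from datetime import datetime, timezone
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """Stream the file once into both digests so large evidence files stay out of memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()

def build_manifest(root, collector, tool_version):
    """One entry per file, plus who collected, with what tool version, and when (UTC)."""
    utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    root, files = Path(root), []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        st = p.stat()  # read timestamps before the file is opened for hashing
        sha, md5 = hash_file(p)
        files.append({"path": p.relative_to(root).as_posix(), "sha256": sha, "md5": md5,
                      "modified_utc": utc(st.st_mtime), "accessed_utc": utc(st.st_atime)})
    return {"collector": collector, "tool_version": tool_version,
            "collected_utc": datetime.now(timezone.utc).isoformat(), "files": files}

def verify(root, manifest):
    """Hash recheck: paths that are missing or whose SHA-256 no longer matches."""
    return [e["path"] for e in manifest["files"]
            if not (Path(root) / e["path"]).is_file()
            or hash_file(Path(root) / e["path"])[0] != e["sha256"]]

def duplicate_groups(manifest):
    """Exact-duplicate groups by SHA-256; the first path in each group is the one to keep."""
    groups = {}
    for e in manifest["files"]:
        groups.setdefault(e["sha256"], []).append(e["path"])
    return [paths for paths in groups.values() if len(paths) > 1]

def demo():
    """Constructed sample collection: two custodians, one duplicated file, one later change."""
    sample = {"alice/memo.txt": b"Q3 draft\n", "bob/memo_copy.txt": b"Q3 draft\n",
              "bob/notes.txt": b"call at 10\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in sample.items():
            (Path(d) / rel).parent.mkdir(exist_ok=True)
            (Path(d) / rel).write_bytes(data)
        m = build_manifest(d, "examiner-01", "example-0.1")
        intact = verify(d, m)
        (Path(d) / "bob/notes.txt").write_bytes(b"call at 11\n")  # simulated post-collection change
        return len(m["files"]), duplicate_groups(m), intact, verify(d, m)
```

The manifest is a plain dictionary, so it can be serialised and signed as a separate step; MD5 is kept only for compatibility with tools that expect it, and the recheck relies on SHA-256.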