eDiscovery with Belkasoft

© Belkasoft Research

Individual and businesses, more than ever, store their data in electronic formats. Regardless of where the data is stored, the ability to extract the necessary information and present it to the appropriate parties while keeping to rules and guidelines—especially in civil or legal proceedings—is crucial. Well, this is where computer forensics and eDiscovery come in.

In this article, we intend to examine eDiscovery, first on the basis of it being an important concept in litigation. Then, using Belkasoft Evidence Center—a digital forensics tool—at important flashpoints, we will review the processes that define the typical eDiscovery procedure (a model), describe its data storage peculiarities (formats), and also walk you through important use cases.

What is eDiscovery?

eDiscovery (Electronic Discovery) refers to the process of identifying, collecting, legally validating, and analyzing electronic data with the aim of using it as digital evidence in a civil or criminal case. It encompasses the discovery procedures in litigation that is performed in electronic formats.

These are the typical eDiscovery objects: emails, database information, voicemail messages, chat information from instant messengers, image files, video files, information from social networks, and so on.

The primary purpose of eDiscovery—especially in the initial phase of litigation—is to ensure that parties in a dispute provide each other with the relevant electronic information, records, and details, which can serve as evidence.

  • Technical experts work to store digital evidence securely to ensure that the other party does not get the basis to bring forth charges that the evidence was somehow tampered with, destroyed in the process during which it was obtained, or make claims that the evidence was acquired in violation of procedural rules.
  • The highly sought-after digital existence often exists in an array of poorly structured data, which may be stored in several or multiple sources such as company's servers, on a cloud, in databases, in archives, IoT (Internet of Things) devices, and others.

    It is impractical to expect an individual (lawyer, in most cases)—who is not trained in eDiscovery—to find the necessary data while having to examine and search through many evidentiary sources. For this reason, technical experts are usually tasked to assist lawyers. The former helps the latter by isolating the large volumes of data and then extracting and presenting only the information relevant to a case. This way, the time needed for audits or investigations gets significantly reduced.

  • Most judges, lawyers, and other legal practitioners are poorly versed in technical terminology. Therefore, technical specialists have to emphasize the importance of the forensically-sound processes and methods used to detect, consolidate, and seize digital evidence to them. The experts, using language that legal practitioners can understand, also have to stress the usefulness of discovered information—which may not be obvious to untrained eyes—for cases or investigations.

Why is eDiscovery important?

Human activities in today's modern world, regardless of their wishes, produce large volumes of digital footprints. The footprints—which intrinsically tend to exist in varying amounts and formats—can always be detected and documented procedurally by technical experts. A client or their lawyer can then use the discovered information against the other party in court proceedings.

In the eDiscovery process, technical experts help to detect or find the digital footprints, process them appropriately, fix and analyze them (where necessary), and also evaluate the results and materials, which get presented in court. Furthermore, technical specialists may help develop a model for the correct presentation of digital evidence in court, provide legally sound arguments, and also construct solid lines of defense based on discovered data.

Essentially, eDiscovery guarantees secure and instant access to a client's business information with respect to a strict access model while providing the means to search, view and/or analyze data and legally select specific documents or the items relevant to a client's request.

Model for detection and storage of electronic evidence

eDiscovery corresponds to all the processes and technologies that aid clients in discovering and securing digital evidence. This way, the relevant parties get to analyze the data they need quickly and efficiently. The eDiscovery setup ensures that clients and their lawyers understand the value of acquired information used in winning court cases and settling different forms of litigation.

eDiscovery encompasses 9 key stages:

Figure 1. The 9 key stages in eDiscovery

Stage 1: Preparation

In this stage, a client's policies, procedures, and electronic turnover policies are studied. You get to determine the wide range of sources holding the client's information: workstations, servers, clouds, mobile devices, data storage systems, virtual storage mediums, etc.

Stage 2: Identification

Here, you search for sources that may contain data potentially relevant to a client's request.

Stage 3: Information security

Having identified potential sources of information, you get to perform certain tasks to ensure that the information contained in the evidentiary sources is protected from damages—accidental or not—and alterations.

Stage 4: Gathering information

In this stage, you collect information from the provided sources based on the request and perform legal registration tasks. Besides the needed information, you get to collect metadata, which may point to a file's creation date and size, its cryptographic hash, and other facts. These details can later be used to confirm that the information collected did not get modified.

Belkasoft Evidence Center allows you to collect evidence from a wide range of sources, such as

  • Physical storage media (hard drives, flash drives, servers, mediums attached to networks, etc.).
  • Mobile devices (phones, smartphones, fitness bracelets, etc.).
  • Cloud storage (cloud service providers: Google Drive, OneDrive, iCloud, and others; social networks; and email servers).

Figure 2. The data types that can be extracted using Belkasoft Evidence Center

Stage 5: Information processing

In the processing phase, you prepare the collected information for analysis tasks to be conducted on it. As a general rule, a special forensics tool is used to process information. In this information processing stage, files can be extracted from different directories; artifacts can be obtained from forensics copies and redundant system files; duplicates can be removed.

With Belkasoft Evidence Center, you can process information drawn from different sources. The tool will present results in a format convenient for further analysis.

Figure 3. The artifacts from an Android device presented in known formats in Belkasoft Evidence Center

Stage 6: Results evaluation

In this stage, a digital forensics expert—alongside with the client and/or their lawyers—can analyze the results obtained from the information processing tasks to figure out the most useful artifacts (and irrelevant items). Artificial Intelligence (AI) may be employed to speed up things here.

As a digital forensics tool, Belkasoft Evidence Center uses artificial intelligence to separate or group objects from the results. For instance, Belkasoft uses AI to assign detected images to set categories (pornography, for example).

Figure 4. Belkasoft using AI to place images into different categories or groups

Stage 7: Analysis

This stage may be considered a variation of stage 6. In this stage, you get to initiate deeper searches for useful content and relevant contexts in the analyzed information and artifacts. Here, you may utilize search templates, key topics, known data about people, and knowledge from discussions about the results.

Belkasoft Evidence Center provides a wide range of functions for performing the tasks in this stage. You can use Belkasoft to filter data based on given criteria or apply certain search functions for keywords.

Stage 8: Production

In this stage, you get to identify documents and information that a client and/or their lawyers can use as evidence. You may also have to prepare documents for the parties relevant to a case.

Stage 9: Presentation

This stage encompasses the processes for the presentation of the analyzed results to the relevant parties (clients, their lawyers, and/or courts).

Belkasoft Evidence Center provides a standard interface for the presentation of results. In this interface, all parties can view the results conveniently. The results of any analysis work can be presented using the Belkasoft Evidence Reader format. The latter—as a tool—is a free utility embedded in the delivery package. You can use it to present the results of your research or work to the appropriate parties.

Figure 5. Research results presented in Belkasoft Evidence Reader's interface

Formats for the presentation of results

In eDiscovery, technical experts can present the results of their work in these formats:

  • Native format files: These files are saved in the format in which they originally existed. For example, a document in the .docx format gets saved in the same .docx format; an email in the .eml format is saved in the same .eml format; and so on.
  • Similar format files: These files are converted (or extracted and then saved) to another format that displays the data in ways very similar to the native format. The new format, however, does not require people to use specialized software to view them, and it also provides the means for convenient search tasks (through keywords or based on specific queries).

    For example, information from emails—especially those originally in .htm, .mht, or .rtf formats—and databases are saved as text files or in the .csv file format.

  • Graphic format: All graphic files are converted to images files, which typically exist in the .tiff format.
  • Paper format: All the extracted electronic evidence is printed on paper.

Belkasoft Evidence Center allows you to create reports in several formats accepted in courts and used by clients' lawyers.

Figure 6. Choosing the appropriate format for a report in Belkasoft

Typical use cases

The projected procedures and processes are often used in these scenarios:

  • Certifying the contents of private chats.
  • Figure 7. Using Belkasoft Evidence Center to certify chats

  • Establishing the fact that an email was received or sent.
  • Figure 8. Emails presented in Belkasoft Evidence Center

    With Belkasoft, you can not only extract email data from various sources, but you can also instruct the tool to present the results of its analysis in a convenient format.

  • Establishing the fact that a document was modified on a specific computer and showing the editing history for the document.
  • Figure 9. Analyzing a document's properties in Belkasoft

    Belkasoft Evidence Center provides comprehensive information on a document's metadata (that lies in the file itself) and details on the metadata from the file system. With the file recovery function, a researcher can reconstruct events to events showing changes made to a file.

  • Establishing the fact of a user's visit to the internet on a computer.
  • Figure 10. A user's browsing history presented in Belkasoft

    Besides finding and presenting users' browsing histories, Belkasoft Evidence Center provides recovered web data, search queries, and clogged or broken items.

  • Establishing the fact that a user performed a sequence of tasks on a computer.

Figure 11. A user's timeline displayed in Belkasoft Evidence Center

You can use the Timeline function to view a user history. This way, information corresponding to a user's activity can be presented as a graph or in a tabular format.


Advancements in technology definitely created new challenges in terms of larger data volumes, increases in the complexity of information, and a wider range of evidentiary sources. Fortunately, computer forensics—through eDiscovery—can help researchers and investigators deal with the difficulties.

eDiscovery corresponds to a collection of tools, methods, and technologies that must be used in the correct manner to get optimal results. The identification, collection, processing, and production stages are the most important phases in any eDiscovery procedure.

It is imperative that technical specialists acquire sufficient knowledge and skills in eDiscovery. This way, they get to help clients and interested parties through the discovery process while arming them with information, data and analysis points, and the higher level of understanding that is needed to win cases or achieve the best legal outcomes.

With regards to the methods, processes, and events described in this paper, Belkasoft Evidence Center is equipped with all the functions a technical expert needs to conduct comprehensive research along these lines: collecting digital evidence, analyzing information, and then presenting the results in a court (or to a client).

Different organizations—especially law enforcement agencies, military and security bodies, and private firms—trust and use Belkasoft products. The results of research and forensics tasks conducted in Belkasoft Evidence Center have repeatedly been accepted and used in courts as evidence.

For further reading

  • Building a Timeline: A Case for Belkasoft Evidence Center
  • How to Use Connection Graphs by Belkasoft for Complex Cases with Multiple Individuals Involved: a Real-life Scenario and Guide
  • Carving and its Implementations in Digital Forensics
  • Countering Anti-Forensic Efforts
  • Other useful links

    © Belkasoft Research