Collecting Electronically Stored Information (ESI): Traditional Computer Forensics vs. Online Captures

Modern investigators and litigators are no stranger to computer investigations. Electronically stored information (ESI) is becoming more and more a part of both criminal and civil cases. Often the first question asked is, “What incriminating piece of information was found by the computer forensics examiner?” But ESI is more that just data found on a computer. It can and does involve a growing number of cases in which data was collected off the Internet. What is the difference between the two? To consider that question we first need to define ESI. A good definition is:

Any information created, stored, or utilized with digital technology. Examples include, but are not limited to, word-processing files, e-mail and text messages (including attachments); voicemail; information accessed via the Internet, including social networking sites; information stored on cell phones; information stored on computers, computer systems, thumb drives, flash drives, CDs, tapes, and other digital media.” (Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO) Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG), 2012, pg. 12)

Notice this definition includes “information accessed via the Internet, including social networking sites.” Lets refer to this type as online ESI and data collected from computers, cell phone or other storage devices as digital ESI. We started this discussion assuming that online ESI was different from digital ESI. But are they really? They both can contain metadata and can be quite voluminous. The difference between the two involves the dissimilar manner in which they are collected as well as how each are susceptible to modification in a different manner.

The computer forensics benchmark for years has been to avoid acquiring data from a live machine and to never examine original data. In recent years this gold standard has been relaxed but not eliminated. We are starting to see some acquisitions and even examinations of computers that are “on”. Additionally, the computer forensics examiner, even in remote data acquisitions, has control over the target system. Online ESI acquisitions are quite different. They are always “live.” The investigator has no control over the original media that hosts the online data. The original data is on a server, which might not even be in the same jurisdiction, let alone the same state, province, or country, as the investigator.

Both digital evidence and online evidence are susceptible to modification. However, digital ESI found on a hard drive or electronic media can be seized and maintained. Even in a civil setting, once pertinent digital ESI is identified, it is secured until it can be provided to opposing parties, with potential penalties for spoliation. Seizing digital ESI is either done by an on scene computer forensic examiner or by “pulling the plug” and providing the device to an expert for later acquisition and examination. As long as chain of custody and proper procedures are in place there is little chance the data will be altered and/or done so without detection.

Contrast this to online ESI collection, which is merely a snapshot on a particular date and time, of a website, social networking site, etc. The online ESI may also only exist temporarily, such as in the case of instant messaging or chat session, and could be gone unless it is captured in some manner. The best computer forensic examiner might not retrieve the entire chat or instant message communication. A website or social networking site might change minutes after it was first captured. Online ESI can be changed remotely, such as with a mobile device, because the media containing the data has not been secured. Even if there were enough computer forensics examiners available, investigators can’t wait for them because online ESI is subject to change at any moment. If it not captured when it is discovered it might not be there again.

Both Todd and I believe investigators can be trained in the proper methods and procedures to not only collect online ESI but do so in a manner that it can be used as evidence in any legal proceeding. Online ESI can be preserved after its capture and “hashed” to answer any questions about it possibly being later altered. We discuss these methods and procedures and tools to accomplish this important investigative task in our book. On that thought, I am going to lite up a cigar and contemplate my next blog entry.


U.S. Department of Justice (DOJ) and Administrative Office of the U.S. Courts (AO) (Joint Working Group on Electronic Technology in the Criminal Justice System (JETWG)). Recommendations for Electronically Stored Information (ESI) Discovery Production in Federal Criminal Cases. (2012). Washington, D.C. Retrieved from


Former Special Agent in Charge, Criminal Division, USSS Loves Our Book!

“This book offers the most comprehensive, and understandable account of cybercrime currently available to all different skill levels of investigators. It is suitable for novices and instructors, across the full spectrum of digital investigations and will appeal to both advanced and new criminal investigators. It will no doubt become a must have text for any law enforcement or corporate investigator’s investigative library.” (Full Foreword Below)

Larry D. Johnson, Current CEO at Castleworth Global LLC, Former Chief Security Officer at Genworth Financial and Special Agent in Charge, Criminal Investigative Division, USSS, Retired.