Reporting is a critical part of e-discovery processing. From the beginning, the software should track the files received from collection and the actions taken on those files. An initial container file, for example, should be linked to the identity of the files extracted from it and those files should be tracked so an administrator can see every step taken on the files from ingestion to system output. All of this information should be available for searching, sorting and filtering, with the results available in a standard format for export or printing.
5.1 File Inventory Reporting
Processing systems should provide inventory reports showing the number of files contained on a given piece of media, the type of files contained on the media, and the size of the data contained on the media. In addition, directory lists of the file names should also be available and is generally referred to as a file inventory report.
5.2 Custodian Reporting
Custodian level reports provide data regarding files received for each custodian. A typical report will include the custodian’s name, records received and processed, file dates, types and sizes along with exception information for files that could not be processed.
5.3 Filtering Reports
Filtering reports are designed to show the volume of files removed or not promoted as a result of the different filters run against the data. This could include virus and NIST removal, along with date range and file type searches run.
5.4 Chain of Custody
Chain of custody is a term often used in criminal matters to reflect the rule that evidence should not be altered during the time it is in police hands. During processing, chain of custody refers to a report showing how each file was handled from reception to output. The purpose is to provide assurance that the file and its associated metadata has not been altered to the benefit of the party offering it as proof.
Chain of custody also refers to the receipt and maintenance of drives and other electronic media holding collected files and other data, which should be stored securely in a tamper proof vault when not in use.
Processing software should record all of the file handling steps taken during this phase of the EDRM for purposes of chain of custody tracking.
5.5 Exception Reporting
Files which cannot be processed should be identified in the processing database as exceptions. These are files for which no text or metadata can be extracted or for which no image can be rendered. This category may include encrypted or corrupted files, system files, program files or some other type that will not render information.
Exceptions information should be available for search and reporting. Ideally the report will provide the reason the files could not be processed. As an example, an exception report might include the following information:
File name, original directory location of the file, reason for exception (failure).
Reasons for file exceptions might include file corruption, encryption, password protected, virus infection, zero byte file, or NIST exclusion.
This article has not been revised since publication.
This post was created by JenW on January 27, 2022.