The electronic forensic investigation starts with the application of a series of keywords to people’s electronic devices that, according to the information available, are thought to have had information of interest about the facts, may have had or not participation in them (the so-called ‘custodians’). Devices may include both computers and other electronics used by the custodians as well as data available in servers, in both emails and other files.
As a specialized firm PwC obtained this data using forensic methodology that is industry standard for these cases. The methodology includes cloning the device, obtaining a hash code to ensure data is not modifiable, analyzing the data in their labs, and more.
Keywords are selected by attorneys and the PwC forensic team, and they include all relevant words that the facts under investigation indicate they should. Both keywords and custodians are updated with the obtained evidence.
The selection of keywords is made with the intent that not a single email or relevant file goes undiscovered, which is why, the selection includes many words that may produce large numbers of non-relevant results or – false positives. In other words, the methodology prefers excess, not lack thereof. Items (emails, files, etc.) obtained through these electronic searches are called ‘hits’. It is very common that in an e-discovery the searches with keywords produce hundreds of thousands of hits, with most of them (more than 95 percent) being false positives. For example, BBVA has a branch in the town of Villarejo de Salvanés, which frequently appeared in different searches, and is not relevant to the case. To reduce the number of false positives Boolean combinations are used to refine the searches. These consist of combinations of keywords (X and Y; Y but not Z, and more).
After that, hits are subject to a document review, at several levels. During the first level, analyzers dismiss the hits that are clearly irrelevant – or those not relevant to the facts under investigation. Then, in a second level, other experts analyze the selected hits from the first review and choose those deemed relevant to the investigation. In our case, the analyzers were hired by PwC (first level) or the PwC forensic team (second level). As expected, an additional final review came from external attorneys.
All this is done with specialized software (for PwC, the Nuix software), which allows each hit obtained with keywords to be classified with lines of investigation, as well as an explanation as to why the hit is considered relevant.
Other interesting stories