Forensic Analysis and E-discovery Complexities in Cloud-Based Investigations

The corporate transition to the cloud continues to present significant, continually evolving challenges for discovery in disputes and investigations. The majority of enterprise data now resides in expansive cloud-based environments, and productivity suites, such as Microsoft 365, promise robust discovery and compliance features. As a result, there has been a growing trend towards conducting data collection and preservation only from cloud stores, rather than using the traditional approach of broadly collecting data from central server-based sources, hard drives and custodian devices.  

While cloud-based collections and built-in discovery features may offer the benefits of efficiency and convenience, they also bring the risk of incomplete collections or overlooked evidence, particularly given that shortfalls may not be immediately obvious within the platform or from its initial outputs.  

Moreover, files stored within cloud storage repositories can be shared as a cloud collaboration link, which serves as a pointer to access the file in situ (known as “cloud attachments” in the Microsoft environment). Using a link in place of traditional static document attachments — which are copied into the communication in question, such as an email or a chat message — dismantles established discovery concepts around document families and has introduced an array of technical and workflow issues into the e-discovery process.

Notably, courts have begun issuing opinions about how linked content is handled in the discovery process. In one case, the judge ruled that performing a “re-linking” exercise of matching linked content to its original message would cause undue burden.  

The ruling stated, “Given the potential technological challenges with producing linked documents in family relationships, the Court declines to order at this time that [Company] produce all linked documents referenced in relevant communications in family relationships.”

In an attempt to address this issue, Microsoft’s Purview eDiscovery (Premium) now provides an option for legal and IT teams to automatically retrieve files located across SharePoint and OneDrive repositories where an associated link is identified within communications (e.g., email and Teams chats/posts and replies) for users identified as in scope in an investigation. However, these features have a range of limitations and nuances that teams must address in order to ensure a defensible process.

Given the dynamic and complex nature of linked content — including the fact that a single cloud attachment is typically associated with multiple users, is stored in numerous versions, likely has variable levels of permissions for different users, and may have been deleted altogether since it was linked in a communication — there is a risk that automatic collections may not retrieve a wholly forensically sound set of data. Moreover, the anatomy of the linked content, including how links were generated, what they link to and how dynamic they are creates a tremendous amount of nuance in both how eDiscovery (Premium) collects or omits it, as well as how it is classified for document review purposes.  

In recent investigations, our team has performed testing on the current features within Microsoft’s Purview eDiscovery (Premium) offering compared to the Purview eDiscovery (Standard) features. Our findings from this testing are explained in a technical whitepaper here.  

As cloud-based productivity suites, collaboration platforms and file-sharing tools continue to see an upswing in enterprise adoption, legal and compliance teams will increasingly face challenges in e-discovery and investigations. To learn more about the technical issues and results of our team’s testing during active investigations, read Forensic Analysis and E-Discovery Complexities in Cloud-Based Investigations. 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.