Handling Native Documents in Litigation and Investigations

Have you ever received native documents for a litigation matter or an investigation in one of the following ways: 

• On a USB hard drive or thumb drive 

• Attached to an email or forwarded as an email 

• Sent as a text message 

• Uploaded to an SFTP site 

Documents are important to a legal matter or investigation; it is important to consider the impact of the delivery method on document metadata. 

Why Source and Device Matter

When consulting clients on collection and forensic examination of documents, we frequently ask: 

Is this the source document? Is the device we are collecting from where the document was created? The answers to these questions determine whether its metadata (created, modified, or last accessed) is reliable.  

Whenever a document is interacted with—for example, opened, copied, moved, or transferred from one device or storage location to another—the integrity of the document may be impacted. Metadata may be modified, and file types may be converted during the transfer process. This can affect the defensibility of the evidence. 

Recommendations for Handling Native Documents 

To help maintain metadata integrity and defensibility, consider the following best practices: 

• Use a write-blocker when accessing documents provided on a USB hard drive or thumb drive. 

• Request forensic image files such as .AD1 files, or container files such as ZIP files, when collecting documents. 

• Engage with a digital forensics practitioner to ensure that document handling is defensible, efficient, and preserves critical metadata. 

By taking these steps, legal teams can protect the integrity of documents and ensure that the metadata remains reliable for litigation or investigations.