Hands on a laptop screen displaying graphs

A Lawyer’s Guide to Data Preservation

A Lawyer’s Guide to Data Preservation

Synopsis
2 Minute Read

Newer hard drives in laptops and computers make it harder to recover deleted data, emphasizing urgency when seeking digital evidence.

Lawyers are typically the first people who get called when things go sideways. Therefore, it’s important you advise your clients wisely when it comes to data preservation and digital forensics.

The importance of timeliness

As mentioned in our previous article, A lawyers guide to digital forensics, when it comes to preserving evidence, the sooner the better. The quality of the evidence is directly related to how soon it is seized.

All too often, a digital forensics team member will receive a laptop that previously belonged to the employee of interest, but it has already been re-deployed to another employee for several months. Or a data breach was suspected but the server in question wasn’t taken offline and imaged until weeks or months later. By that time, all the interesting information (deleted data, log files, operating system artifacts) has either been overwritten by new data or purged by the operating system itself. This renders the device much less valuable as evidence, and often results in nothing useful getting extracted.

Solid state drives (SSDs) don’t retain a lot of deleted data

More and more, SSDs are being used in laptops and desktops, and with reason. They’re ten times faster than regular hard drives (magnetic spinning platter) and immune to magnetic fields, and shocks from being dropped. However, they become slower when the drive starts to fill up. To mitigate this, the industry has come up with a pair of complementary techniques called “trim” and “garbage collection” that erases so-called deleted data in the background while the device is being used. 

This results in faster overall performance because the operating system of the device doesn’t have to wait for an erase to occur before it writes new data – the erase has already happened in the background. The downside of this behaviour is that recovery of deleted data becomes difficult, if possible at all. See here and this article for more information on how it works and what can be done. The latter paper talks about some testing done where in some cases, absolutely no deleted data could be recovered.

To seize or not to seize

An average-sized SSD in a business laptop is about 256GB. When you factor in the size of Windows 10, Microsoft Office, and Adobe Acrobat, there’s not a lot of drive space left. This means that background garbage collection will start occurring relatively soon after a computer is deployed. If you suspect something is amiss, act quickly and decisively. If in doubt, consult with a forensic professional for advice and recommendations.

For more information, contact Ken Lew, Forensics and Litigation Support, at 778.309.4750 or [email protected].

Insights

  • Progress

    April 22, 2025

    A roadmap for passing the family dealership to the next generation

    For family-owned dealerships, passing ownership of the business to the next generation means considering more than just the financials.

  • Confidence

    Climate transition risk and financial institutions

    Canada's financial institutions are uniquely exposed to risk as domestic and global economies seek to address climate change. The results of a federal pilot project shed light on how the financial sector is responding, and the necessary steps to thrive in a net zero business environment.

  • Agility

    Three ways to create a more efficient practice with technology

    The Canada Digital Adoption Program (CDAP) can help your practice increase efficiency and overcome the barriers associated with digital transformation.