The Modern Attachments Challenge – Data in the Cloud: Google Mail and Drive

Missing the critical version of a document can make or break a case. 

In today’s digital landscape, organizations rely heavily on cloud platforms such as Google Mail and Drive to create, share, and manage corporate information. These platforms support collaboration but add complexity when it comes to collecting data for investigations, legal matters, and Electronic Discovery. 

It is essential to gather accurate and comprehensive electronic evidence, as the changing nature of cloud-stored files, commonly called “modern attachments”, can result in missing versions, incomplete metadata, or compromised forensic reliability. 

Background – The Modern Attachments Challenge

Modern attachments refer to files stored and managed within cloud-based platforms, such as Google Drive, that are linked or referenced in communications (like emails) rather than being physically attached as static copies. Modern attachments exist as dynamic documents in the cloud, supporting features like versioning, collaborative editing, and real-time updates. This means that when a document is shared as a modern attachment, recipients may access the latest version, multiple historical versions, or even see changes as they occur, depending on their permissions and platform capabilities.

However, collecting a defensible record may require capturing not only the current version but also the complete revision history and associated metadata to ensure the integrity of the evidence. The seamless versioning feature has resulted in an increase in data. 

Testing Protocol and Evaluation Metrics

To identify a reliable and defensible collection methodology, our testing focused on data stored in Google Drive as modern attachments to Google Mail. We evaluated the use of Google’s built-in tools (e.g., Google Takeout, Google Vault) and other leading Forensic and eDiscovery tools on the market (i.e., Aid4Mail, Forensic Email Collector (FEC), Axiom Cyber).

The testing covered multiple scenarios for an attachment. Specifically, attachments were deleted, moved, and edited. It was also important to evaluate the ability to capture file details, revisions, permissions, and metadata at a specific moment.

A good result depends on the needs of the case, and tools and processes should be flexible enough to handle numerous scenarios. For example, a case may just need the contemporaneous version of an attachment to an email (i.e., the attachment originally sent with the email), the latest version, or all versions.

Findings

Our review revealed significant performance variances across the tested tools and strategies, particularly concerning historical file collection. FEC demonstrated the highest fidelity, capturing all revisions, the latest version, the actual attached version, and the complete revision history. Moreover, FEC organized this output in an auditable zip file, bundling the email and its attachments for seamless review.

In contrast, Google Vault and other tools collected the latest revision and associated metadata but did not natively capture earlier revisions. Retrieving older file versions via Google Vault requires a manual, time-intensive search-and-export process using specific version dates and time zone queries. Furthermore, Google Takeout proved unsuitable for legal purposes, as it entirely lacks support for collecting modern attachments or document revision history. Critically, we found that none of the tools preserved the original Drive folder path, and the collection scope was limited by permissions: recipients without edit access could access only the latest version, while those with edit access could access all revisions.
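
The version-date and time zone matching described above can be scripted once revision metadata has been collected. The following is an added example, not code from the original article or from any of the tested tools; it assumes revision records shaped like the Drive API v3 revisions.list response (id, modifiedTime) and an email Date header, and the sample values and the function name select_versions are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample metadata, shaped like Drive API v3 revisions.list items.
REVISIONS = [
    {"id": "r1", "modifiedTime": "2024-03-04T22:15:00.000Z"},
    {"id": "r2", "modifiedTime": "2024-03-04T23:10:00.000Z"},
    {"id": "r3", "modifiedTime": "2024-03-04T23:45:00.000Z"},
    {"id": "r4", "modifiedTime": "2024-03-06T09:00:00.000Z"},
]
# Constructed email Date header: 18:30 local time at UTC-5 is 23:30 UTC.
SENT = "Mon, 04 Mar 2024 18:30:00 -0500"


def to_utc(rfc3339):
    """Parse a Drive modifiedTime (RFC 3339) into an aware UTC datetime."""
    parsed = datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc)


def select_versions(revisions, sent_header):
    """Map an email's send time onto a file's collected revision list."""
    sent = parsedate_to_datetime(sent_header)
    if sent.tzinfo is None:
        # Comparing a zone-less send time with UTC revision times is unsafe.
        raise ValueError("Date header has no usable UTC offset")
    sent = sent.astimezone(timezone.utc)
    ordered = sorted(revisions, key=lambda r: to_utc(r["modifiedTime"]))
    if not ordered:
        raise ValueError("no revisions collected")
    at_send = [r for r in ordered if to_utc(r["modifiedTime"]) <= sent]
    return {
        "sent_utc": sent.isoformat(),
        # Last revision saved at or before the send time; None means the
        # collected history does not reach back far enough.
        "contemporaneous": at_send[-1]["id"] if at_send else None,
        "latest": ordered[-1]["id"],
        "edited_after_send": [r["id"] for r in ordered[len(at_send):]],
        "all": [r["id"] for r in ordered],
    }


if __name__ == "__main__":
    print(select_versions(REVISIONS, SENT))
    # A collection limited to the latest version cannot show what was sent.
    print(select_versions(REVISIONS[-1:], SENT))
```

A contemporaneous value of None is the signal to recollect with an account that can see the full revision history before relying on the file as the attached version.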

Conclusion

The scope of preservation is broad, and organizations generally have an obligation to retain all existing file versions that are potentially relevant to a legal matter. However, the obligation to produce every version is typically limited unless explicitly requested. The effective collection of modern attachments from Google Mail and Drive requires changes to traditional collection strategies. It is essential to use capable tools and a defensible collection process. Capable tools enable the automated collection of all revisions of attachments and cloud documents with organized and useful output. Less capable tools require manual effort to accurately reflect the original Drive structure and validate metadata integrity.

Gemean, a global consultancy, provides the highest standard of service for every investigation and legal matter. By drawing on deep multidisciplinary expertise in digital forensics and eDiscovery strategy, we develop comprehensive, defensible solutions.

Key Takeaways

  • Modern attachments are edited, moved, and deleted resulting in multiple versions. 
  • Access control is key as versions of attachments and files are only available with “Edit” permissions.  
  • Standard tools have limitations and cannot effectively capture all potentially relevant versions. Tools, such as Vault and Takeout, require resource-intensive, manual steps for historical data and thus are not practical for large collections.
  • Optimal collection requires a process and a capable tool to completely collect all the potentially relevant versions and metadata in a useable and organized output.

What is eDiscovery?

eDiscovery is the process of identifying, collecting and reviewing electronically stored information (ESI) like emails and cloud files for legal matters, now powered by AI for faster compliance.

It follows the EDRM model: identify/preserve data, collect securely, process, review, analyze, and produce for court.

AI automates review for relevance and privilege, handling first-pass work while humans oversee for accuracy and defensibility.

Expect increasing use of AI for document review with human oversight and quality control checks.

Use defensible processes and experienced professionals to meet ABA ethics and court standards.
