PRO Partners

Optimizing ESI Investigations: Effectively unlocking the mysteries buried in electronic documents

Tracy DrynanWhere to start? That is the nagging question facing those tasked with managing a modern investigation involving electronically stored information (ESI). Gone are the days when an ESI investigation simply meant having the IT Department run a rash of search terms across the enterprise email system and farming the results out to a cadre of reviewers for a “quick” three- to six-month turnaround.

Today, data and device proliferation demands anticipatory planning as well as careful and thorough execution to ensure that all means of electronic evidence will be available and accessible, particularly in view of the continuing transition to a predominantly remote workforce driven by the global COVID-19 pandemic.

And the heightened global regulatory environment, as well as the economic pressures of modern litigation, are constantly constricting the window of time available to diligently interrogate the data and locate the critical evidence – mandating the utmost efficiency.

To answer the prefatory question, lets look at a roadmap for managing these practical constraints and optimizing modern ESI investigations to achieve results quickly, efficiently and effectively. It begins with observing how a remote workforce is affecting data proliferation, the need to examine now, corporate information governance, and identifies how both empower ESI investigations. 


The Not so New but Now Pervasive ‘Normal’: Remote Teams

It’s difficult to address the components of a successful ESI investigation without acknowledging the elephant in the digital room: the impact of remote work on the form, frequency, location, and ability to collect novel (and more frequently used) forms of data. Corporate data is simply living and proliferating in new spaces. While remote work is not a new trend(1), the increased requirement for remote teams is a new experience. Prior to the pandemic, organizations embracing the growing trend of remote work have had the benefit of analyzing the tools supporting remote work, both in their utility and security, as well how to incorporate this change into corporate policies. Organizations embracing remote capabilities after the pandemic have not had this luxury.  

The pandemic resulted in a fast and furious assembly of capabilities enabling organizations to continue “business as usual.” This new culture of remote working required organizations to identify applications, resources, and novel data architectural environments to continue operating as close to normal as possible. As a result, organization are now experiencing:

  • heavy adoption of collaborative applications such as Skype, Slack, Zoom, Teams, Hipchat, and Figma; 
  • increased demand for laptops at a time when supply is limited, resulting in an increased reliance on employee-owned, personal devices(2);     
  • orchestration of remote access to corporate devices physically located in corporate spaces (via VPN, Citrix, etc.); and, 
  • higher productivity and utilization rates(3) resulting in increased corporate-wide polices supporting prolonged(4) or permanent remote work(5)

The equation, outlined above, leads to a need to revisit corporate policies addressing the use of personal devices, expectations of privacy, security, and, in the world of ESI accessibility, collectability, and reviewability of sources of data, heretofore not utilized as heavily as they are today.

Oft Undervalued yet Critical Corporate Need to Update Policies: Information Governance (IG)

Implementing information governance for any organization is a monumental task. Yet, information governance empowers an organization to easily assess the location, form, accessibility and, for purposes of litigation or regulatory investigations, understand possession, custody, and control (PCC). 

More than six months into the new pervasive normal of remote workforces, the time is ripe to take a moment, not available earlier this year, to examine corporate policies and practices addressing the more prolific use of cooperative applications and personal devices for corporate purposes.


With the change in corporate remote culture, organizations ought to consider incorporating the following into efforts to update policies, procedures, and data mapping:

  • Do polices include the increased use of personal devices and social forums? 
  • Do policies affirmatively address whether employees are allowed to store corporate data on personal devices?
  • Do policies address who owns corporate data stored on personal devices?
  • Do polices address expectation of privacy when using social forums or personal devices? 
  • Do corporate administrators, IT directors and more, understand where corporate data is generated and stored? Does the organization have PCC over this data? If so, does the organization understand how to collect, properly, this data?

Why is this important now, more so than ever? Remote work has forced corporations to embrace a communication paradigm unlike any before the pandemic: social forums and a heavy reliance on personal devices. Collaborative communications applications are not novel, per se. What is novel is the more prolific use of these communication forums, necessitating a deeper understanding of the programing supporting these applications, user ability to share content, use of emojis, and even injection of more personal and private conversations in work related channels. 

The importance this has for any thorough ESI investigation is appreciating the growing importance of these data repositories as they begin to capture more critical information and communications than traditional email. Conducting information governance hygiene, assessing ability, ease, and access to these growing data repositories will only serve to save time and effort in identifying these data sources-- while also improving internal ability to collect this data, understanding how the underlying metadata differs from traditional email sources.  

Components of an Optimized ESI Investigation – The Hunt

Conduct Investigative Collection of Data

Investigations are characterized by a hunt for intelligence - actionable intelligence. Investigations, whatever the impetus, require the ability to target strategically those data sources that can either confirm, or disabuse, the organization of any notion of wrongdoing. Needing to identify the sources of any evidence of wrongdoing or prove the negative does not require a shock and awe approach to data collections; it does, however, require an analysis of where informative data resides and an ability to collect this data and cast a strategic, not wide, net.  That is where a thorough and detailed information governance protocol to support this strategic investigative collection with speed and accuracy. The hunt for actionable intelligence begins with the identification of data sources that enables an organization to determine risk, liability and more.  


If a robust programmatic approach to a corporate information governance endeavor, ahead of any investigation, is not feasible, then an investigative collection strategy-- capable of identifying data sources, including non-email sources--is essential. 

This means looking beyond email, the traditional initial go-to source for communications or evidence of wrong-doing and recognizing that, in light of the pandemic, as well as the habits of a younger workforce, email is not the only immediate source of evidence, or lack thereof, that confirms or refutes any suspicion of questionable behavior. Therefore, the investigative collection strategy aims to probe custodians and employees regarding how they use data outside of email. From there, determine what may be outside the normative protocols of an organization that, nevertheless, may be probative and/or later imputed to be within the PCC of an organization, despite a lack of immediate awareness of this data repository. The location of the richest and most damaging communications outside of email will only increase.  

Connect New Data Repository Collection, Processing, and Analysis Capabilities 

An investigation, going forward, will require the collection of novel sources of data that have yet to receive the guidance of industry standards, in contrast to now traditional sources such as email, PDFs, Word documents and more. Therefore, it is critical to work closely with collections and processing teams as well as those managing database analysis applications to address the differences between traditional sources of data and those not commonly collected though now, due to the pandemic, used more frequently.

An Investigation is a Hunt – not a review.  Develop an Empowered Strike Team for an Investigation

An investigation is not a document review, as is employed during efforts related to productions of data, though both can occur simultaneously. Investigations are marked by a temporal sensitivity, time constraints, and a requirement to sleuth out the nuances connecting initially unrelated communications or documents that become evidence and clues. A review often compartmentalizes pieces of “clues,” robbing a collective team of any ability to stitch together the factual pattern, as each clue is segregated from its relative. Investigations require a strike team of individuals capable of living and breathing the data, for days on end, collectively examining each clue and not dismissing any crumb as not informative – in real-time.  This means empowering the team to collectively pour through available data en masse without any constrictions. 

A strike team conducting evidentiary hunting is a small team of individuals capable of committing time to the data and the questions requested thereof, communicating frequently and identifying the clues. For instance, identifying whether something nefarious occurred or uncovering the “unknown unknowns.” Communication and the ability to live within the data is essential to enabling the team to become the ‘data whisperer’ capable of stitching together the evidence held by the data set.  

Leverage Analytics Tools – without Losing Sight of the Value of the Team

Analytics software offers a wealth of capabilities for analyzing data and supporting an investigation.  Communications analytics are often critical in identifying early on the behavioral patterns of individuals that prove critical in an investigation. These are often an immediate go-to analysis to uncover personal email or pseudonym email accounts critical to uncovering personal, financial, or marital stressors that are either central to or prove informative in an investigation. 

Timeline histograms are also a powerful tool for identifying when key players communicate, when communications lag, or even when they simply do not exist.  This is often powerful in developing a behavioral analysis of key individuals that informs when an individual acts out of character – which may raise additional questions. 

A key point: Every data set responds differently to the tools available in a toolbox, and that includes the addition of collaborative data to the larger corpus subject to an investigation (e.g., Teams with multiple contributors). Additionally, any investigation should not lose sight of one of the most powerful tools used during an investigation: the team. The team will be the first to identify where an analytics tool, while utilized in a prior investigation, may not be the appropriate tool in a current investigation. Additionally, a skilled team will be able to identify and overcome any analytical challenge experienced with new data sources that do not fit into the existing data analysis paradigm.  

Successful investigations, collecting the actionable intelligence, consist of several key elements: an access to key information, an understanding of data characteristics, use of an organized strike team, and experience in the uses and limitations of available analytics tools. Revisiting information governance protocols—including updating polices--enables an organization to assess its current capabilities, know its data repositories, and identify challenges in collecting data from applications used more frequently today.  Crafting investigative collections strategies and enabling a strike team for investigations is critical to identifying actionable intel that will enable organizations to develop strategic responses to any need for an investigation- even in today’s remote work environment.

1 - U.S. Bureau of Labor and Statistics (last modified June 25, 2020) Table 6. Employed persons working at home, workplace, and time spent working at each location by full- and part-time status and sex, jobholding status, and educational attainment, 2019 annual averages. Retrieved from
2 - Graham, Jefferson. (Aug. 25, 2020) Another pandemic shortage: What to do if you can't find a laptop? Retrieved from
3 - Westfall, Chris. (May 20, 2020) New Survey Shows 47% Increase In Productivity: 3 Things You Must Do When Working From Home. Retrieved from
4 - Siemens. (July 16, 2020) Siemens to establish mobile working as core component of the “new normal”. Retrieved from
5 - Britton, Diana. (April 30, 2020) Nationwide to Make Remote Work Permanent for Some. Retrieved from

Tracy Drynan - senior consultant, OpenText - leads the Recon Investigation team at OpenText™. She has extensive experience across the eDiscovery lifecycle, including 12 years conducting and managing investigations, interpreting Requests for Information and Complaints to identify sources of relevant information, developing strategies for targeting and gathering data, performing custodial interviews, and managing information collection. Prior to joining OpenText, Tracy was a senior attorney with Drinker Biddle & Reath LLP.  

Copyright © 2023 Legal IT Professionals. All Rights Reserved.

Media Partnerships

We offer organizers of legal IT seminars, events and conferences a unique marketing and promotion opportunity. Legal IT Professionals has been selected official media partner for many events.

development by