Hands on a laptop screen displaying graphs

A Lawyer’s Guide to Data Preservation

A Lawyer’s Guide to Data Preservation

2 Minute Read

Newer hard drives in laptops and computers make it harder to recover deleted data, emphasizing urgency when seeking digital evidence.

Lawyers are typically the first people who get called when things go sideways. Therefore, it’s important you advise your clients wisely when it comes to data preservation and digital forensics.

The importance of timeliness

As mentioned in our previous article, A lawyers guide to digital forensics, when it comes to preserving evidence, the sooner the better. The quality of the evidence is directly related to how soon it is seized.

All too often, a digital forensics team member will receive a laptop that previously belonged to the employee of interest, but it has already been re-deployed to another employee for several months. Or a data breach was suspected but the server in question wasn’t taken offline and imaged until weeks or months later. By that time, all the interesting information (deleted data, log files, operating system artifacts) has either been overwritten by new data or purged by the operating system itself. This renders the device much less valuable as evidence, and often results in nothing useful getting extracted.

Solid state drives (SSDs) don’t retain a lot of deleted data

More and more, SSDs are being used in laptops and desktops, and with reason. They’re ten times faster than regular hard drives (magnetic spinning platter) and immune to magnetic fields, and shocks from being dropped. However, they become slower when the drive starts to fill up. To mitigate this, the industry has come up with a pair of complementary techniques called “trim” and “garbage collection” that erases so-called deleted data in the background while the device is being used. 

This results in faster overall performance because the operating system of the device doesn’t have to wait for an erase to occur before it writes new data – the erase has already happened in the background. The downside of this behaviour is that recovery of deleted data becomes difficult, if possible at all. See here and this article for more information on how it works and what can be done. The latter paper talks about some testing done where in some cases, absolutely no deleted data could be recovered.

To seize or not to seize

An average-sized SSD in a business laptop is about 256GB. When you factor in the size of Windows 10, Microsoft Office, and Adobe Acrobat, there’s not a lot of drive space left. This means that background garbage collection will start occurring relatively soon after a computer is deployed. If you suspect something is amiss, act quickly and decisively. If in doubt, consult with a forensic professional for advice and recommendations.

For more information, contact Ken Lew, Forensics and Litigation Support, at 778.309.4750 or [email protected].


  • Performance

    May 27, 2024

    [Podcast] Navigating 2023’s forestry challenges and charting the course for 2024

    How can you chart your forestry company’s path forward in 2024? MNP’s Chris Duncan provides valuable insights on the Canadian Forest Industries (CFI) podcast.

  • Performance

    May 23, 2024

    Preparing Taxes 101: Claiming GST / HST

    Is your business able to claim the input tax credit on GST/HST? Discover who can make a claim, how to meet the conditions, and what expenses are eligible.

  • Progress

    May 22, 2024

    Is your family prepared for the unexpected?

    Is your family prepared for the unexpected? Learn how building a serious illness plan can provide continuity for your business and your family.