CEDS Domain 3: Collection - Complete Study Guide 2027

Understanding Collection in E-Discovery

Domain 3 of the CEDS certification focuses on Collection, a critical phase in the Electronic Discovery Reference Model (EDRM) that bridges preservation and processing. Collection involves the systematic gathering of electronically stored information (ESI) from various sources while maintaining data integrity, chain of custody, and defensibility. This domain tests your understanding of collection methodologies, technologies, and best practices that ensure legally sound data acquisition.

The collection phase is where theory meets practice in e-discovery. Unlike CEDS Domain 2: Identification and Preservation, which focuses on locating and protecting data, Domain 3 deals with the actual acquisition of ESI from its original locations. Understanding collection is essential for anyone preparing for the CEDS exam, as it represents one of the most technically complex areas covered in the complete guide to all 11 CEDS content areas.

Collection activities must balance competing demands: thoroughness versus efficiency, forensic integrity versus practicality, and completeness versus proportionality. The Federal Rules of Civil Procedure and international discovery standards require collection to be reasonable, proportionate, and defensible, making this domain particularly important for legal professionals and e-discovery practitioners.

Collection Planning and Strategy

Effective collection begins with comprehensive planning that considers scope, methodology, timeline, and resource requirements. Collection planning requires understanding the case requirements, data sources, technical constraints, and legal obligations. This strategic approach ensures efficient resource utilization while maintaining defensibility.

Scope Definition and Data Mapping

Collection scope defines what data will be collected, from which sources, and within what timeframes. Data mapping identifies all potential sources of relevant ESI, including servers, workstations, mobile devices, cloud applications, and backup systems. This process often involves collaboration between legal teams, IT departments, and external vendors.

Data Source Type	Collection Method	Key Considerations
Email Systems	Live collection, backup restoration	Metadata preservation, deduplication
File Servers	Forensic imaging, logical collection	Volume size, network impact
Workstations	On-site imaging, remote collection	Business disruption, user access
Mobile Devices	Physical extraction, logical acquisition	Device encryption, app data
Cloud Services	API collection, export tools	Access permissions, data completeness

Collection Methodology Selection

Choosing appropriate collection methods depends on factors including data volume, source accessibility, business impact, and defensibility requirements. Forensic collection provides maximum data integrity but may be unnecessarily complex for routine matters. Logical collection offers efficiency but may miss deleted or system-level data.

Forensic Collection Methods

Forensic collection creates bit-for-bit copies of storage media, preserving all data including deleted files, system artifacts, and metadata. This method provides maximum defensibility but requires specialized tools, expertise, and significant time investment. Understanding when and how to employ forensic collection is essential for CEDS candidates.

Disk Imaging and Physical Acquisition

Disk imaging creates exact copies of hard drives, solid-state drives, and other storage media. Physical acquisition captures every sector of the storage device, including unallocated space where deleted data may reside. This method requires taking systems offline, which can impact business operations but ensures data completeness.

Modern forensic imaging tools create hash values (MD5, SHA-1, or SHA-256) that verify image integrity and provide cryptographic proof that collected data remains unchanged. These hash values become critical evidence in litigation, demonstrating collection defensibility.

Live System Collection

Live collection gathers data from running systems without taking them offline. This approach minimizes business disruption but may miss certain system artifacts or risk data alteration during collection. Live collection is particularly important for servers that cannot be taken offline or systems with full-disk encryption that would be inaccessible after shutdown.

Network-Based Collection

Network collection involves gathering data over network connections rather than physical access to storage devices. This method is essential for geographically distributed environments and can be more cost-effective than on-site collection. However, network collection requires careful bandwidth management and may face security restrictions.

Remote Collection Technologies

Remote collection has become increasingly important as organizations adopt distributed work models and cloud-based systems. These technologies enable collection from devices and systems without physical access, expanding collection capabilities while reducing costs and timeline pressures.

Agent-Based Collection Systems

Software agents installed on target systems enable remote collection with varying degrees of automation. These agents can perform targeted collection based on search terms, date ranges, or file types, reducing the volume of collected data while maintaining defensibility. Agent-based systems also provide detailed logging and chain of custody documentation.

Advanced agent-based systems offer features like de-duplication, encryption, and bandwidth throttling. These capabilities make remote collection practical even for large-scale matters or organizations with limited IT resources.

Cloud Collection APIs and Connectors

Application Programming Interfaces (APIs) provided by cloud service providers enable direct collection from platforms like Microsoft 365, Google Workspace, and Salesforce. API collection often provides more complete data than user-initiated exports, capturing metadata and system information that may not be visible through standard user interfaces.

Mobile Device Collection

Mobile device collection presents unique challenges due to device diversity, operating system variations, encryption implementations, and app-specific data storage. The proliferation of mobile devices in business communications makes this collection type increasingly important for e-discovery practitioners.

iOS Device Collection

Apple iOS devices present particular challenges due to strong encryption and locked ecosystems. Collection methods include iTunes backups, iCloud data extraction, and specialized forensic tools. The choice of method depends on device model, iOS version, passcode status, and available time for collection.

iOS collection often requires understanding of keychain data, app sandboxing, and Apple's security architecture. Recent iOS versions have implemented additional security measures that may limit collection capabilities, making it essential to stay current with mobile forensics developments.

Android Device Collection

Android devices offer more collection options due to the open-source nature of the operating system, but this diversity also creates complexity. Collection methods range from simple ADB (Android Debug Bridge) commands to sophisticated forensic tools that can bypass security measures.

Android collection must account for manufacturer customizations, different Android versions, and varying security implementations. Root access may be necessary for complete data extraction, but this process can be complex and may void device warranties.

Application Data Collection

Modern mobile communication increasingly occurs within applications rather than traditional SMS or email. Collecting data from messaging apps like WhatsApp, Slack, or Signal requires specialized techniques and may face encryption challenges. Understanding app data storage locations and extraction methods is crucial for comprehensive mobile collection.

Cloud and SaaS Data Collection

Cloud and Software-as-a-Service (SaaS) data collection has become a dominant concern in modern e-discovery. Organizations increasingly store critical business data in cloud platforms, making effective cloud collection essential for comprehensive discovery. This collection type requires understanding of various platforms, APIs, access methods, and data export capabilities.

Microsoft 365 Collection

Microsoft 365 represents one of the most common cloud platforms requiring collection in e-discovery matters. The platform includes Exchange Online, SharePoint, OneDrive, Teams, and other applications, each with distinct data structures and collection requirements. Effective M365 collection requires understanding of both native eDiscovery tools and third-party collection platforms.

Microsoft's compliance tools provide some collection capabilities, but third-party solutions often offer more comprehensive metadata preservation and better integration with downstream processing tools. Understanding the trade-offs between native and third-party collection methods is important for CEDS exam preparation.

Google Workspace Collection

Google Workspace presents different challenges and opportunities compared to Microsoft 365. Google's architecture and data storage methods require specialized collection approaches. Google Vault provides basic collection capabilities, but comprehensive collection may require Google's APIs or specialized third-party tools.

Multi-Tenancy and Data Sovereignty

Cloud collection must address multi-tenancy concerns where multiple organizations share infrastructure, and data sovereignty issues where data location affects legal requirements. These considerations become particularly important in cross-border discovery scenarios.

Collection Challenges and Solutions

Real-world collection faces numerous challenges that test practitioners' technical knowledge and problem-solving abilities. The CEDS exam includes scenario-based questions that require understanding of these challenges and appropriate solutions.

Encryption and Security Obstacles

Encryption has become ubiquitous in modern computing, presenting ongoing challenges for data collection. Full-disk encryption, file-level encryption, and application-specific encryption may prevent or complicate collection efforts. Understanding various encryption types and potential solutions is crucial for effective collection.

BitLocker, FileVault, and similar full-disk encryption systems require recovery keys or user passwords for access. Collection planning must account for obtaining necessary credentials or keys before beginning collection activities. In some cases, live collection may be the only option when encryption keys are not available.

Legacy System Collection

Many organizations maintain legacy systems with obsolete hardware, software, or data formats. These systems may contain relevant ESI but present unique collection challenges. Legacy collection may require specialized hardware, vintage software, or data conversion processes.

Large Volume Management

Modern data volumes can overwhelm collection processes and downstream systems. A single user mailbox might contain millions of items, while file servers can hold terabytes of data. Effective collection must balance completeness with practicality, often requiring targeted collection strategies.

Data Volume	Collection Approach	Time Estimate
< 100 GB	Standard imaging/logical collection	1-2 days
100 GB - 1 TB	Targeted collection, filtering	3-7 days
1-10 TB	Distributed collection, processing at source	1-3 weeks
> 10 TB	Advanced filtering, sampling strategies	3+ weeks

Collection Validation and Verification

Collection validation ensures that gathered data is complete, accurate, and defensible. This process involves technical verification of data integrity and procedural confirmation that collection methods meet legal standards. Validation activities provide the foundation for defensible discovery processes.

Hash Value Verification

Cryptographic hash values provide mathematical proof of data integrity throughout the collection process. MD5, SHA-1, and SHA-256 algorithms create unique fingerprints for collected data. Matching hash values between source and collected data demonstrate that no alteration has occurred.

Hash verification should occur at multiple stages: initial collection, transfer processes, and long-term storage. Documentation of hash values and verification procedures becomes part of the collection chain of custody.

Completeness Testing

Completeness testing verifies that collection captured all intended data sources and met scope requirements. This process might involve item counts, date range verification, or sample testing of collected data. Completeness testing helps identify collection gaps that might require additional collection activities.

Chain of Custody Maintenance

Chain of custody documentation tracks who handled collected data, when transfers occurred, and what security measures protected data integrity. This documentation becomes critical evidence in litigation and must be maintained throughout the entire e-discovery process.

Modern collection tools often provide automated chain of custody logging, but practitioners must understand the requirements and ensure proper documentation. Chain of custody requirements may vary by jurisdiction and case type.

Domain 3 Exam Preparation Tips

Success on Domain 3 questions requires both theoretical knowledge and practical understanding of collection processes. The CEDS exam includes scenario-based questions that test your ability to apply collection concepts to real-world situations.

Focus your preparation on understanding the decision-making process for collection method selection. Questions often present scenarios requiring you to choose appropriate collection approaches based on factors like data volume, source type, business requirements, and defensibility needs.

Key Study Areas

Prioritize these areas when preparing for Domain 3 questions:

• Collection method selection criteria and trade-offs
• Forensic imaging processes and hash verification
• Mobile device collection challenges and solutions
• Cloud and SaaS collection approaches
• Chain of custody requirements and documentation
• Collection validation and verification procedures
• Remote collection technologies and limitations
• Encryption challenges and potential solutions

Practice with realistic scenario-based questions that mirror the CEDS exam format. Understanding how to apply collection concepts to specific situations is more valuable than memorizing technical details.

The comprehensive CEDS study guide for first-time success provides additional preparation strategies and connects Domain 3 concepts with other exam areas. Understanding these connections helps with questions that span multiple domains.

Practice Question Focus Areas

Domain 3 questions typically focus on practical decision-making scenarios rather than purely technical details. Expect questions about:

• Choosing between forensic and logical collection methods
• Addressing collection challenges like encryption or legacy systems
• Validating collection completeness and integrity
• Managing collection in distributed or cloud environments
• Balancing collection thoroughness with proportionality requirements

Review sample scenarios and practice explaining your reasoning for collection decisions. This approach prepares you for the exam's emphasis on practical application of collection principles.

Frequently Asked Questions