Forensics vs. Ediscovery

Tuesday, 29 September 2009 07:34 by slkatz
There are a lot of posts around the web on the differences between Computer Forensics and Ediscovery. I've spent a lot of time thinking about this, and it seems to me that there are clear areas of difference - most forensics involves in-depth analysis of one hard drive. Ediscovery usually involves readily available information across networks or groups of custodians.

But I'm really having trouble with the way that documents are collected for Ediscovery much of the time. When I do a forensic collection I take several carefully documented steps to ensure the authenticity of what I collect and to maintain the chain of custody. Ediscovery often involves the undocumented, non-forensic collection of loose files and emails. If someone gives me a Word document that they simply copied onto a thumb drive, it may have the OLE data, but I've lost any meaningful file system or operating system data, I can't verify the times on the documents, and there isn't much that can be done with it forensically.
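The difference between a documented collection and a loose copy can be shown in a short script. This is an added example, not the author's collection procedure: it records the SHA-256 hash and modification time at the source before copying, with `shutil.copyfile` standing in for an undocumented loose copy; the file name, collector label and 2009 date are constructed.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash the file in chunks so large evidence files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def describe(path):
    """Content hash plus the file system timestamp visible at this location."""
    st = os.stat(path)
    return {"path": path, "size": st.st_size,
            "sha256": sha256_of(path), "mtime_ns": st.st_mtime_ns}

def collect(src, dest_dir, collector):
    """Record source metadata first, then copy and verify the copy's content."""
    entry = {"collector": collector,
             "collected_utc": datetime.now(timezone.utc).isoformat(),
             "source": describe(src)}
    dest = shutil.copyfile(src, os.path.join(dest_dir, os.path.basename(src)))
    entry["copy"] = describe(dest)
    entry["content_verified"] = entry["copy"]["sha256"] == entry["source"]["sha256"]
    return entry

def demo():
    """Constructed sample: a file last modified on 2009-01-15, then copied."""
    with tempfile.TemporaryDirectory() as src_dir, \
         tempfile.TemporaryDirectory() as thumb_drive:
        src = os.path.join(src_dir, "memo.doc")  # hypothetical file name
        with open(src, "wb") as f:
            f.write(b"constructed sample document body")
        old = datetime(2009, 1, 15, tzinfo=timezone.utc).timestamp()
        os.utime(src, (old, old))  # give the source an older modified time
        return collect(src, thumb_drive, collector="examiner-1")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest entry shows matching hashes but a new modification time on the copy, so only the record taken at the source preserves the original time.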


Easy Way to Read White Papers

Tuesday, 29 September 2009 07:33 by slkatz
There are an incredible number of really interesting white papers available free on the web that are great ediscovery and forensics resources.

Some of my favorite places to find them are:

http://www.guidancesoftware.com/resources-whitepapers.htm

http://www.craigball.com/articles.html

http://www.fiosinc.com/e-discovery-knowledge-center/electronic-discovery-whitepapers.aspx

http://www.applieddiscovery.com/ws_display.asp?filter=White%20Papers%20%26%20Fact%20Sheets

I hate reading white papers on my computer, and I hate printing them. My solution - I load them onto my Sony Reader or Amazon Kindle.

The Sony Reader accepts PDF documents in native format, but among Kindles only the Kindle DX does. Sometimes, though, the print is too small to read, so I often prefer to convert the PDF to formats for the Kindle or Sony Reader. I rarely read books on my Kindle DX, but it has become a portable library of Forensics and Ediscovery papers.
