Forensics vs. Ediscovery

Tuesday, 29 September 2009 07:34 by slkatz
There are a lot of posts around the web on the differences between Computer Forensics and Ediscovery. I've spent a lot of time thinking about this, and it seems to me that there are clear areas of difference - most forensics involves in-depth analysis of one hard drive. Ediscovery usually involves readily available information across networks or groups of custodians.

But I'm really having trouble with the way that documents are collected for Ediscovery much of the time. When I do a forensic collection, I take several carefully documented steps to ensure the authenticity of what I collect and to maintain the chain of custody. Ediscovery often involves the undocumented, non-forensic collection of loose files and emails. If someone gives me a Word document that they simply copied onto a thumb drive, it may have the OLE data, but I've lost any meaningful file system or operating system data; I can't verify the times on the documents, and there isn't much that can be done with it forensically.
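
As an added illustration (not from the original post, and not the author's own collection procedure), the following Python records a file's hash and file system timestamps in a manifest at collection time, then shows that a plain copy no longer carries the source's modification time. The function names, manifest fields, collector label, and sample file are assumptions constructed for the example.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def collect(src, dest_dir, collector, manifest_path):
    """Copy src into dest_dir and append a custody record to the manifest."""
    st = os.stat(src)  # read timestamps first: hashing the file may update atime
    record = {
        "source_path": os.path.abspath(src),
        "size": st.st_size,
        "modified_utc": iso(st.st_mtime),
        "accessed_utc": iso(st.st_atime),
        "ctime_utc": iso(st.st_ctime),  # inode change on Unix, creation on Windows
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": sha256_file(src),
    }
    dest = os.path.join(dest_dir, os.path.basename(src))
    shutil.copyfile(src, dest)  # content only, like a drag-and-drop copy
    record["dest_path"] = dest
    record["sha256_copy"] = sha256_file(dest)
    record["verified"] = record["sha256_source"] == record["sha256_copy"]
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(record, sort_keys=True) + "\n")
    return record

def demo():
    # Constructed sample: a small file whose times are set to September 2009.
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "memo.doc")
        with open(src, "wb") as f:
            f.write(b"constructed sample document body")
        os.utime(src, (1254200000, 1254200000))
        out = os.path.join(work, "evidence")
        os.mkdir(out)
        rec = collect(src, out, "examiner-01", os.path.join(work, "manifest.jsonl"))
        return rec, os.stat(rec["dest_path"]).st_mtime

if __name__ == "__main__":
    rec, copy_mtime = demo()
    print(json.dumps(rec, indent=2), "\ncopy mtime:", iso(copy_mtime))
```

The copy's content hash matches the source, but its modification time is the time of the copy; only the manifest preserves what the source file system reported.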
