e-Discovery Processing

 

Forensic Data Acquisition

The Oliver Group (TOG) assists clients in developing and executing comprehensive, efficient and forensically sound data acquisition efforts, ensuring optimal return on investment. The technologies maintained by TOG represent the best-of-breed tools available on the market and custom capabilities developed internally to meet specific technical needs. TOG’s seasoned engineers are highly qualified; they possess years of practical experience and are certified professionals. All collection projects are approached as unique endeavors to which TOG applies the most suitable human and technical resources in an effort to yield a high-quality, defensible work product on an international scale.


What are some potential targets for data acquisition?

Electronically stored information can exist in a variety of different physical and logical locations within an infrastructure or custodian workspace.

  • Physical Devices: desktops, laptops, servers, mobile devices, tablets, network equipment, phone systems, USB storage devices, enterprise class storage systems, backup media, security appliances, alarm systems, surveillance equipment, previously deployed iterations of the above
  • Logical Systems: email platforms, document management systems, cloud-based resources, file storage services, file transfer systems, off-site hosted services, web-based applications, databases, system backups

 

What types of evidence may exist on acquisition targets?

Evidence could be located in many places, on many different types of media and systems. It is critical to tie this information to an understanding of the exact nature of each matter in an effort to identify the best sources of responsive data and define the most appropriate acquisition protocol. The following represent some of the artifacts that may exist within an acquired data set:

  • Active files from within a logical file system
  • Deleted full files from within unallocated space
  • Fragments of files that have been partially overwritten from within slack or unallocated space
  • Information related to the operating system and applications loaded on a device
  • Configurations and user activity information from the Microsoft Windows Registry or other operating system files
  • Logon information
  • Data residing within the system swap file
  • Internet history for multiple web browsers and cloud-based products
  • Lists of most recently used files
  • Network drive mappings
  • USB device use (external storage media, peripherals, etc.)
  • Evidence of any mass data copies
  • Information related to drive wiping activities
  • Temporary files created by various applications
  • Information indicating when applications were utilized
  • Microsoft Windows Recycle Bin activities
  • Print spooler information
  • LNK files pointing to things like actively used files, applications or external storage locations
  • Local archived or active email files (MBOX, EML, PST, MSG, etc.)
  • Chat history for a number of products
  • Apple Mac OS or Linux specific forensic artifacts
  • Evidence specific to mobile devices, such as call logs, SMS messages, MMS messages, mobile Internet history, location related information, chat data within 3rd party applications, etc.

Each piece of evidence may or may not exist on a specific piece of media or device. In a like manner, each piece of evidence may or may not apply to a specific matter. As such, it is critical to have experts who can provide not only the pre-sales and on-site technical experience needed to select an appropriate, defensible collection methodology but who can also explain, in user-friendly terminology, the downstream benefit to each acquired item. The ability to offer all of this in a cost-conscious framework is one of the core competencies of TOG.


Data Acquisition & Forensics - The Basics (Global On-site and Off-site capabilities)


The following provides an overview of the key considerations and some common terminology often associated with the data acquisition process.

Forensic Capture

  • The use of specialized hardware and software to acquire data in a generally accepted, defensible manner that maintains integrity and key information, such as file metadata.
  • Not every forensic capture requires a full forensic image to be created.
  • Data integrity is validated using commonly applied file hashing processes to confirm that the source and destination data sets reflect a perfect match.
  • Consider cost containment vs. risk mitigation when deciding on the capture methods. Unless absolutely certain, it is often advisable to collect more data than less, within reason, to prevent the need for additional collection efforts at a later date.

Forensic Imaging

  • The acquisition of a forensic image typically involves the creation of a bit-level copy of an entire piece of storage media or device.
    • The bit-level copy method captures active files and any recoverable deleted files, as well as file fragments. This is the most comprehensive method of acquiring all available data from storage media.
    • This approach also eliminates the need for future collections from the same device.
    • This method is required for the execution of a proper forensic analysis process.
  • As per TOG standards, a working and preservation copy of the media is created to protect the client from unintentional data loss due to drive failure.
  • Detailed acquisition documentation is maintained with information related to custodians, data sources, hardware identifiers, collection methods, and the process results.
  • Chain of Custody documentation is maintained for all evidence.
  • Documentation is developed for any custodian, legal or IT staff interviews that take place.

Targeted Approach

  • This method involves the identification of a subset of data located on a device or system for partial acquisition of a larger data set.
    • The data can be placed in a forensically sound container file to prevent unintentional spoliation of evidence.
    • As with forensic imaging, working and preservation copies of the data set are maintained.
    • This approach is recommended when the client is absolutely certain that the identified data contains everything required for processing and production related to a matter.
    • This approach also reduces the acquisition of unnecessary content that can drive-up processing and review costs.
    • This method does not allow for thorough forensic analysis or recovery of deleted items or file fragments.
  • Detailed acquisition documentation is maintained with information related to custodians, data sources, hardware identifiers, collection methods, and the process results.
  • Chain of Custody documentation is maintained for all evidence.
  • Documentation is developed for any custodian, legal or IT staff interviews that take place.

Remote Collection of Data

  • This approach allows for the collection of data from one-off custodians, or those in very remote locations, in an effort to minimize the impact of travel expenses on a project.
  • Remote collections are performed using a task-specific “Remote Collection Kit” that is sent to a custodian ahead of the collection process being executed.
  • The actual collection is performed by a highly-qualified TOG engineer using off-the-shelf screen-sharing technologies with session recording enabled (if requested). The custodian is only responsible for connecting a simple piece of physical hardware and then providing access to the engineer. Everything else is handled by TOG.
  • This method can be used for the creation of full forensic images or the acquisition of targeted data sets using the same defensible solutions employed for on-site collections.
  • With appropriate resources available on the client side, this method can also be used to collect data from enterprise-class resources, such as file and email servers.

Acquisition of Enterprise-class Systems

  • This involves the collection of data from systems such as Microsoft Exchange, Lotus Notes, Microsoft SharePoint, Documentum, etc.
  • The methods used to acquire enterprise-class systems will vary greatly depending on a number of factors including but not limited to the type of system, product version, available data access methods, data format and the availability of any native eDiscovery functionality.
  • TOG has extensive experience collecting data from a number of common and less common systems over the course of 18 years.
  • TOG maintains licensing for a number of specialized utilities that allow for forensically sound acquisition of data from a number of enterprise-class systems.

Mobile Device Acquisition

  • TOG has an array of tools that can be applied to meet the needs of nearly any mobile device acquisition request.
  • Some of the products employed by TOG come from reputable vendors such as Cellebrite, Oxygen Forensics, Paraben, and Katana Forensics.
  • TOG engineers are highly skilled and have years of experience in providing high-quality work products from each of these options.

Apple Device Acquisitions

  • TOG has a wide array of solutions aimed at addressing the unique challenges encountered when collecting data from Apple brand devices, including those running iOS and Mac OS X.
  • Some Apple devices require specific tools, hardware, software and encryption capabilities to allow for a successful and efficient device acquisition.
  • The acquisition of some Apple devices will only provide very specific results once the information is analyzed by an examiner.
  • Not all Windows-based utilities will properly handle Apple technologies thereby requiring that digital forensics engineers employ platform-specific technologies to make your project a success.
  • TOG has experience with Apple products that date back to pre-Mac OS X technologies.

Preservation vs. Selectiveness

  • Not all data that is collected will necessarily have to be processed or reviewed.
  • It is often more cost-effective to preserve more data during the primary collection effort than it is to be overly selective and risk the higher cost of re-collection at a later date.

Regardless of the scope or nature of your collection, TOG has the staff, methods, and experience required to develop a practical and streamlined protocol to meet your collection needs. Please feel free to reach out for a free consultation with our Sales Team.