No Nonsense File Collection
Presented by: Pinpoint Labs
Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner
Members: The International Society of Forensic Computer Examiners

Session Objectives
• Understanding ESI Collection Methods
• Typical ESI Collection Mistakes
• Improve Vendor Selection
• Avoid Client System Modifications
• Common Problems with Existing Methods
• Demonstrate Automated Job Process Using One Click Collect
Custodial Collections: 3 Common ESI Collection Methods
• 'Drag and drop' (copying files by hand in the file manager)
  • Alters file timestamps and metadata
  • No chain of custody
  • Missed search results
• Hard drive imaging/cloning
  • Chain of custody
  • Retains file timestamps and metadata
  • Required for most forensic exams
• Remote collection
  • Creates either a full forensic image or a copy of the active files only
  • Can be remotely scripted
  • Custodians may perform "self collection"
Using the 'drag and drop' collection method is common, but it carries several risks.
Incomplete File Collections: 8 Common Reasons Evidence is Missed
Many active file collection processes don't:
• Hash-verify file contents
• Copy files in paths longer than 255 characters
• Log files that are in use (locked files are silently skipped)
• Easily apply settings across multiple jobs
• Handle Unicode filenames
• Handle network drops or extended outages
• Effectively resume interrupted file copies
• Identify all custodian systems and data sources
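Most of the pitfalls in this slide, together with the timestamp and chain-of-custody points from the previous one, can be demonstrated in a few dozen lines. The following is an added example written for this page; it is not One Click Collect or any other Pinpoint Labs code and does not reproduce how that product works. It is a small Python active-file collector that hash-verifies every copy, restores the custodian's timestamps on the copy, rewrites a per-file manifest after each file so an interrupted job resumes where it stopped, records unreadable (in-use) files instead of dropping them, and copies a non-ASCII filename and a relative path well over 255 characters. The manifest file name and the sample custodian tree are constructed for the demo; the `\\?\` long-path prefix is the standard Windows mechanism and is applied only when running on Windows, which the demo itself does not assume.

```python
import hashlib
import json
import os
import shutil
import sys
import tempfile
from pathlib import Path

MANIFEST = "collection_manifest.json"   # hypothetical log name chosen for this example
CHUNK = 1 << 20


def _np(p: Path) -> str:
    """Native path string. On Windows, the \\\\?\\ prefix lets copies exceed MAX_PATH (260).
    Python 3 str paths already carry Unicode names unchanged."""
    s = str(p)
    if sys.platform == "win32" and not s.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(s)
    return s


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(source: Path, dest: Path):
    """Copy every regular file under source to dest/files, verifying each copy by hash.
    The manifest is rewritten after every file, so a job killed by a network drop or
    reboot resumes: files already logged whose copy still matches the recorded hash are
    not copied again. Unreadable (locked, in-use) files are logged under "skipped".
    Returns (manifest, stats for this run)."""
    dest.mkdir(parents=True, exist_ok=True)
    mpath = dest / MANIFEST
    manifest = json.loads(mpath.read_text("utf-8")) if mpath.exists() else {"files": {}}
    manifest["skipped"] = []                      # retry anything an earlier run skipped
    stats = {"copied": 0, "resumed": 0, "skipped": 0}

    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        target = dest / "files" / src.relative_to(source)
        prior = manifest["files"].get(rel)
        if prior and target.exists() and sha256_file(_np(target)) == prior["sha256"]:
            stats["resumed"] += 1                 # already collected and verified
            continue
        try:
            st = src.stat()
            src_hash = sha256_file(_np(src))
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(_np(src), _np(target))
            # copyfile stamps the copy with "now"; put the custodian's timestamps back.
            os.utime(_np(target), ns=(st.st_atime_ns, st.st_mtime_ns))
            dst_hash = sha256_file(_np(target))
        except OSError as exc:                    # PermissionError is an OSError subclass
            manifest["skipped"].append({"path": rel, "error": f"{type(exc).__name__}: {exc}"})
            stats["skipped"] += 1
            continue
        if dst_hash != src_hash:                  # file changed mid-copy or copy corrupted
            manifest["skipped"].append({"path": rel, "error": "hash mismatch after copy"})
            stats["skipped"] += 1
            continue
        manifest["files"][rel] = {"sha256": src_hash, "size": st.st_size,
                                  "mtime_ns": st.st_mtime_ns}
        stats["copied"] += 1
        mpath.write_text(json.dumps(manifest, indent=1, ensure_ascii=False), "utf-8")
    mpath.write_text(json.dumps(manifest, indent=1, ensure_ascii=False), "utf-8")
    return manifest, stats


def build_sample_tree(root: Path) -> None:
    """Constructed sample custodian data, not real evidence: a non-ASCII filename, a
    relative path over 300 characters, and a file whose mtime is fixed at 2010-01-01 UTC."""
    deep = root.joinpath(*[f"subdirectory_with_a_deliberately_long_name_{i}" for i in range(7)])
    deep.mkdir(parents=True)
    (deep / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (root / "Résumé - Jón.docx").write_bytes(b"constructed docx bytes")
    memo = root / "memo.txt"
    memo.write_text("constructed memo\n", encoding="utf-8")
    os.utime(memo, ns=(1_262_304_000_000_000_000, 1_262_304_000_000_000_000))


def demo() -> dict:
    """Collect the sample tree twice; the second run stands in for a resumed job."""
    work = Path(tempfile.mkdtemp(prefix="esi_"))
    source, evidence = work / "custodian", work / "evidence"
    build_sample_tree(source)
    manifest, first = collect(source, evidence)
    _, second = collect(source, evidence)
    files = evidence / "files"
    return {
        "files_logged": len(manifest["files"]),
        "first_run": first,
        "second_run": second,
        "longest_rel_path": max(len(p) for p in manifest["files"]),
        "mtime_preserved": (files / "memo.txt").stat().st_mtime_ns
                           == (source / "memo.txt").stat().st_mtime_ns,
        "hashes_verified": all(sha256_file(_np(files / rel)) == rec["sha256"]
                               for rel, rec in manifest["files"].items()),
        "skipped": manifest["skipped"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner should keep in mind. First, this is an active-file collection: it reads the live source, which on many systems updates the source file's access time, and it cannot see deleted, slack or unallocated data, so it is no substitute for the imaging method on the previous slide when those matter. Second, the hash mismatch branch is what catches a file that changed between the source hash and the copy (a document still open in an application, for example); such files end up under "skipped" with a reason rather than silently entering the evidence set, and a later run retries them.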
Custodial Collections: Potential Data Sources
• Hard drives
• Servers
• Backup media
• Email servers
• Other hard drives and email servers in the organization
• Outside recipients (hard drives, servers, backups)
• Laptop computers
• Home computers
• USB drives, CDs, DVDs
• Cell phones, smart phones, PDAs
• GPS devices
Court Recognized Sources
Sources ranked from most accessible to least accessible for purposes of e-evidence discovery:
• Active, online data [on hard drives or active network servers]
• Near-line data [on removable media, optical disks or magnetic tape]
• Offline storage/archives [on offline removable media]
• Backup tapes [not organized for retrieval of individual files]
• Erased, fragmented, or damaged data [tagged for deletion, but may still exist]