Data Acquisition & Forensics DAF 101 The Oliver Group October 2012
Agenda
• About The Oliver Group
• The Data Acquisition Process
• Data Recovery
• Forensic Analysis
• The Cloud and Social Media
• Summary
• Q&A
Please email any questions, requests or information to DAF101@theolivergroup.com before, during or after the presentation.
Company Overview and Highlights
The Oliver Group provides focused expertise in helping clients navigate through the early stages of the electronic discovery process. For more than a decade, we have provided expert services in support of many high profile litigation and compliance related matters. Our clients include leading litigation support providers, law firms and corporations. With facilities in Connecticut (US) and London (UK) we offer the following services on a global basis:
Data Acquisition & Forensics Agenda
• Data Acquisition
  • Philosophy On-Site
  • The Interview Process
  • Scoping Process
  • Identifying Sources
  • On-Site or in conjunction with Remote Collections
  • Compliance with local/state/federal law (Safe Harbor certified)
  • Tools
• Data Recovery
  • Where does evidence reside?
  • Options
• Forensic Analysis
  • Tools
  • Options
• Cloud and Social Media
• Q&A
TOG Data Acquisition & Forensics
• Performed globally in a forensic and defensible manner.
• Typically this means deploying a team of experts on-site at the client's facility to collect data deemed discoverable.
• Over the years we have performed some of the largest and most complex data acquisitions, involving hundreds of custodians in multiple locations.
Philosophy On-site
• Adhere to strict chain of custody
• Minimally disruptive to the end user
• Acquisition Documentation
  • Drives, folders and files that have been acquired
  • The date, time, and location of the collection
  • Full path names
  • Where data has been transferred from & to
  • Quantity of data
  • Notes about the collection
Data Acquisition - Scoping
• Preliminary Questions:
  • Where does data reside?
  • Number of custodians?
  • Timeframe(s)?
  • Policies?
  • Imaging v. copying?
• IT Questionnaires
• Scoping Calls with TOG Subject Matter Experts
• Custodian Interview and Scheduling
• Collection Options
  • On-site
  • Remote
  • Supervisory
  • Combination
Data Acquisition – Identifying Sources
• Custodian PCs/Macs/Laptops
  • Office – Home – Mobile
• Server data collection
  • Email Servers
  • Network drives – home shares, departmental shares, project folders
  • Other – proprietary systems, SharePoint, tracking systems, etc.
• Tablets/Smart Phones/Cell Phones
  • Physical and Logical images
• Other Data sources
  • Backup tapes
  • Anything with a hard drive
  • Flash/thumb drives
  • CD/DVD
Data Acquisition - The Basics
• Forensic Capture
  • Utilize tools that maintain metadata
  • Consider scope and size of matter
• Forensic imaging
  • Bit-level copy
  • Never have to go back to the custodian’s PC
  • Logical, Deleted, Fragment Data
  • 2 copies: Preservation & Working
  • Required for forensic analysis
• Chain of custody
  • Detailed documentation
  • Custodian interviews
  • IT interviews
• Preservation
  • Critical for data under a legal/preservation hold that is at risk of spoliation or deletion
Data Acquisition Terminology
EVIDENCE DRIVE - Simply, the destination media, usually an internal or external hard drive, that will contain a “forensic copy” of the suspect’s media. This drive will be used to process data based on the specifics of the case.
SUSPECT DRIVE - The “original” source media or the custodian’s media.
BIOS - Basic Input / Output System (Date / Time) – Forensic engineers always QC the BIOS before capture to ensure that it is set to the real date and time, and to rule out time zone issues.
HASH VALUE - A signature generator is used to verify data integrity by generating a 32-bit (CRC) signature and one of the following: a 128-bit (MD5), 160-bit (SHA-1) or 256-bit (SHA-2) signature, a “fingerprint” of the seized and copied data.
FORENSIC IMAGE - A single container file with the complete contents and structure representing a data storage medium or device, such as a hard drive. A disk image file is usually created by making a sector-by-sector copy of the source media, ignoring its file system, and thereby perfectly replicating the structure and contents of a storage device.
PRESERVATION - According to the EDRM, ensuring that ESI is protected against inappropriate alteration or destruction.
IMAGE EXTRACTION - The process by which files are retrieved/extracted from a forensic image and copied to a desired location whilst maintaining original metadata. Image extraction puts all logical and fully recoverable deleted files into a format where they can be accessed, viewed, and processed without the use of forensic analysis software (FTK, EnCase, etc.).
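An added example (not from the deck or The Oliver Group's own tooling) of the hash-value and acquisition-documentation steps described on the Philosophy On-site and Terminology slides: one pass over an image computes the CRC32, MD5, SHA-1 and SHA-256 fingerprints, records them with the full path, UTC date/time, location and byte count, and later re-hashes the preservation and working copies to show whether they still match. The file names, location string and sample bytes are constructed for the demo.

```python
import hashlib
import io
import os
import shutil
import tempfile
import zlib
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB blocks so a multi-GB image never sits in RAM at once

def hash_stream(stream):
    """One pass over the data computing CRC32, MD5, SHA-1 and SHA-256 plus the byte count."""
    md5, sha1, sha256, crc, size = hashlib.md5(), hashlib.sha1(), hashlib.sha256(), 0, 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        crc = zlib.crc32(block, crc)
        for h in (md5, sha1, sha256):
            h.update(block)
        size += len(block)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest(), "bytes": size}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def acquisition_record(image_path, location, note=""):
    """Documentation entry: full path, UTC date/time, location, quantity of data and its hashes."""
    with open(image_path, "rb") as f:
        digests = hash_stream(f)
    return {"path": os.path.abspath(image_path), "location": location, "note": note,
            "acquired_utc": datetime.now(timezone.utc).isoformat(), **digests}

def verify_copy(copy_path, record):
    """Re-hash a copy and list every value that no longer matches the acquisition record."""
    with open(copy_path, "rb") as f:
        now = hash_stream(f)
    return [k for k in ("crc32", "md5", "sha1", "sha256", "bytes") if now[k] != record[k]]

def demo():
    """Constructed scenario: image a 'suspect' blob, make both copies, corrupt the working one."""
    with tempfile.TemporaryDirectory() as work:
        suspect = os.path.join(work, "suspect.dd")
        with open(suspect, "wb") as f:
            f.write(b"\x55\xaa" + bytes(range(256)) * 64)  # constructed bytes, not a real disk image
        record = acquisition_record(suspect, "custodian laptop, site A (hypothetical)")
        preservation = shutil.copyfile(suspect, os.path.join(work, "preservation.dd"))
        working = shutil.copyfile(suspect, os.path.join(work, "working.dd"))
        with open(working, "r+b") as f:  # flip one byte: every digest except the size must change
            f.seek(100)
            f.write(b"\x00")
        return verify_copy(preservation, record), verify_copy(working, record)
```

demo() returns an empty mismatch list for the untouched preservation copy and all four digests for the altered working copy, while the byte count alone would not have revealed the change.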
Data Acquisition Tools
• EnCase Forensic/FTK/etc.
  • Both working and preservation copies created
  • Software-based solutions
  • PC is used as “medium” for data transfer
• Image MASSter Solo & Logicube Talon
  • Captures working and preservation copies simultaneously
  • Hardware-based solutions
  • Creates DD or E01 images – can be extracted/read by forensic software tools
• Forensic Write-Block hardware
  • Write-protects suspect drive/original source data
• Dozens of other utilities – Media/Matter dependent
Data Recovery
Where does evidence reside?
• The logical file system
• The event logs
• The Windows Registry
• Application logs not managed by the Windows Event Log Service
• The swap files, which harbor information that was recently located in RAM
• Special application-level files, such as Internet
• Prefetch files
• Unallocated space, slack space
Data Recovery
Where else does evidence reside?
• Temporary files created by many applications
• The Recycle Bin (a hidden, logical file structure where recently deleted items can be found)
• The Printer Spool
• Sent or received email, such as the .PST files for Outlook Mail
• Slack space, where you can obtain information from previously deleted files that cannot otherwise be recovered
• Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters.
Data Recovery Options
• Active Files
  • Commonly referred to as Active/Logical Files (files not deleted)
• Deleted Files
  • Never overwritten – seen in the file system as unallocated space, seen in forensic tools as deleted
  • Can either be “restored” to their original location OR delivered separately from the logical files
• Deleted & Partially Overwritten Files
  • Rarely delivered to client – may be a small piece or a large portion of a file
  • Findings are reported
  • Requires forensic analysis to recover
Data Recovery/Forensic Analysis Tools
• Most common tools utilized – industry standard
• Guidance Software’s EnCase Forensic
  • Acquisition
  • Data Recovery
  • Data Carving
  • Data Culling / Methods to filter results - Searches “on the fly” or “on-demand”
  • Analysis
• AccessData’s FTK
  • Acquisition
  • Data Recovery
  • Data Carving
  • Data Culling / Methods to filter results - Data is indexed prior to searching
  • Analysis
Both offer similar capabilities; it is really the consultant’s choice to determine which tool works best for the job at hand.
Forensic Analysis Options
• Examine
  • Deleted Files
  • E-Mail
  • Internet Access / History
  • Search Terms
  • Search HASH Values
  • Header analysis
  • Specific software – e.g. wiping programs
  • Custodian behavior & trends
• Reporting
  • Chain of custody
  • Methodology
  • Findings
  • File Listings – USB attachments – etc.
  • Affidavits/Testimony
Cell phones/Blackberries/iPhones/PDAs/Tablets
Dozens of Manufacturers, Thousands of Models: Acer, Alcatel, Apple, ASUS, Audiovox, BenQ Siemens, Blackberry, Dell, Garmin, HP, HTC, Hyundai, i-mate, Kyocera, LG, Macintosh, MIO, Motorola, NEC, Nokia, O2, Orange, Palm, Panasonic, Pantech, Philips, POZ, Qtek, Sagem, Samsung, Sanyo, Sharp, Siemens, Sony Clie, Sony Ericsson, Telit, T-Mobile, Toshiba, UBiQUiO, VK Mobile
Cell phones/Blackberries/iPhones/PDAs/Tablets
• Acquisition Options
  • Logical acquisition (full files)
  • Physical acquisition (bit by bit)
    • Can perform forensic analysis and image extraction
  • Both (custom – hybrid)
  • Neither
• Data Options
  • Simply, everything you can view when the antenna/signal is off
  • Call Logs
  • Text Messages
  • Emails
  • Pictures
  • Contacts
  • Memos/Notes
  • Other (Office files, application files, etc.)
• Manufacturer/Model dependent
  • Dependent on the Operating System of the device
  • Some devices have their own tools for logical collection
  • Some providers lock down items such as text messages
  • Passwords/Encryption
Cloud and Social Media Based Collections
The Oliver Group has extensive experience acquiring data from internet-based applications such as:
In Summary
• Need qualified EXPERTS
• Administrative Collection Process JUST AS IMPORTANT as Technical
• Testify to end-to-end process
• Established, Defensible and Generally Accepted
• Objective View Point (Supervisory or Deployed Team)
Q&A