Post on 24-Jun-2020


Matt Danner, Flashback Data

Preservation Strategies and Data Collection from a Forensic Expert's Point of View

Best practices on executing preservation and administering collection protocols, with emphasis on forensically sound methods

● Webinars take place monthly and cover a variety of relevant e-Discovery topics

● If you have technical issues or questions, please email webinars@lexbe.com

● Lexbe webinars are available for viewing (streaming video), and downloadable as a PDF presentation or an MP3 podcast. This webinar and a complete listing of other on-demand webinars are part of the Lexbe eDiscovery Webinar Series

● For notices of future live and on-demand webinars as part of this series, please email us at webinars@lexbe.com or follow us on LinkedIn

eDiscovery Webinar Series


About our Webinars


We are an Austin, TX based eDiscovery software and services provider, specializing in serving small & medium-sized law firms and organizations. We provide:

● Cloud-based DIY eDiscovery processing & document review software

● High-speed ESI document processing and data conversion services

● Experienced eDiscovery specialists and expert consultants

Lexbe Sales sales@lexbe.com

(800) 401-7809 x22


"Cost-effective eDiscovery"

"A powerful litigation document management service"

"Secure, easy-to-use and a great review tool for consideration"

About Lexbe

○ Current position: Digital Forensics with FlashBack Data, LLC

○ Prior experience:

  ■ Special Investigations Unit with Texas State Auditor's Office

  ■ Special Investigations Unit with Texas Workforce Commission

○ Regularly presents on digital evidence collection and analysis to legal organizations and law enforcement

○ Frequently testifies as an expert witness on the analysis of computers and mobile devices. His background in criminal investigations makes him a specialist in both criminal defense and prosecution cases involving digital evidence.

Matt Danner

matt@flashback.com


Matt Danner bio

WHAT IS DIGITAL FORENSICS?

•Scientific Working Group on Digital Evidence (SWGDE) definition

•The scientific examination, analysis, and/or evaluation of digital evidence in legal matters.

•Digital evidence is information of probative value that is stored or transmitted in binary form.

DF FOUNDATIONS

•Forensically sound acquisition of digital evidence data

•How do we ensure this?

•How do we know the data is accurate?

•Procedure

•Methodology

FORENSIC IMAGES

•Bit-for-bit copy of data stored on a digital device.

•Physical Vs. Logical Images

• Software used to accomplish this:

• AccessData FTK Imager

• Guidance Software EnCase

• X-ways Forensics

• Cellebrite Forensic Hardware/Software (Mobile devices)

• Hardware based imaging devices

WRITE BLOCKING

•Prevent changes to data during acquisition

•Prevents operating system write commands from reaching the digital device

•Software write blockers

•Hardware write blockers

HASH VALUES

•Mathematically generated values that are unique to specific data patterns

•Examples:

• MD5: 3688499CB2711B9ECEA8A0075C6EEBA0

• SHA-1: 5D30BA22A0C8A411F9CFF9376D21F447D0D2D679

• SHA-256: 4C1A379B3C62A38524545424A02E043C8AAB5CFA5219129D056784D192560230

•Commonly referred to as fingerprints for digital data such as storage devices, forensic images, and files.

EVIDENCE PRESERVATION

•Best method is forensic imaging

•Forensic images are industry standard

•Backups are not as useful and may not contain crucial system artifacts

•Computer should be turned off

•Remove hard drive and acquire forensic image via write blocker

•Possible to use forensically sound boot software

OPTIONS FOR REVIEW

•Get the forensic image first!

•After imaging, a preview of the system files can be conducted

• Evidence is preserved through the image process

• Any changes made by the preview will not affect the preserved image

• If imaging is not possible, do not review the device files

•Turn off device and store it in a secure place

•Wait until a forensic examination can be conducted
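As an added illustration, not part of the webinar slides, the following shows how the hash values described earlier verify a bit-for-bit image against its source, and why a preview made on a working copy leaves the preserved image intact. The device contents are constructed bytes, not data from a real drive.

```python
import hashlib

# Constructed stand-in for the raw contents of a small storage device.
# Not data from a real device; made up for this example.
SOURCE_DEVICE = bytes(range(256)) * 64 + b"end-of-media"

ALGORITHMS = ("md5", "sha1", "sha256")  # the three algorithms listed on the slide


def hash_data(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Hash the data in fixed-size blocks, the way an imaging tool streams a device.
    Returns upper-case hex digests keyed by algorithm name."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    block_size = 4096
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def acquire_image(source: bytes) -> tuple:
    """Bit-for-bit copy of the source plus the acquisition hashes computed
    while the source is read. A real tool reads the source through a write blocker."""
    image = bytes(source)  # every byte, including unallocated space
    return image, hash_data(source)


def verify_image(image: bytes, acquisition_hashes: dict) -> bool:
    """The verification hash of the image must equal the acquisition hash of the
    source for every algorithm; otherwise the image is not a faithful copy."""
    return hash_data(image, tuple(acquisition_hashes)) == acquisition_hashes


def preview_on_working_copy(image: bytes) -> bytes:
    """A preview is done on a working copy, never on the preserved image. Here the
    copy receives a one-bit change, the kind of incidental write an OS can make."""
    working = bytearray(image)
    working[4096] ^= 0x01
    return bytes(working)


if __name__ == "__main__":
    image, acquired = acquire_image(SOURCE_DEVICE)
    print("acquisition hashes:", acquired)
    print("image verifies:", verify_image(image, acquired))
    working = preview_on_working_copy(image)
    print("working copy verifies:", verify_image(working, acquired))
    print("preserved image still verifies:", verify_image(image, acquired))
```

Recording the acquisition hashes alongside the image is what lets the preserved copy be re-verified at any later point in the chain of custody.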

BASIS FOR CONCLUSIONS

•Conclusions should be based on evidence

•Speculation is not evidence

•Assumptions should not be made

•BIG DIFFERENCE

• "This text message was never sent from this mobile device."

• "Using the forensic methods described, no evidence was found to indicate that the text message was sent from this mobile device."

DELETED DATA

•Data is not instantly gone after deletion

•An overwrite with new data has to occur

•Rate of data loss is variable and difficult to predict

•Typically, the more recently data has been deleted, the easier it is to recover

•This applies to most types of data

•Computers are easier than mobile devices

EMAIL

• Email clients

• Microsoft Outlook

• Thunderbird

• Apple Mail

•Archive Files

• Personal Storage Table (PST) - Outlook

• Offline Storage Table (OST) - Outlook

• MBOX - Thunderbird

• Email files – Apple Mail

EMAIL (CONT.)

•Web Based Email

• Google Gmail

• Yahoo! Mail

• Hotmail

• Several Others

• Fragments can be recovered via Web Cache

• Web browsers will store data related to webmail sessions

• Includes Senders/Recipients, dates, subject, and message content

• Not as simple as email archive files

METADATA

• Information about data

• Author

• Creation/modified timestamp

• Editing time

• Last printed timestamp

• Creation Tool

• Microsoft Office Metadata

• Adobe PDF Metadata

• Image Metadata (EXIF data)

• Device information

• Creation timestamps

• GPS data

USER ARTIFACTS (WINDOWS)

•User names

• Last logon timestamp

•Recent file activity

• Did a user view a file? – w/timestamps

• Folder activity

• Did a user view a folder – w/timestamps

•Did they delete any files?

• Recycle Bin

• Recycle Bin Bypass

• USN Journal

• External storage devices

EXTERNAL STORAGE DEVICES

•Was a thumb drive connected?

• Manufacturer

• Device name

• Device serial number

• Volume serial number

• First connected date

• Last connected date

• Files on device

•Great evidence for IP theft cases

MOBILE DEVICES

• Issues with forensic imaging

• Logical Vs. Physical

•Text messages

•Call logs

•Contacts

• Images and videos

•Application data

MOBILE DEVICES (CONT.)

• Internet history

•Email

•Deleted Items

•GPS data

•Timestamps

MOBILE DEVICE SECURITY

•Passcode lock or damaged device

• Boot Loaders

• Chip-off acquisition

• JTAG

•Encryption

• iOS operating system

•Android operating system

CASE EXAMPLES

•Fraudulent email

•Computers provided with wrong hard drives

• iPhone text message screenshot sends man to jail

•Homicide Phones

•Attempted Destruction of Phone

FRAUDULENT EMAIL

FLASHBACK DATA, LLC

• ISO/IEC 17025:2005 Compliant

•ASCLD Accredited

• Same as FBI and Texas DPS

•Digital Forensics

•Data Recovery

• In Operation since 2004.

● We work with forensic partners, like Flashback

● Extensive network of partners spans all major markets

● Seamless transition of data from forensics firm to the Lexbe platform

● Our eDiscovery consultants can help you determine if you need forensic collection

Full Disk Acquisition


Data Collection

● Parties to a litigation are generally required to use reasonable, good faith, and proportional efforts to preserve, identify, and produce relevant information

● Defensible remote collection of ESI by Lexbe’s technical services team

● Limited to certain file types on a computer and/or certain standard directories on a computer where files are usually stored

● Metadata can be preserved to an extent; we can help you determine whether additional steps (hardware/software) need to be taken to preserve sensitive metadata

Remote Collection


● Remote log-in to work stations

● Specialty email collection software

● Cloud-based storage collection

● Media Report for Chain of Custody

Remote Collection, cont.


We’ll be making the following available to webinar attendees:

● A recorded streaming version

● MP3 podcast

● PDF

Please let us know if you have any questions or comments about this webinar or suggestions for future topics. This webinar is part of the Lexbe eDiscovery Webinar Series. For notices of future live and on-demand webinars as part of this series, please email us at webinars@lexbe.com or follow us on LinkedIn.

Thank You For Attending


Thank You

Presenter: Matt Danner, matt@flashback.com

Moderator: Frank Krafka, fkrafka@lexbe.com, (512) 649-2440

Webinar Questions: webinars@lexbe.com


"Because of the Lexbe software, the entire playing field has been leveled for my firm."

"Lexbe cost advantages, SaaS convenience and search capabilities appeal to many small firms"

"Lexbe is the easiest eDiscovery software I have ever used"

"Secure, easy-to-use and a great review tool for consideration"

Lexbe eDiscovery Platform

Learn More About Lexbe

● The Lexbe eDiscovery Platform is our cloud-based processing, review and production tool. Designed for attorneys and legal staff to be DIY and easy to use, with no user fees or case fees. Free standard loading with annual plans.

● Learn about our high-speed/high-capacity eDiscovery services, and expert professional services.

● Request a personalized demo and expert consultation today!
