forensic world, including best exploring the many aspects

An Overview of Digital Forensics

Defining Digital Forensics and exploring the many aspects of the Forensic world, including best practices and methodologies.

eDiscovery Webinar Series

About Our Webinars

An Overview of Digital Forensics eDiscovery Webinar Series

● Webinars take place monthly and cover a variety of relevant eDiscovery topics

● If you have technical issues or questions, please email [email protected]

● Lexbe webinars are available for viewing (streaming video), and downloadable as a PDF Presentation or an MP3 podcast.

● This Webinar and a complete listing of other onDemand webinars is part of the: Lexbe eDiscovery Webinar Series

● For notices of future live and on-Demand webinars as part of this series please email us at [email protected] or: Follow us on LinkedIN

mailto:[email protected]

http://lexbe.com/resources/ediscovery-webinars/?LEX=Webinar-PDF-15010-28-eDiscProcs

http://lexbe.com/resources/ediscovery-webinars/?LEX=Webinar-PDF-15010-28-eDiscProcs

https://www.linkedin.com/company/lexbe

About Lexbe


◼ Serving boutique law firms for more than 15 years

◼ Based in Austin TX

◼ Developed a Native End-to-End eDiscovery Application Hosted at Amazon Web Services

◼ Lightning Fast, Feature Rich & Highly Affordable

◼ Purpose-Built for DIY eDiscovery for Boutique Law Firms

“Cost-effective eDiscovery” “Secure, easy-to-use and a great review tool for

consideration”

“A powerful litigation document management service”

G2 Crowd finds that Lexbe “delivers best ROI in the industry and leads in 6 key metrics.”

Speaker


● Nick Marrero -Lead Digital Forensics Examiner with Lexbe

● Digital Forensics Expert and Consultant

● 10+ years Experience in Digital Forensics

● Bachelor of Science - Computer Forensics○ Bloomsburg University of Pennsylvania

● Certified Cellebrite Operator | Certified Cellebrite Physical Analyst

● Forensic Experience within the Oil & Gas, Retail, and Healthcare Industries

Nick MarreroDigital Forensics [email protected]

eDiscovery Webinar SeriesLexbe Confidential

MOBILE DEVICE GROWTH & EVOLUTION

Mobile Application Downloads

Cisco Annual Internet Report (2018–2023) White Paper


COLLABORATION APPS ON THE RISE THANKS TO COVID


MOBILE DEVICE GROWTH & EVOLUTIONForensic & Discovery Considerations

● Corporate owned / Personally owned / Bring Your Own Device (BYOD)

● Wireless carrier services and data

● Shadow IT

● Data portability

● Location-based data

● Encryption

● Social media apps

● Ephemeral messaging apps


MOBILE DEVICE GROWTH & EVOLUTIONEphemeral Messaging

● Messages that exist for a limited period of time and then

self destruct

● Waymo LLC v. Uber Technologies


Common Texting & Messaging Services

Apple iChat

Android Message

GROWTH IN NON-EMAIL ESI EVIDENCE


BREAKDOWN BY APPLICATION


VARIOUS APPLICATIONS EQUALS VARIOUS FILE TYPES

Agenda

● What is Digital Forensics● Digital Forensic Best Practices● Planning and Executing Collection● Types of Digital Media● Computers and Hard Drives ● Mobile Devices● Cloud and Webmail● Hash Values● Deleted Data● eDiscovery Integration


What is Digital Forensics


● The identification, preservation, recovery, and analysis of digital media.

● Protection of Data Integrity

● What data and information can uncovered?

● What data can be changed or altered?

● Why need a Digital Forensics Examiner?

Digital Forensic Best Practices


● Documentation - Chain of Custody, Photographs, Condition of the Device

● Proper Evidence Handling

● Write Blockers - Prevents the evidence from being modified during preservation.

● Coordination and strategy agreed upon between the requestor and examiner.

● Examinations should not be performed on the original media but rather on the forensic image.

● Reporting - provide all relevant and pertinent information in a clear and concise manner

● Return of Devices

Digital Forensic Best Practices- Proper Evidence Handling


● Coordination between sender and receiver should be discussed prior to exchange ● Standard shipping practices are insufficient

○ Ensure that a signature by the named receiver is requested● Tracking numbers should be logged and communicated● All handling of material should be properly logged, including on the chain of custody ● Devices should be securely stored

Digital Forensic Best Practices- Write Blocker


● Absolutely critical to ensure that data is not altered● Creates a read-only version, preventing anything from being “written” to the original ● 2 types, physical device or software

○ Physical device connects to device being examined and the forensic examiner’s workstation for review■ Tableau■ CRU Wiebe Tech■ Cool Gear

○ Software installed on forensic workstation allows them to review the connected hardware without disturbing the data■ Safeblock■ USB Write Blocker■ SoftBlock (specifically for Mac’s)

Digital Forensic Best Practices- Coordination & Strategy


● Scope should be agreed upon between the requestor and examiner, including timelines● Passwords and Pins should be requested and shared● Agree upon what can and can’t be performed ● The delivery of devices as well as the return should be discussed and coordinated before exchange. ● Clear line of communication with point person on both sides

Digital Forensic Best Practices- Forensic Imaging


● Forensic tools make a bit for bit copy of the original data● The forensic image is an exact copy for the examiner to review● Source device should always be imaged if possible

Formats include:.RAW (DD).EO1 .LO1 .AD1 .SMART

Digital Forensic Best Practices- Reporting


● May or may not be necessary depending on circumstances

● Crucial when an actual analysis or investigation is occuring

● Criteria for a report include:○ All aspects of the case○ Every part of the documentation○ All evidence and findings uncovered in analysis○ Err on the side of being overly inclusive

Digital Forensic Best Practices- Return of devices


● Should be done as soon as possible● Ensure the device goes back to correct party● Closes chain of custody

Planning and Executing Collection


● What needs to be acquired?

● Physical Collection vs Remote Collection.

● Coordination with the client and the custodian.

● The right tools for the job.

● Chain of Custody.

● Best Practices.

● Return of Devices.

Chain of Custody


● All device details○ Device Type○ Device Manufacturer, Make, and Model○ Serial Number○ Device Description and any other identifying features.

● Signatures○ Printed and Signed names of the received by and

received from parties.

● Dates and Times○ When was the device collected?○ When was the device transferred to another party?○ When was the device returned or stored?

● Case Information

○ The case or company the device is tied to.

Types of Digital Media


● Computers and Hard Drives○ Desktops○ Laptops○ External Hard Drives○ USB Thumb Drives○ Gaming Systems

● Mobile Devices○ Smart Phones○ Cell Phones○ Tablets○ GPS

● Cloud○ Google○ Apple○ Microsoft

● Webmail○ Gmail○ Yahoo○ Office 365

Computers and Hard Drives


● Computer Operating Systems○ Windows○ Mac○ Linux

● Remote PC and Mac Collections

● Portable Devices○ USB Thumb Drives○ External Hard Drives○ CDs, DVDs, Blu-Ray

● File Systems○ NTFS○ FAT (FAT12, FAT16, FAT32)○ exFAT○ APFS

● Gaming Systems

● Forensic Imaging and Analysis Tools○ Magnet Axiom○ EnCase○ FTK○ X-Ways○ Sleuth Kit (+Autopsy)

Mobile Devices


● Mobile Device Operating Systems○ iOS○ Android○ Windows○ RIM (Blackberry)

● Forensic Tools○ Magnet Axiom○ Cellebrite○ EnCase○ Oxygen

● Data Acquisition Types○ Physical○ Logical○ FileSystem○ Manual

● Data Extractions○ Chats/Messages○ Photos/Videos○ Call Logs○ Locations○ Email○ Contacts○ Calendar○ Notes○ Web Browsing

Cloud and Webmail


● Cloud○ Apple iCloud○ Google Cloud ○ Microsoft OneDrive○ Dropbox○ Box.com

● WebMail○ Gmail○ Hotmail○ Yahoo○ Office 365

● Social Media○ Facebook○ Twitter○ Instagram○ Uber○ Lyft

● Business

○ Slack○ Teams

● Cloud Collection Tools○ Magnet Axiom○ Cellebrite

Hash Values


● A hash value is a numeric value of a fixed length that uniquely identifies data.

● Hash Types○ MD5○ SHA-1○ SHA-256

● Hash values are used to verify the integrity of data

● Hash values of source data can be compared to the copied or transferred version of that data to determine whether or not that data has been altered.

Metadata


● Data about Data.

● Every single file on any digital device has some amount of metadata associated with it. The type and amount of metadata related to a file can vary.

● Metadata can provide specific information to further understand a timeline of events regarding a file..

● Information found in the Metadata:○ Creation Date/Time○ Last Modified Date/Time○ Author○ File Name

Deleted Data


● Oftentimes, files deleted by the user can still be found and recovered from the device.

● Data needs to be overwritten for it to be lost.

● Partial recovery of data is possible if only part of the deleted files’ original location is overwritten.

● Files that have been recovered from a drive’s free space may not include the metadata required to prove ownership of the file, timestamps, or original storage location

● Deleted files from mobile devices can be more difficult to recover due to their free space being unavailable to access.

● Solid State Drives can automatically overwrite deleted file storage locations with zeros.

eDiscovery Integration


● Data collected using forensic tools can be ingested into eDiscovery Review Platforms.

● Data forensically acquired directly from the source.

● Data can be uploaded in different formats○ Raw Data○ PDFs○ Spreadsheets

● Can be available for immediate client

review after forensic collection.

Key Takeaways


● Digital Forensic acquisitions can provide data from a range of digital devices.

● Always follow best practices.

● Types of forensic images.○ Physical○ Logical○ Targeted

● Forensic Analysis and the information that

can be found.

● Hash values - The “fingerprint” of a file.

● Metadata - Data about Data.

● Deleted files - they may still be uncovered.

● Forensics and eDiscovery


END TO END E-DISCOVERY IN THE CLOUD

Lexbe Confidential

◼ Full-Featured◼ DIY◼ Infinitely Scalable◼ Accessible with a Browser


THE LEXBE UBER INDEXNative Characters

Translated Characters

All Characters From Native Files are Extracted and Included in the Uber Index.

All OCR Characters are Extracted and Included in the Uber Index.

All Images are OCR’d, Characters Extracted and Included in the Uber Index.

Lexbe’s Translation Engine Feeds the Uber Index All Translated Characters

OCR Characters

Image OCR Characters

◼ Multi-source concatenated singular index

◼ Lightning fast

◼ Seamlessly add documents without re-indexing

Lexbe Confidential


Audio Files Transcribed in the Lexbe eDiscovery Platform

Lexbe Confidential

Review transcription files and quickly identify and tag where on the audio track the evidence resides.

Lexbe’s AI Powered Transcription automatically identifies and designates each speaker.


ADVANCED APPLICATIONS OF AI

Lexbe Confidential

Audio & Video File Transcription

LanguageTranslation

ImageRecognition

SentimentAnalysis

◼ Utilizing Neural Networks for advance machine learning and high-quality results


INDUSTRY LEADING PRICING

Lexbe Confidential

Service Relativity LexbeProcessing $125 per GB $0

User Fees $95 per User $0

Technology Assisted Review $30 per GB* $0

Near Duplication * Included with Relativity Analytics

$0

Email Threading * Included with Relativity Analytics

$0

Hosting $8 per GB per Mo. $5 per GB per Mo.

AI Insights N/A $0

Learn More About Lexbe


● The Lexbe eDiscovery Platform, is our cloud-based processing, review and production tool. Designed for Attorneys/legal staff to be DIY and easy to use, with no users fees or case fees. Free standard loading with annual plans.

● Learn about our high-speed/high-capacity eDiscovery services, and expert professional services.

Request a personalized demo and expert consultation today!

1-800-401-780 x22 | [email protected]

‘Cost-effective eDiscovery’

“A powerful litigation document management service”

“Because of the Lexbe software, the entire playing field has been leveled for my firm.”

‘Lexbe cost advantages, SaaS convenience and search capabilities appeal to many small firms

“Lexbe is the easiest eDiscovery software I have ever used’

‘Secure, easy-to-use and a great review tool for consideration’

forensic world, including best exploring the many aspects

Documents