TRANSCRIPT
No Nonsense File Collection
Presented by:
Pinpoint Labs
Presenter:
Jon Rowe, CCE, ISFCE Certified Computer Examiner
Members: The International Society of Forensic Computer Examiners
Session Objectives
• Understanding ESI Collection Methods
• Typical ESI Collection Mistakes
• Improve Vendor Selection
• Avoid Client System Modifications
• Common Problems with Existing Methods
• Demonstrate Automated Job Process Using One Click Collect
Custodial Collections: 3 Common ESI Collection Methods
‘Drag and drop’
• Alters file timestamps and metadata
• No Chain of Custody
• Missed search results
Hard drive imaging/cloning
• Chain of Custody
• Retains file timestamps and metadata
• Required for most forensic exams
Remote collection
• Creates forensic image or active files only
• Can be remotely scripted
• Custodians may perform “self collection”
Using the ‘drag and drop’ collection method is common; however, it carries several related risks.
Incomplete File Collections: 8 Common Reasons Evidence is Missed
Many active file collection processes don’t:
1) Hash verify file contents
2) Copy files in paths greater than 255 characters
3) Log files in use
4) Easily apply settings across multiple jobs
5) Handle Unicode filenames
6) Handle network drops or extended outage
7) Effectively resume interrupted file copies
8) Identify all custodian systems and data sources
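As an added illustration of items 1, 2, 3, 5 and 7 above (example code written for this transcript, not code from Pinpoint Labs or the One Click Collect product), the Python below copies a single custodian file the way a defensible collection should: it resumes a copy that was cut off, preserves the source timestamps, hash-verifies the copy against the source, accepts Unicode names and Windows paths past the 260-character limit via the \\?\ prefix, and records a locked file in the log entry instead of skipping it. The file name, the over-long directory path, the 1 MiB of content and the 300,000-byte partial copy in demo() are all constructed sample data.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def long_path(path):  # Windows: add the \\?\ prefix so paths beyond MAX_PATH (260) still open
    p = os.path.abspath(path)
    return "\\\\?\\" + p if os.name == "nt" and not p.startswith("\\\\?\\") else p

def collect_file(src, dst):
    """Copy src to dst (resuming a partial copy), keep timestamps, hash-verify; return a log entry."""
    src, dst = long_path(src), long_path(dst)
    entry = {"source": src, "destination": dst, "status": "ok"}
    try:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        done = os.path.getsize(dst) if os.path.isfile(dst) else 0
        done = 0 if done > os.path.getsize(src) else done  # oversized partial copy: distrust it, restart
        with open(src, "rb") as fin, open(dst, "ab" if done else "wb") as fout:
            fin.seek(done)  # append mode writes at the end, so only the source needs positioning
            shutil.copyfileobj(fin, fout, 1 << 20)
        shutil.copystat(src, dst)  # preserve the timestamps a drag-and-drop copy alters
        entry["resumed_from"] = done
        entry["sha256_source"], entry["sha256_copy"] = sha256_file(src), sha256_file(dst)
        if entry["sha256_source"] != entry["sha256_copy"]:
            entry["status"] = "hash_mismatch"
    except PermissionError as err:  # locked / in-use file: record it instead of silently skipping
        entry.update(status="in_use_or_locked", error=str(err))
    except OSError as err:  # network drop, vanished path, etc.: logged so the job can be re-run
        entry.update(status="error", error=str(err))
    return entry

def demo():  # constructed scenario: Unicode name, >255-char path, interrupted copy resumed and verified
    root = tempfile.mkdtemp()
    deep = os.path.join(root, *(["d" * 90] * 3))  # source directory path well beyond 255 characters
    src = os.path.join(deep, "résumé_ünïcode.docx")
    os.makedirs(long_path(deep))
    data = bytes(range(256)) * 4096  # 1 MiB of constructed sample content
    Path(long_path(src)).write_bytes(data)
    dst = os.path.join(root, "résumé_ünïcode.docx")
    Path(dst).write_bytes(data[:300000])  # simulate a copy cut off by a network drop
    entry = collect_file(src, dst)
    entry["bytes_match"] = Path(long_path(dst)).read_bytes() == data
    return entry
```

A production job would run collect_file over every path in the custodian inventory and write each returned entry to the chain-of-custody log, so a hash mismatch or a locked file is visible at review time rather than discovered when a search comes back empty.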
Custodial Collections: Potential Data Sources
• Hard drives
• Servers
• Backup media
• Email servers
• Other hard drives and email servers in organization
• Outside recipients (hard drives, servers, backups)
• Laptop computers
• Home computers
• USB drives, CDs, DVDs
• Cell phones, smart phones, PDAs
• GPS
Court Recognized Sources:
Sources ranked from most accessible to least accessible for purposes of e-evidence discovery:
1) Active, online data [on HDD or active network servers]
2) Near-line data [on removable media, optical disks/mag tape]
3) Offline storage/archives [on offline removable media]
4) Backup tapes [not organized for retrieval of individual files]
5) Erased, fragmented, or damaged data [tagged for deletion, but may still exist]