<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>eDiscovery Archives - Compute Forensics LTD London Computer &amp; Mobile Phone Forensic Expert Witness Investigation Services</title>
	<atom:link href="https://compute-forensics.com/category/ediscovery/feed/" rel="self" type="application/rss+xml" />
	<link>https://compute-forensics.com/category/ediscovery/</link>
	<description></description>
	<lastBuildDate>Fri, 24 Aug 2018 12:05:38 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://compute-forensics.com/wp-content/uploads/2018/06/cropped-cropped-CF-1-32x32.png</url>
	<title>eDiscovery Archives - Compute Forensics LTD London Computer &amp; Mobile Phone Forensic Expert Witness Investigation Services</title>
	<link>https://compute-forensics.com/category/ediscovery/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How is a Remote Forensic Collection or Analysis Conducted?</title>
		<link>https://compute-forensics.com/how-is-a-remote-forensic-collection-conducted/</link>
		
		<dc:creator><![CDATA[Alistair Ewing]]></dc:creator>
		<pubDate>Tue, 17 Jul 2018 14:13:01 +0000</pubDate>
				<category><![CDATA[eDiscovery]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Remote Collection]]></category>
		<guid isPermaLink="false">https://compute-forensics.com/?p=1883</guid>

					<description><![CDATA[Compute Forensics have been to over 20 countries such as the UK, France, Thailand, Singapore and USA performing collections and on-site investigations. In person is the most straightforward way to reassure none of the actions of the forensic examiner is going to harm the data or the organisation&#8217;s network. It is like having a computer forensic expert]]></description>
										<content:encoded><![CDATA[<p>Compute Forensics have been to over 20 countries such as the UK, France, Thailand, Singapore and USA performing collections and on-site investigations. Attending in person is the most straightforward way to reassure the client that none of the forensic examiner&#8217;s actions will harm the data or the organisation&#8217;s network.</p>
<blockquote><p>It is like having a computer forensic expert in your office! Alistair Ewing Director Compute Forensics Ltd</p></blockquote>
<p>As technology advances, remote forensic services are being more commonly utilised in the eDiscovery or forensic sphere. Compute Forensics can collect and triage data remotely either <strong>1)</strong> on the corporate network, to a server or system on the same local IP range, in a live state but in a blocked mode, or <strong>2)</strong> across the internet, over a secure AES-encrypted connection, using a forensic operating system with a remote connection. The original disk is untouched, as the OS or method blocks writes to the drive. The image and working copy are made to a BitLocker- or VeraCrypt-encrypted disk connected to the system by the client.</p>
<p><iframe src="https://www.youtube-nocookie.com/embed/two7QJNhMLc?rel=0&amp;showinfo=0" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>Travel and board costs can be out of proportion to the case, or the data may reside on a home connection, so a remote collection may be required.</p>
<h2>Situations when a Remote Acquisition is Useful</h2>
<ol>
<li>The budget doesn&#8217;t suit an onsite collection.</li>
<li>The data is in a far away location.</li>
<li>The data and the user are on the same corporate network. The physical and volatile data need to be collected onsite but remotely, without the culprit&#8217;s knowledge but with the authority of the organisation.</li>
<li>The collection or triage is on a tight schedule.</li>
<li>There are only 1 or 2 devices on the client site.</li>
</ol>
<h2>Is a Remote Collection Safe and Forensically Sound?</h2>
<p>Yes. All the data packets sent and received during the remote collection at the client end, including keyboard and mouse signals, images and file transfers, are encrypted. Only the Computer Forensic Expert has access to the AES-256 and RSA-1024 cryptographic keys. The internal disk is untouched provided the instructions are executed diligently; a pre-briefing exercise ensures this.</p>
<h3>The following steps display the methods entailed in a remote collection:</h3>
<h2>How a Remote Collection is Conducted on a Machine in an Off State</h2>
<ol>
<li>The client gives us information about the machine, such as its model. A contract allowing us to make a remote collection is to be completed by both parties before the forensic imaging. The technique works on Intel-based Macs as well as most PC laptop models and tower PCs.</li>
<li>A bespoke digital forensic OS is uploaded to a secure location in an ISO format and made available for download. The client burns this to an optical disk or a USB using <a href="https://rufus.akeo.ie/">Rufus</a>.</li>
<li>The CD or USB is added to the system along with a USB 3.0 destination drive that is larger in capacity than the internal drives.</li>
<li>The system is connected to an ethernet connection by the client.</li>
<li>When switching on the system, the user at the client side presses a key, DEL/F12/F8 or similar, during the power-on self-test stage as the machine is waking up. In the system&#8217;s BIOS or UEFI, the boot menu is opened. The attached boot USB or CD is booted from, bypassing the OS on the system but using the system&#8217;s hardware to function.</li>
<li>In the forensic OS, the client right clicks and selects the &#8216;connect to network&#8217; option.</li>
<li>From there the <a href="https://compute-forensics.com/staff/computer-expert-witness/">forensic examiner</a> takes over the system and begins the collection process.</li>
<li>All system data such as disk serial numbers are seized by specialist software to help produce the analysis report.</li>
<li>Any forensic images, logs or findings are exported to the encrypted attached USB stick or&#8230;</li>
<li>Uploaded via SFTP to the eDiscovery firm&#8217;s remote storage box or direct to a cloud-based eDiscovery platform such as <a href="https://goldfynch.com/">Goldfynch</a>.</li>
</ol>
<h2>On an Apple Device</h2>
<ol>
<li>Start OS X</li>
<li>Hold the option key until CD is displayed as an option (takes a little bit to appear)</li>
<li>Release the option key</li>
<li>Use the arrow keys (or mouse) to select the CD</li>
<li>Press Return.</li>
<li>The investigation begins.</li>
</ol>
<h2>How a Remote Collection is Conducted onsite on a Machine in an On State</h2>
<ol>
<li>A machine connected to the corporate network with AccessData&#8217;s FTK installed is prepared.</li>
<li>The IP of a culprit&#8217;s machine is entered onto the examination machine.</li>
<li>After a remote agent is pushed to the machine, the evidential disk is connected to remotely without the user&#8217;s knowledge.</li>
<li>The examiner gains access to the file system through the remote agent. The volatile data can be analysed for malware and passwords. The disk can be copied and triaged.</li>
</ol>
<p>Should you require a forensic collection, please don&#8217;t hesitate to contact a member of our team.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Lower E-discovery Litigation Costs by Implementing a Decent ESI Governance Strategy</title>
		<link>https://compute-forensics.com/lower-e-discovery-litigation-costs-by-implementing-a-decent-esi-governance-strategy/</link>
		
		<dc:creator><![CDATA[Alistair Ewing]]></dc:creator>
		<pubDate>Thu, 28 Jun 2018 18:31:45 +0000</pubDate>
				<category><![CDATA[eDiscovery]]></category>
		<category><![CDATA[Infosec]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[ESI]]></category>
		<category><![CDATA[Governance Strategy]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://compute-forensics.com/?p=1834</guid>

					<description><![CDATA[Businesses need to be proactive and improve their processes of storage and release of information rather than be reactive. It is better to have essential retention and storage policies in the event of litigation. We have performed too many collections where the IT department has no idea where the data is stored; this is usually]]></description>
										<content:encoded><![CDATA[<div id="ember1174" class="ember-view">
<div class="reader-article-content">
<p>Businesses need to be proactive and improve their processes of storage and release of information rather than be reactive. It is better to have essential retention and storage policies in place in the event of litigation. We have performed too many collections where the IT department has no idea where the data is stored; this is usually the case in smaller firms where they outsource the IT department. Having well-organised, easily locatable ESI (electronically stored information) will not only save you money and time in the likely event of litigation; it may also have other benefits, such as being able to source key IP (intellectual property) assets in the event of an <a href="http://www.linkedin.com/pulse/incident-response-ip-theft-guide-hr-departments-alistair" rel="noopener">employee investigation</a> or disastrous loss as the result of rogue malware or hardware failures.</p>
<h3>What Businesses Need to Consider Before an E-discovery Exercise</h3>
<ul>
<li><strong>Invest Time Preparing Now </strong>The amount of time spent organising a proper governance strategy and migrating to an E-discovery friendly office platform will significantly reduce costs in the future. It is a false economy not to invest time, money and resources into this endeavour now.</li>
<li><strong>Record Trail </strong>Policies must be in place, and you must record when they were approved and by whom. For example: &#8220;We back up the Exchange server every eight months, it is stored in this location and is deleted after X amount of time.&#8221; This will display to litigators that you are well organised, leading to them giving you less hassle as the case progresses.</li>
<li><strong>Deletion Policy </strong>It is not efficient to hold onto ESI forever, but you must adhere to a retention period that meets the regulatory requirement. The deletion should be documented by explaining why an archive was deleted, and the action must conform to the particular need in your industry or country. Missing project emails, gaps in dates and undocumented deletions are all unacceptable.</li>
<li><strong>Intentional Withholding </strong>Hiding or withholding information will cause you added hassle and undermine your organisation&#8217;s credibility. You must explain why specific emails were withheld from a date range or why a custodian&#8217;s data has been deleted before the time that has been allocated. If a forensic preview discovers ESI that was not disclosed after the pre-collection questionnaire, this undermines the credibility of the company and can lead to further financial losses. I have worked on a case where a company denied an email was sent by an ex-employee. The emails of other custodians that had left the company were archived, but this person&#8217;s emails were not available. I was presented with a drive that they said this individual used. They were bluffing, as no user profile belonging to this person existed; they handed me a computer that was never used by this individual. Additionally, they stated that they migrated servers and didn&#8217;t bring forward the custodian in question, but the other employees that had left the company before this custodian exited had their PST email archive files in the migration in a PST backup folder. After examining migration logs and other records, I discovered that the custodian&#8217;s PST file had been present on the server at some point. As a result, they received a hefty fine for hiding this information and had to pay back the claim.</li>
<li><strong>Standardisation of Backups </strong>I have worked on a case where sometimes emails were available on the server, others were in a backup folder, others on the custodian&#8217;s hard disk and even some in VHD disk clones. Having ESI in multiple areas is haphazard. Each forensic image had to have every archive and backup examined for case ESI. Users had the admin rights to take emails off the server when they backed up, leading to fragmented loci of the documents and email files involved in the case. The outsourced IT firm engaged in the business had no backup policy in place. This leads to an expensive, long, drawn-out investigation, extraction and comparison process to ensure I had the full range of emails and ESI. For the forensic collector, the process should be as simple as: work files are stored in this location, backups here, and the rest is on the server along with all the logs and audits. It should all be auditable and defensible. Only admins should be allowed to perform backup tasks and records must be kept to show a full transversal expired. If this isn&#8217;t the case, then the email system used should automatically retain all the emails sent and received regardless of the user actions.</li>
<li><strong>Using BYOD in an Organisation </strong>Allowing your staff to use their own devices not only opens up the door to security risks but also leads to the embarrassing prospect of having to encroach on their privacy and investigate their device to source potential ESI that may be stored in personal Gmail or online Outlook accounts. This lowers staff morale and gives the impression of lax policy. Just look at the recent Hillary Clinton scandal where she used personal email for government matters. A leak here could cost your company embarrassment for the sake of not allowing them to use their home mobile phone or computer. Just fork out for the devices. Prep and provide digital work items for staff that have been selected with security and retention in mind. iPhones back up to iCloud; this way ESI can be retrieved from the iCloud location using <a href="http://www.iphonebackupextractor.com/" rel="nofollow noopener">iPhone Backup Extractor</a> and searched for ESI even if the phone has a forgotten code or the custodian is unavailable. Configure laptops to retain data and perhaps install monitoring software that tells you if a specific non-compliant action has occurred.</li>
<li><strong>Consider Migrating to Gmail or Office 365 for Business </strong>These cloud-based options reduce time in collecting ESI, and retention can be performed via a click of a button in the settings. Make sure devices have two-step authentication and mobile devices synced with these services have decent passwords to enter your assets, as you are exposed to the web using these services. In many ways, these webmail platforms can act as review tools in themselves, allowing you to triage and keyword search specific projects involved in the case, reducing preview time before a collection, which can be done remotely. In some cases, this reduces costs for a manual data acquisition. It must be noted, though, that these searches don&#8217;t recognise characters in documents and don&#8217;t have the raw power and options of tools like my personal favourite <a href="http://www.nuix.com/" rel="nofollow noopener">Nuix</a>. The knock-on effect is this will improve efficiency and stability in your business compared to using something debunked such as Lotus Notes. The only drawback is your data is stored offsite on Google&#8217;s or Microsoft&#8217;s servers; this may go against clients&#8217; wishes in specific sectors.</li>
<li><strong>Keep Asset Lists for Data Mapping </strong>A simple spreadsheet detailing hard disk serial numbers, locations of ESI, users assigned to a domain and whether more than one user uses a specific computer cuts time when handed to an E-discovery company as needed. It additionally saves costly second collection attempts because of gaps in the contiguous layout of the ESI concerning date range. It may even be used to produce directory listings periodically of all your devices so one can quickly find where ESI is stored. This can work in harmony with your security audit as well. Early case assessments can then be conducted with precision and promptly. <a href="http://compute-forensics.com/" rel="nofollow noopener">Compute Forensics</a> can aid in this.</li>
<li><strong>Regional Issues </strong>Some multinationals have used a &#8216;one size fits all&#8217; approach for all the countries in which they are based and have opened themselves up to litigation. The governance programme must be suited to the particular jurisdiction. It is worthwhile to consult a local lawyer to run through the nuances of that specific jurisdiction or industry.</li>
</ul>
<p>Please contact me if you need any advice regarding this topic, a few days of consultation could save your firm a small fortune in the future. Add me as a connection a.ewing@compute-forensics.com. Like and share if you found this useful.</p>
</div>
</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
