
No Nonsense File Collection Presented by: Pinpoint Labs Presenter : Jon Rowe, CCE, ISFCE


Presentation Transcript


  1. No Nonsense File Collection
     Presented by: Pinpoint Labs
     Presenter: Jon Rowe, CCE, ISFCE, Certified Computer Examiner
     Member: The International Society of Forensic Computer Examiners

  2. Session Objectives
     • Understanding ESI Collection Methods
     • Typical ESI Collection Mistakes
     • Improve Vendor Selection
     • Avoid Client System Modifications
     • Common Problems with Existing Methods
     • Demonstrate Automated Job Process Using One Click Collect

  3. Custodial Collections:
     • 3 Common ESI Collection Methods
       • ‘Drag and drop’
         • Alters file timestamps and metadata
         • No Chain of Custody
         • Missed search results
       • Hard drive imaging/cloning
         • Chain of Custody
         • Retains file timestamps and metadata
         • Required for most forensic exams
       • Remote collection
         • Creates forensic image or active files only
         • Can be remotely scripted
         • Custodians may perform “self collection”
     • Using the ‘drag and drop’ collection method is common; however, there are several related risks.

  4. ESI Active File Collection

  5. Incomplete File Collections
     • 8 Common Reasons Evidence is Missed
     • Many active file collection processes don’t:
       • Hash verify file contents
       • Copy files in paths greater than 255 characters
       • Log files in use
       • Easily apply settings across multiple jobs
       • Handle Unicode filenames
       • Handle network drops or extended outage
       • Effectively resume interrupted file copies
       • Identify all custodian systems and data sources
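The following added example (not Pinpoint Labs or One Click Collect code) shows what a minimal active-file collector that avoids several of the gaps listed in slide 5 looks like: it preserves timestamps, hash-verifies each copy with SHA-256, accepts long and Unicode paths, and records files in use or missing in a chain-of-custody log instead of silently dropping them. The `\\?\` extended-length prefix for Windows and the record layout are assumptions of this example.

```python
import hashlib, shutil, sys, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def long_path(path):
    """Windows only: assumed \\?\ prefix lifts the legacy 260-char path limit."""
    p = str(Path(path).resolve())
    if sys.platform == "win32" and not p.startswith("\\\\?\\"):
        p = "\\\\?\\" + p
    return p

def collect_file(src, dest_root, log):
    """Copy one active file (tree mirrored), keep timestamps, hash-verify, log it."""
    src = Path(src)
    rec = {"source": str(src), "collected_at": datetime.now(timezone.utc).isoformat()}
    try:
        st = src.stat()
        rec.update(size=st.st_size, mtime=datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat())
        resolved = src.resolve()
        dest = Path(dest_root) / resolved.relative_to(resolved.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        rec["source_sha256"] = sha256_file(long_path(src))
        shutil.copy2(long_path(src), long_path(dest))  # copy2 preserves mtime/atime
        rec.update(destination=str(dest), dest_sha256=sha256_file(long_path(dest)))
        rec["status"] = "verified" if rec["source_sha256"] == rec["dest_sha256"] else "hash_mismatch"
    except PermissionError:
        rec["status"] = "skipped_in_use"  # locked/open file: logged, not silently dropped
    except OSError as exc:
        rec["status"] = "error:" + type(exc).__name__
    log.append(rec)
    return rec

def demo():
    root = Path(tempfile.mkdtemp())
    src = root / "custodian" / "Bericht_über_Ärzte.txt"  # constructed Unicode filename
    src.parent.mkdir()
    src.write_bytes(b"constructed evidence\n" * 1000)
    log = []
    collect_file(src, root / "collection", log)
    collect_file(root / "custodian" / "missing.pst", root / "collection", log)  # missing source
    return log
```

Calling `demo()` returns two records: one `verified` copy with matching source and destination hashes, and one `error:FileNotFoundError` entry for the missing file.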

  6. Custodial Collections:
     • Potential Data Sources
       • Hard drives
       • Servers
       • Backup media
       • Email servers
       • Other hard drives and email servers in organization
       • Outside recipients (hard drives, servers, backups)
       • Laptop computers
       • Home computers
       • USB drives, CDs, DVDs
       • Cell phones, smart phones, PDAs
       • GPS

  7. Court Recognized Sources:
     • Sources ranked from most accessible to least accessible for purposes of e-evidence discovery:
       • Active, online data [on HDD or active network servers]
       • Near-line data [on removable media, optical disks/mag tape]
       • Offline storage/archives [on offline removable media]
       • Backup tapes [not organized for retrieval of individual files]
       • Erased, fragmented, or damaged data [tagged for deletion, but may still exist]
