It has become increasingly clear that digital forensics providers must provide flexible forensic imaging and collection options for companies and law firms engaged in discovery and investigations. While remote digital forensics was a relatively uncommon service just ten years ago, modern software and improved methods now provide investigators with a powerful, cost-saving tool to aid ESI collection efforts. Legal teams need to understand what remote collection methods are available, when they are most appropriate, and what limitations exist. This article will focus on what is possible in modern remote digital forensics, as practiced here at Data Narro.
What Is Remote Digital Forensics?
In general, remote digital forensics refers to a service provided by forensic investigators that allows for the collection of ESI from a geographic location where the investigator is not present. For instance, a Milwaukee-based forensic investigator can still make a court-admissible, forensically sound image of a laptop located in Idaho without ever leaving the state of Wisconsin.
Investigators use remote collections when the cost to send a forensic professional is prohibitive or the downtime created by shipping a device is unacceptable.
Understandably, people and companies are reluctant to give up their digital devices for forensic investigations, even when the examinations are initiated on their behalf. It’s one thing to sequester a laptop for a few days, but it’s entirely different when the device is someone’s personal mobile phone. Very few of us would feel comfortable being without our mobile phone for more than a few hours. Remote collections can minimize the disruption that digital forensics can cause for businesses and individuals.
When Can You Use Remote Forensics and Remote Collection?
The decision to use remote collection methods will always depend on the unique set of circumstances within a collection effort, including the scope of the project, the sensitivity of the data, the urgency to preserve the data, the e-discovery budget, and the willingness of the data’s custodian to participate in the collection process. Talking to an experienced forensics expert is essential to determine if a remote collection is appropriate for the task at hand. (As always, give us a call; it’s no cost to you.)
Let’s Get into Specific Remote Collection Methods
Full Collection/Targeted Collection for Laptops, Workstations, and Servers
Data Narro will express ship a forensic collection kit to the device custodian. This typically consists of an encrypted USB hard drive with specialized forensic software. Once the kit arrives, the forensic professional will guide the custodian through simple steps using a screen share application. The collection process is then run entirely by a remote forensic expert. Once the collection is complete, the encrypted hard drive is shipped back to the lab using the provided shipping label and box. Once the drive is received back at the lab, it is verified and subsequent analysis can begin.
Targeted collections only look to preserve specific files and folders located on a hard drive. The method to selectively collect these files is nearly identical to the steps taken during a full collection.
For years, a forensically sound remote collection of mobile phone data was nearly impossible; however, some powerful new tools are on the market. Data Narro can perform a remote collection on most mobile devices, including iPhones and Android devices.
Performing a remote collection on a mobile phone is somewhat similar to the technique used to collect a hard drive/SSD. Because of the highly technical and constantly shifting nature of mobile device collection, we will often utilize a third-party partner to assist. In these cases, we will have a specialized collection device sent to the device’s custodian. The custodian will connect the collection device to the target device under the guidance of a forensic expert. Once connected, the forensic expert will take over and perform the collection. After the collection is complete, the collection device is shipped back to the lab using the provided shipping label and box.
Chromebooks are an interesting exception in the digital forensics world. It turns out that Chromebooks are extremely secure devices. Google has put considerable effort into locking these devices down, making both direct and remote forensic examination very difficult. Fortunately, these devices depend on Google Cloud services for data storage and application execution. As a result, the most relevant data you need is found in the Cloud. In cases that require forensic collection of Chromebook devices, we would simply perform a collection of that device’s data through its Cloud account.
Email, Cloud Accounts, and Social Media
While this wasn’t the case years ago, email is increasingly hosted in Cloud accounts rather than on company network servers. As a result, individual digital devices and computers are usually no longer the best source for preserving and collecting email and other corporate data. Of course, a remote collection of Cloud data is easy to perform anywhere.
Forensic analysts have specialized collection tools that can interface directly with most email, Cloud, and social media accounts. These tools ensure that data is collected in a manner that is consistent with forensic principles.
Well, Can’t My IT Person Do This?
Sometimes the answer is yes, but often the answer is no, especially if you expect to admit this evidence in court. Forensic analysts are trained to use repeatable, reproducible, and defensible methodologies. That includes documenting the methods used and maintaining a proper chain of custody. The analyst’s foremost concern is collecting data in as pristine a state as possible and performing a defensible collection.
Our advice to legal professionals is to consult with a digital forensics professional before you initiate a collection effort. You may be surprised how much time and money is saved when utilizing the right blend of forensic collection techniques. Recent technological advances have made remote collection a much more viable option than ever.
As always, call Data Narro if you have ANY questions concerning digital forensics, mobile phone forensics, ESI collection, or data recovery. Initial consultations are always at no cost or obligation to you.