Collection & Processing of

Electronic Information

25th, January; 2011

EDRM

Know Your Landscape

Questions:

Who are the “Players”? Secretaries/Executive Assistants? Network type Devices/Media Corporate Issue vs. Personal?

CollectionTraditional

Original HD

Bit-stream Imaging

Forensic Copy

Password Recovery

HASH

Signature Analysis

History

Extraction

Email Internet History Passwords

Network

Examples:

File Servers Server Farms

Issues:

Dynamic Geographical

Locations Size Use

Archival Media

Examples:

Tapes Hard Drives

Issues:

Reliability Archival Schemes Costs

Mobile Devices

Examples:

Cellular Phones Tablets GPS

Issues:

Ownership Channels

Cloud Computing

Examples:

Google Mail Google Docs MS Office Web Apps

Issues:

Ownership Geographical Collection

Social Media

Examples:

Facebook Twitter LinkedIn

Issues:

Ownership Geographical Collection

Forensic Imaging

Forensic Imaging:

the entire drive contents are imaged to a file and checksum values are calculated to verify the integrity (in court cases) of the image file (often referred to as a “hash value”).

Forensic images are acquired with the use of software tools. (Some hardware cloning tools have added forensic functionality.) – EnCase, FTK, DD, etc.

HASH – MD5 or SHA

Forensic Imaging

Data are stored in “bucket” like storage

Empty Empty EmptyData Data DataData Data

Data

UASpace

Forensic Imaging

Advantages Disadvantages

Relatively Inexpensive Intrusive

Complete Picture High Volumes

Essential to Investigation Privacy Issue

Forensic Imaging

Collection

Covert vs. Office Hour

Forensic Imaging vs. Logical File Imaging vs. Manual Collection

Chain of Custody

Collection

Media Collection Method

Desktop & Laptops Forensic Imaging

Server Computers Logical Copy

Online Data (Cloud Computing)

Hybrid?

Q&A

Kevin Lo

Email: klo@ffpl.caTwitter: kevin_loPhone: +1 (416) 926-4215