TRANSCRIPT
Matt Danner, Flashback Data
Preservation Strategies and Data Collection from a Forensic Expert's Point of View
Best practices on executing preservation and administering collection protocols with emphasis on forensically sound methods
About our Webinars
eDiscovery Webinar Series
● Webinars take place monthly and cover a variety of relevant e-Discovery topics
● If you have technical issues or questions, please email [email protected]
● Lexbe webinars are available for viewing (streaming video), and downloadable as a PDF presentation or an MP3 podcast. This webinar and a complete listing of other on-demand webinars are part of the Lexbe eDiscovery Webinar Series
● For notices of future live and on-demand webinars as part of this series please email us at [email protected] or follow us on LinkedIn
About Lexbe
We are an Austin, TX based eDiscovery software and services provider, specializing in serving small & medium-sized law firms and organizations. We provide:
● Cloud-based DIY eDiscovery processing & document review software
● High-speed ESI document processing and data conversion services
● Experienced eDiscovery specialists and expert consultants
Lexbe Sales: [email protected], (800) 401-7809 x22
‘Cost-effective eDiscovery’ “A powerful litigation document management service” ‘Secure, easy-to-use and a great review tool for consideration’
Matt Danner bio
○ Current position: Digital Forensics with FlashBack Data, LLC
○ Prior experience:
  ■ Special Investigations Unit with Texas State Auditor's Office
  ■ Special Investigations Unit with Texas Workforce Commission
○ Regularly presents on digital evidence collection and analysis to legal organizations and law enforcement
○ Frequently testifies as an expert witness related to analysis of computers and mobile devices. His background in criminal investigations makes him a specialist in both criminal defense and prosecution cases related to digital evidence.
WHAT IS DIGITAL FORENSICS?
• Scientific Working Group on Digital Evidence (SWGDE) definition
• The scientific examination, analysis, and/or evaluation of digital evidence in legal matters.
• Digital evidence is information of probative value that is stored or transmitted in binary form.
DF FOUNDATIONS
• Forensically sound acquisition of digital evidence data
• How do we ensure this?
• How do we know the data is accurate?
  • Procedure
  • Methodology
FORENSIC IMAGES
• Bit-for-bit copy of data stored on a digital device.
• Physical vs. Logical Images
• Software used to accomplish this:
  • AccessData FTK Imager
  • Guidance Software EnCase
  • X-Ways Forensics
  • Cellebrite Forensic Hardware/Software (mobile devices)
  • Hardware-based imaging devices
WRITE BLOCKING
• Prevent changes to data during acquisition
• Prevents operating system write commands from reaching the digital device
• Software write blockers
• Hardware write blockers
HASH VALUES
• Mathematically generated values that are unique to specific data patterns
• Examples:
  • MD5: 3688499CB2711B9ECEA8A0075C6EEBA0
  • SHA-1: 5D30BA22A0C8A411F9CFF9376D21F447D0D2D679
  • SHA-256: 4C1A379B3C62A38524545424A02E043C8AAB5CFA5219129D056784D192560230
• Commonly referred to as fingerprints for digital data such as storage devices, forensic images, and files.
EVIDENCE PRESERVATION
• Best method is forensic imaging
• Forensic images are industry standard
• Backups are not as useful and may not contain crucial system artifacts
• Computer should be turned off
• Remove hard drive and acquire forensic image via write blocker
• Possible to use forensically sound boot software
OPTIONS FOR REVIEW
• Get the forensic image first!
• After imaging, a preview of the system files can be conducted
  • Evidence is preserved through the image process
  • Any changes made by preview will not affect the preserved image
  • If imaging is not possible, do not review the device files
• Turn off device and store it in a secure place
• Wait until a forensic examination can be conducted
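The preservation loop the hash, imaging and review slides describe, as an added example that is not part of the presentation: hash a bit-for-bit image, record the values, re-verify the preserved image later, and show that previewing the live device with no write blocker changes the device's fingerprint while the image's stays intact. The `Device` class and its contents are a constructed stand-in for a drive, not a real disk or vendor tool.

```python
import hashlib
from dataclasses import dataclass

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image never has to fit in memory

def fingerprint(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string, in the uppercase hex form shown on the slide."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashes.items()}

@dataclass
class Device:
    """Constructed stand-in for a storage device: raw bytes plus a write-blocker switch."""
    contents: bytearray
    write_blocked: bool = False

    def write(self, offset: int, payload: bytes) -> bool:
        """Model an OS write command; an engaged write blocker stops it reaching the media."""
        if self.write_blocked:
            return False
        self.contents[offset:offset + len(payload)] = payload
        return True

def acquire_image(device: Device) -> tuple:
    """Bit-for-bit copy taken behind a write blocker, with the acquisition hashes recorded."""
    device.write_blocked = True
    image = bytes(device.contents)
    return image, fingerprint(image)

def verify_image(image: bytes, recorded: dict) -> bool:
    """Re-hash the preserved image and compare with the hashes recorded at acquisition."""
    return fingerprint(image) == recorded

def demo() -> dict:
    """Acquire, then 'preview' the live device with no blocker, and compare the outcomes."""
    device = Device(bytearray(b"constructed sample drive contents " * 1000))
    before = fingerprint(bytes(device.contents))
    image, recorded = acquire_image(device)
    device.write_blocked = False  # blocker removed: a preview now touches the live media
    device.write(0, b"\x01")      # e.g. the OS updating a last-access timestamp
    return {
        "image_matched_device_at_acquisition": recorded == before,
        "image_still_verifies": verify_image(image, recorded),
        "live_device_unchanged": fingerprint(bytes(device.contents)) == before,  # False
    }
```

Recording all three digests at acquisition and re-checking them before analysis is what lets an examiner testify that the image examined is the one that was collected.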
BASIS FOR CONCLUSIONS
• Conclusions should be based on evidence
• Speculation is not evidence
• Assumptions should not be made
• BIG DIFFERENCE
  • “This text message was never sent from this mobile device”
  • “Using the forensic methods described, no evidence was found to indicate that the text message was sent from this mobile device.”
DELETED DATA
• Data is not instantly gone after deletion
• Overwrites with new data have to occur
• Rate of data loss is variable and difficult to predict
• Typically, the sooner data has been deleted the easier it is to recover
• This applies to most types of data
• Computers are easier than mobile devices
EMAIL
• Email clients
  • Microsoft Outlook
  • Thunderbird
  • Apple Mail
• Archive Files
  • Personal Storage Table (PST) - Outlook
  • Offline Storage Table (OST) - Outlook
  • MBOX - Thunderbird
  • Email files - Apple Mail
EMAIL (CONT.)
• Web-Based Email
  • Google Gmail
  • Yahoo! Mail
  • Hotmail
  • Several others
• Fragments can be recovered via web cache
  • Web browsers will store data related to webmail sessions
  • Includes senders/recipients, dates, subject, and message content
  • Not as simple as email archive files
METADATA
• Information about data
• Author
• Creation/modified timestamp
• Editing time
• Last printed timestamp
• Creation Tool
• Microsoft Office Metadata
• Adobe PDF Metadata
• Image Metadata (EXIF data)
• Device information
• Creation timestamps
• GPS data
USER ARTIFACTS (WINDOWS)
• User names
  • Last logon timestamp
• Recent file activity
  • Did a user view a file? - w/timestamps
• Folder activity
  • Did a user view a folder? - w/timestamps
• Did they delete any files?
  • Recycle Bin
  • Recycle Bin bypass
  • USN Journal
• External storage devices
EXTERNAL STORAGE DEVICES
•Was a thumb drive connected?
• Manufacturer
• Device name
• Device serial number
• Volume serial number
• First connected date
• Last connected date
• Files on device
•Great evidence for IP theft cases
MOBILE DEVICES
• Issues with forensic imaging
  • Logical vs. Physical
• Text messages
• Call logs
• Contacts
• Images and videos
• Application data
MOBILE DEVICES (CONT.)
• Internet history
• Deleted items
• GPS data
• Timestamps
MOBILE DEVICE SECURITY
• Passcode lock or damaged
  • Boot loaders
  • Chip-off acquisition
  • JTAG
• Encryption
  • iOS operating system
  • Android operating system
CASE EXAMPLES
• Fraudulent email
• Computers provided with wrong hard drives
• iPhone text message screenshot sends man to jail
• Homicide phones
• Attempted destruction of phone
FRAUDULENT EMAIL
FLASHBACK DATA, LLC
• ISO/IEC 17025:2005 compliant
• ASCLD accredited
  • Same as FBI and Texas DPS
• Digital Forensics
• Data Recovery
• In operation since 2004.
Data Collection
Full Disk Acquisition
● We work with forensic partners, like Flashback
● Extensive network of partners spans all major markets
● Seamless transition of data from forensics firm to the Lexbe platform
● Our eDiscovery consultants can help you determine if you need forensic collection
Remote Collection
● Parties to a litigation are generally required to use reasonable, good faith, and proportional efforts to preserve, identify, and produce relevant information
● Defensible remote collection of ESI by Lexbe’s technical services team
● Limited to certain file types on a computer and/or certain standard directories on a computer where files are usually stored
● Metadata can be preserved to an extent; we can help you determine whether additional steps (hardware/software) need to be taken to preserve sensitive metadata
Remote Collection, cont.
● Remote log-in to workstations
● Specialty email collection software
● Cloud-based storage collection
● Media report for chain of custody
Thank You For Attending
We’ll be making the following available to webinar attendees:
● A recorded streaming version
● MP3 podcast
● PDF
Please let us know if you have any questions or comments about this webinar or suggestions for future topics. This webinar is part of the Lexbe eDiscovery Webinar Series. For notices of future live and on-demand webinars as part of this series please email us at [email protected] or follow us on LinkedIn.
Presenter: Matt Danner, [email protected]
Moderator: Frank [email protected], (512) 649-2440
Webinar Questions: [email protected]
“Because of the Lexbe software, the entire playing field has been leveled for my firm.”
‘Lexbe cost advantages, SaaS convenience and search capabilities appeal to many small firms’
“Lexbe is the easiest eDiscovery software I have ever used”
Learn More About Lexbe
● The Lexbe eDiscovery Platform is our cloud-based processing, review and production tool. Designed for attorneys/legal staff to be DIY and easy to use, with no user fees or case fees. Free standard loading with annual plans.
● Learn about our high-speed/high-capacity eDiscovery services, and expert professional services.
● Request a personalized demo and expert consultation today!