Page 1: Data Acquisition & Forensics DAF 101 The Oliver Group

Data Acquisition & Forensics

DAF 101

The Oliver Group

Page 2

Agenda

• About The Oliver Group & Your Presenters

• The Data Acquisition Process

• Data Recovery

• Forensic Analysis

• The Cloud and Social Media

• Summary

• Q&A

Please email any questions, requests or information to [email protected] before, during or after the presentation.

Page 3

Company Overview and Highlights

The Oliver Group provides focused expertise in helping clients navigate through the early stages of the electronic discovery process. For more than a decade, we have provided expert services in support of many high profile litigation and compliance related matters. Our clients include leading litigation support providers, law firms and corporations. With facilities in Connecticut (US) and London (UK) we offer the following services on a global basis:


Page 4

Data Acquisition & Forensics Agenda

• Data Acquisition
  – Philosophy On-site
  – Scoping Process
  – Identifying Sources

• Tools, Data Recovery
  – Where does evidence reside?
  – Options

• Forensic Analysis
  – Tools
  – Options

•Cloud and Social Media

•Q&A


Page 5

TOG Data Acquisition & Forensics

Data Acquisition & Forensics
– Performed globally in a forensic and defensible manner.

– Typically this means deploying a team of experts on-site at the client's facility to collect data deemed discoverable.

– Over the years we have performed some of the largest and most complex data acquisitions, involving hundreds of custodians in multiple locations.


Page 6

Philosophy On-site

– Minimally disruptive to the end user

– Acquisition Documentation
  • Drives, folders and files that were accessed
  • The date, time, and location of the collection
  • Full path names
  • Where data has been transferred
  • Data volumes
  • Notes about the collection

– Adhere to strict chain of custody


Page 7

Data Acquisition - Scoping

• Preliminary Questions:
  – Where does data reside?
  – Number of Custodians?
  – Timeframe(s)?
  – Policies?
  – Imaging v. copying

• IT Questionnaires

• Scoping Calls with TOG Subject Matter Experts

• Custodian Interview and Scheduling

• Collection Options
  – On-site
  – Remote
  – Supervisory
  – Combination

Page 8

Data Acquisition – Identifying Sources

• Custodian PCs/Laptops
  • Targeted collection or Forensic Images

• Server data collection
  • Email Servers
  • Network drives – home shares, departmental shares, project folders
  • Other – proprietary systems, SharePoint, tracking systems, etc.

• Other Data sources
  • Removable media
  • Backup tapes
  • Flash/thumb drives
  • CD/DVD
  • Home PCs
  • Blackberries/iPhones/Cell phones/etc.


Page 9

Data Acquisition - The Basics

• Forensic Capture
  – Utilize tools that maintain metadata
  – Consider scope and size of matter

• Forensic imaging
  – Bit-level copy
  – Never have to go back to the custodian's PC
  – Captures logical, deleted and fragment data
  – 2 copies: Preservation & Working
  – Required for forensic analysis

• Chain of custody
  – Detailed documentation
  – Custodian interviews
  – IT interviews

• Preservation
  – Critical for data on preservation hold that is at risk of spoliation or deletion


Page 10

Data Acquisition Terminology

EVIDENCE DRIVE - Simply, the media, usually an internal or external hard drive that will contain a “copy” of the suspect’s media. This drive will be used to process data based on the specifics of the case.

SUSPECT DRIVE - The “original” media or the custodian’s media.

BIOS - Basic Input / Output System (Date / Time) – Forensic engineers always check the BIOS clock before capture and record its date and time next to a trusted reference clock. The suspect machine's clock is documented, not corrected: any offset is noted so that file-system timestamps on the image can be interpreted correctly.

HASH VALUE - A hashing (signature) tool is used to verify data integrity by generating a 32-bit CRC and one of the following: a 128-bit (MD5), 160-bit (SHA-1) or 256-bit (SHA-256, from the SHA-2 family) "fingerprint" of the seized and copied data. The hash of the copy must match the hash of the original, and it is recomputed whenever the image is moved or reused. MD5 and SHA-1 are no longer collision-resistant, so an image should carry at least one SHA-2 value alongside whatever older hash a client or tool requires.

FORENSIC IMAGE - A single file (or set of segment files) containing the complete contents and structure of a data storage medium or device, such as a hard drive. It is created by a sector-by-sector copy of the source media that ignores the file system, so the structure and contents of the device, including unallocated and slack space, are replicated exactly.

PRESERVATION - According to the EDRM, "ensuring that ESI is protected against inappropriate alteration or destruction".

IMAGE EXTRACTION - The process by which files are retrieved/extracted from a forensic image and copied to a desired location while maintaining their original metadata. Image extraction puts all logical files and fully recoverable deleted files into a form where they can be accessed, viewed, modified and processed without forensic analysis software (FTK, EnCase, etc.).
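The terms above, and the documentation items from the "Philosophy On-site" slide, come together in the imaging step. The following is an added example written for this page, not code from The Oliver Group or from any of the tools named: it reads the suspect media once, writes a preservation copy and a working copy, hashes the source stream with MD5, SHA-1 and SHA-256 as it is read, re-hashes both copies against the source value, and returns an acquisition record (examiner, location, host, start and finish time, byte count, hashes, verification result). The sample "drive" contents, the examiner name and the location are constructed; on a real job the source would be the raw device behind a hardware write-blocker and the outputs would sit on the evidence drive.

```python
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20          # 1 MiB per read; a real drive goes through the same loop
ALGOS = ("md5", "sha1", "sha256")


def hash_file(path):
    """Hash an existing file with all of ALGOS in a single pass over its bytes."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire(source, preservation, working, examiner, location):
    """Copy `source` byte for byte into two output files and document the collection.

    On a real job `source` is the raw device node presented through a hardware
    write-blocker and both outputs live on the evidence drive; here all three are
    ordinary files so the example runs anywhere.
    """
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    hashes = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    with open(source, "rb") as src, \
         open(preservation, "wb") as pres, \
         open(working, "wb") as work:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            size += len(chunk)
            for h in hashes.values():      # hash the source stream as it is read
                h.update(chunk)
            pres.write(chunk)
            work.write(chunk)
    source_hashes = {name: h.hexdigest() for name, h in hashes.items()}
    copies = {"preservation": preservation, "working": working}
    # Each copy is re-read and must hash identically to the source stream; a
    # mismatch means the copy is not evidence and the acquisition is repeated.
    verified = {label: hash_file(path) == source_hashes for label, path in copies.items()}
    return {
        "source": os.path.abspath(source),
        "bytes": size,
        "hashes": source_hashes,
        "copies": {label: os.path.abspath(path) for label, path in copies.items()},
        "verified": verified,
        "examiner": examiner,
        "location": location,
        "acquisition_host": platform.node(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Acquire constructed sample media from a temp directory and write the record."""
    workdir = tempfile.mkdtemp(prefix="daf101-")
    suspect = os.path.join(workdir, "suspect.bin")
    # Constructed stand-in for a custodian drive: one active document, the remains
    # of a deleted file that was never overwritten, and zeroed free space.
    with open(suspect, "wb") as fh:
        fh.write(b"ACTIVE FILE: quarterly report draft\n".ljust(4096, b"\x00"))
        fh.write(b"deleted but not overwritten email fragment".ljust(4096, b"\x00"))
        fh.write(b"\x00" * 4096)
    record = acquire(
        suspect,
        os.path.join(workdir, "image_preservation.dd"),
        os.path.join(workdir, "image_working.dd"),
        examiner="J. Examiner (constructed)",
        location="client site, Pawcatuck CT (constructed)",
    )
    with open(os.path.join(workdir, "acquisition_record.json"), "w") as fh:
        json.dump(record, fh, indent=2)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is the start of the chain of custody: re-running `hash_file` on the working copy before and after analysis, and comparing against the stored values, is how an examiner later shows the copy was not altered.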


Page 11

Data Acquisition Tools

• Software Capture (EnCase Forensic/FTK/etc.)
  – A single copy is created
  – Software-based
  – The examiner's PC is used as the "medium" for data transfer

• Hardware imaging tool (duplicator)
  – Captures 2 copies at one time
  – Hardware-based
  – Creates raw (dd) images, which can be extracted/read by forensic software tools

• Forensic write-block hardware
  – Write-protects the suspect drive, so that connecting it to the imaging system cannot alter it

• Dozens of other utilities – media/matter dependent


Page 12

Data Recovery

Where does evidence reside?

• The logical file system

• The event logs

• The Registry, which you should think of as an enormous log file.

• Application logs not managed by the Windows Event Log Service.

• The swap file, which harbors information that was recently in RAM (pagefile.sys, normally in the root of the system volume).

• Special application-level files, such as Internet Explorer's history files (index.dat), Netscape's fat.db and history.hst files, and the browser cache.


Page 13

Data Recovery

Where else does evidence reside?

• Temporary files created by many applications

• The Recycle Bin (a hidden, logical file structure where recently deleted items can be found)

• The Printer Spool

• Sent or received email, such as the .PST files for Outlook Mail

• Slack space (the unused tail of a file's last cluster), which can still hold fragments of previously deleted files that are not otherwise recoverable

• Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters.


Page 14

Data Recovery Options

• Logical Files
  – Commonly referred to as Active Files (files not deleted)

• Deleted Files
  – Never over-written – their clusters are marked unallocated in the file system's allocation structures (the FAT on FAT volumes, the MFT and $Bitmap on NTFS) and shown in EnCase as deleted
  – Can either be "restored" to their original location OR delivered separately from the logical files

• Deleted & Partially Overwritten files
  – Rarely delivered to the client – what survives may be a small piece or a large portion of a file
  – Findings are reported
  – Requires forensic analysis to recover
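The difference between a deleted file that was never overwritten and one that was partially overwritten is what a carver sees when it walks unallocated and slack space. The following is an added example for this page, not code from EnCase, FTK or The Oliver Group: a minimal header/footer carver that scans a raw image for file signatures, pairs each header with its footer, and reports every hit as complete (recoverable and deliverable) or partial (header present, remainder overwritten, so reported rather than delivered). The signatures are the real JPEG, PNG and PDF magic numbers; the eight-cluster image and the files planted in it are constructed inline.

```python
import hashlib

# (header, footer) magic numbers; real carvers carry far larger signature tables
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024   # give up on a footer after this many bytes
CLUSTER = 512                  # cluster size of the constructed sample volume


def carve(image, max_carve=MAX_CARVE):
    """Return artefacts found in `image` (a raw image as bytes), sorted by offset.

    A header followed by its footer within max_carve bytes is a complete,
    recoverable file. A header with no footer is reported as a partial hit:
    the fragment runs to the next known header, the carve limit or the end of
    the image, with trailing zero fill removed. Known limits: a JPEG carrying an
    EXIF thumbnail has a second SOI/EOI pair, so the first EOI can truncate the
    carve, and fragmented files are not reassembled.
    """
    all_headers = [hdr for hdr, _ in SIGNATURES.values()]
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            body = start + len(header)
            end = image.find(footer, body, start + max_carve)
            if end >= 0:
                data = image[start:end + len(footer)]
                complete = True
                pos = end + len(footer)
            else:
                nxt = [n for n in (image.find(h, body) for h in all_headers) if n >= 0]
                stop = min([start + max_carve, len(image)] + nxt)
                data = image[start:stop].rstrip(b"\x00")
                complete = False
                pos = body
            hits.append({
                "type": kind, "offset": start, "length": len(data),
                "complete": complete, "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed files (real magic numbers, made-up bodies)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 300 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x02" * 17
              + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
SAMPLE_PARTIAL = b"\xff\xd8\xff\xe1\x00\x22Exif\x00\x00" + b"\x03" * 120  # body cut off, no EOI
ACTIVE_FILE = b"Active text document still listed by the file system.\n"


def build_sample_image():
    """Eight clusters: an active file, a deleted JPEG, a PNG in slack, a damaged JPEG."""
    img = bytearray(CLUSTER * 8)
    # cluster 1: deleted JPEG, clusters unallocated but never overwritten
    img[CLUSTER:CLUSTER + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    # cluster 3: a short active file; the PNG is an older remnant in its slack space
    img[3 * CLUSTER:3 * CLUSTER + len(ACTIVE_FILE)] = ACTIVE_FILE
    img[3 * CLUSTER + 64:3 * CLUSTER + 64 + len(SAMPLE_PNG)] = SAMPLE_PNG
    # cluster 6: JPEG whose tail was overwritten (zero fill), header still present
    img[6 * CLUSTER:6 * CLUSTER + len(SAMPLE_PARTIAL)] = SAMPLE_PARTIAL
    return bytes(img)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        state = "complete" if hit["complete"] else "PARTIAL, report only"
        print(f"{hit['type']:5} @ {hit['offset']:6d}  {hit['length']:5d} bytes  {state}  {hit['sha256'][:16]}")
```

Each hit carries its own SHA-256 so a carved item can be referenced in the findings report without re-hashing, and the offset ties it back to the image rather than to any file name, which is the only identity a deleted file still has.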


Page 15

Data Recovery/Forensic Analysis Tools

• Most common tools utilized – industry standard

• Guidance Software's EnCase Forensic
  – Acquisition
  – Data Recovery
  – Data Carving
  – Data Culling / methods to filter results – searches "on the fly"
  – Analysis

• AccessData's FTK
  – Acquisition
  – Data Recovery
  – Data Carving
  – Data Culling / methods to filter results – data is indexed prior to searching
  – Analysis

The two have similar capabilities; it is the consultant's choice which tool works best for the job at hand.


Page 16

Forensic Analysis Options

• Examine
  – Deleted Files
  – E-Mail
  – Internet Access / History
  – Search Terms
  – Search HASH Values
  – Header analysis
  – Specific software – i.e. Wiping programs

• Custodian behavior & trends

• Reporting
  – Chain of custody
  – Methodology
  – Findings

• Affidavits/Testimony
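Two of the "Examine" steps above, search terms and search by hash value, are shown together in the following added example (written for this page; not code from EnCase, FTK or The Oliver Group). It walks an extracted working copy, hashes every file with SHA-256 and compares it against a hash set, and searches file contents case-insensitively for the matter's terms. Hash matching is by content, so a known program such as a wiping utility is found even after it has been renamed to look like a document. The hash set, the search terms and the three files in the extracted tree are all constructed for the example; in practice the hash set comes from a known-file library or from hashing the tool on a clean reference machine.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20

# Constructed stand-in for a wiping utility; hashed to seed the known-file set.
WIPER_BYTES = b"MZ\x90\x00 constructed-sample-wiping-tool " + bytes(range(256))
KNOWN_HASHES = {
    hashlib.sha256(WIPER_BYTES).hexdigest(): "sample wiping tool (constructed known file)",
}
# Hypothetical matter terms
SEARCH_TERMS = ["project falcon", "shred", "delete everything"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, hash_set=KNOWN_HASHES, terms=SEARCH_TERMS):
    """Walk an extracted working copy under `root`; return hash matches and term hits.

    Hash matching is done on content, so a known file is found even when it has
    been renamed. Term search here reads each file whole and decodes it as
    latin-1 (one byte per character) so binaries are still searchable; at matter
    scale the same search runs against an index, as the FTK slide describes.
    """
    pattern = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha256_of(path)
            if digest in hash_set:
                findings.append({"path": rel, "kind": "hash", "detail": hash_set[digest],
                                 "context": "", "sha256": digest})
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")
            for m in pattern.finditer(text):
                ctx = text[max(0, m.start() - 25):m.end() + 25].replace("\n", " ")
                findings.append({"path": rel, "kind": "term", "detail": m.group(0).lower(),
                                 "context": ctx, "sha256": digest})
    return sorted(findings, key=lambda f: (f["path"], f["kind"], f["detail"]))


def demo():
    """Build a small constructed extraction tree and triage it."""
    root = tempfile.mkdtemp(prefix="daf101-extract-")
    os.makedirs(os.path.join(root, "Documents"))
    files = {
        "Documents/notes.txt": WIPER_BYTES,   # the known tool, renamed to look harmless
        "Documents/memo.txt": b"Reminder: Project FALCON files must be gone before Friday.\n",
        "Documents/lunch.txt": b"Sandwich order for Thursday.\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return triage(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:4}  {f['path']:22}  {f['detail']}  {f['context']}")
```

Every finding records the file's SHA-256 alongside the path, so a hit in the report can be tied to a specific item in the working copy and re-verified later, which is what the "Reporting" bullets above require.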


Page 17

Cell phones/Blackberries/iPhones/PDAs

•Acquisition Options

– Logical acquisition (full files)

– Physical acquisition (bit by bit)
  • Can perform forensic analysis and image extraction

– Both

– Neither

• Data Options

– Simply, everything you can view when the antenna/signal is off
  • Call Logs
  • Text Messages
  • Emails
  • Pictures
  • Contacts
  • Memos/Notes
  • Other (Office files, application files, etc.)

• Manufacturer/Model dependent

– Dependent on the Operating System of the device

– Some devices have their own tools for logical collection

– Some providers lock down items such as text messages

– Passwords/Encryption

Page 18

Cell phones/Blackberries/iPhones/PDAs

• Dozens of Manufacturers:
  – Acer – Alcatel – Apple – ASUS – Audiovox – BenQ Siemens – Blackberry – Dell – Garmin – HP – HTC – Hyundai – i-mate – Kyocera – LG – Macintosh – MIO – Motorola – NEC – Nokia – O2 – Orange – Palm – Panasonic – Pantech – Philips – POZ – Qtek – Sagem – Samsung – Sanyo – Sharp – Siemens – Sony Clie – Sony Ericsson – Telit – T-Mobile – Toshiba – UBiQUiO – VK Mobile

• Thousands of Models


Page 19

Cloud and Social Media Based Collections

The Oliver Group has extensive experience acquiring data from internet-based applications such as:


Page 20

Q&A


Page 21

Corporate Headquarters

595 Greenhaven Road, Pawcatuck, CT 06379 US

European Office

London, United Kingdom

P: 860.599.9760 | F: 860.599.9768 | [email protected] | www.the-olivergroup.com