Forensic Collection
Computer Forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the USDOJ rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and ability to provide expert opinion in a court of law or other legal proceeding as to what was found.
The forensic process starts before the collection of evidence. The LightSpeed collection team works with our clients to plan the collection process to ensure the highest degree of success. This process includes chain of evidence forms, which track all devices from their time of collection to their time of return. Forensic acquisition forms are also completed to track the details for every device collected. The information collected includes but is not limited to; computer serial number, hard drive serial number, date and time device is set to and actual date and time for comparison.
Forensic acquisition forms are also completed to track the details for every device collected. The information collected includes but is not limited to; computer serial number, hard drive serial number, date and time device is set to and actual date and time for comparison.
In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.
Active Data, is the information that you and I can see. Data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival Data, is data that has been backed up and stored. This could consist of backup tapes, CD's, floppies, or entire hard drives to cite a few examples.
Latent Data, is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
We often get the question of “Why forensically collect?” or “Why can’t we just gather the data ourselves”. Below are a few reasons that should impact the decision:
Admissibility in court
If the collection is done in-house, there is no independence and a company opens itself up to legal challenges from the other side of tampering, spoliation etc. Not only can this be far more costly than doing it right, it can harm your case so badly that the evidence may be inadmissible.
Spoliation of evidence
The collection is the most important part of the e-discovery process. If the evidence is not collected properly, you forever lose the ability to litigate these issues effectively. If for example, it is requested that deleted files be recovered to cover potential tampering or inadvertent deletion, but IT staff doesn't collect unallocated space you'll never know what vulnerabilities your client is exposed to. There about a hundred things that can go wrong, but only 1 or 2 ways to do it right.
Independent analysis
IT staff do not have any legal training and are not expert witnesses. Since the analysis is done in-house, they will be subject to extreme attack of bias from the other side. IT staff will often reach conclusions that are only favorable to their case and ignore evidence that they don't like.
Tools
IT staff do not have the training or the tools to conduct analysis properly. Important things will most certainly be missed or overlooked. Tools are expensive and require training. IT staff are focused on keeping the business running. They have little to no litigation experience and do not understand what is important in litigation and why.
Infrastructure
IT staff almost never have the tools, training or experience to dedupe, cull, DNIST or present the material for review to an attorney. It is extremely unlikely they will be able to provide tools for review. This all results in duplicates, junk files etc.
|
