No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society.

Similar presentations


Presentation on theme: "No Nonsense File Collection Presented by: Pinpoint Labs Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner Members: The International Society."— Presentation transcript:

1 No Nonsense File Collection
Presented by: Pinpoint Labs
Presenter: Jon Rowe, CCE, ISFCE Certified Computer Examiner
Members: The International Society of Forensic Computer Examiners

2 Session Objectives
  Understanding ESI collection methods
  Typical ESI collection mistakes
  Improve vendor selection
  Avoid client system modifications
  Common problems with existing methods
  Demonstrate automated job process using One Click Collect

3 Custodial Collections: 3 Common ESI Collection Methods
  ‘Drag and drop’
    Alters file timestamps and metadata
    No chain of custody
    Missed search results
  Hard drive imaging/cloning
    Chain of custody
    Retains file timestamps and metadata
    Required for most forensic exams
  Remote collection
    Creates forensic image or active files only
    Can be remotely scripted
    Custodians may perform “self collection”
Using the ‘drag and drop’ collection method is common; however, it carries several related risks.

12 ESI Active File Collection

14 Incomplete File Collections: 8 Common Reasons Evidence is Missed
Many active file collection processes don’t:
1) Hash verify file contents
2) Copy files in paths greater than 255 characters
3) Log files in use
4) Easily apply settings across multiple jobs
5) Handle Unicode filenames
6) Handle network drops or extended outages
7) Effectively resume interrupted file copies
8) Identify all custodian systems and data sources

15 ESI Collections: 3 Important Questions
1) What hard drive imaging tools do you use?
Imaging tools affect turnaround time and cost to clients. Approximate turnaround time varies with the approach. The following figures show the difference between imaging a 100GB hard drive with hardware and with software.
  Additional time for setup, tear down and documentation is required
  Using hardware may not be an option for custodian files located on network drives and file shares
  Hardware (Logicube MD5, Logicube Talon, HardCopy, ImageMasster): 2-3GBPM (gigabytes per minute), or approximately 30-60 minutes
  Software (FTK Imager, Helix, EnCase): 300-500MBPM (megabytes per minute), or approximately 300-500 minutes (potentially 5-8 hours)

16 ESI File Collections: 3 Important Questions
2) What do you charge?
Ask them to specify:
  Hourly
  Daily
  Per drive
  Additional media cost
Common expenses:
  $100-$200 per hour (plus media)
  $350-$500 per drive (plus media)
  Hard drive imaging
  Restored image to clone drive (5-10 hours)
  Live acquisition (can take at least several hours to several days)
  Travel related expenses

17 Electronic File Collections: 3 Important Questions
3) Do you offer computer forensic images AND hard drive cloning?
Many computer forensic examiners are trained to create forensic images, which are used during investigations. These same image files aren’t natively supported by common electronic discovery and litigation support applications.
TIPS AND TRICKS
1) Request hard drive clones (if possible) for files used in electronic discovery
2) Purchase Mount Image Pro, which allows access to computer forensic image files (www.mountimage.com)
3) Restore computer forensic images to a clone drive

18 Custodial Collections: Potential Data Sources
  Hard drives
  Servers
  Backup media
  Email servers
  Other hard drives and email servers in the organization
  Outside recipients (hard drives, servers, backups)
  Laptop computers
  Home computers
  USB drives, CDs, DVDs
  Cell phones, smart phones, PDAs
  GPS

19 Court Recognized Sources
Sources ranked from most accessible to least accessible for purposes of e-evidence discovery:
  Active, online data [on HDD or active network servers]
  Near-line data [on removable media, optical disks/mag tape]
  Offline storage/archives [on offline removable media]
  Backup tapes [not organized for retrieval of individual files]
  Erased, fragmented, or damaged data [tagged for deletion, but may still exist]

20 Pinpoint Labs’ new One Click Collect technology allows you to be in control of an on-site collection without actually being there. Easily create file requests that automate both individual custodian and large-scale network collections. With Pinpoint Labs One Click Collect, forensically sound file collections just got easier. One Click Collect includes both portable (Onsite) and combined network and portable (Harvester) licensing options, allowing you to keep control of the collection without leaving your office.
Feature Highlights:
  Instantly up and running because no shipping of hardware or software is required
  Forensically sound ‘self collection’
  No training required for your clients
  Scriptable hash list filtering, including “deNISTing” and deduping (Harvester Edition)
  Compatible with all electronic discovery and litigation support databases
  Easily transfer the licenses between locations
  Supports paths greater than 255 characters (up to 32,000)
  Preserves file system timestamps and metadata, with MD5 hash verification
  Filters by file extension (inclusion, exclusion and use of a file extension list), signature and date range
  Provides clients a job summary and file lists for relevant sources
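Added example, not code from Pinpoint Labs or One Click Collect: a minimal Python active-file collector that addresses items 1), 2), 3) and 5) from slide 14 (hash verification, long paths, logging in-use files, Unicode names) and the timestamp and MD5 preservation that slide 20 promises, contrasted with the ‘drag and drop’ behaviour from slide 3. The file name, contents and timestamps in demo() are constructed; the \\?\ long-path prefix is a Windows-only assumption and is a no-op elsewhere.

```python
import hashlib, os, shutil, sys, tempfile

CHUNK = 1 << 20  # 1 MiB read size for hashing and copying

def long_path(p: str) -> str:
    # Windows only: the \\?\ prefix lifts the 260-character MAX_PATH limit
    # (the slide's "paths greater than 255 characters" case); no-op elsewhere.
    if sys.platform == "win32" and not p.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(p)
    return p

def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(long_path(path), "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_file(src: str, dst: str, log: list) -> dict:
    """Copy one custodian file, preserve timestamps, hash-verify, and log it."""
    entry = {"source": src, "destination": dst}
    try:
        st = os.stat(long_path(src))
        src_md5 = md5_file(src)  # hash the original before touching anything
        os.makedirs(os.path.dirname(long_path(dst)), exist_ok=True)
        shutil.copyfile(long_path(src), long_path(dst))
        # Put the original access/modified times back at nanosecond precision;
        # a drag-and-drop copy would carry the collection time instead.
        os.utime(long_path(dst), ns=(st.st_atime_ns, st.st_mtime_ns))
        dst_md5 = md5_file(dst)
        entry.update(size=st.st_size, md5=src_md5, mtime_ns=st.st_mtime_ns,
                     dst_mtime_ns=os.stat(long_path(dst)).st_mtime_ns,
                     status="ok" if src_md5 == dst_md5 else "hash_mismatch")
    except PermissionError as e:  # locked / in-use file: record it, never skip silently
        entry.update(status="in_use", error=str(e))
    log.append(entry)
    return entry

def demo() -> list:
    """Constructed sample: a Unicode-named file with a back-dated mtime."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "custodian", "résumé_日本.docx")
    os.makedirs(os.path.dirname(src))
    with open(src, "wb") as f:
        f.write(b"sample evidence " * 1000)  # 16,000 bytes
    os.utime(src, ns=(1_600_000_000 * 10**9, 1_500_000_000 * 10**9))
    log = []
    collect_file(src, os.path.join(root, "collected", "résumé_日本.docx"), log)
    return log
```

The returned log is the chain-of-custody record for the job: source and destination paths, size, MD5, the preserved mtime, and whether the copy verified or the file was in use.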

