Whether you’re required to preserve data for an eDiscovery request, internal investigation, or government subpoena, remote digital forensics may be the best solution.
 
Remote collections allow forensic analysts to preserve electronically stored information (ESI) regardless of where the custodian is located. Let’s explore some of the most common questions we receive:
 

When Should a Remote Collection Be Performed?

The first step is to determine whether a remote collection should be performed. Questions to consider:

  • What is the scope of the project?
  • Where are the custodians and data located?
  • What types of devices are involved and are they encrypted?
  • How quickly does the data need to be preserved?
  • Is deleted data a consideration?

An experienced digital forensic analyst will be able to work closely with you to help choose the right collection methodology for your project so that the engagement is completed in a timely and cost-efficient manner.

How is Evidence Collected Remotely?

If remote collection is the right choice for your project, TCDI digital forensic analysts will:
  • Ship a remote collection kit to the custodian’s location;
  • When the hard drive arrives, perform a screen share with the custodian to set up and initiate the forensic collection;
  • Once the collection is completed and verified, have the custodian mail the encrypted hard drive back to TCDI’s forensic lab using the return slip included in the original packaging; and
  • When the remote collection kit arrives at TCDI offices, check the data into evidence and begin the subsequent analysis.

What Questions Should You Ask Your Provider?

Engaging an experienced forensic analyst is key to ensuring your data collection process is defensible. Some other questions you may want to consider are:
  • Do you need chain of custody documentation?
  • What kind of forensic images are you creating?
    • Is it a .zip file, E01 image, or another format?
  • After you collect the data, can you confirm the data has not been altered?

If Evidence is Collected Remotely, is it Admissible?

Long story short, yes. Remote collections are admissible in court as long as the process and methodology used by your forensic analyst are:
  • Repeatable: The methodologies used by the digital forensic analyst can be replicated;
  • Reproducible: The data obtained using the original collection methodology will match the initial results; and
  • Defensible: If the methods are repeatable, and the results reproducible, you can maintain a defense that the data represents what you say it represents.
An important thing to note, however, is that it is essential to resist the urge to take a peek at the data or to attempt to preserve it internally (e.g., using in-house IT staff).
 
Both of these actions risk overwriting evidence or removing data that is critical for a digital forensic investigation. Thus, it is essential that the person preserving the data is properly trained in digital forensics.
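The "has the data been altered?" question above and the repeatable/reproducible/defensible test come down to the same mechanic: the imaging tool records hashes at acquisition time, and anyone re-hashing the image later must get the same values. The following is an added illustration, not TCDI's tooling; the sample "drive" bytes and the segment size are constructed, and real imagers (E01 and similar) work on far larger segments.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample drive contents; a real acquisition reads the physical device.
SAMPLE_DRIVE = (b"MBR\x00" * 64 + b"file.docx contents" + b"\x00" * 200
                + b"deleted data still in unallocated space")
SEGMENT_SIZE = 128  # bytes here; real image segments are typically gigabytes


@dataclass
class AcquisitionRecord:
    segment_hashes: list  # SHA-256 of each segment, recorded during acquisition
    image_sha256: str     # hash of the complete logical image
    image_md5: str        # second algorithm, as many imaging tools record both


def acquire(source: bytes, segment_size: int = SEGMENT_SIZE):
    """Read the source once, split it into segments and hash as we go."""
    segments = [source[i:i + segment_size] for i in range(0, len(source), segment_size)]
    sha, md5, seg_hashes = hashlib.sha256(), hashlib.md5(), []
    for seg in segments:
        sha.update(seg)
        md5.update(seg)
        seg_hashes.append(hashlib.sha256(seg).hexdigest())
    return segments, AcquisitionRecord(seg_hashes, sha.hexdigest(), md5.hexdigest())


def verify(segments, record: AcquisitionRecord):
    """Recompute every hash and compare; returns (ok, indexes of mismatching segments)."""
    if len(segments) != len(record.segment_hashes):
        return False, list(range(max(len(segments), len(record.segment_hashes))))
    bad = [i for i, seg in enumerate(segments)
           if hashlib.sha256(seg).hexdigest() != record.segment_hashes[i]]
    whole = b"".join(segments)
    ok = (not bad
          and hashlib.sha256(whole).hexdigest() == record.image_sha256
          and hashlib.md5(whole).hexdigest() == record.image_md5)
    return ok, bad


def demo():
    """Verify a clean image, then one where a single byte in segment 1 changed."""
    segments, record = acquire(SAMPLE_DRIVE)
    clean_ok, _ = verify(segments, record)
    tampered = list(segments)
    tampered[1] = bytes([tampered[1][0] ^ 0x01]) + tampered[1][1:]
    tampered_ok, bad = verify(tampered, record)
    return clean_ok, tampered_ok, bad
```

Per-segment hashes are what let an analyst say which part of an image no longer matches, while the whole-image hashes are the values that normally appear in the chain of custody documentation.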

What Types of Devices Can Be Preserved?

Laptops / Desktops

TCDI’s digital forensic analysts can preserve a bit-by-bit image of Windows machines or perform a live collection of Macs remotely.

So what does that mean? A bit-by-bit preservation will clone the hard drive of a device in its entirety, including the deleted / unallocated space. A live collection, on the other hand, may only include certain targeted data, such as the User Folder, My Documents, etc.

Examples: Windows, Mac OS X, Linux, and more.

Cell Phones / Tablets

Mobile devices, such as iPhone and Android devices, store a wealth of important information relevant to litigation matters and internal investigations. TCDI’s forensics team can preserve and analyze a variety of devices and provide user-friendly reports on data sources such as text messages, call history, contacts, and geolocation information.

Examples: Apple, Samsung, Google, Microsoft, and more.

Servers

Servers store an abundance and variety of data such as department shares, user shares, applications, databases, websites, email, and log data. Furthermore, a single physical server may be hosting several virtual servers as well.
 
The TCDI team is familiar with the intricacies and unique requirements to forensically collect and analyze server-based data.

Email

Email data stored in the cloud oftentimes cannot be recovered directly from the computers or cell phones used for accessing it.  In these instances, TCDI can access the email directly from the cloud-based email account and download a forensically sound copy for subsequent analysis.

Examples: Outlook 365, Gmail, Yahoo, and more.

Cloud-Based Accounts

Companies are rapidly adopting cloud-based services and storage such as Microsoft OneDrive and Google Drive.  Given their prevalence and ease of data transfer, it is important to consider these potential sources of evidence during forensics investigations or eDiscovery matters.

Examples: Office 365, Dropbox, Google Drive, iCloud, and more.

Social Media

Social media posts, direct messages, and other activity can occasionally be relevant to a legal matter.  TCDI utilizes specialized tools to collect, search, and analyze social data in the event it needs to be submitted as evidence in court.

Examples: Facebook, Twitter, Instagram, YouTube, and more.

What are the Pros and Cons of Remote Forensics?

Pros:
  • No travel expenses, reducing the overall cost;
  • Evidence can be collected from anywhere with minimal interruption to your workflow;
  • Faster turn-around time when custodians are spread across multiple locations; and
  • Complements the transition to triaging data, as well as the transition to a remote workforce.

Cons:

  • May be more difficult to preserve certain devices (e.g., Android phones);
  • Collection type may vary by device (e.g., bit-by-bit preservation vs. live collection); and
  • Requires additional communication and custodian cooperation.