When Should a Remote Collection be Performed?
The first step is to determine whether a remote collection should be performed. Questions to consider:
- What is the scope of the project?
- Where are the custodians and data located?
- What types of devices are involved and are they encrypted?
- How quickly does the data need to be preserved?
- Is deleted data a consideration?
An experienced digital forensic analyst will be able to work closely with you to help choose the right collection methodology for your project so that the engagement is completed in a timely and cost-efficient manner.
How is Evidence Collected Remotely?
- Ship a remote collection kit to the custodian’s location;
- When the hard drive arrives, forensic analysts will perform a screen share with the custodian to set up and initiate the forensic collection;
- Once the collection is completed and verified, the custodian will mail the encrypted hard drive back to TCDI’s forensic lab using the return slip included in the original packaging; and
- When the remote collection kit arrives at TCDI offices, the data will be checked into evidence and subsequent analysis will begin.
Our digital forensics team has the optimal blend of technical and eDiscovery professionals who have assisted clients in hundreds of remote collections across the United States.
While many service providers scrambled to come up with a remote digital forensics solution in 2020, it was business as usual at TCDI. We have been performing remote collections for our clients for years.
TCDI utilizes sophisticated tools and technology to facilitate the remote collections process. Our trained forensic analysts are adept at walking clients through the process from start to finish.
What Questions Should You Ask Your Provider?
- Do you need chain of custody documentation?
- What kind of forensic images are you creating?
- Is it a .zip file, E01 image, or another format?
- After you collect the data, can you confirm the data has not been altered?
If Evidence is Collected Remotely, is it Admissible in Court?
- Repeatable: The methodologies used by the digital forensic analyst can be replicated;
- Reproducible: The data obtained using the original collection methodology will match the initial results; and
- Defensible: If the methods are repeatable, and the results reproducible, you can maintain a defense that the data represents what you say it represents.
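One common way to answer the "has the data been altered?" question and to demonstrate the Reproducible criterion above is a hash manifest recorded when the collection completes and re-checked when the drive is checked into evidence. The following is an added example, not TCDI's tooling; the function names and file names are hypothetical, and the sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large forensic images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Collection time: map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest):
    """Check-in time: re-hash the drive and report every deviation from the manifest."""
    current = build_manifest(root)
    return {
        "altered": sorted(k for k in manifest
                          if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed sample: a stand-in drive that is verified, then modified in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "image.E01").write_bytes(b"constructed image segment")
        (drive / "collection.log").write_text("constructed log\n")
        manifest = build_manifest(drive)            # recorded by the analyst
        clean = verify_manifest(drive, manifest)    # same data: no findings
        (drive / "image.E01").write_bytes(b"constructed image segmenT")  # one byte differs
        (drive / "collection.log").unlink()
        (drive / "extra.txt").write_text("not in manifest")
        tampered = verify_manifest(drive, manifest)
    return clean, tampered

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

The manifest only proves integrity if it is stored or transmitted separately from the drive it describes; a manifest that travels on the same media can be regenerated by whoever alters the data.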
What Types of Devices Can Be Preserved?
Laptops / Desktops
TCDI’s digital forensic analysts can preserve a bit-by-bit image of Windows machines or perform a live collection of Macs remotely.
So what does that mean? A bit-by-bit preservation will clone the hard drive of a device in its entirety, including the deleted / unallocated space. A live collection, on the other hand, may only include certain targeted data, such as the User Folder, My Documents, etc.
Examples: Windows, Mac OS X, Linux, and more.
Cell Phones / Tablets
Mobile devices, such as iPhone and Android devices, store a wealth of important information relevant to litigation matters and internal investigations. TCDI’s forensics team can preserve and analyze a variety of devices and provide user-friendly reports on data sources such as text messages, call history, contacts, and geolocation information.
Examples: Apple, Samsung, Google, Microsoft, and more.
Email data stored in the cloud oftentimes cannot be recovered directly from the computers or cell phones used for accessing it. In these instances, TCDI can access the email directly from the cloud-based email account and download a forensically sound copy for subsequent analysis.
Examples: Outlook 365, Gmail, Yahoo, and more.
Companies are rapidly adopting cloud-based services and storage such as Microsoft OneDrive and Google Drive. Given their prevalence and ease of data transfer, it is important to consider these potential sources of evidence during forensics investigations or eDiscovery matters.
Examples: Office 365, Dropbox, Google Drive, iCloud, and more.
Social media posts, direct messages, and other activity can occasionally be relevant to a legal matter. TCDI utilizes specialized tools to collect, search, and analyze social data in the event it needs to be submitted as evidence in court.
Examples: Facebook, Twitter, Instagram, YouTube, and more.
What are the Pros and Cons of Remote Forensics?
Pros:
- No travel expenses, reducing the overall cost;
- Evidence can be collected from anywhere with minimal interruption to your workflow;
- Faster turn-around time when custodians are spread across multiple locations; and
- Complements the transition to triaging data, as well as the transition to a remote workforce.
Cons:
- May be more difficult to preserve certain devices (e.g., Android phones);
- Collection type may vary by device (e.g., bit-by-bit preservation vs. live collection); and
- Requires additional communication and custodian cooperation.