What to Expect During A Forensic Data Collection

For those who do not work in digital forensics or deal with forensic data collections and investigations on a regular basis, the thought of going through a collection can be daunting. Both for the law firm charged with setting up the collection and subsequently reviewing the information, and the custodian who is getting their device collected.  

In this post, we will cover what to commonly expect when going through a forensic collection, both from the point of view of the vendor as well as the client and custodian. While this is not an exhaustive breakdown of what goes into forensic collections, the goal of this is to provide a basic understanding of the various areas of concern that go into setting up the collection of a device.  

Forensic collection is the most common digital forensic procedure because it leads to others by necessity. Without collecting the data in a forensically sound manner you cannot complete forensic analysis, investigation, or reporting tasks. 

First, we should define a few common terms such as forensic data collection and custodians. For the purposes of this post, we will only be referring to digital forensics and the collection of ESI from devices or cloud-based sources. Forensic data collection is the process of defensible collecting or imaging information from a device or cloud-based source for the use of forensic analysis, investigation, or review. There are several methods of forensic collection, but the two most common are on-site collections and remote collections. When done improperly, collections can lead to a myriad of issues that can affect the overall outcome of a matter ranging from lack of defensibility to the need to recollect, or even sanctions. 

A custodian is the person having administrative control of a document or electronic file. This is commonly the owner and/or creator of the electronically stored information being collected. An example of a custodian would be a corporate employee involved in litigation, where the employee’s workstation is sought for collection as it is believed to contain information relevant to the case. In this scenario the corporate employee whose workstation is being collected is the custodian. 

Next, for the collection to be scheduled there are commonly some administrative steps that need to take place first. Typically, law firms will engage a third-party vendor to run the collection. This is both because it avoids a conflict of interest, as well as firms sometimes do not prefer to retain a certified forensic examiner and the licenses needed for these forensic collections in-house. Once engaged, the vendor will gather information relating to the client, the case, and the custodians being collected from. 

Once a collection is scheduled between the vendor and the custodian, the vendor will obtain information relating to the specific device that will be collected. Common information they will ask for includes device information (make, model, serial number, operating system, etc.), if there is a pin or passcode on the device, if the device is encrypted or has two-factor authentication enabled. Additional information that can be helpful is knowing whether the device is a personal or work device, if the device is backed up to the cloud, and if there is any mobile device management software involved.  

This is important because many custodians are wary of providing their login credentials and information relating to their device to a third party, and rightfully so. Personal and work devices contain sensitive information and custodians want to know their information is safe. To mitigate this, some vendors require NDA’s during digital forensic stages to protect the firm, the custodian, and the vendor.  

Additional layers of security that are common, if not standard, are vendors having enacted physical security measures in place as well as secure computer forensic labs that only certified forensic examiners have access to too. A chain of custody is another required document that provides transparent and clear documentation of everyone who has handled the device.  

Once device and custodian information are collected, the forensic examiner may have additional questions specific to the collections. These can include asking what information is being collected, where the device is located, inquiring about the initial collection request, asking if the custodian aware of the collection, if any media being targeted or excluded, if this part of a forensic investigation, and various other questions. The forensic examiner will also keep a forensic journal with information such as the name of the forensic examiner, the date of collection, notes and documentation of the collection, software used in the collection, and an internal job or tracking number for the collection.  

Following completion of the forensic collection, the vendor will provide the custodian back with their device and any other items that were given to them initially such as charging cables or cases. Commonly, this is the end of the custodian’s journey relating to the vendors’ need for their involvement, but this does not mean their involvement with the case is necessarily over. From there the vendor will share the information collected via Secure FTP with the law firm and work with their case team for any analysis, investigation, or reporting that is required for the case. 

For more information on forensic data collections or how the TERIS Forensics team can assist your matter, reach out today to learn more.