
Data Collection and Forensics February 23, 2009


briar

Presentation Transcript


  1. Data Collection and Forensics, February 23, 2009

  2. Electronic Discovery (timeline diagram; labels as extracted): Coding & Scanning, Document Acquisition, 95% Settle, Review, Depositions, Complaint, Discovery Begins, Discovery Closes, Trial, Photocopy, Produce & Share

  3. Electronic Discovery Legal Issues
     • Chain of Custody/Data Integrity
     • “Chain of Custody”
       • Requires that “the one who offers real evidence…must account for the custody of the evidence from the moment in which it reaches his custody until the moment in which it is offered in evidence.” Black’s Law Dictionary, page 156 (6th ed. Abr. 1991)
     • Inexpert handling of electronic media (e.g., open, print, & scan) has serious drawbacks
       • Human error
       • Missing data or inadvertent changes
       • Time to produce
       • No detailed audits

  4. Electronic Discovery Legal Issues
     • Electronic Marginalia
     • Simple spreadsheets and word processing files contain an array of formatting elements including:
       • comments, headers, hidden rows/columns
     • Counsel should proactively ensure the process used provides at a minimum:
       • hidden rows and columns uncovered
       • comments exposed and converted
       • passwords broken
       • blank pages eliminated

  5. Electronic Discovery Terms
     • Metadata
     • Media
     • Tape Restoration
     • Text Extraction
     • Forensics/Collection
     • De-duplication
     • Data Culling

  6. Electronic Discovery Process: Receive Data, Index, Reduce, Search, Convert, Package, Burn

  7. 1 - Receive Data
     • Identify locations of all data and prescribe systematic uniform collection of data
     • Media is sent in many formats: CD DVD DLT DAT Tape
     • Media is signed in and a strict chain of custody process begins

  8. 2 - Index Data
     • Extract
     • Unzip
     • Index
     • Copy
     • Rename (uniform fashion – while maintaining data integrity)
     • Capture valuable info. (metadata)
     • Each file is examined to detect any changes to file extension – possible smoking gun/file
       • another reason why you cannot “just print them”

  9. 3 - Reduce the Data Set
     • De-duplication option
       • Our process ensures accuracy and integrity
       • MD5 Hash – “bit” level count
       • Bit Level most accurate!!
     • Filtering Data
       • Narrow by a specific “date range”
       • Uses metadata to eliminate files outside of the discoverable date range

  10. 4 - Keyword Searching
     • Select keywords or phrases to narrow your search/discovery
     • Advanced searching using Boolean, proximity, etc.
     • Responsive files are flagged and continue through the process
     • Non-responsive files are still preserved
     • Saves Hours
     • Saves $s

  11. 5 - Convert the Data
     • Full Text of files is extracted
     • Hidden information is uncovered
       • rows, columns, changes (if enabled)
       • embedded comments exposed
       • “electronic marginalia”
     • Files converted to TIFF or PDF images

  12. 6 - Package the Data
     • Batchload Application Begins
     • Images bundled and a customized load file is created for uploading to client document management system
       • e.g., Summation, Concordance, etc.

  13. 7 - Burn & Return
     • Final (of several) quality checks performed
     • CDs Burned
     • Data Integrity still intact
     • CDs are shipped to client
     • Data remains on system

  14. Key Considerations
     • Automation = Integrity & Speed
     • Provides Data Integrity – Chain of Custody – Cannot “Just Print Them Out”
     • Allows De-duping, Filtering, & Searching to Reduce Data Set
     • Uncovers Hidden & Meaningful Data
       • Examines all files for hidden file types
       • Hidden Rows/Columns Uncovered
       • Comments are Exposed
       • Metadata Uncovered & Searchable
       • Electronic Marginalia
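
Steps 2 and 3 above (the file-extension check, MD5 de-duplication and date-range filtering) as an added Python example; this is not code from the presentation or from the presenter's tooling. The signature table, the SHA-256 digest kept beside MD5 (MD5 collisions can be constructed deliberately), and all file names and contents are assumptions made for illustration.

```python
import hashlib
from datetime import date

# Constructed subset of file signatures ("magic bytes") and the extensions they fit.
MAGIC = {
    b"%PDF": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"\xd0\xcf\x11\xe0": {".doc", ".xls", ".ppt", ".msg"},
}

def extension_mismatch(name, data):
    """True when the content signature contradicts the file extension."""
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    for magic, allowed in MAGIC.items():
        if data.startswith(magic):
            return ext not in allowed
    return False  # unknown signature: no basis to flag

def reduce_set(files, start, end):
    """files: (name, content bytes, modified date) tuples.
    Returns (kept, duplicates, out_of_range, renamed); nothing is deleted."""
    seen, kept, dups, out, renamed = {}, [], [], [], []
    for name, data, modified in files:
        md5 = hashlib.md5(data).hexdigest()        # hash named on the slide
        sha256 = hashlib.sha256(data).hexdigest()  # added assumption, see lead-in
        if extension_mismatch(name, data):
            renamed.append(name)                   # flagged for review, still processed
        if (md5, sha256) in seen:
            dups.append((name, seen[(md5, sha256)]))  # record which file it duplicates
        elif not (start <= modified <= end):
            out.append(name)                       # outside the discoverable date range
        else:
            seen[(md5, sha256)] = name
            kept.append({"name": name, "md5": md5, "sha256": sha256})
    return kept, dups, out, renamed

# Constructed sample input (not real evidence).
SAMPLE = [
    ("budget.xlsx", b"PK\x03\x04 sheet data", date(2008, 3, 1)),
    ("copy of budget.xlsx", b"PK\x03\x04 sheet data", date(2008, 3, 5)),
    ("notes.txt", b"%PDF-1.4 memo", date(2008, 6, 9)),
    ("old.doc", b"\xd0\xcf\x11\xe0 letter", date(2005, 1, 2)),
]

if __name__ == "__main__":
    kept, dups, out, renamed = reduce_set(SAMPLE, date(2008, 1, 1), date(2008, 12, 31))
    print([k["name"] for k in kept], dups, out, renamed)
```

Duplicates and out-of-range files are returned in their own lists rather than dropped, so the log of what was excluded and why stays available for the chain-of-custody record.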

  15. What is Computer Forensics?
     • Forensics: Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law.
     • Computer Forensics: The scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

  16. What can be found as digital evidence?
     • Correspondence (electronic mail, Instant Messages)
     • Graphic Files (Child pornography, scanned prescriptions)
     • Audio Files (voicemail, recorded messages)
     • Financial Data (Excel spreadsheets, Access databases)
     • Video Files (home video, web cam, internet videos)

  17. Locations of Digital Evidence
     • Evidence may be found on the Victim’s computer, as well as the Suspect’s computer.
     • May be found at the Internet Service Provider (ISP) server level.
     • The ISP server may be a web server or an email server.
     • The target server(s) may be located in another state or another country.

  18. How Digital Evidence Is Examined
     • An exact, bit-by-bit copy of the target media is created
     • After verification, original is placed back into evidence
     • A variety of forensic software is utilized, which is determined by the scope of the search (e.g., mp3 downloads, emails, digital photographs)

  19. Areas Searched:
     • Files in directories to which the suspect had access
     • Internet files (TIFs, History, .HTMLs)
     • Registry, which holds programs, names, online links, Operating System
     • And specific files within the scope of search (e.g., Excel spreadsheets, Word documents)
     • Unallocated Space of the media

  20. Erased Files:
     • A file “deleted” or “erased” is not actually removed from the media
     • Recycle Bin: file is only renamed
     • Operating System “sees” the file’s space as available.
     • Pointer to file is removed
     • Data may remain in File Slack for years
     • Often fully or partially recoverable

  21. Allocated Space vs. Unallocated Space
     • Allocated Space: files and data recognized and utilized by the operating system
     • Unallocated Space: area of the media read as “available space” by the operating system

  22. Allocated Space
     • Operating System
     • Directories, programs, files
     • Names, dates and times
     • Easily viewable by most users

  23. Unallocated Space
     • Raw Data
     • No longer has names, dates or times
     • Partial or complete files may be recovered

  24. Forensic Computer Examination
     • Average Volume: 12 GB
     • Gigabyte: 1,073,741,824 bytes
     • Subtotal: 12,884,901,888 bytes
     • Page size: 3000 bytes
     • Pages: 4,294,967
     • Ream: 500 pages
     • Ream height: 2”
     • Total Height: 17,180”
     • Total Height in feet: 1431’ 8”
     • Sears Tower (Chicago): 1450’

  25. Recovery from Damaged CD/DVDs (before and after images)

  26. Recovery from Fire

  27. Recovery from Submersion

  28. Video Forensics
