No Nonsense File Collection, presented by Pinpoint Labs. Presenter: Jon Rowe, CCE, ISFCE
No Nonsense File Collection
Presented by: Pinpoint Labs
Presenter: Jon Rowe, CCE, ISFCE
Certified Computer Examiner
Member: The International Society of Forensic Computer Examiners
Session Objectives
Understanding ESI Collection Methods
Typical ESI Collection Mistakes
Improve Vendor Selection
Avoid Client System Modifications
Common Problems with Existing Methods
Demonstrate Automated Job Process Using One Click Collect
Custodial Collections: 3 Common ESI Collection Methods
‘Drag and drop’
• Alters file timestamps and metadata
• No Chain of Custody
• Missed search results
Hard drive imaging/cloning
• Chain of Custody
• Retains file timestamps and metadata
• Required for most forensic exams
Remote collection
• Creates forensic image or active files only
• Can be remotely scripted
• Custodians may perform “self collection”
The ‘drag and drop’ collection method is common, but it carries several risks: the copy itself rewrites timestamps and metadata, and nothing documents what was taken or proves the copy matches the original.
ESI Active File Collection
Incomplete File Collections: 8 Common Reasons Evidence is Missed
Many active file collection processes don’t:
1) Hash verify file contents
2) Copy files in paths greater than 255 characters
3) Log files in use
4) Easily apply settings across multiple jobs
5) Handle Unicode filenames
6) Handle network drops or extended outage
7) Effectively resume interrupted file copies
8) Identify all custodian systems and data sources
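The following is an added example, not code from Pinpoint Labs or One Click Collect. It shows what an active file collector must do to avoid the ‘drag and drop’ problems from slide 3 and reasons 1, 2, 3, 5 and 7 above: copy with shutil.copy2 so timestamps survive, hash each file before and after the copy, use the Windows long-path prefix, accept Unicode filenames, record in-use or unreadable files in the log instead of skipping them silently, and resume by skipping files whose copy already verifies. The sample custodian tree in demo() is constructed for the example.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _long_path(p):  # \\?\ prefix lets Win32 open paths longer than 255 chars; no-op elsewhere
    p = os.path.abspath(p)
    return p if os.name != "nt" or p.startswith("\\\\?\\") else "\\\\?\\" + p

def collect(src_root, dst_root):
    """Copy every file under src_root into dst_root: keep timestamps, hash-verify, log errors, resume."""
    log = []
    for src in sorted(Path(src_root).rglob("*")):
        if not src.is_file():
            continue
        dst = Path(dst_root) / src.relative_to(src_root)
        entry = {"source": str(src), "copied_at": datetime.now(timezone.utc).isoformat()}
        try:
            src_hash = sha256_of(_long_path(src))
            if dst.exists() and sha256_of(_long_path(dst)) == src_hash:
                entry.update(status="already_verified", sha256=src_hash)  # resumed run: skip
            else:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(_long_path(src), _long_path(dst))  # copy2 preserves mtime/atime
                dst_hash = sha256_of(_long_path(dst))
                entry.update(status="verified" if dst_hash == src_hash else "HASH_MISMATCH",
                             sha256=src_hash, dst_sha256=dst_hash)
        except OSError as e:  # file in use or unreadable: recorded, never silently dropped
            entry.update(status="error", error=str(e))
        log.append(entry)
    return log

def demo():  # constructed sample tree, not real custodian data
    root = Path(tempfile.mkdtemp())
    src, dst = root / "custodian", root / "evidence"
    (src / "Documents").mkdir(parents=True)
    sample = src / "Documents" / "r\u00e9sum\u00e9 \u65e5\u672c.txt"  # Unicode filename
    sample.write_bytes(b"constructed custodian data")
    os.utime(sample, (1_000_000_000, 1_000_000_000))  # backdate timestamps to 2001
    first = collect(src, dst)
    second = collect(src, dst)  # second pass simulates resuming an interrupted job
    copied = dst / "Documents" / sample.name
    return first, second, int(os.stat(copied).st_mtime) == 1_000_000_000

if __name__ == "__main__": print(demo())
```

The returned log is the chain-of-custody record: each entry carries the source path, the collection time and the hashes, so a mismatch or an in-use file is visible to the reviewer rather than lost.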
Custodial Collections: Potential Data Sources
Hard drives
Servers
Backup media
Email servers
Other hard drives and email servers in the organization
Outside recipients (hard drives, servers, backups)
Laptop computers
Home computers
USB drives, CDs, DVDs
Cell phones, smart phones, PDAs
GPS
Court Recognized Sources:
Sources ranked from most accessible to least accessible for purposes of e-evidence discovery:
Active, online data [on HDD or active network servers]
Near-line data [on removable media, optical disks/mag tape]
Offline storage/archives [on offline removable media]
Backup tapes [not organized for retrieval of individual files]
Erased, fragmented, or damaged data [tagged for deletion, but may still exist]