by Larry Lieb
Organizations historically have struggled with addressing terminated employees’ important evidence sources such as company-issued laptops, oftentimes materially affecting the organization’s ability to deal effectively with disputes that arise after an employee leaves the company.
This article will provide a documented, transparent, and repeatable process with actual tools to identify and correctly preserve key evidence. There is also a SlideShare which runs through some of the best practices, along with case studies; and at the end of the article you can find some highly useful handout record request samples.
1. How To Create A Legal Hold External USB Drive To Hold Forensic Images
Preparation of the “Target” Drive to hold the forensic image
Before beginning the forensic imaging process, please prepare a Bitlocker encrypted external USB drive which will be used to hold the forensic image; this external USB drive will be known as the “Target” drive, to which the forensic image of a workstation’s internal hard drive will be written.
Applying BitLocker Encryption to the Target drive
Once the Target drive is plugged into your workstation, open Windows Explorer and navigate to the Target drive.
Right click on the Target drive, and then left click on “Turn on BitLocker”.
When the below BitLocker menu opens, check the box “Use a password to unlock the drive”Â
Enter the same password into the “Enter your password” and “Reenter your password” boxes. Â
A good password naming convention is YYYYMMDD_[COMPANY NAME];Â for example 20181119_[COMPANY NAME]
Once you have entered and reentered the password, click “Next”
Save the BitLocker Recovery Key to a file by choosing “Save to a File”
Save the Bitlocker Recovery Key file to a folder named “BITLOCKER RECOVERY KEY” on your computer desktop. This BitLocker Recovery Key file will be required to unlock the target drive in the event that the BitLocker password is forgotten.
Select “Encrypt used disk space only” (faster and best for new PCs and drives).
Choose “Compatible mode” (best for drives that can be moved from this device) and click “Next”.
Click “Start encrypting.”
The BitLocker encryption process should take less than one minute to complete. Once encryption is complete, the following message will appear:
When looking at the “Target” drive in Windows Explorer, one will now see a silver padlock next to the drive indicating that the drive has been successfully BitLocker encrypted:
2. Creating A Forensic Image
In order to create a forensic image of employee workstations, we will be using AccessData’s FTK Imager Forensic Imaging tool. FTK Imager is a forensic imaging tool commonly used by US and international law enforcement professionals.
FTK Imager may be downloaded from the following location:
After you have downloaded FTK Imager Lite Version 3.1.1, please copy the entire software folder to the target drive so that the folder holding the FTK Imager Lite software is at the root of the target drive:
Once you have launched FTK Imager Lite, click on the “File” choice at the top left of the screen, which will bring up a drop-down menu with the the below options. Click on “Create Disk Image….”
When the next menu pops up, click on the fourth choice from the top, “Logical Drive”.
In the “Source Drive Selection” drop-down menu, please select “C:\ – [NTFS]” and then click on the “Finish” button.
In the “Create Image” menu, please make sure that the “Verify images after they are created”, “Precalculate progress statistics” and “Create directory listings of all files in the image after they are created” boxes are checked. Then, please click on the “Add…” button.
In the “Select Image Type” menu, please select the “E01” option seen below. Then click on the “Next>” button.
- In the “Evidence Item Information” menu, enter the following information:
- “Case Number:” Enter a Case Number, if available, which will be provided by the company’s Counsel.  If there is no case or related law suit, please enter the same information found in the below “Evidence Number:” field in the “Case Number:” field.
- “Evidence Number:” Enter a unique number based upon the type of device being imaged. For example, the first laptop of five laptops being imaged for a specific matter would be “PUSL42125-JDOE”. NOTE: “PUSL42125” is the company’s internal workstation tracking number and “JDOE” is the first initial and last name of the employee to whom the workstation was assigned.
- “Unique Description:” Enter the of the workstation being forensically imaged Make, Model and Serial Number here.
- “Examiner:” Enter your first and last name here.
Click “Next>”
On the “Select Image Destination” menu, click on “Browse” at the top of the “Select Image Destination” tab in order to select the folder location that the forensic image file will be saved to.
Select the BitLocker encrypted drive, in the below example “[COMPANY NAME] (G:)”. Click on the “Make New Folder” button and create a new folder to hold the forensic image file. In the below example, the forensic image file will be saved to the “PUSL42125-JDOE” folder.
In the “Select Image Destination” menu, in the “Image Filename (Excluding Extension)” box in the second row down from the top, type in the company’s workstation tracking number, then a dash, then the first initial and last name of the employee who used the workstation. In the below example we see “PUSL42125-JDOE”. This will allow for easy identification of the forensic image.
Change the “Image Fragmentation size (MB)” value to “0”.
Change the “Compression” value to “9”. Â
Do not check the box called “Use AD Encryption”.
Click “Finish”.
In the “Create Image” menu, click on the “Start” button to begin the forensic imaging process. In the screenshot below, one can see that a forensic image file named “PUSL42125-JDOE.E01” will be created on the “G:\” drive in a folder named “PUSL42125-JDOE”.Â
Once the forensic image has been successfully created, a window will appear called “Drive/Image Verify Results” as seen in the example below. Â
If the “Verify result” value equals “Match”, then a successful bit-for-bit forensic image has been created of the workstation internal hard drive.
All FTK Imager open windows may be closed at this point as the forensic imaging process is successful and complete!
- “MD5 Hash” – This is a unique value calculated using a standard mathematical algorithm and is a court-accepted method of determining if a file is a true forensic copy of another file.
- “SHA1 Hash” – This is another, more complex, unique value calculated using a standard mathematical algorithm and is a court-accepted method of determining if a file is a true forensic copy of another file.  Â
Please see below for a SlideShare about employee turnover, originally presented as part of a class on best practices.
You can also download resources via the links below:
- Employee Turnover Manual (this article in .docx format)
- Employee Evidence Tracker
- Generic Record Request Description Sheet
- Twitter Record Request Description Sheet (Companion To Subpoena)
- Forensic Analysis Best Practices Class Slides
About The Author
Larry Lieb is a nationally known subject matter expert in the field of computer forensics and electronic discovery.  Larry has testified in both Federal and State courts on the subjects of computer and smartphone forensics.  Larry’s practice focuses on maximizing the limited dollars his clients have available for substantive legal work whilst minimizing wasted expense.