Data collecting  

ChocolateDonut
(@chocolatedonut)
New Member

I have a week and a half to put together some sort of data collection protocol for client ediscovery and harvest data. We are starting from scratch and I am a *little* bit nervous. I have read a fair amount of posts (thank you thank you for this helpful forum) and have done my own research, but I would love some input on what you think might be a good set-up. I have looked at EnCase and some other software - Helix, Ghost... and so far like the looks of EnCase for my purpose. Would it have to be run off a laptop? If I just use Windows Explorer and Ghost would I be destroying metadata? If you were a litigation paralegal, running Summation 2.7.2, how would you set up a data harvesting protocol? Any advice is very appreciated!

~A

Posted : 06/07/2006 2:38 am
debaser_
(@debaser_)
Active Member

By data harvesting protocol, do you mean a set procedure by which machines in question are imaged in a manner that will enable discovery to take place? i.e. sector-by-sector copy.

If this is all you are doing then EnCase is way more than you need. To keep it simple and effective I'd say go for FTK Imager.

If I'm wrong about what you are asking, then hey, it happens :P

Posted : 06/07/2006 3:00 am
ChocolateDonut
(@chocolatedonut)
New Member

More specifically, I would like a non-obtrusive (quick/little effect on business) method - if that would be bit-stream copy or term-searched active files - I do not necessarily need the free space copy, but whatever's clever.

Data will be collected from C drives and a server.

Thanks, I'll check out FTK

Posted : 06/07/2006 3:37 am
debaser_
(@debaser_)
Active Member

> More specifically, I would like a non-obtrusive (quick/little effect on business) method - if that would be bit-stream copy or term-searched active files - I do not necessarily need the free space copy, but whatever's clever.
>
> Data will be collected from C drives and a server.
>
> Thanks, I'll check out FTK

If you want a forensically sound image you will need the free space. Unallocated space is where you will find files that have been deleted.

It sounds like you want this to be setup and done automatically at scheduled intervals? For multiple clients and a server? That is a different matter all together. I thought you just wanted some software to image a machine when an incident had occurred.

It all comes down to why are you doing this? What are you trying to accomplish? This seems like a lot of data to gather.

Posted : 06/07/2006 3:45 am
ChocolateDonut
(@chocolatedonut)
New Member

IP litigation initial discovery - When all is said and done, I need a collection of files from our client that are responsive to set key terms - and I'm not sure if it is easier (on our client) to collect an overly broad data set, or run some sort of index. You might be able to tell I am new to this…

Posted : 06/07/2006 3:54 am
debaser_
(@debaser_)
Active Member

> IP litigation initial discovery - When all is said and done, I need a collection of files from our client that are responsive to set key terms - and I'm not sure if it is easier (on our client) to collect an overly broad data set, or run some sort of index. You might be able to tell I am new to this…

Yeah, I'm pretty new myself. Your lawyerspeak has me baffled. I have no clue what you are asking for. Perhaps some of the more experienced guys will know.

Posted : 06/07/2006 8:26 am
ChocolateDonut
(@chocolatedonut)
New Member

Is there a Linux tool that will let you browse a Windows environment, mark which files or folders you want to copy, copy them, create a hash value and an audit log of the whole process? I think that's what I need…

Posted : 06/07/2006 9:59 pm
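The workflow asked for above (select files, copy them, hash them, keep an audit log) can be scripted in a few dozen lines. The following is an added example written for this thread, not a tool from the original post: it walks a source tree, records each file's size and timestamps before anything touches it, hashes the file, copies it with `shutil.copy2`, hashes the copy, and appends one JSON line per file to an audit log. The directory names and the sample files in `demo()` are constructed for illustration; the extension filter stands in for the "mark which files you want" step.

```python
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def record_metadata(path):
    """Capture size and timestamps before the file is read, because reading it can
    update its access time; the log keeps the original values either way."""
    st = path.stat()
    return {"size": st.st_size, "mtime": iso(st.st_mtime),
            "atime": iso(st.st_atime), "ctime": iso(st.st_ctime)}


def collect(source_root, dest_root, audit_log, extensions=None):
    """Copy the selected files under source_root into dest_root, hash each file
    before and after copying, and append one JSON line per file to audit_log.
    `extensions` (e.g. [".doc", ".pst"]) limits the selection; None takes everything.
    Returns a summary of counts."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    wanted = {e.lower() for e in (extensions or [])}
    summary = {"copied": 0, "verified": 0, "mismatched": 0, "errors": 0}
    with open(audit_log, "a", encoding="utf-8") as log:
        for dirpath, _dirs, filenames in os.walk(source_root):
            for name in filenames:
                src = Path(dirpath) / name
                if wanted and src.suffix.lower() not in wanted:
                    continue
                dst = dest_root / src.relative_to(source_root)
                entry = {"logged_at": datetime.now(timezone.utc).isoformat(),
                         "source": str(src), "destination": str(dst)}
                try:
                    entry["original"] = record_metadata(src)
                    entry["sha256_source"] = sha256_of(src)
                    dst.parent.mkdir(parents=True, exist_ok=True)
                    # copy2 carries over content, permission bits and mtime/atime;
                    # it does not carry an NTFS creation time, which is why the
                    # original timestamps were written to the log first.
                    shutil.copy2(src, dst)
                    entry["sha256_copy"] = sha256_of(dst)
                    entry["verified"] = entry["sha256_source"] == entry["sha256_copy"]
                    summary["copied"] += 1
                    summary["verified" if entry["verified"] else "mismatched"] += 1
                except OSError as exc:
                    entry["error"] = str(exc)
                    summary["errors"] += 1
                log.write(json.dumps(entry) + "\n")
    return summary


def demo():
    """Run the collection over a small constructed tree in a temporary directory
    and return (summary, audit entries) so the result can be inspected."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="collect_demo_"))
    share = base / "client_share"                      # constructed stand-in for a C: drive
    (share / "contracts").mkdir(parents=True)
    (share / "contracts" / "nda.txt").write_text("constructed sample document\n")
    (share / "notes.doc").write_bytes(b"constructed sample binary\x00\x01")
    (share / "temp.tmp").write_text("not in scope\n")
    log = base / "audit.jsonl"
    summary = collect(share, base / "evidence", log, extensions=[".txt", ".doc"])
    entries = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines()]
    return summary, entries


if __name__ == "__main__":
    s, e = demo()
    print(json.dumps(s))
    for item in e:
        print(json.dumps(item, indent=2))
```

Because the source is opened for hashing, its access time can change; that is why the original timestamps are logged before the first read. A logical copy like this never captures unallocated space, which is the trade-off the replies above discuss.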
nate
(@nate)
New Member

It sounds like what you are trying to do is both computer forensics and eDiscovery. I'll take a shot and try to help you out. First a forensic image of the media will have to be obtained. EnCase, FTK Imager, DCFLDD, Safeback are just a few that can do that. Next you will have to export file types you are interested in from the image files created in the first step. You will need forensic software for this step. EnCase and FTK both work fine for that step. Finally you will load your files into Summation and run your searches. Summation will parse .pst files so you won't have to extract individual email files.

As for a protocol I am thinking you might be looking for what I think of as a procedural document. I am providing ours as a template. It is mostly focused on the forensic side of the process because law firms usually do eDiscovery.

Good Luck
Nate

Acquisition Standard Operating Procedure

1.0 Purpose
This document establishes Standard Operating Procedure (SOP) for the acquisition of digital media in a forensically sound manner so that the data discovered within that media would be considered from a true and accurate copy of the original media.

2.0 Scope
This (SOP) applies to all internal labs, Digital Works employees and third parties who access lab facilities managed by Digital Works. All forensic acquisition activities conducted by Digital Works employees must be performed according to this document.

3.0 Standard Operating Procedure
Principle: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.

3.1 Procedure
Acquire the original digital evidence in a manner that protects and preserves the evidence. The following items outline the basic steps:

1. Document and verify hardware and software configuration/operation of the analysis system. This will be done prior to the acquisition job before leaving the lab if the acquisition is offsite.

2. Document the make, model, and type of system and note the condition of the system to include any damage present.

3. Disassemble the case of the computer to be examined to permit physical access to the storage devices. Take care to ensure equipment is protected from static electricity and magnetic fields.

4. Identify storage devices that need to be acquired. These devices can be internal, external, or both. Document internal storage devices and hardware configuration. Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface).

5. Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.

6. Retrieve configuration information from the suspect’s system through controlled boots. Perform a controlled boot to capture CMOS/BIOS information and test functionality. Boot sequence (this may mean changing the BIOS to ensure the system boots from the floppy or CD-ROM drive). Time and date. Power on passwords. Perform a second controlled boot to test the computer’s functionality and the forensic boot disk.

7. Ensure the power and data cables are properly connected to the floppy or CDROM drive, and ensure the power and data cables to the storage devices are still disconnected. Place the forensic boot disk into the floppy or CD-ROM drive. Boot the computer and ensure the computer will boot from the forensic boot disk. Reconnect the storage devices and perform a third controlled boot to capture the drive configuration information from the CMOS/BIOS.

8. Ensure there is a forensic boot disk in the floppy or CD-ROM drive to prevent the computer from accidentally booting from the storage devices.

9. Whenever possible, remove the subject storage device and perform the acquisition using the analyst's system. When attaching the subject device to the analyst's system, configure the storage device so that it will be recognized.

10. When using the subject computer to acquire digital evidence, reattach the subject storage device and attach the analyst's evidence storage device (e.g., hard drive, tape drive, CD-RW, MO).

11. Ensure that the analyst's storage device is forensically clean when acquiring the evidence.

12. Write protection should be initiated, if available, to preserve and protect original evidence.

Note: The examiner should consider creating a known value for the subject evidence prior to acquiring the evidence (e.g., performing an independent cyclic redundancy check (CRC), hashing). Depending on the selected acquisition method, this process may already be completed.

13. If hardware write protection is used:
a. Install a write protection device.
b. Boot system with the analyst's controlled operating system.

14. If software write protection is used:
a. Boot system with the examiner-controlled operating system.
b. Activate write protection.

15. Investigate the geometry of any storage devices to ensure that all space is accounted for, including host-protected data areas (e.g., nonhost specific data such as the partition table matches the physical geometry of the drive). Capture the electronic serial number of the drive and other user-accessible, host-specific data.

16. Acquire the subject evidence to the analyst's storage device using the appropriate software and hardware tools, such as:
a. Stand-alone duplication software. (ENCASE boot floppy/CD)
b. Forensic analysis software suite. (ENCASE or FTK Imager)
c. Dedicated hardware devices.

Verify successful acquisition by comparing known values of the original and the copy or by doing a sector-by-sector comparison of the original to the copy.

3.2 General Requirements
The analyst will perform a dry run of this procedure a sufficient number of times prior to a live acquisition so as to ensure that he or she can perform all steps with ease and from memory. Handwritten investigator's notes will be maintained that indicate that this (SOP) was followed in the acquisition process. This (SOP) is focused on the acquisition of hard disk media but general steps can be taken with other types of media. Specific procedures will be followed when acquiring forensic images from the following types of media:
• Backup tapes
• CD/DVD
• Cell phones
• PDAs
• Jump Drives
• Memory cards

3.3 Administrative
Prior to performing an acquisition the analyst is responsible for assuring that all necessary hardware and software is available. This is especially important when performing an offsite acquisition. A list of necessary items is:
• Computer technician's tool kit
• Flat screen monitor
• Keyboard/mouse
• 2 power cords
• 1 power strip with extension cord
• USB external drive enclosure
• 200 GB IDE hard drive
• Analysis workstation w/all peripherals
• Spare IDE data cables
• Hardware write block device
• Control boot floppy
• External USB floppy drive
• Forensic Acquisition Software

4.0 Enforcement
Any employee found to have violated this (SOP) may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Revision History

Posted : 06/07/2006 11:06 pm
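The SOP's note on creating a known value before acquisition, step 16's acquisition to the analyst's storage device, and the closing instruction to verify by comparing known values or by a sector-by-sector comparison fit together as one sequence. The example below is added here to show that sequence in code; it is not part of the SOP or any tool it names. It hashes the source first (the known value), makes a sector-by-sector copy while hashing the bytes as they are read (the way dcfldd-style imagers do), hashes the finished image, requires all three to agree, and also offers a sector comparison that reports which sectors differ. A read failure is zero-filled to the same length so later offsets stay correct, which is the `conv=noerror,sync` behaviour of dd; in `demo()` the "drive" is a constructed 8-sector file, and the tampered copy is constructed to show the comparison catching a single changed byte.

```python
import hashlib
import json
import os
from datetime import datetime, timezone
from pathlib import Path

SECTOR = 512


def sha256_stream(path, block_size=SECTOR * 128):
    """Known value for a device or file, computed by streaming it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path, block_size=SECTOR * 128):
    """Sector-by-sector copy of `source` into `image_path`, hashing the bytes as
    they are read. A block that cannot be read is logged and replaced by zeros of
    the same length (what dd's conv=noerror,sync does) so later offsets stay put."""
    h = hashlib.sha256()
    bad_blocks = []
    with open(source, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        size = src.seek(0, os.SEEK_END)   # size of a regular file or a block device
        src.seek(0)
        total = 0
        while total < size:
            want = min(block_size, size - total)
            try:
                chunk = src.read(want)
            except OSError as exc:
                bad_blocks.append({"offset": total, "length": want, "error": str(exc)})
                chunk = b"\x00" * want
                src.seek(total + want)
            if not chunk:
                break                       # unexpected end of data
            h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {"bytes": total, "sha256_acquired": h.hexdigest(), "bad_blocks": bad_blocks}


def compare_sectors(original, image):
    """Sector-by-sector comparison: returns the byte offsets of sectors that differ
    (an empty list means the image matches the original exactly)."""
    diffs, offset = [], 0
    with open(original, "rb") as a, open(image, "rb") as b:
        while True:
            sa, sb = a.read(SECTOR), b.read(SECTOR)
            if not sa and not sb:
                return diffs
            if sa != sb:
                diffs.append(offset)
            offset += SECTOR


def acquire_and_verify(source, image_path, audit_log):
    """Known value first, then the acquisition, then the copy's own hash; the three
    must agree and no block may have failed for the image to count as verified.
    Every value is appended to the audit log as one JSON line either way."""
    record = {"started_at": datetime.now(timezone.utc).isoformat(),
              "source": str(source), "image": str(image_path)}
    record["sha256_before"] = sha256_stream(source)
    record.update(image_device(source, image_path))
    record["sha256_image"] = sha256_stream(image_path)
    record["verified"] = (record["sha256_before"] == record["sha256_acquired"]
                          == record["sha256_image"] and not record["bad_blocks"])
    with open(audit_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Acquire a constructed 8-sector 'drive', then show the sector comparison
    catching a single changed byte in a tampered copy."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="acquire_demo_"))
    subject = base / "subject.raw"               # constructed stand-in for the subject drive
    subject.write_bytes(bytes(range(256)) * 16)  # 4096 bytes = 8 sectors
    image = base / "evidence.dd"
    record = acquire_and_verify(subject, image, base / "acquisition.jsonl")
    tampered = bytearray(image.read_bytes())
    tampered[1024] ^= 0xFF                       # one byte changed in the third sector
    (base / "tampered.dd").write_bytes(tampered)
    return record, compare_sectors(subject, image), compare_sectors(subject, base / "tampered.dd")


if __name__ == "__main__":
    rec, same, diff = demo()
    print(json.dumps(rec, indent=2))
    print("clean image differing sectors:", same)
    print("tampered copy differing sectors:", diff)
```

On a real acquisition the source would be a block device behind a write blocker rather than a file; `seek(0, SEEK_END)` returns the device size in both cases, which is what lets the loop bound itself without trusting a reported geometry. When `bad_blocks` is non-empty the before-hash can never match the image hash, so the record stays unverified and the offsets of the unreadable regions are in the log for the examiner's notes.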