I was recently contacted to acquire some images in a civil case. Today, I was told the company works with sensitive government information and I wouldn't be able to leave the building with an entire image of any medium. My client is supposed to be supplying me with a list of "files of interest" and they do not believe free/slack space would be relevant (uh, ok).
So, I guess my question to anyone out there, what's the best procedure to acquire certain files from a system and maintain the integrity of the future case? I'm guessing at this point, these systems are probably live and still running, so is simply copying the files with original hash values enough?
Anybody else been in the position where they could only "acquire" certain sets of information on a drive?
Regardless of whether you're working for defense or prosecution…
Document! Document! Document!
Know what you're grabbing. Use a "safe copy" product that preserves the metadata and…
Document! Document! Document!
I've worked as a Special Master on cases where the main concern was that I provide both sides with forensically-sound copies of directories and files, NOT bit-stream drive images.
they do not believe free/slack space would be relevant…
It may not be. Again, to reference cases I've worked, opposing sides may want to know what was done with the files in situ. Were they copied to an external drive? Were they emailed to someone? Were they printed?
No one cared if they were deleted. The crux of the case hung on what was done with those files PRIOR to any possible subsequent deletion.
HTH…
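As an added illustration of the "safe copy plus document everything" approach (this is example code written for this thread, not the OP's procedure and not any of the commercial containers mentioned here), the script below performs a selective acquisition of a list of files of interest: it records the source metadata, hashes each file before copying, copies it with timestamps preserved, re-hashes the copy, and writes the whole record to a manifest that is itself hashed. The sample files, directory names and the examiner name are constructed placeholders; the verified flag is there precisely because on a live system a file can change between the first hash and the copy.

```python
"""Selective (logical) acquisition of files of interest with hashes and a manifest.

Added example for this thread, not code from the original posts. The case
directory, file contents and examiner name are constructed placeholders.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_metadata(path):
    """Capture the filesystem metadata a plain drag-and-drop copy would lose."""
    st = os.stat(path)
    to_iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "size": st.st_size,
        "mtime": to_iso(st.st_mtime),
        "atime": to_iso(st.st_atime),
        "ctime": to_iso(st.st_ctime),  # inode change time on POSIX, creation on Windows
    }


def acquire(files, dest_root, examiner="examiner name (placeholder)"):
    """Copy each file of interest under dest_root and return the manifest.

    Every entry keeps the source path, its metadata at acquisition time, the
    hash taken on the source before copying and the hash of the copy, so a
    file that changed under us on a live system shows up as verified=False
    immediately rather than later in court.
    """
    dest_root = Path(dest_root)
    entries = []
    for src in map(Path, files):
        pre_hash = sha256_of(src)          # hash the original first
        meta = record_metadata(src)
        # Mirror the source path under dest_root so the original location is kept.
        rel = Path(*src.parts[1:]) if src.is_absolute() else src
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)             # copy2 also copies mtime/atime and mode bits
        post_hash = sha256_of(dst)         # hash the copy independently
        entries.append({
            "source": str(src),
            "copy": str(dst),
            "metadata": meta,
            "sha256_source": pre_hash,
            "sha256_copy": post_hash,
            "verified": pre_hash == post_hash,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"examiner": examiner, "entries": entries}
    manifest_path = dest_root / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Hash the manifest itself so later edits to the log are detectable.
    manifest["manifest_sha256"] = sha256_of(manifest_path)
    return manifest


def demo():
    """Build a constructed case share in a temp directory and acquire from it."""
    work = Path(tempfile.mkdtemp())
    src_dir = work / "case_share"
    src_dir.mkdir()
    (src_dir / "contract.txt").write_bytes(b"constructed sample document\n")
    (src_dir / "notes.txt").write_bytes(b"constructed notes\n")
    files = sorted(src_dir.glob("*.txt"))  # the client's "files of interest" list
    return acquire(files, work / "evidence")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest (and its hash) would go into the examiner's notes along with who supplied the file list and why unallocated space was excluded; the script only shows the mechanical part of that documentation.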
There are a number of good ways to take out file evidence from part of the drive. The Accessdata evidence file container and the X-Ways evidence containers are both effective.
Make sure you have a signed statement from your client that they specifically don't want you to search unallocated and slack. Spend a little time explaining why they may want you to search it. In my experience, legal people (and investigators) often make technical statements with no real idea of what the practical consequences are, and if you explain it to them, they may change their mind.
If using EnCase, a logical evidence file should work as well.
There was an article written by Philip Turner titled "Selective and intelligent imaging using digital evidence bags" in a 2006 issue of "Digital Investigation". It might have been published as part of a DFRWS workshop.
He goes into detail how selective imaging is the way to go more often than not, and describes some methodology.