A lot has changed since my early days in forensics (before gray hair started to sink in) when the imaging process started with a neutered boot disk, loading the Iomega drivers to obtain access to my JAZ drive and then imaging using SAFEBACK. As data sizes continue to increase, the need to consider targeted collections becomes increasingly important to help manage eDiscovery costs and attorney review time. I’d be interested to get a sense of what the level of use is for tools such as Microsoft’s Robocopy utility for eDiscovery collection projects where individuals are required to do a targeted collection; I’m not referring to a traditional forensic case (i.e. misappropriation of trade secrets) where a forensic image of the former employee’s workstation is required, but rather an eDiscovery project where your client is requested to collect and produce responsive data based on a discovery request, and facets such as deleted data are non-issues: this is a targeted collection. A good example would be where there is a single folder or group of folders on a shared network drive that is intermingled among hundreds of GBs or TBs of non-responsive electronic data and the necessity and/or resources do not warrant a forensic image. What tools are you using for targeted collections? On our end we use various tools including FTK Imager and Robocopy, using the standard switches that accurately maintain the date/time stamps for the collected files while creating a log file of the collection. Although I’ve testified on forensic/eDiscovery cases throughout my law enforcement / private sector career, I’ve never had to provide any testimony regarding a targeted collection. If anyone has, I’d be interested to hear about the case or be provided the case name. Thanks in advance.
Anton
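The Robocopy-based collection Anton describes (timestamp-preserving switches plus a log), as an added example that is not from any poster in this thread: a PowerShell wrapper that copies one share folder, keeps a log, and writes a SHA-256 manifest of source and destination so the copied set can be verified later. All paths and the matter number are placeholders.

```powershell
# Added example, not from the thread. Targeted collection of one share folder with
# Robocopy, preserving timestamps, logging the run and producing a hash manifest.
param(
    [string]$Source      = '\\FILESERVER\Share\Projects\Responsive',  # placeholder UNC path
    [string]$Destination = 'E:\Collections\MATTER-0000\Responsive',   # placeholder evidence drive
    [string]$LogDir      = 'E:\Collections\MATTER-0000\Logs'          # placeholder
)

New-Item -ItemType Directory -Force -Path $Destination, $LogDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $LogDir "robocopy-$stamp.log"

# /E         recurse, including empty directories (keeps the share's folder structure)
# /COPY:DAT  copy file Data, Attributes and Timestamps
# /DCOPY:T   copy directory timestamps too
# /XJ        do not follow junctions (avoids loops and out-of-scope data)
# /R:2 /W:5  few retries, so an unreadable file is logged instead of stalling the run
# /FP /NP /TS full paths and timestamps in the log, no progress percentages
robocopy $Source $Destination /E /COPY:DAT /DCOPY:T /XJ /R:2 /W:5 /FP /NP /TS "/LOG+:$log" /TEE

# Robocopy exit codes below 8 mean no failures (0 = nothing to copy, 1 = files copied, ...)
$rc = $LASTEXITCODE
if ($rc -ge 8) { Write-Warning "Robocopy reported errors (exit code $rc); review $log" }

# Hash every collected file next to the hash of its source so the copy can be shown faithful.
$manifest = Join-Path $LogDir "manifest-$stamp.csv"
Get-ChildItem -Path $Destination -Recurse -File | ForEach-Object {
    $rel     = $_.FullName.Substring($Destination.Length).TrimStart('\')
    $srcFile = Join-Path $Source $rel
    $srcHash = if (Test-Path -LiteralPath $srcFile) {
        (Get-FileHash -LiteralPath $srcFile -Algorithm SHA256).Hash
    } else { 'SOURCE-MISSING' }
    [pscustomobject]@{
        RelativePath = $rel
        SizeBytes    = $_.Length
        LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        SourceSHA256 = $srcHash
    }
} | Export-Csv -Path $manifest -NoTypeInformation

# Any mismatch belongs in the collection report.
Import-Csv $manifest | Where-Object { $_.SHA256 -ne $_.SourceSHA256 } |
    ForEach-Object { Write-Warning "Hash mismatch: $($_.RelativePath)" }

# Hash the manifest and log themselves so the paperwork is verifiable as well.
Get-FileHash -Path $manifest, $log -Algorithm SHA256 | Format-Table Hash, Path -AutoSize
```

The loose files still need to be wrapped in a logical evidence container afterwards if the matter calls for one; the manifest and log are what tie that container back to the original share.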
For network shares/folders I've used F-Response, SafeCopy2, and EnCase. All of them have worked fine for me (haven't used all at the same time, mind you).
Tom
Using either my machine through F-Response or the custodian machine live, or booting the custodian machine with WinFE.
FTK Imager most times (filters to grab all the *.doc/x across the entire drive, etc., or complete folders). Can't beat the price (free).
X-Ways Forensics if I need to grab a little more (XWF filters work better than FTK Imager when it comes to finding system related files, such as .lnk, .pf, setupapi.log). It can cull by NSRL hashes at the same time, etc. A log of all activity is generated as well. Putting the files into an encapsulated format is not possible with XWF, but it would be nice if it could, like into a logical file of some sort. For the native extractions from XWF, I usually put them into a FTK Imager AD format for safety of the files.
There are a multitude of apps similar to Robocopy I've used and seen used, but I tend to stick to FTK Imager and XWF.
Thanks. FTK Imager is the tool I most frequently use as well, for the reason you mentioned: its ability to collect into an image file rather than loose files. As you noted, one of the issues with using Robocopy or a similar tool is that you then need to create a logical evidence file of the copied data. Good input on XWF. I have a license for it and use it for my analysis but haven't used it for collections before. I will definitely take a look at its collection capabilities.
Thanks to both you and Tom for sharing.
-A