Targeted Digital Computer Forensics Collection Tools

By Author: Martin Plough
Total Articles: 1
Comment this article

It is not always possible to undertake a full forensic collection of data, especially in civil litigation. However there are best practices when it comes to the copying, moving and archiving of data which should be adhered to.

Where we are required to undertake a collection, we have a broad range of digital computer forensics tools that allow us to collect data from almost any device. These include:

FTK Imager – A lightweight collection tool that can be used to create both full (physical) acquisitions and targeted (logical) acquisitions of data, from both servers and computers.

EnCase Enterprise – A collection tool that enables us to make targeted forensic copies of data remotely over a corporate network without the knowledge of the target custodians.

XRY – XRY is a reliable and highly respected forensic tool which supports a wide variety of mobile devices including mobile phones, Sat Navs and tablets. The software supports the recovery of ‘live’ and ‘deleted’ data from devices and is presented in a user friendly and clear format.

Cellebrite – Cellebrite can perform ‘live’ ...
... and ‘deleted’ analysis of a number of mobile devices including mobile phones and tablets. One of the main features of Cellebrite is that it can extract a ‘file system/file structure’ read from a device and will then display the evidence in the exact same way that it is stored on the device. Cellebrite is also an excellent tool for recovering ‘deleted’ data from mobile devices.
Pre-Processing Tools For Digital Computer Forensics

Pre-processing tools are designed to quickly reduce data volumes prior to loading into an e-disclosure platform. Some pre-processing tools on the market are charged on a per GB basis, or a per day pricing model. The per day pricing allows us to undertake high data volume projects at a lower cost than had per GB pricing been applied.

We were asked to undertake an e-disclosure exercise across 5TB (5,000,000MB) of data. Had all of this data been loaded straight into a review platform the cost would have been approaching £1 million in processing costs alone. By utilising a pre-processing engine we were able to undertake the exercise for tens of thousands instead.

Pre-processing tools includes the following:
Nuix – Excellent for large volumes of data, Nuix is able quickly to index and search almost all commonly encountered data types, allowing us to rapidly cull out irrelevant data. Nuix is capable of loading all data sources at once enabling us to de-duplicate across exhibits. In a recent exercise we were able to reduce the volume of data that needed to be loaded into the review platform from over 11TB to less than 50GB using Nuix.

EnCase – Historically a tool for forensic practitioners, EnCase can be used for e-disclosure to reduce data volumes and recover previously deleted information if required. EnCase is an ideal pre-processing tool for smaller cases with fewer data sources, but can become labour-intensive on larger cases. Recently, we used EnCase to recover deleted information for inclusion in document review, in total over 1,000 previously deleted files were recovered.

FTK – Can be used in a similar capacity to EnCase for e-disclosure. FTK indexes all data on adding to a case allowing fast keyword searching. FTK is ideal for use on cases with large volumes of emails as it is effective at maintaining document families such as emails and their attachments, which is often vital for the e-disclosure process.

Processing and Review Tools For Digital Computer Forensics
A suite of processing and review tools will initially process the data to enable de-duplication (where not undertaken at a pre-processing phase) and indexing of the data to make it fully searchable for review. This allows us to omit the pre-processing phase where data volumes are small, saving time and effort.

All of our review platforms are fully hosted by us, taking the burden of managing the system away from our clients and enabling them to focus on the document review. We provide on-call analysts who offer both technical support and expert advice during the review phase.

Processing and review tools includes:
Clearwell – Arguably the industry leading e-disclosure processing and review platform. Ranked as a ‘Leader’ in the 2013 Gartner Magic Quadrant for e-Disclosure Software, Clearwell offers a broad range of features, provided from within an intuitive, easy-to-use interface. Clearwell is charged on a per GB basis and can be accessed remotely on any computer through our secure encrypted portal.

FTK – FTK offers review functionality that can be effective on smaller cases. Review via FTK can be provided from our custom-built reviewing suites in our laboratory in Stratford-upon-Avon. The functionality is less than that of Clearwell and is limited to one reviewer per exhibit, however FTK is not charged on a per GB basis meaning that it can be a cost-effective solution in some cases.

Paul Bromby is the author of this article on Mobile Phone Analysis.
Find more information, about Mobile Phone Forensics here