By Peter Coons, SVP, Computer Forensics and Collections
I was on a call with a client today and we were discussing the various methods of remote ESI collection. Both of us have been in the “industry” for quite some time and we were reminiscing about travelling across the globe to collect electronic evidence.
Over the years I have been to Germany, Switzerland, the Arctic Circle and about 40 of the 50 States. I racked up a lot of frequent flier miles and hotel points. I also learned that much of the time I spent on location was invaluable. There was real value in interacting face to face with the skeptical IT manager or custodian of very crucial data. It was reassuring to them to know we were not collecting all their data or putting clandestine agents on their computers that would connect without their knowledge. Fast forward to today where technology now allows us to perform some of our work remotely in situations where it makes sense.
When does it make sense?
Let’s say there is a collection in Omaha, Baton Rouge, and Modesto that all need to be done on the same day. We need to collect PST (e-mail) files from three sales reps that work at home. The logistics of coordinating an in-person collection would be tricky and the expense may very likely be high or not proportionate to the matter.
So we have an alternative, which is a remote ESI collection. Quite often D4 will use a pre-configured hard drive to facilitate remote collections. Using the scenario above as an example:
1. D4 would ship out three pre-configured hard drives, one to each sales rep. They would all receive the drive on the same day.
2. The reps would then connect the pre-configured drive (via USB) to the computer with the ESI.
3. A D4 data technician would then connect remotely (ONLY with the user’s permission and knowledge) to the computer. Usually an attorney is on the phone to assist with the interview while the technician conducts the collection.
4. Paperwork is completed by the technician.
5. Once the collection is complete, the custodian is instructed to ship the drive back using packaging and instructions that were included in the original shipment.
*Is the data secured and encrypted? Yes it is, as our technicians create encrypted evidence files. The evidence files are hashed at the time of collection and that information is recorded and used to validate the files when they are received at the D4 lab.
6. Voila’ it’s done! It can now be stored safely or prepared for hosting and further review.
When doesn’t it make sense to do a remote collection?
Maybe when there are dozens or hundreds of custodians in one place, or there are complex systems that need to be collected over a period of days or weeks. If it is necessary to create a true forensic bit stream image, then it may be advisable to have an on location resource to create the image.
A party may also choose a hybrid model.
D4 often sends its technicians on location to install and setup enterprise collection systems, such as AccessData’s Enterprise product. I wrote a blog about that some time ago. The situation involved collections from multiple locations in Asia. We sent the technician to setup systems in two disparate locations. Once the systems were setup he returned home and the collections continued over a number of weeks. The client was spared travel expenses and the job was completed with little disruption to the businesses.
While I do think remote collections have their benefits, I still believe strongly there is value from the face to face meetings that put the client (and especially the IT folks) at ease. At the end of the day, the decision comes down to proportionality, cost, time, complexity, and the vendor’s experience with remote collections.
Actually what I miss the most is free trips to sweet locations and racking up miles!