Blue Dragon is often asked to collect data forensically for regulatory or internal investigations, arbitrations, commercial crime matters and litigation.
When collecting data in the Asian region, any given case may involve consideration of the following:
Forensic collection is the process by which evidence is obtained and preserved for later analysis and use. Because that use may be an internal investigation, arbitration, regulatory investigation, commercial crime investigation, cyber-breach or data-privacy breach response, the evidence must be preserved in a form for which the collecting agency can demonstrate that the data was collected in a forensically sound manner, is free from tampering or alteration, and has remained in the custody of the collection agents (or under a documented chain of custody) at all times. In practice this means write-blocked acquisition wherever physical media are available, a cryptographic hash (for example SHA-256) of every acquired item taken at the point of collection and re-checked at each handover, and a contemporaneous log of who handled what, when, and why.
When collecting data from a device (servers, computers, mobile phones and so on) there are two sources: the data stored on the hard drive or flash storage, and the data held in random access memory (RAM), which is volatile. RAM contents are not written to disk and are lost completely when the device is powered off.

What does RAM hold? Typically the most up-to-date evidence of user behaviour: running processes and open network connections, call logs on a mobile device, web-based (browser) email, decryption keys for encrypted volumes that are currently mounted, and anything an application caches only temporarily and purges on exit, such as clipboard contents, recent cut/paste data and the state of currently open applications. If the most recent activities of the user are in question, RAM should therefore be acquired first, before any storage image is taken and before the device is powered down (the "order of volatility"). Obviously, for this to be possible the device must remain powered on and unlocked, so the examiner needs the user's password or an already unlocked session; a device that is already off has no memory left to recover.
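The two points above, hashing every item at the moment of collection and taking the volatile sources first, are easy to state and easy to get wrong under time pressure, so here they are in code. This is an added example for this page, not a Blue Dragon tool and not code from the original article. The collection steps, artifact names, examiner names and the sample outputs are constructed placeholders; on a real machine each producer would call the memory imager or the relevant system command instead of returning canned bytes.

```python
"""Order-of-volatility collection with an integrity manifest.

Added example for this article; not a Blue Dragon tool. Producers below
return constructed sample data so the script runs offline.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sample_producer(content):
    """Return a producer yielding constructed sample bytes. In the field this
    would be replaced by a call to the memory imager, `ss`, `ps`, etc."""
    return lambda: content


# Steps ordered most volatile first: RAM image, then network state, then the
# process list, then the (non-volatile) disk. Names are hypothetical.
COLLECTION_STEPS = [
    ("memory.raw", sample_producer(b"\x00" * 64 + b"SAMPLE MEMORY IMAGE")),
    ("network.txt", sample_producer(b"tcp ESTAB 10.0.0.5:49152 203.0.113.9:443\n")),
    ("processes.txt", sample_producer(b"PID 4120 outlook.exe\nPID 5530 chrome.exe\n")),
    ("disk.img", sample_producer(b"SAMPLE DISK IMAGE")),
]


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def sha256_file(path):
    """Hash in 1 MiB chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(steps, outdir, examiner):
    """Run each step in order; hash the artifact as soon as it is written and
    record hash, collector and time in manifest.json."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    artifacts = []
    for order, (name, producer) in enumerate(steps, start=1):
        path = outdir / name
        path.write_bytes(producer())
        artifacts.append({
            "order": order,
            "artifact": name,
            "sha256": sha256_file(path),
            "collected_by": examiner,
            "collected_at": utc_now(),
        })
    manifest = {
        "artifacts": artifacts,
        "custody_log": [{"event": "collected", "by": examiner, "at": utc_now()}],
    }
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir, verifier):
    """Re-hash every artifact against the manifest. Returns the names whose
    hash no longer matches (or which are missing) and appends the check to
    the custody log so that each handover leaves a record."""
    outdir = Path(outdir)
    manifest_path = outdir / "manifest.json"
    manifest = json.loads(manifest_path.read_text())
    mismatched = []
    for entry in manifest["artifacts"]:
        path = outdir / entry["artifact"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            mismatched.append(entry["artifact"])
    manifest["custody_log"].append(
        {"event": "verified", "by": verifier, "at": utc_now(), "mismatched": mismatched}
    )
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return mismatched


def demo():
    """Collect into a temporary directory, verify, then simulate a tampered
    process list and verify again. Returns the results for inspection."""
    outdir = Path(tempfile.mkdtemp(prefix="collection-"))
    manifest = collect(COLLECTION_STEPS, outdir, "examiner A")
    clean = verify(outdir, "examiner B")  # expected: []
    (outdir / "processes.txt").write_bytes(b"PID 4120 outlook.exe\n")
    tampered = verify(outdir, "examiner B")  # expected: ["processes.txt"]
    log = json.loads((outdir / "manifest.json").read_text())["custody_log"]
    return manifest, clean, tampered, [e["event"] for e in log]


if __name__ == "__main__":
    manifest, clean, tampered, events = demo()
    for a in manifest["artifacts"]:
        print(a["order"], a["artifact"], a["sha256"])
    print("clean verification:", clean)
    print("after tampering:", tampered)
    print("custody log:", events)
```

The manifest is only as trustworthy as its own integrity: anyone able to alter an artifact on the same media can rewrite manifest.json to match. Record the hash of the manifest (or sign it) on the paper custody form or in a separate, access-controlled store at the end of collection, and compare against that copy at each verification.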
To stop a device going to sleep or locking its screen while it is being acquired, examiners use a mouse jiggler: a small USB device (or, less preferably, a program) that generates tiny mouse movements so the computer believes a user is present. A hardware jiggler is preferred because it changes nothing on the system beyond the record of a new USB device being attached; a software jiggler has to be run on the evidence machine and therefore alters it. A jiggler only keeps an unlocked session unlocked; it does not bypass a lock that has already engaged. It looks like this:
There are many issues with the forensic collection of cloud data, starting with whether it can genuinely be considered forensic at all. There are questions of ownership and of jurisdiction (which country's laws apply may depend on where the cloud storage is physically located). Access to the physical storage media will not be possible, so the data is obtained through the same interfaces a user or administrator would use (a web console, an export function or an API) rather than by imaging a disk. Forensic procedure therefore dictates careful record-keeping: which account was used, every action taken and when, any version or modification metadata the provider exposes, and a hash of everything downloaded, so that where possible the data is not altered and is maintained in as close to its original state as the provider allows.
Date Created: 1 June 2017 |   Date Modified: 27 December 2017 |  Author: Dmitri M A Hubbard