1. Forensic Collections

Blue Dragon is often asked to collect data forensically for regulatory or internal investigations, arbitrations, commercial crime cases or litigation.

When collecting data in the Asian region, any given case may involve consideration of the following:

  • Language needs of the forensic collection team
  • Data privacy laws of the local jurisdiction
  • Data privacy laws applying to any custodians whose data is collected
  • National secrecy laws
  • Cyber protection laws
  • Encryption in use (full-disk, file or device encryption) and how it will be handled
  • Nature of the collection (overt, covert, investigative, litigation, regulatory)
  • Employment contracts / waivers / need for consent
  • Ownership of devices / servers / sources to be collected
  • Jurisdictional claims on the data

2. Collection Procedure

Forensic collection is the process by which evidence is obtained for later analysis and use. Because that use may be an internal investigation, arbitration, regulatory investigation, commercial crime investigation, cyber-breach response or data privacy breach response, the evidence must be preserved in a form for which the collection agency can show that the data was collected in a forensically sound manner, is free from tampering or alteration, and has remained in the custody of collection agents at all times. In practice this means working from read-only access to the source, recording a cryptographic hash of every image at the time of acquisition, and keeping a chain-of-custody record of who held each item and when.

3. Practical guidance

  • Collect evidence broadly and in one collection where possible. You might not get another chance to collect, and if you do, the evidence may have been altered by users in the meantime.
  • If a covert collection spans multiple locations, the collections should be timed to begin at the same moment, so that no custodian is alerted before their own data has been secured.
  • Consider any encryption on the devices. If a device uses full-disk encryption, a dead (powered-off) image captures only ciphertext; it is safer to obtain the credentials and conduct a live collection while the device is unlocked and the data is readable. A live collection necessarily alters some system state, so record exactly what was run and when.


4. Collection tools

  • A hardware or software write blocker, to prevent anything being written to the device being acquired. A software write blocker must be compatible with the operating system and version in use, but may allow faster collection.
  • Media for the forensic image to be stored on, with enough capacity for the full source. Where the tooling can produce multiple copies at once, make one original forensic copy that is never examined and work only from the duplicates; verify that every copy's hash matches the original.
  • A duplicator (acceleration device) for multi-unit collection and multi-copy creation.
  • Specialised devices for collecting from smartphones or tablets.
  • Software imaging tools and specialised software for the different collection types.
  • Relevant plugs and adaptors.
  • For live collection, the power cord of the device, so it does not shut down mid-acquisition.
  • For encrypted devices, the username and password (or recovery key).
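The soundness requirement in section 2 and the "one original copy that is never examined" rule above both rest on two things: a hash recorded at the moment of acquisition, and a custody trail that cannot be quietly edited. The following is an added example written for this page, not Blue Dragon's own tooling. It stream-copies a source (a plain file here, standing in for a block device sitting behind a write blocker) into an image while hashing the same bytes, writes a sha256sum-style sidecar, and appends a hash-linked chain-of-custody record. The examiner name, file names and record fields are assumptions.

```python
"""Added example: acquire an image with an inline SHA-256, write a sidecar
hash and a hash-linked chain-of-custody log, then verify both later.
Illustrative only; not Blue Dragon's tooling. Paths and field names are
assumptions made for this example."""
import hashlib
import json
import os
import time

CHUNK = 4 * 1024 * 1024  # 4 MiB reads, comparable to dd bs=4M


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire_image(source_path, image_path, examiner, custody_log):
    """Copy source_path to image_path, hashing the bytes as they are read.

    The hash is computed on the stream, so the image and the recorded digest
    describe exactly the same bytes. Opening read-only is not a substitute
    for a write blocker on real media. Returns the custody record appended."""
    sha = hashlib.sha256()
    size = 0
    started = _utc_now()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it as "done"
    digest = sha.hexdigest()
    # Sidecar in sha256sum format so standard tools can re-check it
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    record = {
        "action": "acquire",
        "source": source_path,
        "image": os.path.basename(image_path),
        "bytes": size,
        "sha256": digest,
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": _utc_now(),
    }
    append_custody(custody_log, record)
    return record


def append_custody(custody_log, record):
    """Append one JSON line carrying the SHA-256 of the previous line, so
    editing or removing an earlier entry breaks every link after it."""
    prev = "0" * 64
    if os.path.exists(custody_log):
        with open(custody_log, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = dict(record, prev_entry_sha256=prev)
    with open(custody_log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def verify_image(image_path):
    """Re-hash the image and compare with its sidecar. True on match."""
    with open(image_path + ".sha256") as f:
        expected = f.read().split()[0]
    sha = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha.update(chunk)
    return sha.hexdigest() == expected


def verify_custody_log(custody_log):
    """Walk the log and check each entry's link to its predecessor."""
    prev = "0" * 64
    with open(custody_log, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line).get("prev_entry_sha256") != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True


if __name__ == "__main__":
    rec = acquire_image("/dev/sdb", "evidence-001.dd", "examiner-1", "custody.jsonl")
    print(rec["sha256"], verify_image("evidence-001.dd"))
```

The same routine images a whole device when given its block-device path, since it only ever reads bytes from the source. The custody log is deliberately append-only and self-linking; it is still only as trustworthy as the controls around the file, so in practice a copy is kept off the collection workstation.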

5. Collecting Volatile data

When collecting data from media sources (servers, computers, mobile phones and so on) there is the data stored on the hard drive and the data held in random access memory (RAM), which is a volatile source. RAM contents are not written to the hard drive and are lost when the device is powered off.

What does RAM hold? Typically the most up-to-date evidence of user behaviour: phone call logs, web-based (browser) email, the clipboard, the list of currently open applications, and any information that is temporarily cached and may be purged when the application exits. On encrypted systems it also holds the keys for mounted encrypted volumes and, often, credentials for logged-in sessions. Therefore, if there is any question as to the most recent activities of the user, the RAM should be preserved before anything else. To be preserved, the device must remain powered on and unlocked, and the examiner must have password access to it.

To stop a device going to sleep or locking while it is being preserved, a tool called a mouse jiggler was created. It generates small mouse movements so that the computer stays awake. A jiggler does not defeat a lock that has already engaged, so it should be attached before the idle timeout expires.
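Once the machine is kept awake, the volatile state is captured in order of volatility, most transient first, and every artifact is hashed the moment it is written so the record is fixed before anything else changes. The following is an added example for this page, not Blue Dragon's tooling: a minimal Linux live-response capture in Python that reads from /proc (network connections, running processes, mounts), decodes the hex-encoded /proc/net/tcp table, and writes a sha256sum-style manifest. It does not image physical memory; that requires a memory acquisition tool. The /proc layout is Linux-specific, the output directory name is an assumption, and the sample /proc/net/tcp lines are constructed for illustration.

```python
"""Added example: Linux live-response capture of volatile state, most
volatile first, with each artifact hashed as it is written. Illustrative
only; not Blue Dragon's tooling. Sample data below is constructed."""
import hashlib
import os
import socket
import struct
import time

# Kernel TCP state codes as they appear in the 'st' column of /proc/net/tcp
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample in /proc/net/tcp format: one listener on 127.0.0.1:22 and
# one established client connection to it.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)


def _hex_addr(field):
    """Decode '0100007F:0016' (little-endian hex IPv4, hex port) to ('127.0.0.1', 22)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local, remote, state, inode) tuples."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote = _hex_addr(fields[1]), _hex_addr(fields[2])
        state = TCP_STATES.get(fields[3].upper(), fields[3])
        conns.append((local, remote, state, int(fields[9])))
    return conns


def _read(path):
    with open(path) as f:
        return f.read()


def _snapshot_processes():
    """One line per process: pid, ppid, name, command line, read from /proc."""
    rows = []
    for pid in sorted(p for p in os.listdir("/proc") if p.isdigit()):
        try:
            stat = _read(f"/proc/{pid}/stat")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listing and reading
        name = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = stat[stat.rindex(")") + 2:].split()[1]
        rows.append(f"{pid}\t{ppid}\t{name}\t{cmd}")
    return "\n".join(rows) + "\n"


def collect_volatile(outdir):
    """Write artifacts in order of volatility, hash each immediately, and emit a
    sha256sum-style MANIFEST. Returns {artifact name: sha256 hex}."""
    os.makedirs(outdir, exist_ok=True)
    producers = [
        ("00_time.txt", lambda: time.strftime("%Y-%m-%dT%H:%M:%S%z") + "\n"),
        ("01_net_tcp_raw.txt", lambda: _read("/proc/net/tcp")),
        ("02_net_tcp_decoded.txt", lambda: "".join(
            f"{l[0]}:{l[1]} -> {r[0]}:{r[1]} {st} inode={ino}\n"
            for l, r, st, ino in parse_proc_net_tcp(_read("/proc/net/tcp")))),
        ("03_processes.txt", _snapshot_processes),
        ("04_mounts.txt", lambda: _read("/proc/mounts")),
    ]
    manifest = {}
    for name, produce in producers:
        try:
            data = produce()
        except OSError as exc:  # not Linux, or /proc restricted: record it, do not abort
            data = f"unavailable: {exc}\n"
        raw = data.encode("utf-8", errors="replace")
        manifest[name] = hashlib.sha256(raw).hexdigest()
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(raw)
    with open(os.path.join(outdir, "MANIFEST.sha256"), "w") as f:
        for name, digest in manifest.items():
            f.write(f"{digest}  {name}\n")
    return manifest


if __name__ == "__main__":
    for name, digest in collect_volatile("case-001-volatile").items():
        print(digest, name)
```

The script should be run from removable media and write to that media, not to the suspect disk, since every write to the evidence drive changes it. The collection itself appears in the process snapshot; that is expected and is one of the reasons the run is logged in the custody record.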

6. Collecting Data from Cloud sources

There are many issues with the forensic collection of cloud data, including whether it can genuinely be considered forensic in nature. There are issues of ownership and jurisdiction (which country's laws apply may depend on where the cloud storage is located). Access to the physical storage media will not be possible, so the data is usually accessed in the same manner as a user or an administrator would access it, through the provider's interface or API. Good forensic procedure therefore dictates keeping proper records of what was accessed, when, by which account and by what method, hashing everything downloaded at the time it is retrieved, and ensuring that where possible the data is not altered and is maintained in as close to its original state as possible.

    Date Created: 1 June 2017   |   Date Modified: 27 December 2017   |  Author: Dmitri M A Hubbard