Self-identification and data collection are a potential chink in the armor for any defense, opening the possibility of a challenge from opposing counsel that relevant data was inadvertently or maliciously missed. As COVID restrictions were put in place and in-person data preservation was no longer possible, digital forensic experts and software developers needed to adjust to this new landscape and develop solutions to preserve electronically stored evidence remotely in a defensible manner.
Digital forensics experts have long been able to remotely collect targeted files and folders from custodians’ computers and network servers, typically by screen sharing and remotely taking control of the custodian’s computer. The preserved data is secured within a forensically sound logical container file, which can detect whether the contents are manipulated post-collection. This is critically important for retaining full chain of custody if the resulting files are transferred via secure FTP or shipped on an encrypted drive. Advancements in remote control technology, including encrypted remote sessions, have made this process more defensible and efficient.
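The tamper-detection property described above can be illustrated with a hash manifest: every file is digested at collection time, and the set is re-checked after transfer. This is an added example, not the format of any particular forensic container or tool. The function names, the sample files and the idea of recording the manifest digest on the chain of custody form are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    # Stream the file so large evidence files are never loaded whole.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def seal(entries):
    # Digest over the whole manifest; assumed to be recorded outside the container.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_manifest(root):
    # At collection time: relative path -> SHA-256 for every file under root.
    root = Path(root)
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    return {"entries": entries, "seal": seal(entries)}

def verify(root, manifest, recorded_seal):
    # After transfer: list every difference from what was collected.
    current = build_manifest(root)["entries"]
    recorded = manifest["entries"]
    return {
        "manifest_intact": seal(recorded) == recorded_seal,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }

def demo():
    # Constructed sample data, not taken from any real collection.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("constructed note")
        (root / "report.docx").write_bytes(b"constructed document bytes")
        manifest = build_manifest(root)
        (root / "notes.txt").write_text("edited after collection")
        (root / "report.docx").unlink()
        (root / "extra.tmp").write_bytes(b"added after collection")
        return verify(root, manifest, manifest["seal"])

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Checking the manifest against a separately recorded seal matters because someone who alters a file could also rewrite its entry in the manifest; the per-file comparison alone would then pass.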
Historically, mobile device preservation has had its own unique challenges. For instance, with the correct credentials, it is possible to preserve an iPhone’s iCloud backup remotely. However, iCloud backups can miss data depending on the user’s sync settings or the space available on their iCloud account. Similarly with Android devices, a user can configure their device to back up to Google Drive, but it is not a comprehensive backup and is not always enabled by the user. The traditional approach of collecting data by remotely controlling the custodian’s machine will result in changing evidence on the host machine.
To adapt to remote working challenges, the development of Mobile Development Units (MDUs) has become critical. MDUs involve shipping pre-configured kits in a hard-shell, airtight and waterproof case that is securely padlocked. The kit includes a forensic laptop, sterile encrypted hard drive, chain of custody form, data cables, and a return shipping label. A call is arranged at a convenient time for the custodian to connect to a digital forensics consultant who will walk them through the setup of the kit.
The forensic laptop is used to initiate a secure remote-control session of the machine. Using this laptop instead of their own ensures all the correct software and system files are pre-loaded with no impact to the user’s machine. The MDUs also provide the ability to open the images for verification purposes and conduct post-collection filtering. Custodians often have privacy concerns around preserving an entire mobile device because there is often cross-contamination between business and personal usage. Consultants are often requested to export date ranges or specific categories, such as SMS, MMS, Chats, Contacts, etc. The MDUs permit the consultant to apply these filters, export the relevant files, and delete the original image, all before the evidence leaves the custodian’s location.
The maturity of these remote collection solutions has enabled the legal industry to significantly reduce the burden of identification and preservation of potentially responsive data across many custodians and geographies. This process has allowed consultants to turn what, before the COVID-19 pandemic, would have been an invasive collection into a more comfortable experience.
Other work-from-home challenges were solved by the adoption of collaboration tools such as Slack, Teams, Salesforce, Zoom, etc., enabling employees to collaborate with their teams from multiple locations on different devices. Digital forensic software developers have introduced technology to preserve these sources remotely, as most of the relevant data is stored in the cloud. However, as practitioners have experienced in the field, these tools are susceptible to changes in the tools’ interfaces, which can result in forensic software no longer correctly preserving or parsing the underlying data. Given the volume, variety and velocity of applications and their rapid development, digital forensics tools will always be playing catch-up to any changes, and data collections should be manually validated to ensure all available data is being successfully parsed out.
Once the data is preserved, you need to consider how that data is presented for review. There are some great solutions available which can deliver data formatted in a load file and ready to ingest into a review platform. However, if you or your client have utilized a less popular tool for collaboration, it is possible that these solutions may not support it.
In some instances, the native application does not permit an effortless way of downloading data out of its environment, so the export options available, and what each will or will not include, should be triaged, fully tested and understood.
In summary, the new normal of remote working does not appear to be subsiding anytime soon. Thankfully, developments and improvements in technology have made remote collection workflows more efficient and cost-effective. There are still potential pitfalls to consider, such as a user connecting an incorrect device, slow internet connections, or issues with supported devices, so legal teams should continue to be vigilant when considering the best strategy for data preservation.
Technology will continue to evolve, and the best practices for collecting data from it will adjust accordingly. Early collaboration with your digital forensic partners will help you navigate the complex data challenges related to these emerging technologies.