January 06, 2022 Articles

Advancements in Remote Collection Techniques

How have digital forensic software developers evolved to solve pandemic challenges?

By Mark Clews and Corey Salm

From the moment COVID-19 turned the working world upside down in December 2019, employees have been generating new data sources as they adapt to conduct their work remotely. Identifying where this data is stored and ways to defensibly preserve it has become more challenging for the legal industry.

This article discusses how digital forensic software developers and practitioners have evolved to help solve these challenges.

The COVID-19 pandemic accelerated the working world’s embrace of remote work and the technology solutions that make it possible. The legal community was particularly impacted by these new working models as in-person custodial interviews and depositions were no longer possible. The industry was forced to shift to alternative solutions, such as video conferencing, to circumvent these challenges. Remote work also significantly impacted digital forensics and e-discovery best practices, as traditional workflow models that were taught and followed for decades (e.g., full forensic imaging of devices) became more challenging.

Self-identification and data collection is a potential chink in the armor for any defense, opening the possibility of a challenge from opposing counsel that relevant data was inadvertently or maliciously missed. As COVID restrictions were put in place and in-person data preservation was no longer possible, digital forensic experts and software developers needed to adjust to this new landscape and develop solutions to preserve electronically stored evidence remotely in a defensible manner.

Digital forensics experts have long been able to remotely collect targeted files and folders from custodians’ computers and network servers, typically by screen sharing and remotely taking control of the custodian’s computer. The preserved data is secured within a forensically sound logical container file, which can detect if the contents are manipulated post-collection. This is critically important to retain full chain of custody if the resulting files are transferred via secure FTP or shipped via encrypted drive. Advancements in remote-control technology, including encrypted remote sessions, have made this process more defensible and efficient.
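The tamper-detection property described above can be illustrated with a hash manifest. This is an added example, not code from the authors or from any forensic product; the manifest layout, function names, and sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def digest(path):
    # SHA-256 of one file (read whole here; stream in chunks for large evidence)
    return hashlib.sha256(path.read_bytes()).hexdigest()

def listing(root):
    # relative path -> hash for every file under the collection root
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(files):
    # hash over the canonical listing, so edits to the manifest itself show up
    return hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()

def build_manifest(root):
    files = listing(root)
    return {"files": files, "seal": seal(files)}

def verify(root, manifest):
    # Returns findings; an empty list means the evidence matches the manifest.
    recorded, current = manifest["files"], listing(root)
    findings = []
    if seal(recorded) != manifest["seal"]:
        findings.append("manifest: seal mismatch")
    for name in sorted(set(recorded) | set(current)):
        if name not in current:
            findings.append(f"{name}: missing")
        elif name not in recorded:
            findings.append(f"{name}: added after collection")
        elif recorded[name] != current[name]:
            findings.append(f"{name}: content changed")
    return findings

def demo():
    # Constructed sample evidence: verify intact, then again after tampering.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "inbox.pst").write_bytes(b"constructed sample mailbox")
        (root / "notes.txt").write_text("constructed sample note")
        manifest = build_manifest(root)  # keep this outside the evidence set
        clean = verify(root, manifest)
        (root / "notes.txt").write_text("edited after collection")
        (root / "extra.docx").write_bytes(b"planted")
        (root / "mail" / "inbox.pst").unlink()
        return clean, verify(root, manifest)
```

The seal is an unkeyed hash, so it only carries weight when it is recorded separately from the evidence, for example on the chain of custody form.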

Historically, mobile device preservation has had its own unique challenges. For instance, with the correct credentials, it is possible to preserve an iPhone’s iCloud backup remotely. However, iCloud backups can miss data depending on the user’s sync settings or space available on their iCloud account. Similarly with Android devices, a user can configure their device to back up to Google Drive, but it is not a comprehensive backup and is not always enabled by the user. The traditional approach of collecting data by remotely controlling the custodian’s machine will result in changing evidence on the host machine.

To adapt to remote working challenges, the development of Mobile Development Units (MDUs) has become critical. MDUs involve shipping pre-configured kits in a hard-shell, airtight, and waterproof case that is securely padlocked. The kit includes a forensic laptop, sterile encrypted hard drive, chain of custody form, data cables, and a return shipping label. A call is arranged at a convenient time for the custodian to connect to a digital forensics consultant who will walk them through the setup of the kit.

The forensic laptop is used to initiate a secure remote-control session of the machine. Using this laptop instead of their own ensures all the correct software and system files are pre-loaded with no impact to the user’s machine. The MDUs also provide the ability to open the images for verification purposes and conduct post-collection filtering. Custodians often have privacy concerns around preserving an entire mobile device because there is often cross-contamination between business and personal usage. Consultants are often requested to export date ranges or specific categories, such as SMS, MMS, Chats, Contacts, etc. The MDUs permit the consultant to apply these filters, export the relevant files, and delete the original image, all before the evidence leaves the custodian’s location. The maturity of these remote collection solutions has enabled the legal industry to significantly reduce the burden of identification and preservation of potentially responsive data across many custodians and geographies. This process has allowed consultants to reduce the impact of what—before the COVID-19 pandemic—would have been an invasive collection into a more comfortable experience.

Other work-from-home challenges were solved by the adoption of collaboration tools such as Slack, Teams, Salesforce, Zoom, etc., enabling employees to collaborate with their teams from multiple locations on different devices. Digital forensic software developers have introduced technology to preserve these sources remotely, as most of the relevant data is stored in the cloud. However, as practitioners have experienced in the field, these tools are susceptible to changes in the applications’ interfaces, which can result in forensic software no longer correctly preserving or parsing the underlying data. Given the volume, variety, and velocity of applications and their rapid development, digital forensics tools will always be playing catch-up to any changes, and data collections should be manually validated to ensure all available data is being successfully parsed out.

Once the data is preserved, you need to consider how that data is presented for review. There are some great solutions available which can deliver data formatted in a load file and ready to ingest into a review platform. However, if you or your client have utilized a less popular tool for collaboration, it is possible that these solutions may not support it.

In some instances, the native application does not permit an effortless way of downloading data out of its environment, so the options available should be triaged, and what will or will not be included in the export should be fully tested and understood.

In summary, the new normal of remote working does not appear to be subsiding anytime soon. Thankfully, developments and improvements in technology have made remote collection workflows more efficient and cost-effective. There are still potential pitfalls to consider, such as a user connecting an incorrect device, slow internet connections, or issues with supported devices, so legal teams should continue to be vigilant when considering the best strategy for data preservation.

Technology will continue to evolve, and the best practices for collecting data will adjust accordingly. Early collaboration with your digital forensic partners will help you navigate the complex data challenges related to these emerging technologies.

Mark Clews is a senior managing director with Ankura in Irvine, California. Corey Salm is a director with Ankura in Miami, Florida.

The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Ankura is the Litigation Advisory Services Sponsor of the ABA Litigation Section. This article should not be construed as an endorsement by the ABA or ABA Entities.



Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).