Insights: Article

Forensic Data Collections

For Civil and Criminal Procedures

By   Trent Leavitt

December 15, 2017

Forensic data collections are expansive. They can be anything from a single email account to all of the computers of upper management in a large corporation or a single cell phone. Regardless, they all need to be collected in a safe forensic manner. You might ask, “why does it matter how it is collected, if the document, email, database or folder is able to be read, then what is the worry? The worry you should have is admissibility in court. When a document, let’s say a word document needs to be used in court, the way that it was collected must be defensible. Meaning that opposing counsel must be convinced that nothing has been deleted or altered. This is done by looking at the metadata. When data is not collected in a forensically sound manner, you inherently change the metadata, whether you mean to or not. Once opposing counsel objects because of spoiled metadata, it is out and sanctions and/ or summary judgment on your case can be right around the corner.

Three problems exist in forensic data collections.

First, most of the time, they are not done correctly. Copying and pasting your documents onto a thumb drive and handing them to your lawyer is not the best idea (Just FYI). Second, it’s not very defensible. If you or a member of your IT staff collected the data, the argument can be made that it might have been done with a certain amount of prejudice and that the key piece of evidence could have been left out. When you outsource, you outsource the defensibly and liability to the third-party who is collecting the data. This takes a large amount of risk and exposure off of you and your client and places it on the third-party responsible for the collection. Third, most don’t know what is capable of being collected. Keep reading to see what can be collected and used in a variety of cases.

It used to be that data collections were a simple matter of placing documents into a forensic image and then sending it off for review. Today the solutions are much more complex and cost-effective.

On-site collections are the most standard form of forensic data collections. We are capable of going on-site anywhere in the world, even on short notice to collect data directly from laptops, servers, desktops, cell phones when the circumstance calls for it. We collect everything in a sound court-approved manner. This is normally done for larger collection batches of data.

Remote Collections are collections much like an on-site collection, only smaller in nature, which allows us to perform the collection remotely, thus saving our clients money. In order to perform remote collections, we need to work with the IT staff to gain secure access to the network. IT staff can also be utilized in collections that would normally be done on-site, but don’t have to be. This saves money on the overall project.

Targeted Collections are just that, a collection of data performed either on-site or remotely for a specific set of data. This can be done by collecting a set of data by a certain time period, or folder for example. If you know exactly what it is that you need to be collected, then we can collect it for you.

Cloud Collections are forensic data collections that require harvesting data from cloud storage areas. This would include Gmail, Yahoo, Hotmail, Dropbox, Google Drive etc. If it is cloud-based, we have a way of forensically extracting the data for use in court.

Social Media forensic data collections have become more and more relevant in both civil and criminal cases. We can forensically collect from Facebook, Twitter, Instagram, Youtube, to name a few. Please see our social media collection service page.

Mobile Device Forensic Data Collections are the collections of cell phones and tablets. We utilize multiple tools to be able to collect from thousands of different types of mobile devices. Deleted text messages and other social media are among a few of the types of items that can be retrieved from cell phone forensic collections

Culled Forensic Data Collections is the combination of any of the above-listed collection methods, but with the ability to cull only the responsive data at the same time that the collection is taking place. Please see our page on culled data collections to get a better idea how this new technology can save large amounts of time and money as well as reducing risk.

For further information on how to use some of the tools that we make available to our clients, please click here to learn more about FTK Imager.