The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1136335
42 approved hashing algorithms that can be used for this process, including MD5 and SHA hash algorithms. Once this task is completed, the respective hash value files are reviewed from each device for accuracy. If they are exact matches, the copies are deemed to be complete and exact copies. The benefit of having hash files on hand to demonstrate veracity of data will certainly offset the time it takes to create them. Challenging Sources of Data It's difficult to overlook sources of potentially relevant data such as email. Each day, however, new communications systems come online that may contain data that should be preserved. Some primary sources, though not comprehensive, include email, IM, mobile device sources, and emerging forms of ephemeral data. 1 . E M A I L The task of tackling email preservation and collection requires that the forensic examiner and the IT team work together closely since IT is best positioned to identify the locations of relevant email stores most quickly. Once this task is complete, the IT team can assist in the capture of relevant email accounts (key custodians are particularly significant here), back-up these accounts, and then copy them into a PST or OST file that the examiner can then review. For the key custodians, it is also best practices to make a full forensic image of their computers to assure that archived PSTs, .msg and .txt files, and any deleted files which are saved on these machines can be captured. From this point, industry standard forensic analysis software, such as OpenText EnCase Forensic, can be used to locate any deleted files and their fragments. 2 . M O B I L E D E V I C E S Mobile devices have long been a source of consternation for forensic examiners because of the tactical challenges that they present. Password protection/encryption is one grand challenge, but the types of common uses for cell phones these days add to this list. Voicemail, text and IM (discussed below), and social media accounts all exist on these devices and their operating systems can often make the preservation and collection of this data very difficult. Lastly, the data is very easily altered by simply turning the device on. Hence, retaining an examiner who is skilled at preserving these devices is a very good idea. He or she will know to power these devices down immediately, to include their details in the chain of custody documentation, and how best to assure that a forensically- sound image of each device is made/used to assess the evidence that each one includes. Innovation is more than technology confidently purchased. Legal Innovation Consultants Before you launch go to senteadvisors.com/landing