Peer to Peer Magazine

Summer 2019: Part 1

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/1136335


PEER TO PEER: ILTA'S QUARTERLY MAGAZINE | SUMMER 2019 | 41

…written record known as a chain of custody be kept of the entire forensic collection process should questions arise later. This document must memorialize the steps taken to image each piece of original media and should include details of the actions taken by all participants in the collection effort. At a minimum, these details should include the following specifics:

• A photo of the device that includes, ideally, the device name and serial number (or a similarly unique identifier),
• The name of the custodian to which the device belongs,
• The location of the original media,
• The date and time that the device was acquired, and
• In civil matters, if the device was shipped to the location where it is being imaged, the shipping receipt should also be included.

The chain of custody document should be maintained throughout the acquisition process, noting when a device changes possession within the forensic examiner's organization, and until the device(s) leave(s) the possession of the examiner's office. The chain of custody can be kept in paper or electronic form, as long as its authorship remains verifiable and its contents are securely stored.

2. FORENSIC IMAGING PROCESS

It is best practice to create two forensic images of all devices targeted for collection: a pristine copy and a working copy. By doing so, the risk of spoliation is minimized. All pristine copies should be kept in a secure place (such as a safe) with very limited or managed access; the working copies should be used for the forensic examination. The stored pristine copies should only be made available for re-imaging if a working copy is somehow altered or compromised.

3. COLLECTION METHODS

There are two methods by which devices are most often forensically collected: via hardware imaging, or via software tools specifically designed for forensic imaging. Each approach has advantages and disadvantages, which are discussed below, but often a combination of methods will be the best approach. Also, each method can be used onsite (where the original devices are located) or within the forensic examiner's lab.

Hardware imaging is done through an appliance, such as the OpenText™ Tableau TX1 Forensic Imager, which connects to the original device in such a way that it will not alter the electronic evidence on that device. Making a forensic image this way is usually the most expedient and thorough way to get an exact duplicate of the data on the original device, but it does require more time (and more destination storage space) than making an image. However, forensic imaging devices can be limited in their range of connectivity, given that there are many different types of ports to connect to. This issue can create delays in a collection project if an investigator doesn't have the connectors needed for the range of devices targeted for collection.

An alternative process for forensically collecting data is using software applications such as Tableau Imager. The advantage of this approach is that these applications are usually more accommodating, since they are not affected by the physical connections on a device. Conversely, the software approach can be slower than using a hardware appliance, given that the software may require a good bit of configuration per device.

The best way to take advantage of the benefits of each approach is to plan for the use of both hardware and software means on every project. Understand in advance the types of devices (computers, mobile phones, servers, etc.) that will need imaging, as well as their operating systems, and prepare accordingly. This understanding will best guide the forensic collection hardware and software preparation process.

4. WRITE BLOCKING PROTECTION

Regardless of whether a forensic examination is executed with forensic hardware or software, it is also best practice to include the use of a device called a 'write blocker' or 'forensic bridge' in the process, to assure that none of the electronic evidence on the targeted device is altered. This device 'sits' between the original device and any externally connected appliance or application being used to make a forensic copy. The write blocker then protects the original device by allowing only 'read' commands to be passed to the original device and blocking all 'write' commands. Although this step increases the time it will take to complete a forensic collection project, the benefits of reducing the risk of altering the electronic data are substantial.

5. HASH VALUE COMPARISON

Once the process of imaging devices is complete, it is prudent (although not required) to assure that the data on each image is exactly as it is on the original media, which may be important to prohibit admissibility claims later on by objectively illustrating that the images are exact duplicates. The best and most common way of making this assurance is by comparing the hash values on each image to those on the original, with the goal of a 100 percent match from one to the other. Without getting into the technical details, hashes are often described as digital fingerprints for files, folders, drive partitions or entire physical drive volumes, and are created by running an algorithm on the digital contents of the original device and then its copies. There are two types of
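The imaging and hash comparison workflow of sections 2 and 5, as an added Python example (not code from the article or from any Tableau product): the source is imaged into a pristine copy and a working copy, hash values are recorded as the source is read, and a copy is accepted only on a 100 percent match. MD5 and SHA-256 as the algorithms, and in-memory byte streams standing in for the device, are assumptions.

```python
"""Hash-verified forensic imaging (added example, not from the article).
A pristine and a working copy are made byte for byte from the source media,
hashes are recorded while the source is read, and a copy is accepted only on
a 100 percent match. The 'device' here is a constructed in-memory stream."""
import hashlib
import io

CHUNK = 4096  # fixed-size reads so large media never has to sit in memory at once
ALGORITHMS = ("md5", "sha256")  # assumption: use whichever pair the examiner's tool records

def copy_and_hash(source, destination=None, algorithms=ALGORITHMS):
    """Read source from offset 0 in chunks and hash it; if destination is given,
    also write an exact byte-for-byte copy. The source is only ever read, as it
    would be behind a write blocker. Returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    source.seek(0)
    if destination is not None:
        destination.seek(0)
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        if destination is not None:
            destination.write(block)
        for h in hashers.values():
            h.update(block)
    if destination is not None:
        destination.truncate()  # a copy must not keep stale bytes past the source's end
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(acquisition_hashes, image):
    """True only if every hash recorded at acquisition matches the image's own."""
    return copy_and_hash(image, algorithms=tuple(acquisition_hashes)) == acquisition_hashes

def demo():
    """Constructed sample: a 10240-byte 'device', a pristine copy and a working copy.
    Returns (working copy verifies, altered working copy verifies, pristine verifies)."""
    device = io.BytesIO(bytes(range(256)) * 40)
    pristine, working = io.BytesIO(), io.BytesIO()
    recorded = copy_and_hash(device, pristine)   # hashes taken at acquisition time
    copy_and_hash(device, working)
    clean = verify_image(recorded, working)      # True: exact duplicate
    working.seek(100)
    working.write(b"\x00")                       # simulate the working copy being altered
    altered = verify_image(recorded, working)    # False: mismatch, re-image from pristine
    return clean, altered, verify_image(recorded, pristine)
```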
