希望访问中文页面? 请点此(简体中文版)  

Posted on: May 22, 2015

in Blog

When to Do a Remote Forensics Collection and 5 More FAQs

When should I request a remote collection over on-site? What does the remote collection process look like? Is it defensible? Is the remotely collected data secure and encrypted?

When should I request a remote collection over on-site? What does the remote collection process look like? Is it defensible? Is the remotely collected data secure and encrypted?

I was recently on a call with a client where we discussed the various methods of remote ESI collection. Both of us have been in the legal industry for quite some time and we were reminiscing about travelling across the globe to collect electronic evidence.

Over the years, the D4 Forensics Services Group (FSG) members and I have been to Germany, Switzerland, the Arctic Circle and about 40 of the 50 States. I have learned that much of the time spent on location was invaluable. There is real value in interacting face-to-face with the skeptical IT managers or custodians of very crucial data. It can be reassuring to them to know we were not collecting all their data or putting clandestine agents on their computers that would connect without their knowledge.

That being said, on-site forensic collections can be cost-prohibitive. Fortunately, technology allows us to perform some of our work remotely, in situations where it makes sense.

When Should I Do a Remote Collection Over an On-Site Collection?

  1. Travel expenses associated with on-site collections are cost prohibitive.
  2. The data is not readily, or easily accessible.
  3. Forensic imaging (collecting of all information) is unnecessary and a targeted collection (collection of specific files/folders) is appropriate.

For example, let’s say there is a collection in Omaha, Baton Rouge, and Modesto and all of them need to be done on the same day. We need to collect PST (email) files from three sales reps who work at home. The logistics of coordinating an in-person collection would be tricky and the expense is likely to be high, or disproportionate to the matter.

If you've determined your collection should be handled on-site rather than remotely, use this checklist to prepare for a thorough and cost-effective process.

How Does a Remote Forensic Collection Work?

Quite often, the D4 FSG will use a pre-configured hard drive to facilitate remote collections. In the scenario mentioned above, here is one possible workflow D4 may use to collect the data remotely:

  1. D4 would ship out three pre-configured hard drives, one to each sales rep. They would all receive the drive on the same day.
  2. The reps would then connect the pre-configured drive (via USB) to the computer with the ESI.
  3. A D4 data technician would then connect remotely (ONLY with the user’s permission and knowledge) to the computer. Usually an attorney is on the phone to assist with the interview, while the technician conducts the collection.
  4. Paperwork is completed by the technician.
  5. Once the collection is complete, the custodian is instructed to ship the drive back using packaging and instructions included in the original shipment.
  6. Voila’ it’s done! The data can now be stored safely or prepared for hosting and further review.

Learn more about D4's remote forensic collection capabilities and services.

Is the Remote Collection Process Forensically Sound and Defensible?

Yes, if the electronic data is handled properly. The D4 FSG utilizes specific tools to ensure the source data is not altered and the collected copy is an exact duplicate of the original. Collected ESI should be hashed and validated at the time of collection. The forensics team should also maintain a complete file-level audit log throughout the process.

Is the Remotely Collected Data Encrypted and Secure?

A main concern for legal teams is data security and confidentiality. D4's forensic consultant's utilize encryption technologies as a safeguard to ensure all non-cloud based data is completely secure throughout the entire remote collection process. All cloud-based data is collected securely within D4's network.

When Should I Do an On-Site Forensic Collection Over a Remote Collection?

Every situation, case and client network is different. The forensic consultant should assist in determining the most appropriate collection method for your matter. Here are a few examples of when a forensic collection should be handled on-site rather than remotely.

  1. There are dozens—or hundreds—of custodian workstations all in one location.
  2. Data needs to be collected from complex systems over a period of days or weeks.
  3. When a full forensic bit-stream image is necessary, it may be advisable to have an on-site resource to create the image.

When Should I Use a Hybrid Approach to Forensic Collections?

D4 often sends its forensics technicians on location to install and setup enterprise collection systems. One particular situation involved collections from multiple locations in Asia. We sent the technician to setup systems in two disparate locations. Once the systems were setup, he returned home and the collections continued over a number of weeks. The client was spared travel expenses and the job was completed with little disruption to the businesses.

Let the Expert Be Your Guide

Due to the time and money saving benefits remote ESI collections provide, this secure method is increasing in popularity. As I stated previously, every situation, case and client network differs from the next. When in doubt, call an expert forensic consultant to assist in determining the most appropriate collection method for your matter.

Discover More:

Discover More Categories

D4 Weekly eDiscovery Outlook

Power your eDiscovery intellect with our weekly newsletter.