Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2010-06-29 06:57:12.

In Part 1, we explored the basic methods of collecting from desktops in the large enterprise environment. The recent Delaware ruling in Roffe v. Eagle Rock provided a good context to discuss the potential pitfalls and the necessity of custodial self-designation of potential evidence. That brings us around to the lowest-risk/highest-effort method: full forensic images of desktops. I want to be very careful here to differentiate a bit-for-bit image of the physical drive from the more commonly used 'forensically sound copy'. A forensic image captures every bit across the entirety of the physical drive, allocated or not, which is what preserves unallocated space, file slack and deleted data. This means that an 80 GB laptop drive produces an 80 GB forensic image (before any compression by the evidence container format), even if only 20 GB of files are on it. A 'forensically sound copy' uses the operating system to capture the content (hash-verified) and the context (OS metadata) of selected active or deleted files; whatever it does not select, it does not preserve. Now that we have made that clear, we can move on to enterprise forensic collection, which I am taking to mean the ability to collect a full forensic image without having to physically attach a write-block device.
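To make the distinction concrete, here is an added example (mine, not from the original post or from any of the vendors discussed) of the 'forensically sound copy' side: selected files are copied, the content is hash-verified on both sides of the copy, and the OS metadata is recorded in a manifest that can later re-verify the copies and flag any that changed. The sample custodian files, directory names and manifest fields are constructed for illustration. A bit-for-bit image would instead read the raw block device from start to end and has no notion of files at all.

```python
"""Selective, hash-verified file collection with OS metadata (a 'forensically
sound copy'), as opposed to a bit-for-bit image. Added example, not from the
original post; file names and manifest layout are illustrative assumptions."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-GB evidence never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stat_metadata(path: Path) -> dict:
    """The OS metadata that gives a file its 'context' in the post's terms."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
        "ctime_ns": st.st_ctime_ns,
    }


def collect(sources, dest_dir: Path) -> list[dict]:
    """Copy each selected file, hashing source and copy; abort on any mismatch."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        # Record metadata BEFORE reading: on many mounts a read updates atime.
        meta = stat_metadata(src)
        src_hash = sha256_file(src)
        dst = dest_dir / src.name
        shutil.copy2(src, dst)  # copy2 carries mtime/atime across; ctime is not copyable
        dst_hash = sha256_file(dst)
        if dst_hash != src_hash:
            raise RuntimeError(f"hash mismatch while copying {src}")
        manifest.append({"source": str(src), "copy": str(dst), "sha256": src_hash, **meta})
    return manifest


def verify(manifest: list[dict]) -> list[str]:
    """Re-hash the copies; return the paths whose content no longer matches."""
    return [e["copy"] for e in manifest if sha256_file(Path(e["copy"])) != e["sha256"]]


def demo() -> dict:
    """Constructed sample: two custodian files are collected, then one copy is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        custodian = root / "custodian"
        custodian.mkdir()
        (custodian / "memo.txt").write_bytes(b"Q2 forecast draft\n")
        (custodian / "notes.txt").write_bytes(b"call counsel re: hold\n")

        manifest = collect(sorted(custodian.iterdir()), root / "evidence")
        clean_failures = verify(manifest)

        # Simulate post-collection alteration of the memo copy; verify() must catch it.
        Path(manifest[0]["copy"]).write_bytes(b"Q2 forecast FINAL\n")
        tampered_failures = [Path(p).name for p in verify(manifest)]

        return {
            "count": len(manifest),
            "clean_failures": clean_failures,
            "tampered_failures": tampered_failures,
            "memo_hash": manifest[0]["sha256"],
            "sizes": [e["size"] for e in manifest],
        }


if __name__ == "__main__":
    print(demo())
```

Note what this does not do: nothing outside the selected files (unallocated clusters, slack at the end of each file, the other 60 GB of the drive) is touched, which is exactly the trade the author describes. The manifest hash is the only thing that later proves the copies are what was collected, so it has to be written at collection time and stored apart from the copies.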
EnCase Enterprise and AccessData Enterprise are centralized, secured platforms that use distributed agents (servlets) on all of your desktop computers to collect forensic images remotely. These two companies have fought each other over the forensics market for years: Guidance shipped the first enterprise platform in 2002-2003, while AccessData's Enterprise was not released until early 2008. Your IT department has to push the agent out before you can make collections, and neither system supports any kind of proactive data map to locate and identify target machines. Network bandwidth and user impact are the primary challenges of this method. The systems have gotten somewhat better about throttling their use of the target's resources during imaging, but a full image moves every byte of the drive, so they have to hog your connectivity: even at the theoretical line rate of a 100 Mbit/s link, the 80 GB image from above is roughly two hours of saturated traffic, and real networks do considerably worse. With so many corporate applications moving to the intranet/internet, expect all of the target user machines to behave as if there were a U.S. World Cup match during working hours (i.e. slow to a crawl).
Acquiring a full drive image from a laptop or other mobile machine has its own challenges. I heard early stories about hybrid images due to target IP addresses being reassigned when the users logged off. The products are more mature now. Really. My early experiences in disk imaging across the network were less than stellar. However, I have gotten recent reports of 6-8 hour collections with improved infrastructure and better data handling from the software. Every environment is special, so you should conduct realistic performance testing before you cut any purchase orders for any product. This bandwidth choke point has pushed Guidance and AccessData to create portable USB versions (EnCase Portable and Live Response), but these products really focus on selective and crawl-and-search collection rather than full disk images. Forensic examiners have always been able to use a boot CD to do local acquisitions, but the new crop of plug-and-play tools is designed to let a non-certified user acquire the image onto an external hard drive or appliance and ship it back; the acquisition hash recorded at collection time is what later lets the examiner show that the shipped image is the one that was taken. A good example of this is HSSK's Remlox self-collection appliance.
The enterprise forensic platforms appeal to highly regulated or risk-sensitive companies that regularly pay for disk imaging of multiple custodians. The broader market is focused on selective collection methods, which is why you do not see Autonomy bragging about the ability to do full disk images with its Autonomy Legal Hold (ALH) platform. They have the capability, but they know that their prospects are more interested in defensible, selective collection of active files to manage the scope of collections than in digging into slack space and cookie crumbs. The primary scenarios that justify forensic imaging of desktops, volatile RAM and mobile devices usually also justify the expense of a third-party expert to directly acquire and analyze the ESI. Basically, if you think that your matter may need to comply with the higher standards of care and custody of a criminal investigation, then step back and let the experts handle it.