
eDiscovery questions

8 Posts
6 Users
0 Likes
616 Views
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I have access to EnCase Forensic Imager, but I'm reading about horror stories where it writes temp files to the local drive even if ran from a portable drive. The computer that I need to do this for will still be in use as the system is being imaged. Is this a big deal if I make it known in the report?

Another note, should I use EnCase FI or take a look at FTK? I'll need them in EnCase files….

Thanks,
John

 
Posted : 25/03/2015 2:03 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

FTK Imager can image in e01 format which is the same used by EnCase.

Can't comment on the temp file issues as I don't use it and wasn't aware of EnCase doing that... I use X-Ways )

Pretty sure you can run FTK from a thumb drive without it doing anything to the system being imaged, but you may find some documentation to back that up on the AccessData website.

 
Posted : 25/03/2015 9:27 am
(@wookieshaver)
Posts: 27
Eminent Member
 

I would suggest Paladin Edge for imaging from a USB drive. You can load this Linux distribution and easily image to E01 (with verification and logs). You can choose to mount drives as read/write for storage media for your image once booted.

 
Posted : 25/03/2015 8:36 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

EnCase Forensic Imager definitely writes to the temp drive. I have a folder under C:\Users\<username>\AppData\Local\Temp\1\Imager that was created.

The one issue that I have now is that I can verify the evidence files, but I can't find a single place where these hash files were written on the drive. Do they get written into the evidence file? (I did a logical acquisition for this one.)

Thanks!
John

 
Posted : 26/03/2015 3:53 am
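One way to document an imaging tool's footprint on a machine that stays in use during acquisition, as an added example that is not part of this thread and not EnCase or FTK code: snapshot the directories the tool might touch before and after the run, then diff the two. Everything below is constructed in a temporary folder; the Temp\1\Imager path is echoed only as a stand-in for the folder the post above observed.

```python
"""Snapshot a directory tree before and after running a live imaging tool and
report what the tool created, modified or deleted, so the footprint can be
written into the acquisition report.

Added example for this thread; it is not EnCase or FTK code. The sample
files and the Temp\\1\\Imager folder are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (size, mtime_ns, sha256)} for every file under root."""
    result = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
            except OSError:
                continue  # file vanished or is unreadable; skip rather than abort
            result[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return result


def diff_snapshots(before, after):
    """Classify files as created, deleted or modified (content hash changed)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p][2] != after[p][2])
    return {"created": created, "deleted": deleted, "modified": modified}


def footprint_report(diff):
    """Format the diff as lines for the 'actions taken on the system' section."""
    lines = []
    for kind in ("created", "modified", "deleted"):
        for p in diff[kind]:
            lines.append(f"{kind.upper():8} {p}")
    return lines


def demo():
    """Simulate an imager writing into a Temp folder between two snapshots (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Temp").mkdir()
        (root / "Temp" / "existing.log").write_text("already here\n")
        before = snapshot(root)
        # Constructed stand-in for the Temp\1\Imager folder seen in the post above
        (root / "Temp" / "1" / "Imager").mkdir(parents=True)
        (root / "Temp" / "1" / "Imager" / "scratch.tmp").write_bytes(b"\x00" * 64)
        (root / "Temp" / "existing.log").write_text("already here\nappended by tool\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for line in footprint_report(demo()):
        print(line)
```

In practice you would point `snapshot` at the profile's Temp folder and the tool's install directory rather than a throwaway folder, take the "before" snapshot immediately before launching the imager, and paste the report lines into the notes section alongside the acquisition hashes.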
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

I've only used EnCase Imager long enough to realize it's inferior to FTK Imager, but the hash values will be stored in the e01 files. Just load it up in EnCase Forensic and you can see the hash values. If you don't have EnCase, there are free tools available to read e01 files or even convert e01 to DD if that's your preference.

I do not use DD for imaging because there's no CRC on each block. E01 is a well-established format, supports compression, and has a CRC in addition to the overall hash value.

 
Posted : 28/03/2015 4:54 pm
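To see why a CRC per block on top of the overall hash matters, here is an added example that is not part of this thread and not EnCase, FTK or libewf code: it models the idea on an in-memory byte string rather than parsing a real E01. The image contents are constructed, and the 64 KiB block size is an assumption chosen for illustration, not the actual E01 chunk layout.

```python
"""Per-block CRC32 plus an overall hash, modelled on the E01 idea from the post above.

Added example for this thread; it is not EnCase, FTK or libewf code and does not
read real E01 files. The image bytes are constructed and the block size is an
assumption for illustration.
"""
import hashlib
import zlib

BLOCK_SIZE = 64 * 1024  # assumed block size for this demo


def blocks(image):
    """Yield (index, block_bytes) for consecutive fixed-size blocks of the image."""
    for n, start in enumerate(range(0, len(image), BLOCK_SIZE)):
        yield n, image[start:start + BLOCK_SIZE]


def build_integrity_record(image):
    """Record a CRC32 per block plus MD5 and SHA-1 over the whole acquired data."""
    return {
        "crcs": [zlib.crc32(b) for _n, b in blocks(image)],
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def verify(image, record):
    """Return (overall_hashes_match, [indices of blocks whose CRC mismatches]).

    A raw dd image carrying only an overall hash gives you the first value;
    the per-block CRCs are what let you say *where* the damage is, so the
    rest of the image remains usable and the report can be specific.
    """
    overall_ok = (hashlib.md5(image).hexdigest() == record["md5"]
                  and hashlib.sha1(image).hexdigest() == record["sha1"])
    bad = []
    seen = 0
    for n, b in blocks(image):
        seen = n + 1
        if n >= len(record["crcs"]) or zlib.crc32(b) != record["crcs"][n]:
            bad.append(n)  # altered block, or a block the record never had
    # blocks the record expects but the image no longer contains (truncation)
    bad.extend(range(seen, len(record["crcs"])))
    return overall_ok, bad


def demo():
    """Acquire a constructed 256 KiB image, then flip one bit inside block 2."""
    image = bytes(range(256)) * 1024          # 4 blocks of 64 KiB
    record = build_integrity_record(image)
    ok_clean, bad_clean = verify(image, record)
    damaged = bytearray(image)
    damaged[2 * BLOCK_SIZE + 123] ^= 0x01     # single-bit error in block 2
    ok_damaged, bad_damaged = verify(bytes(damaged), record)
    return ok_clean, bad_clean, ok_damaged, bad_damaged


if __name__ == "__main__":
    print(demo())  # (True, [], False, [2])
```

The overall MD5/SHA-1 answers "is this still the data I acquired?"; the block list answers "which 64 KiB is wrong?", which is the difference between re-acquiring everything and being able to state in the report exactly what was affected.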
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

GetData's free Forensic Imager (www.forensicimager.com) application might be worth a look as an additional tool to have in your tool kit to FTK Imager.

Forensic Imager is able to convert back and forth (documented with a hash verification log) between the following formats:

DD /RAW (Linux “Disk Dump”)
AFF (Advanced Forensic Format)
E01 (EnCase®)

** I am curious why your subject post says "eDiscovery questions" as your question was about forensic imaging? For example, in my civil litigation practice, not all cases require or need physical images; some cases are sufficiently served by a logical collection (say using FTK Imager to create a custom AD1 file of a personal or shared directory on a network file server).

All civil ediscovery cases need original file metadata preserved so that commonly applied date filtering technology can be used, but not all categories of civil litigation cases require forensic analysis (which if true would require physical images always in all civil litigation cases).

In many instances, taking a physical image is more convenient and also allows for later forensic analysis should the need arise.

However, in my construction delay claim practice, for example, the court is considering issues surrounding "acceptable" delays versus "unacceptable" delays. Complex construction projects (hotel/casino/golf course/condo combined development) have what is known as a pre-defined "critical path" that is tracked throughout the life of the project in very expensive software. Before one can determine when an acceptable delay becomes an unacceptable delay, one has to define the "critical path" that subcontractors might deviate from (defective materials arrive, thus preventing a crew from being able to install a lighting system, which in turn forces the crew to move on to the next project they committed to, etc.)

In my construction cases (wherein most litigants self collect!!!), I have been able to use GetData's excellent FEX tool to isolate color JPEG files, extract camera Exif metadata and then export a timeline report of the 150,000 photographs taken of a complex project (I call it a "Chronological Photography Report"). This chron report tells a story by the folders in which the photos are stored, such as who took them and why. In a six year project, not all employees are present or even available when a litigation occurs, so identifying custodian names and what role they played in the project helps the attorneys do their work.

The fact that the client self collected ESI without the use of any forensic imaging tools did not negatively affect my chron reporting capabilities, nor the attorney client's abilities to analyze, review and produce the self collected ESI, because the standards and tests by which the judge has to decide construction cases are not the same types of standards and tests judges use in Computer Fraud and Abuse Act type cases (when does authorized access become unauthorized access), for example.

Can you share what type of case you are involved in currently (divorce, toxic tort, IP, labor & employment) or the causes of action described in the latest complaint?

Larry

 
Posted : 28/03/2015 10:39 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Larry,

Thank you for the great response. I cannot share the type of case, but I can tell you that I was requested to get a full acquisition of the drives which led me down the road of comparing EnCase FI and FTK.

Thanks!

 
Posted : 29/03/2015 6:22 pm
(@dacorr)
Posts: 8
Active Member
 

> Larry,
>
> Thank you for the great response. I cannot share the type of case, but I can tell you that I was requested to get a full acquisition of the drives which led me down the road of comparing EnCase FI and FTK.
>
> Thanks!

If you have been instructed to complete a full acquisition of the drive, my immediate question would be: is the drive in a live or dead state, and is it a laptop with drive lock and/or BitLocker or some other drive encryption?

These circumstances will influence the forensic approach, as will the location of the device; and if the imaging request follows after some other investigation, it will also impact potential evidence.

FTK and EnCase are both widely accepted by courts; it is how you use them that will be questioned. If you are worried about temp files I can only presume the device is in a live state, and it may be best to pull off volatile data before you image. This should also include RAM, as your interactions may change valuable data and you will need to limit that impact.

I have used both of these tools as well as DD, and on one instance I had to use Norton Ghost to take an image; live forensics is all about taking actions within reason and being able to explain them.

 
Posted : 02/04/2015 4:30 pm