Data Collection Methods Explained

Part 1: Personal Computers and Servers

One of the first components of digital forensics and e-Discovery is the collection of data across all types of digital platforms like tablets, phones, and computers. Every time an email is sent, a social post is uploaded, or a website is searched, a digital recording of the event is made. In this series, we’ll look at the data collection methods we use for the various types of devices. The first in the series will explain the data collection methods for personal computers and servers.

What is a Forensic Image?

When it comes to personal computers and servers, forensic imaging is always the preferred data collection method. Forensic imaging is the process of creating an unmodified copy of digital data that retains its original metadata.

It may not seem like it, but simple interactions can alter a file's metadata and raise questions about the authenticity and provenance of the data in question. Once a file or data store is modified, it is no longer forensically sound. These actions can alter metadata:

Copying files to a thumb drive

Emailing documents to counsel

Printing a document to PDF

Copying a file from Dropbox to the local computer

Logical vs. Physical Images

Our clients often come to us knowing they need forensic imaging without fully appreciating the differences between logical and physical images and the processes needed to obtain each. We’ll explain the types of imaging we use and the pros and cons for each using the following physical-world example:

Your client is involved in a payment dispute with a vendor. To resolve the dispute, all the checks the client wrote in the past year need to be reviewed. You are led to their office to find the checks, and once there you see a filing cabinet, a desk, and a waste bin.

Targeted Logical Imaging

Your client opens their filing cabinet and directs you to several specific folders containing bank statements with scans of cleared checks. You make a copy of each of these items.

In this example, we know exactly where the data resides.

In the world of forensic imaging, this would be like finding all the data on a hard disk in specific files or folders. All metadata about the files collected are retained.

Pros:

Fastest collection method

Smallest image size

Cost-effective

Cons:

Must know exactly where to look

Easy to overlook important data

No deleted or unallocated data
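The point made earlier about ordinary copies altering metadata, and the targeted logical collection described above, can be seen side by side in the following added example (not Digital Strata's tooling). The file names, manifest fields and sample file are constructed for illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(sources, dest_dir):
    """Targeted logical collection: record each file's hash and timestamps,
    copy it with metadata preserved, then verify the copy against the record."""
    manifest = []
    for i, src in enumerate(map(Path, sources)):
        st = src.stat()                      # read metadata before anything else
        entry = {"source": str(src), "size": st.st_size,
                 "mtime_ns": st.st_mtime_ns, "sha256": sha256(src)}
        dst = Path(dest_dir) / f"{i:04d}_{src.name}"   # prefix avoids name clashes
        shutil.copy2(src, dst)               # copy2 carries timestamps; copy() does not
        entry["copy"] = dst.name
        entry["verified"] = (sha256(dst) == entry["sha256"]
                             and dst.stat().st_mtime_ns == st.st_mtime_ns)
        manifest.append(entry)
    return manifest

def demo():
    """Compare an ordinary copy with the collection above on a constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "bank_statement.pdf"                 # constructed sample file
        src.write_bytes(b"%PDF-1.4 constructed sample\n")
        os.utime(src, (1_600_000_000, 1_600_000_000))    # last modified in Sept 2020
        naive = tmp / "thumb_drive_copy.pdf"
        shutil.copy(src, naive)                          # ordinary copy: new mtime
        naive_mtime_kept = naive.stat().st_mtime_ns == src.stat().st_mtime_ns
        out = tmp / "collection"
        out.mkdir()
        return naive_mtime_kept, collect([src], out)

if __name__ == "__main__":
    kept, manifest = demo()
    print("ordinary copy kept mtime:", kept)
    for e in manifest:
        print(e["copy"], e["sha256"][:16], "verified:", e["verified"])
```

On a live system, even reading the source file can update its last-access time, so the manifest records the modification time and hash rather than relying on access times.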

User Profile Logical Imaging

Your client knows they have the checks but isn’t sure how they’ve been filed. They’ll know them when they see them, though. You make a copy of everything in the filing cabinet to sort through later.

In this example, we know the general area of the data but not the exact location.

In this instance, forensic imaging would mean creating a logical image of everything in a user’s profile folder. This generally includes all user-generated documents and user-specific application data such as email stores, web browsing history, etc. All metadata about the files collected are retained.

Pros:

Faster than a full logical image

All user-generated data is collected

User application data is collected

Cons:

Takes longer than a targeted logical image

Much larger dataset to sift through

No deleted or unallocated data

Full Logical Imaging

Your client once had the checks but isn’t sure where they would have put them. You collect everything in the filing cabinet and all the items on the desk, such as their desk calendar on which they wrote the checks—maybe there’s a writing impression left behind.

In this example, we believe we’ll find the checks in the filing cabinet, but there may be missing items so we look to other places for evidence of the checks in addition to the filing cabinet.

Full Logical Imaging means we create an image of everything in the operating system as well as the user profile data. We copy the full disk, for example, the C: drive in Windows, capturing operating system files that could be used for a deeper dive investigation. All metadata about files collected are retained.

Pros:

Faster than a full logical image

All user-generated data is collected

All application data is collected

Cons:

Takes longer than a targeted logical image

Much larger dataset to sift through

No deleted or unallocated data

Physical Imaging

Your client has no idea where the checks are and frankly, they may have been shredded. You make a copy of everything in their filing cabinet and all the items you see on their desk, but in this instance, you also take the waste bin full of shredded paper with you - maybe you can piece together the missing check.

In this example, we hope the checks are in the filing cabinet or maybe we can find writing impressions on the desk, but now we also need to start piecing together smaller bits of potential evidence.

In a digital situation like this, we create a bit-for-bit image of the device. Every piece of data on the disk will be copied. In addition to what the operating system can see, this also gives us access to deleted files and unallocated space (i.e., space that the operating system has deemed available for reuse but that hasn’t been overwritten).

Pros:

All user-generated data is collected

All application data is collected

Deleted and unallocated space are included

Cons:

Slowest collection type

Largest image size

Deleted and unallocated data will need to be “carved” to be useable
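What "carving" means in practice, as an added example that is not part of the original article: a minimal header/trailer carver run over a constructed raw image in which a deleted PDF still sits in unallocated sectors. It assumes the deleted file is contiguous and identifiable by its signatures; the image layout and function names are hypothetical.

```python
PDF_HEADER, PDF_TRAILER = b"%PDF-", b"%%EOF"

def carve_pdfs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw image bytes for PDF signatures, ignoring any filesystem.
    Returns (offset, data) for every header that still has a trailer."""
    found, pos = [], 0
    while (start := image.find(PDF_HEADER, pos)) != -1:
        window_end = min(len(image), start + max_size)
        # Stop at the next header so two deleted files are not merged into one.
        nxt = image.find(PDF_HEADER, start + len(PDF_HEADER), window_end)
        limit = nxt if nxt != -1 else window_end
        # A PDF may contain several %%EOF markers; take the last one in range.
        end = image.rfind(PDF_TRAILER, start, limit)
        if end == -1:
            pos = start + len(PDF_HEADER)   # body already overwritten: skip
            continue
        end += len(PDF_TRAILER)
        found.append((start, image[start:end]))
        pos = end
    return found

def build_sample_image(sector: int = 512):
    """Constructed 8-sector 'disk': zero-filled, with leftovers of two deleted files."""
    deleted = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF"
    img = bytearray(sector * 8)
    offset = sector * 3
    img[offset:offset + len(deleted)] = deleted          # intact deleted PDF
    img[sector * 6:sector * 6 + 8] = b"%PDF-1.7"         # header only, rest overwritten
    return bytes(img), offset, deleted

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for off, data in carve_pdfs(image):
        print(f"recovered {len(data)} bytes at offset {off}")
```

The second header in the sample has no trailer because its body was reused, which is why unallocated data is only recoverable until it is overwritten.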

Collection Comparison

The logical and physical data collection methods and what can be obtained from their use are broken down in this chart:

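| Collection Method | Metadata | User-Generated Data | Application Data | Operating System Data |
|---|---|---|---|---|
| Targeted Logical | Yes | Yes | No | No |
| User Profile Logical | Yes | Yes | Yes | No |
| Full Logical | Yes | Yes | Yes | Yes |
| Full Physical | Yes | Yes | Yes | Yes |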
