Remote Forensic Collection: Considerations for a WFH Strategy
TLS experts Jon Langton and Joseph Marra were pleased to be invited as guests on a podcast published by the International Legal Technology Association (ILTA).
The episode, “Forensic Collections in a ‘WFH’ World,” features a discussion on remote data acquisition considerations and logistics, ranging from the preparatory stages through the execution of the collection.
Jon and Joe were joined by Don Myers, a shareholder at Littler Mendelson P.C. Don is a TLS client, and provided valuable insight from a legal team’s perspective. The main points of the talk are summarized below.
Key Considerations for Remote Collections
Before a remote collection begins, there are a few main considerations that need to be addressed with the appropriate parties.
It’s imperative to talk with the legal team, the end-client, and the custodians to learn about the type of data being collected and where it’s stored—whether that’s on a smartphone, computer, personal email account, etc. At this stage, all parties should be provided with a thorough explanation of what will occur during the collection process.
Communication throughout the process is another key consideration: it keeps everyone on the same page and working toward a common goal for the end-client, so that the remote collection can proceed as quickly and smoothly as possible.
Additionally, the technical specifications of each collection dictate the forensic workflow, so it’s important to get a sense of the technology and nature of the data sources prior to launching a remote collection.
Security Concerns
First and foremost, legal teams value the involvement of a trusted vendor who understands and communicates security issues up front and can ensure that a client’s data is secure and protected.
Whenever data is in transit, utilize encryption—and deploy multiple layers if possible.
Many forensic tools allow for the collected data to be encrypted by the tool itself, in addition to being securely acquired to an encrypted hard drive. These options allow for multiple layers of encryption and provide a sufficient assurance of security.
Advantages of Remote Collections
The main advantage of remote collections is the logistical convenience for many legal teams, end-clients, and custodians.
It is far easier to ship a collection kit to a custodian and walk through the process on a screenshare meeting or phone call than to arrange for multiple forensic experts to travel to disparate locations or to coordinate a collection meeting with multiple custodians in a conference room in a central location.
Simply put, it’s easier to ship out five collection kits than to get five people in the same room. It’s about efficiency.
Remote collections are in vogue right now for obvious reasons, though they have been deployed for years.
Aside from the logistical advantages of remote collections, there’s also a clear advantage when it comes to technology. Because remote collections have been deployed by forensic practitioners for years, a foundation for advancing the necessary techniques and technologies already exists.
Although technology and collection techniques need to evolve, the pre-COVID establishment of remote collection workflows allows for a more flexible and nuanced approach to simultaneously or consecutively collecting from custodians in disparate locations in less-than-ideal scenarios.
Disadvantages of Remote Collections
Regardless of the technology’s high quality or the existence of numerous established collection workflows, there really is nothing that compares to having boots on the ground and being hands-on with these devices and data sources.
Ninety to ninety-five percent of collections can be effectively executed remotely, but there is an added comfort level and advantage to in-person collections, where a forensic practitioner can troubleshoot or assist in the face of an unforeseen issue.
Remote collection workflows will typically require the involvement of an IT rep or custodian, even in a limited fashion, which may not be ideal from a legal team’s perspective.
Questions might exist about the trustworthiness of an end-client or custodian, or the relative importance of a particular custodian’s data may necessitate that a third party solely drive the collection workflow. In that instance, legal teams ordinarily prefer that a forensic expert perform the collection without the assistance of an involved party, which might involve an in-person collection or the delivery of a custodian’s device to a practitioner’s forensic lab.
Chain of Custody
Legal teams are rightfully concerned about the chain of custody, documentation, and overall integrity of a collection.
Within the context of a remote collection, the chain of custody applies to two distinct objects:
1. The physical device or data source itself, and
2. The hard drive that houses the acquired data.
A source device’s chain of custody is typically not of specific importance during a remote collection, as the physical computer or mobile device isn’t really changing hands. The destination hard drive is more important, which is why the appropriate chain of custody documentation should be included within a remote collection kit.
While the device will remain with an end-client or custodian, it’s imperative to ensure that the destination hard drive’s chain of custody is tracked throughout the entire deployment of the remote kit—from the initial shipment or delivery of the kit through the collection process, until the acquired data is returned to a forensic lab and cataloged into an evidence repository.
In addition to chain of custody, legal teams are invested in the maintenance of clear documentation associated with collecting an entity’s or person’s data.
A common example of this documentation is the execution of a consent form when a custodian’s personal device is collected. Custodians will have understandable questions about the security of their data, and it’s important to clearly outline the scope of the data collection and review. Consent forms allow for the formal documentation of an end-client’s or custodian’s approval of the collection and review processes.
In addition to formally establishing a basis for the collection of data, consent forms typically alleviate any ambiguity that might be associated with forensic collection workflows and provide an additional measure of trust and comfort.