Digital Computer Forensics Collection Tools
Posted: Nov 29, 2013
Sometimes in civil litigation it is not possible to collect full forensic data for a computer investigation. Even so, it is important to follow a defined protocol when handling whatever data is collected. There are a number of computer forensics tools that can be used for this collection. They cover a wide range of devices, and several of them are suitable for mobile phone analysis as well.
Some of these are:
FTK Imager – A lightweight collection tool that can create both full (physical) acquisitions and targeted (logical) acquisitions of data from servers and workstations. It hashes the image as it is acquired and verifies the finished image against that hash, which is the check that later shows the copy has not changed.
EnCase Enterprise – A collection tool that enables us to make targeted forensic copies of data remotely over a corporate network without the knowledge of the target custodians.
XRY – A reliable and highly respected forensic tool which supports a wide variety of mobile devices, including mobile phones, Sat Navs and tablets. The software recovers both ‘live’ and ‘deleted’ data from devices and presents it in a clear, user-friendly format.
Cellebrite – Cellebrite can extract both ‘live’ and ‘deleted’ data from a number of mobile devices, including mobile phones and tablets. One of its main features is a ‘file system’ extraction, which reads the file structure from the device and displays the evidence exactly as it is stored on the device. Cellebrite is also an excellent tool for recovering ‘deleted’ data from mobile devices.
Pre-Processing Tools For Digital Computer Forensics
Pre-processing tools are designed to quickly reduce data volumes before the data is loaded into an e-disclosure platform. Some pre-processing tools on the market are charged per GB; others use a per-day pricing model. Per-day pricing allows us to undertake high-volume projects at a lower cost than per-GB pricing would have allowed.
We were asked to undertake an e-disclosure exercise across 5TB (5,000,000MB) of data. Had all of this data been loaded straight into a review platform, the cost would have approached £1 million in processing charges alone. By using a pre-processing engine we were able to undertake the exercise for tens of thousands of pounds instead.
Pre-processing tools include the following:
Nuix – Excellent for large volumes of data, Nuix can quickly index and search almost all commonly encountered data types, allowing us to rapidly cull irrelevant data. Nuix can load all data sources at once, enabling us to de-duplicate across exhibits. In a recent exercise we reduced the volume of data that needed to be loaded into the review platform from over 11TB to less than 50GB using Nuix.
EnCase – Historically a tool for forensic practitioners, EnCase can be used for e-disclosure to reduce data volumes and, if required, to recover previously deleted information. EnCase is an ideal pre-processing tool for smaller cases with fewer data sources, but can become labour-intensive on larger cases. Recently, we used EnCase to recover deleted information for inclusion in document review; in total, over 1,000 previously deleted files were recovered.
FTK – Can be used in a similar capacity to EnCase for e-disclosure. FTK indexes all data as it is added to a case, allowing fast keyword searching. FTK is ideal for cases with large volumes of email, as it is effective at maintaining document families such as emails and their attachments, which is often vital to the e-disclosure process.
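The two properties described above, de-duplication across exhibits and keeping email families intact, pull against each other if duplicates are removed one file at a time: an attachment can be culled away from a unique parent email, or kept while its parent is dropped. The following is an added example, not code from the article or from Nuix, EnCase or FTK, showing family-level de-duplication across exhibits. The `Item` records, the exhibit names and the email and attachment bytes are all constructed for the example; real tools would read them out of containers such as PST files or disk images.

```python
"""Family-aware de-duplication across exhibits (added example, constructed data).

A family is a top-level item plus everything attached to it. Families are
hashed as a unit and kept once across all exhibits, so an attachment is only
culled together with its parent, never on its own.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Item:
    exhibit: str                   # hypothetical exhibit label, e.g. "EX01"
    path: str                      # path inside that exhibit
    content: bytes
    parent: Optional[str] = None   # path of the parent email, for attachments


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_families(items):
    """Group items by their top-level ancestor within the same exhibit."""
    by_key = {(i.exhibit, i.path): i for i in items}
    families = {}
    for item in items:
        top = item
        while top.parent is not None:
            top = by_key[(top.exhibit, top.parent)]
        families.setdefault((top.exhibit, top.path), []).append(item)
    return families


def family_hash(members) -> str:
    """Order-independent hash over the members' content hashes, so the same
    email with its attachments listed in a different order still collapses."""
    h = hashlib.sha256()
    for digest in sorted(sha256(m.content) for m in members):
        h.update(bytes.fromhex(digest))
    return h.hexdigest()


def deduplicate(items):
    """Return (kept, culled).

    kept   - items of every family seen for the first time, in input order
    culled - maps a dropped family key to the key of the family it duplicates
    """
    seen = {}          # family hash -> key of the family that was kept
    kept, culled = [], {}
    for key, members in build_families(items).items():
        fh = family_hash(members)
        if fh in seen:
            culled[key] = seen[fh]
        else:
            seen[fh] = key
            kept.extend(members)
    return kept, culled


# Constructed sample: the same email and attachment appear in two custodians'
# mailboxes, a loose copy of the attachment sits on a desktop, and a notes file
# is present on both exhibits.
MAIL = b"From: alice@example.com\nSubject: Q3 forecast\n\nSee attached."
XLS = b"PK\x03\x04 fake spreadsheet bytes"
SAMPLE_ITEMS = [
    Item("EX01", "alice.pst/Inbox/msg001.eml", MAIL),
    Item("EX01", "alice.pst/Inbox/msg001.eml/forecast.xlsx", XLS,
         parent="alice.pst/Inbox/msg001.eml"),
    Item("EX01", "Documents/notes.txt", b"meeting notes"),
    Item("EX02", "bob.pst/Sent/msg777.eml", MAIL),
    Item("EX02", "bob.pst/Sent/msg777.eml/forecast.xlsx", XLS,
         parent="bob.pst/Sent/msg777.eml"),
    Item("EX02", "Desktop/forecast.xlsx", XLS),
    Item("EX02", "Documents/notes.txt", b"meeting notes"),
]

if __name__ == "__main__":
    kept, culled = deduplicate(SAMPLE_ITEMS)
    print(f"kept {len(kept)} of {len(SAMPLE_ITEMS)} items")
    for dropped, original in culled.items():
        print(f"  culled {dropped} as duplicate of {original}")
```

Bob's copy of the email is dropped together with its attachment because the whole family matches Alice's, while the loose `Desktop/forecast.xlsx` survives: it is a standalone family of one and, for disclosure purposes, shows independent possession of the document. Naive per-file de-duplication would have culled that loose copy and, on a different data set, could cull an attachment whose parent email was unique.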
Processing and Review Tools For Digital Computer Forensics
A suite of processing and review tools first processes the data to enable de-duplication (where this was not done at the pre-processing phase) and indexing, making it fully searchable for review. This allows us to omit the pre-processing phase where data volumes are small, saving time and effort.
Clients can carry out document review without worrying about the review platform, because we host the platform and manage the system. If a problem arises during the review phase, technical support and advice are available to clients.
The digital forensics review tools include:
Clearwell – One of the best e-disclosure platforms for processing and review. In 2013 it was placed in the Leaders quadrant of the Gartner Magic Quadrant for e-disclosure software. It offers a wide variety of features on an intuitive, user-friendly interface. Clients can use Clearwell from any computer by accessing it through a secure, encrypted portal. It is charged based on the number of gigabytes used.
FTK – FTK has a review feature that can be helpful even on a small case. Clients can review in FTK from the custom-built review suites at our laboratory in Stratford-upon-Avon. However, it is restricted to one review per exhibit. A positive aspect is that it is not charged per GB, so it can save money.
Paul Bromby is the author of this article on Mobile Phone Analysis.