LITIGATION SUPPORT TIP OF THE NIGHT

For a good guide on how to collect data from a hard drive in a manner that is defensible under Minnesota state law, see Novacheck, Mary T.; Thornton, Molly B.; Beard, Jeffrey J.; and Burns, Mark (2014) "IT Technologies and How to Preserve ESI Cost Effectively," William Mitchell Law Review: Vol. 40: Iss. 2, Article 6, available at: http://open.mitchellhamline.edu/wmlr/vol40/iss2/6. See Appendix A, 'Sample Technologies for Preservation and Collection - Hard Drives'. The guide shows how data can be collected with EnCase. The authors are a partner at Bowman and Brooke LLP, a partner at Dorsey & Whitney LLP, an information governance consultant for IBM, an e-discovery manager for Boston Scientific, and a manager with KPMG's Forensic Technology Services practices.

Follow these basic steps:

1. First document each step in the process with a checklist.

2. The hard drive of the source computer is extracted, connected to a write blocker, which is then in turn connected to the forensic expert's PC.

3. EnCase allows for individual directories to be collected. When you're ready to proceed, click 'Acquire'.

4. The paper recommends the following settings for the output. A file output from from EnCase will have a .E01 file extension. EnCase outputs data in 640 MB image files by default.

In Windows 7 if you to Start and type in 'Event Viewer', an application will launch that will allow you to track all login attempts to your PC.

In the Event Viewer menu list, select Windows Log and expand the folder tree. Select security. This will show you a log of events on your PC, and 'Date and Time' field will allow you to easily tell whenever someone has had your PC on.

Note that you may see entries with the Task Category of 'Logon' and with a note of 'An account was successfully logged on' on the General tab in the pane at the bottom, even when the someone has not successfully logged on and entered the correct password to access the system.

If you click on the 'System' icon in the tree, and scroll to find 'Error' level records, you'll be able to find notes reading, "currently configured password due to the following error: Logon failure: unknown user name or bad password." on the general tab. A good way to pinpoint when an unauthorized person was trying to access your PC.

There is a file in Windows 7 at C:\Users\[username] named NTUSER.DAT. This is a registry hive. A new hive is created for each user that logs in. The hives contain information about a user's application settings, network connections, printers, and environment settings. This is a very useful file to have when you're imaging a user's laptop or desktop. However registry files like this one cannot be copied with Windows Explorer. If you try, you'll get an error message like this one:

FTK Imager can be used to copy this files. On the toolbar, click on the yellow safe icon. A new dialog box will appear prompting the user to 'Obtain System Files'. If you select the option for 'Password recovery and all registry files', and select a folder to copy the files to, the NTUSER.DAT file will be copied with other registry files to the new destination.