
ACEDS presentation on Forensic Data Collection


An ACEDS webinar took place today, entitled "The Evolving Dynamic of Forensic Collections", and presented by David Greetham of Ricoh. Mr. Greetham is a certified fraud examiner, a licensed private investigator, and is certified as an Advanced Certified Forensic Technician by the High Tech Crime Institute. I took away the following tips from this excellent presentation.

1. Any examination must be performed on forensic images, not the original evidence.

2. It must be possible for all examinations to be repeated by the opposing counsel's expert.

3. A forensic image (from which deleted files can be recovered) can be created for any single file or folder, not just a whole drive.

4. Onsite forensic data collection is becoming less common as remote methods of data collection are developed.

5. The use of social media has risen at an exponential rate: There are 4 billion views of videos on YouTube each day in 2015, as opposed to 2 billion in 2011. In 2011, there were only 500 million active monthly users on Facebook - as opposed to 1.49 billion today.

6. In Lester v. Allied Concrete Co. and William Donald Sprouse, the Virginia Circuit Court for Charlottesville fined an attorney $542,000 and his client $180,000 after they altered a Facebook page to remove images of the client, a widower, wearing an "I [heart] hot moms" tee shirt. The client was the plaintiff in a wrongful death suit against a driver convicted of involuntary manslaughter for rolling over his car and crushing the plaintiff's wife to death. The court also cut the jury verdict against the defendant in half.

7. It is possible to collect data from Twitter accounts without following the users, and to also automatically collect the web pages linked to in the tweets. Both Facebook and Twitter should be collected in HTML deliverables.

8. When collecting from Apple's iCloud, it's not necessary to use an iPhone or iPad. iCloud data includes a database with deleted content, including messages. Apple has a back-up application called the Time Machine which allows usage on a device to be tracked over a period of time.

9. False friending someone on social media may be considered unethical.

10. When collecting data from Solid State Drives, the TRIM feature should be disabled, but TRIM usually doesn't engage on USB-connected external drives. It is nearly impossible to collect data from encrypted SSDs, and deleted data usually cannot be recovered.


 
 


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

​

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

​

If you have a question or comment about this blog, please make a submission using the form to the right. 


© 2015 by Sean O'Shea . Proudly created with Wix.com
