ACEDS presentation on Forensic Data Collection
An ACEDS webinar took place today, entitled "The Evolving Dynamic of Forensic Collections", and presented by David Greetham of Ricoh. Mr. Greetham is a certified fraud examiner, a licensed private investigator, and is certified as an Advanced Certified Forensic Technician by the High Tech Crime Institute. I took away the following tips from this excellent presentation.
1. Any examination must be performed on forensic images, not the original evidence.
2. It must be possible for all examinations to be repeated by the opposing counsel's expert.
3. A forensic image (from which deleted files can be recovered) can be created for any single file or folder, not just a whole drive.
4. Onsite forensic data collection is becoming less common as remote methods of data collection are developed.
5. The use of social media has risen at an exponential rate: there were 4 billion views of videos on YouTube each day in 2015, as opposed to 2 billion in 2011. In 2011, there were only 500 million active monthly users on Facebook - as opposed to 1.49 billion today.
6. In Lester v. Allied Concrete Co. and William Donald Sprouse, the Virginia Circuit Court for Charlottesville fined an attorney $542,000 and his client $180,000 after they altered a Facebook page to remove images of the client, a widower, wearing an "I [heart] hot moms" tee shirt. The client was the plaintiff in a wrongful death suit against a driver convicted of involuntary manslaughter for rolling over his car and crushing the plaintiff's wife to death. The court also cut the jury verdict against the defendant in half.
7. It is possible to collect data from Twitter accounts without following the users, and also to automatically collect the web pages linked to in the tweets. Both Facebook and Twitter should be collected in HTML deliverables.
8. When collecting from Apple's iCloud, it's not necessary to use an iPhone or iPad. iCloud data includes a database with deleted content, including messages. Apple has a back-up application called the Time Machine which allows usage on a device to be tracked over a period of time.
9. False friending someone on social media may be considered unethical.
10. When collecting data from Solid State Drives, the TRIM feature should be disabled, but TRIM usually doesn't engage on USB-connected external drives. It is nearly impossible to collect data from encrypted SSDs, and deleted data usually cannot be recovered.