At the Frontier of forensic collection
 

Presentation offered by Danny Garwood and Robert Castonguay at KPMG 2011 advanced eDiscovery Conference.

  • How should collections be performed? All data collections should be performed in a forensically sound manner. This means that the collection should be done in a sound, defensible manner using industry-accepted tools and procedures. The collection should produce an accurate representation of the source evidence.
  • With that said, there are targeted collection tools available that can provide far greater defensibility than simply copying data to a thumb drive. PinPoint Labs was one of the early proponents of this technology; Access Data Triage is one solution for creating a self-executing collection script on a thumb drive; Guidance EnCase Portable another; Microforensics Titan Collector is one option, as is Nuix Collector Portable.
  • Conclusion: In summary, we have highlighted how forensic collection has evolved and that new technology now permits ….

At the Frontier of forensic collection: Presentation Transcript

  • At the Frontier of Forensic Collection: When is remote collection right for you? October 11, 2011
  • Agenda
    ■ Full Disk Forensic Collection versus Targeted
    ■ Self Collection
    ■ Forensically Sound Self Collection
    ■ Remote Collection
    © 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
  • Full Disk Forensic Collection versus Targeted
    • Full Disk Forensic Image:
      • A forensic collection is a bit-by-bit copy – exact clone
      • Entire hard drive including all active files, deleted files, file fragments and blank space (unallocated)
      • Mostly required for investigations or when recovery of deleted data may be important
      • Preserves all data reducing the risk of spoliation and has greater legal defensibility
      • For eDiscovery:
        • Rampant over-collection
        • Forensic imaging simply is not required or needed
        • Adds unnecessary costs
  • Full Disk Forensic Collection versus Targeted
    • Targeted Forensic Collection:
      • A targeted collection includes only active files deemed relevant to the case (e.g. emails and Microsoft Office documents)
      • Reduces cost and time due to faster collection time and less data
      • Using the same forensically sound tools, approach and methodology
      • Maintains chain of custody, preserving data integrity, no risk of spoliation
      • Functionality to filter data by custodian, folder, file type and date range
  • Self Collection
    • Dangers inherent in self-collection:
      • Omission by inadvertence, laziness, or lack of technical/legal training
      • Data integrity issues – such as MD5 Hash and Metadata spoliations
      • Unpredictability and inconsistency
    • U.S. District Court Judge T. John Ward of patent law fame has recently issued an opinion on e-discovery sanctions. Green v. Blitz U.S.A., Inc, 2011 U.S. Dist. LEXIS 20353 (E.D. Tex. Mar. 1, 2011)
      • The Court orders Blitz to pay $250,000 in civil contempt sanctions
      • The Court issues an additional $500,000.00 sanction that will be tolled for thirty (30) days from the date of this Memorandum Opinion & Order. At the end of that time period, if Blitz has certified with this Court that it has complied with the Court's order, the $500,000.00 sanction will be extinguished
  • Forensically Sound Self Collection
    • Portable collection technologies that can be configured by an expert to collect ESI based on specific criteria
    • Generate MD5 hash values
    • Executed by a custodian
    • Process creates a reasonable, proportional and defensible collection
    • Minimize complexity, just a few clicks!
  • Remote Collection
    • Large population of custodians
    • Remote collection sites/locations
    • Conduct over network LAN/WAN
    • Streamline process to make more efficient, less disruptive
    • Cost reductions
    • Considerations:
      • Requires appropriate access rights for deployment and access
      • Bandwidth
      • Multi-jurisdictions
  • Thank you. Presentation by: Danny Garwood, Robert Castonguay
  • The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative.
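
The targeted collection described in the slides above (filter by file type and date range, generate hash values, produce an accurate representation of the source), sketched as an added Python example that is not part of the presentation or of any product it names. The folder layout, file names and dates are constructed, and recording SHA-256 next to the MD5 value the slides mention is an assumption of this example.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def collect(source, dest, extensions, start, end):
    """Copy files matching type and modified-date range; return manifest rows."""
    manifest = []
    for src in sorted(Path(source).rglob("*")):
        mtime = datetime.fromtimestamp(src.stat().st_mtime, timezone.utc)
        wanted = src.is_file() and src.suffix.lower() in extensions
        if not (wanted and start <= mtime <= end):
            continue
        rel, before = src.relative_to(source), file_hashes(src)
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 preserves the modified timestamp
        if file_hashes(target) != before:  # the copy must match the source
            raise IOError(f"hash mismatch after copy: {rel}")
        manifest.append({"path": rel.as_posix(), "md5": before[0],
                         "sha256": before[1], "modified_utc": mtime.isoformat()})
    return manifest

def verify(dest, manifest):
    """Re-hash collected copies; return paths that no longer match the manifest."""
    return [r["path"] for r in manifest
            if file_hashes(Path(dest) / r["path"]) != (r["md5"], r["sha256"])]

def demo():  # constructed sample custodian folder; names and dates are hypothetical
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "custodian"), Path(tmp, "collected")
        (src / "mail").mkdir(parents=True)
        for name, year in {"mail/q3.msg": 2011, "plan.docx": 2011,
                           "old.docx": 2005, "app.exe": 2011}.items():
            (src / name).write_bytes(name.encode())
            ts = datetime(year, 6, 1, tzinfo=timezone.utc).timestamp()
            os.utime(src / name, (ts, ts))
        window = [datetime(2011, m, d, tzinfo=timezone.utc) for m, d in ((1, 1), (12, 31))]
        manifest = collect(src, dst, {".msg", ".docx"}, *window)
        clean = verify(dst, manifest)
        (dst / "plan.docx").write_bytes(b"altered")  # simulate a later change
        return [r["path"] for r in manifest], clean, verify(dst, manifest)
```

`demo()` returns the collected paths, the verification result straight after collection, and the result after one collected copy is altered; the manifest is what lets a later reviewer confirm the copies still match what was taken from the source.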