At the Frontier of forensic collection

Presentation offered by Danny Garwood and Robert Castonguay at KPMG 2011 advanced eDiscovery Conference.

  • How should collections be performed? All data collections should be performed in a forensically sound manner. This means that the collection should be done in a sound, defensible manner using industry-accepted tools and procedures. The collection should produce an accurate representation of the source evidence.
  • With that said, there are targeted collection tools available that can provide far greater defensibility than simply copying data to a thumb drive. PinPoint Labs was one of the early proponents of this technology; Access Data Triage is one solution for creating a self-executing collection script on a thumb drive; Guidance EnCase Portable another; Microforensics Titan Collector is one option, as is Nuix Collector Portable.
  • Conclusion: In summary, we have highlighted how forensic collection has evolved and that new technology now permits ….
  • Transcript

    • 1. At the Frontier of Forensic Collection
         When is remote collection right for you?
         October 11, 2011
    • 2. Agenda
        ■ Full Disk Forensic Collection versus Targeted
        ■ Self Collection
        ■ Forensically Sound Self Collection
        ■ Remote Collection
      © 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
    • 3. Full Disk Forensic Collection versus Targeted
        • Full Disk Forensic Image:
            • A forensic collection is a bit-by-bit copy – exact clone
            • Entire hard drive including all active files, deleted files, file fragments and blank space (unallocated)
            • Mostly required for investigations or when recovery of deleted data may be important
            • Preserves all data reducing the risk of spoliation and has greater legal defensibility
        • For eDiscovery:
            • Rampant over-collection
            • Forensic imaging simply is not required or needed
            • Adds unnecessary costs
    • 4. Full Disk Forensic Collection versus Targeted
        • Targeted Forensic Collection:
            • A targeted collection includes only active files deemed relevant to the case (e.g. emails and Microsoft Office documents)
            • Reduces cost and time due to faster collection time and less data
            • Using the same forensically sound tools, approach and methodology
            • Maintains chain of custody, preserving data integrity, no risk of spoliation
            • Functionality to filter data by custodian, folder, file type and date range
    • 5. Self Collection
        • Dangers inherent in self-collection:
            • Omission by inadvertence, laziness, or lack of technical/legal training
            • Data integrity issues – such as MD5 hash and metadata spoliation
            • Unpredictability and inconsistency
        • U.S. District Court Judge T. John Ward of patent law fame has recently issued an opinion on e-discovery sanctions. Green v. Blitz U.S.A., Inc, 2011 U.S. Dist. LEXIS 20353 (E.D. Tex. Mar. 1, 2011)
            • The Court orders Blitz to pay $250,000 in civil contempt sanctions
            • The Court issues an additional $500,000.00 sanction that will be tolled for thirty (30) days from the date of this Memorandum Opinion & Order. At the end of that time period, if Blitz has certified with this Court that it has complied with the Court's order, the $500,000.00 sanction will be extinguished
    • 6. Forensically Sound Self Collection
        • Portable collection technologies that can be configured by an expert to collect ESI based on specific criteria
        • Generate MD5 hash values
        • Executed by a custodian
        • Process creates a reasonable, proportional and defensible collection
        • Minimize complexity, just a few clicks!
    • 7. Remote Collection
        • Large population of custodians
        • Remote collection sites/locations
        • Conduct over network LAN/WAN
        • Streamline process to make more efficient, less disruptive
        • Cost reductions
        • Considerations:
            • Requires appropriate access rights for deployment and access
            • Bandwidth
            • Multi-jurisdictions
    • 8. Thank you
         Presentation by: Danny Garwood, Robert Castonguay
    • 9. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
         © 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
         The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative.
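
The targeted, hash-verified collection described on slides 4 and 6 (filter by folder, file type and date range, then generate hash values) can be illustrated in Python. This is an added example, not code from the presentation or from any of the tools it names; the function names, the manifest columns and the SHA-256 digest recorded alongside MD5 are assumptions.

```python
import csv, hashlib, shutil
from datetime import datetime, timezone
from pathlib import Path

FIELDS = ["custodian", "relative_path", "size", "modified_utc", "md5", "sha256"]

def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def collect(source, dest, extensions, start, end, custodian):
    """Copy in-scope files from source to dest, verify each copy by hash,
    and write dest/manifest.csv. dest must lie outside source."""
    source, dest = Path(source), Path(dest)
    exts = {e.lower() for e in extensions}
    dest.mkdir(parents=True, exist_ok=True)
    rows = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        st = src.stat()  # capture metadata before the file is opened
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        if src.suffix.lower() not in exts or not (start <= mtime <= end):
            continue  # outside the file-type or date-range criteria
        before = file_hashes(src)
        target = dest / src.relative_to(source)  # keep the folder layout
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 carries the modified time over
        if file_hashes(target) != before:
            raise OSError(f"hash mismatch after copy: {src}")
        rows.append({
            "custodian": custodian,
            "relative_path": src.relative_to(source).as_posix(),
            "size": st.st_size,
            "modified_utc": mtime.isoformat(),
            "md5": before[0],      # MD5 is what the slides name
            "sha256": before[1],   # added here as a second digest
        })
    with open(dest / "manifest.csv", "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows
```

Reading a source file to hash it can update its last-accessed time on some file systems, which is one reason the collection tools named in the notes are run against read-only or write-blocked sources where possible.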
