Data Acquisition
The Oliver Group assists clients in developing and executing comprehensive, efficient and forensically sound data acquisition efforts, ensuring the optimal return on investment.
Cost Effective Strategies for Data Acquisition
It is important to understand the context of each matter and develop the appropriate goals and objectives of the data acquisition process. Electronically Stored Information (ESI) can reside on network servers, desktop PCs, laptops, backup tapes, handheld devices, and just about any other storage medium. As such, it is important to scope each effort to ensure that a complete assessment of the ESI sources is made and that a cost-effective and pragmatic methodology can be developed in conjunction with all stakeholders.
The following provides an overview of the key considerations, and some common terminology to help guide you through the process.
Data Acquisition & Forensics - The Basics
Forensic Capture
- Utilizes specialized hardware and software that preserves metadata; not every forensic capture requires a full forensic image
- Consider cost containment vs. risk mitigation when deciding on the capture methods
Forensic Imaging
- Bit level copy of an entire hard drive or device
- Captures logical and deleted files, as well as file fragments
- Avoids having to re-collect from the same device
- Typically, Preservation and Working copies are made
- Required for forensic analysis
Targeted Approach
- Selective capture of files
- Minimizes data volumes
- Does not allow for forensic analysis or recovery of deleted items
Chain-of-Custody and Documentation
- Detailed documentation regarding the ESI source, custodian and data collected
- Chain-of-Custody documents for the transfer of evidence between parties and locations
- Documentation of custodian, legal and IT staff interviews
Preservation vs. Selectiveness
- Not all data that is collected will necessarily have to be processed or reviewed
- It is often more cost-effective to preserve data at the outset, rather than to be too selective during the acquisition phase.
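The Forensic Imaging and Chain-of-Custody items above, worked through as an added example (not The Oliver Group's own tooling): a bit-level copy is made once from the source, a working copy is cloned from the preservation copy, every artefact's hash is written to a custody log, and the log is used to re-verify an image before analysis. A constructed sample file stands in for the evidence device; paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: minimal forensic-imaging workflow with hash logging.
# A constructed sample file stands in for the evidence device; in practice
# SOURCE is a write-blocked device node such as /dev/sdb (assumed name).

sha256_of() {
    # Hex digest only; coreutils sha256sum, or shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# log_hash LOG ROLE PATH HASH  -- one chain-of-custody line per artefact
log_hash() {
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# acquire_image SOURCE PRESERVATION WORKING LOG
# Bit-level copy of SOURCE into PRESERVATION, then a working copy cloned
# from that (the source is read exactly once); every hash goes to LOG.
# Returns non-zero unless all three hashes agree.
acquire_image() {
    src=$1; pres=$2; work=$3; log=$4
    src_hash=$(sha256_of "$src")
    dd if="$src" of="$pres" bs=4096 2>/dev/null || return 1
    cp "$pres" "$work" || return 1
    pres_hash=$(sha256_of "$pres")
    work_hash=$(sha256_of "$work")
    log_hash "$log" source "$src" "$src_hash"
    log_hash "$log" preservation "$pres" "$pres_hash"
    log_hash "$log" working "$work" "$work_hash"
    [ "$src_hash" = "$pres_hash" ] && [ "$pres_hash" = "$work_hash" ]
}

# verify_against_log IMAGE LOG
# Re-hash IMAGE (for example after a custody transfer, before analysis)
# and compare with the hash last recorded for that path in LOG.
verify_against_log() {
    logged=$(awk -v p="$1" '$3 == p { h = $4 } END { print h }' "$2")
    [ -n "$logged" ] && [ "$(sha256_of "$1")" = "$logged" ]
}
```

Any later edit to the working copy, even a single appended byte, makes `verify_against_log` fail, which is exactly the check a custody transfer should trigger.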
Where Does Evidence Reside on a File System?
Evidence is potentially located in many, many places. It is critical to understand exactly what information is required for the case in order to identify the best sources of responsive data and select the appropriate acquisition protocol.
- The logical file system
- The event logs on a computer or server
- The Registry, which is essentially an enormous log file
- Application logs not managed by the Windows Event Log Service
- The swap files on a hard drive, which harbor information that was recently located in RAM (named pagefile.sys on the active Windows partition)
- Special application-level files, such as Internet Explorer's Internet history files (index.dat), Netscape's fat.db, the history.hst file and the browser cache
- Temporary files created by many applications
- The Recycle Bin, a hidden logical file structure where recently deleted items can be found
- The Printer Spool
- Sent or received email, such as the .PST files for Outlook Mail
- Slack space, where fragments of previously deleted files that cannot otherwise be recovered may still be obtained
- Free or unallocated space, where you can obtain previously deleted files, including damaged or inaccessible clusters