- People. Partnership. Performance. epiqglobal.com
San Diego ACC Paralegal Institute: Forensics strategies for emerging data sources in discovery
- Sept. 25th, 2019

Slack overview:
− Account types
− Collection method
− Channels vs. Direct
administrator account.
process and generate a load file.
− Encryption
− Third-party messaging apps
− Evolving and changing technology
− Enterprise Mobile Device Management software
Wi-Fi network
− Does a policy exist?
− Does IT implement a Mobile Device Management software solution?
− Does preservation of BYOD data exist?
− Does device accessibility exist (for example, passcode management)?
− Has collection of intermixed data been addressed?
− Can you selectively export the requested conversations?
supported), along with technical device details such as the device IMEI and serial
the identified data types and technical device information are included in the reports.
Custody on the collection report drives.
custodian (or counsel) for retention.
text message/chat thread data.
− Allows security policy to be managed centrally
− Allows remote wipe
− May allow for passcode change (usually causes a wipe)
− Potential to inhibit the ability to collect data
− AirWatch, MaaS360, MobiControl, XenMobile, others
to prevent changes/destruction (remote wiping)
forensically maintain RF isolation
for RF avoidance (use caution)
Across all products, support for over 10,000 mobile devices.
application decoding, forensic analysis, and advanced reporting.
− Advanced Logical Method 1 & 2
− Physical (if supported)
− Logical
− File System (typically Android Backup)
at a similar rate. With the growth in device capacity, the time to collect a large phone is comparable to imaging a workstation at 3-5 hours.
an MDM policy.
forgotten password feature for the backup encryption.
need the password to decrypt the image.
https://support.apple.com/en-us/HT205220
performed to remove the password, but it also resets numerous other phone settings.
should only be used as a last resort.
alternative method to getting to the data on the encrypted device.
collection times longer than most custodians will want to be without their device.
be backed up.
2018.
entire industry to collect iCloud backups starting late September 2018 when the backup was iOS 11 or 12, and 2FA was enabled.
iCloud downloads. At this moment in time, this solution is unavailable.
newer devices.
because of the Android security patch updates. In order to collect third-party apps or deleted text messages, you need a physical extraction.
JTAG, chip-off, etc.) are available through Epiq and trusted third-party vendors, but are not always supported on the newest Android devices. These methods may render the device permanently unusable.
tagging
format
relationship if processed
Pros / Cons
produced.
TXT-PARTICIPANTS: List of participant names and/or telephone numbers.
TXT-BODY: Body of text messages, notes, chats, or calendar items. Do not populate for emails.
TXT-STATUS: Indicates whether the text was Sent or Read on the device.
TXT-THREAD-GROUP: Populate with the DOCID of the first text in the chat conversation so that the entire conversation can be grouped as a family. (Sort each device by Chat Number and then by Row Number to assign the TXT-THREAD-GROUP identifier.) This is NOT the BEGATTACH field or the Relativity Group Identifier.
TXT-SMSC: Short Message Service Center (handles SMS text messages on behalf of the phone service provider).
TXT-STARREDMESSAGE: Notes whether the message was flagged.
TXT-DELETED: Indicates whether a chat, instant message, or file was deleted from the mobile device and recovered by Cellebrite.
TXT-READDATE: Date and time the chat, text message, or instant message was opened to read. Format: MM/DD/YYYY HH:MM:SS (use 24-hour times, e.g., 13:32:00 for 1:32 pm); AM, PM, time zone, or day-of-the-week indicators cannot be included.
TXT-TIMESTAMP: Timestamp of the item. Equivalent to DateReceived for incoming items or to DateSent for outgoing items. Format: MM/DD/YYYY HH:MM:SS in 24-hour format, without AM, PM, time zone, or day-of-the-week indicators.
TXT-LOCATION: GPS information associated with chats, text messages, or instant messages.
TXT-MESSAGENUMBER: Similar to RowNumber; individual identifier for the message.
TXT-CHATNUMBER: Chat number; identifies chat groups.
TXT-ROWNUMBER: Row number.
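The two load-file rules above that are easiest to get wrong in bulk are the timestamp format (24-hour, no AM/PM or time zone) and the TXT-THREAD-GROUP assignment (sort each device by Chat Number, then Row Number, and give every row the DOCID of the first row in its chat). The script below is an added example, not part of the presentation or of any vendor tool; the field names are the ones listed above, the DEVICE column and the function names are assumptions, and the rows are constructed sample data.

```python
import re
from datetime import datetime

# Exact shape of TXT-TIMESTAMP / TXT-READDATE as specified in the load file:
# MM/DD/YYYY HH:MM:SS, 24-hour clock, nothing appended (no AM/PM, zone, weekday).
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")


def validate_timestamp(value):
    """True only if value matches the load-file format and is a real date/time."""
    if not TIMESTAMP_RE.match(value):
        return False
    try:
        # strptime rejects impossible values such as month 13 or hour 25
        datetime.strptime(value, "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return False
    return True


def assign_thread_groups(records):
    """Populate TXT-THREAD-GROUP per the slide's rule.

    Within each device (assumed DEVICE column), rows are sorted by TXT-CHATNUMBER
    then TXT-ROWNUMBER; every row in a chat receives the DOCID of that chat's
    first row. Returns a new, sorted list; the input rows are not mutated.
    """
    by_device = {}
    for r in records:
        by_device.setdefault(r["DEVICE"], []).append(dict(r))
    out = []
    for device in sorted(by_device):
        rows = sorted(
            by_device[device],
            key=lambda r: (int(r["TXT-CHATNUMBER"]), int(r["TXT-ROWNUMBER"])),
        )
        first_docid = {}  # chat number -> DOCID of its first row
        for r in rows:
            chat = r["TXT-CHATNUMBER"]
            first_docid.setdefault(chat, r["DOCID"])
            r["TXT-THREAD-GROUP"] = first_docid[chat]
            out.append(r)
    return out


def check_records(records):
    """Return (DOCID, field, value) for every populated timestamp that breaks the format."""
    problems = []
    for r in records:
        for field in ("TXT-TIMESTAMP", "TXT-READDATE"):
            v = r.get(field, "")
            if v and not validate_timestamp(v):
                problems.append((r["DOCID"], field, v))
    return problems


# Constructed sample export rows (not real custodian data). They are deliberately
# out of order, and DOC0002 carries a 12-hour timestamp that the spec forbids.
SAMPLE = [
    {"DEVICE": "PHONE01", "DOCID": "DOC0003", "TXT-CHATNUMBER": "2", "TXT-ROWNUMBER": "1",
     "TXT-TIMESTAMP": "09/25/2019 13:32:00", "TXT-READDATE": ""},
    {"DEVICE": "PHONE01", "DOCID": "DOC0002", "TXT-CHATNUMBER": "1", "TXT-ROWNUMBER": "2",
     "TXT-TIMESTAMP": "09/25/2019 1:32:00 PM", "TXT-READDATE": ""},
    {"DEVICE": "PHONE01", "DOCID": "DOC0001", "TXT-CHATNUMBER": "1", "TXT-ROWNUMBER": "1",
     "TXT-TIMESTAMP": "09/25/2019 09:00:00", "TXT-READDATE": "09/25/2019 09:05:00"},
    {"DEVICE": "PHONE02", "DOCID": "DOC0004", "TXT-CHATNUMBER": "1", "TXT-ROWNUMBER": "1",
     "TXT-TIMESTAMP": "09/26/2019 08:00:00", "TXT-READDATE": ""},
]

if __name__ == "__main__":
    for row in assign_thread_groups(SAMPLE):
        print(row["DEVICE"], row["DOCID"], "->", row["TXT-THREAD-GROUP"])
    print("format problems:", check_records(SAMPLE))
```

Run the validation before the grouping step: a row with a malformed timestamp usually means the export was produced with a different locale or clock setting, and re-exporting is cheaper than patching values after the load file has been built.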
Platform
Management
Apps
Collaboration
Calendar, Contacts & Tasks
Conferencing
Exchange: Sent Date
SharePoint: Modified Date
SharePoint Online/OneDrive: exact URL required. *** S&CC (the Security & Compliance Center) will accept an erroneous URL without reporting an immediate error.
Exchange Online: select the mailbox by typing the user alias.
etc.
(per Microsoft) if the data is exported and searched downstream
items if they understand and accept the limitations of the Microsoft O365 index
export
current location to the parent folder, and the process is repeated until the pathname is under the 260-character limit.
the filename
From Microsoft:
the search results are larger than 2 TB, consider using date ranges or other types of filters to decrease the total size of the search results.
day.
your organization.
Each “Team” has
dedicated EXO mailbox associated to a Team)
users' EXO mailboxes)
Chat-oriented collaboration tool with social media influence
File storage tool similar to Dropbox, Box.com, Google Drive
Share” on File Server.
Metadata Concerns:
synced by the local file system. The same document will have different creation dates in different sync points.
points, including duplicates, could be a requirement.
collection if single sync point is collected.
SharePoint Export folder
SharePoint User Interface