(1) Field of the Invention
The invention relates to methods for collecting data for use as evidence in civil or criminal investigations.
(2) Description of the Related Art
Traditionally, in civil and criminal investigations, electronically stored information (“ESI”) has been collected by one of the following methods: making the usual file copy (which most computer users know how to do), making a special backup, and forensic imaging.
The usual file copy is the most straightforward process, and simply involves selecting the files or folders on a storage device (typically a computer's hard drive) and copying them to another piece of electronic media (typically an external hard drive, USB flash drive or CD/DVD). Quite often, this process is performed by the custodian of the Electronically Stored Information (ESI) themselves, or by a company's IT professional. The commonly perceived advantages of this collection method are that it has few logistical requirements and can be performed by someone with limited technical knowledge. Software tools such as Microsoft's ROBOCOPY can automate the copy process, but the complexity and learning curve of those tools typically negate the advantage of the simplicity of the file copy process. One disadvantage is that the file copy method will only collect “live” files: files that are clearly viewable and accessible by the custodian on the computer system. Another disadvantage is that the file copy method can change information (metadata) about the files being copied, or even the data in the files. Such information may be of relevance to the matter, or could serve to establish the foundation or authenticity of the files. Examples of this are a file's creation date and time, or the specific location of the file on a hard drive.
Additionally, the method of collecting ESI by merely making file copies cannot collect deleted files, and usually does not include system files, log files or unallocated disk space. Unallocated disk space is the area of the hard drive or electronic storage medium where the contents of previously viewable files remain for a period of time. When a file is deleted using normal Microsoft Windows procedures, the operating system merely loses its reference to the deleted file, so that the file is no longer accessible without specialized tools, which can often recover it. Deleted files may show former possession of information, or attempts to destroy or alter evidence. System files and logs are often used to establish user activity, such as internet browsing or the movement of data to external media.
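The metadata problem described above can be seen directly. The following script is an added example, not part of the patent text: it creates a small constructed file, back-dates its modification time to an assumed value (2010-01-01 UTC), then copies it once with a plain content copy and once with a timestamp-preserving copy, and reports which copy kept the original modification time. File names and the sample content are constructed for the example.

```python
# Added example (not from the patent text): an ordinary file copy can change
# file metadata, here the modification timestamp, while a metadata-preserving
# copy keeps it. The sample file and its timestamp are constructed inline.
import os
import shutil
import tempfile

# Constructed value: 2010-01-01 00:00:00 UTC, used as the "original" timestamp.
OLD_MTIME = 1_262_304_000


def make_sample_file(directory):
    """Write a small constructed file and back-date its access/modification times."""
    path = os.path.join(directory, "memo.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("constructed sample content\n")
    os.utime(path, (OLD_MTIME, OLD_MTIME))
    return path


def compare_copy_methods(directory=None):
    """Copy the sample file two ways and report whether each kept the original mtime.

    shutil.copyfile copies content only: the copy's mtime is the time of copying.
    shutil.copy2 also copies timestamps and permission bits (like `cp -p`).
    Neither can set the inode change time (ctime) on POSIX, so even copy2 is
    not a forensic preservation of all metadata.
    """
    workdir = directory or tempfile.mkdtemp()
    src = make_sample_file(workdir)
    plain = os.path.join(workdir, "memo_plain_copy.txt")
    preserving = os.path.join(workdir, "memo_copy2.txt")

    shutil.copyfile(src, plain)
    shutil.copy2(src, preserving)

    src_mtime = os.stat(src).st_mtime
    return {
        "plain_copy_keeps_mtime": abs(os.stat(plain).st_mtime - src_mtime) < 1.0,
        "copy2_keeps_mtime": abs(os.stat(preserving).st_mtime - src_mtime) < 1.0,
    }


if __name__ == "__main__":
    for method, kept in compare_copy_methods().items():
        print(f"{method}: {kept}")
```

The plain copy reports a modification time of the moment the copy was made, so the original timestamp is lost; the preserving copy keeps it, but the inode change time is set by the kernel and cannot be carried over by either method, which is one reason a file copy is not treated as an evidentiary preservation of a file's metadata.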
Most custodians of information relevant to an investigation or legal proceeding do not have the technical knowledge to locate system files and logs, and some files are not accessible by the custodian. The computer operating system, and most applications, cannot directly access deleted files or unallocated disk space.
Because the file-copy method of data collection is limited to only the files selected by the custodian, this method is not suitable if the scope changes after the original collection is completed. It is not uncommon for the scope of legal discovery or an investigation to change as new information is revealed throughout the course of the matter. Common scope changes include new key players being revealed, changes in the relevant data types selected to be reviewed, or changes to the actual search criteria.
Using the usual file-copy data collection method, changes in scope after the initial collection require a second collection, and perhaps a third collection and so on, as the scope is refined. Additional collections not only result in additional time and cost, but potential evidence can also be lost or become inaccessible if a court rules that additional collections are overly intrusive or burdensome to the custodian. Furthermore, even if additional collections are allowed, data may have been altered or destroyed since the initial collection by normal computer functions, accidental alteration, or intentional destruction.
Putting the selection and collection process in the hands of the custodian greatly increases the possibility of accidental, negligent, or willful destruction, alteration, or omission of evidence. If such events occur, potentially relevant evidence can be lost, and responsible parties and their attorneys can face sanctions and/or fines.
The second common method of data collection is to make a special backup. This method uses backup applications either included as part of the computer's operating system, such as Microsoft Windows Backup and Recovery, or aftermarket backup utilities such as Norton Ghost or Acronis TrueImage.
The special backup method requires more technical ability than the file-copy method, and appropriate backup software may not be preinstalled on the computer. Installing software on the computer could potentially alter the very evidence that is being collected. Other disadvantages are that backup software does not copy recoverable deleted files or unallocated disk space, and some backup software is known to alter certain metadata.
The third common option for collecting ESI is making a complete forensic image of a computer hard drive or other storage device. A complete forensic image is a verifiable bit-by-bit copy of the data stored on an electronic storage device, including deleted or unallocated data. This process bypasses the computer operating system and, in a non-volatile manner, copies all of the data, including recoverable deleted files, unused disk space, and system files. This method even copies areas of the physical storage device that are reserved for manufacturer access only, and areas that are empty and have never stored data (truly unused disk space). A complete forensic image is created using specialized software and/or hardware that copies all data on a hard drive in a verifiable and repeatable manner that does not alter the original media. A full forensic image collected by an experienced forensic professional is the industry standard method of collecting electronically stored information for use in civil and criminal matters, and has been for several years. Because a forensic image collects a complete copy of all data on a piece of electronic media, the data has already been collected and preserved in a read-only format even if the scope of the matter changes, and thus can be analyzed and produced by the custodian to the opposing party as needed.
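The two properties that distinguish a forensic image from a file copy, that every byte of the medium is captured (including unallocated space) and that the copy is verifiable, can be shown with a minimal imaging routine. The script below is an added example and is not the patent's method or any vendor's tool: it builds a constructed 64 KiB file that stands in for a storage device (one live file at the start, a "deleted" remnant left in zero-filled unallocated space), copies it block by block while computing a SHA-256 hash, re-hashes the written image to verify it, confirms the remnant was captured, and then shows that a single altered byte in the image is caught on re-verification. The block size, device size, file names and sample contents are all assumptions of the example.

```python
# Added example, not the patent's own method: a minimal bit-for-bit image of a
# storage device, with a SHA-256 computed during acquisition and re-verified
# from the written image. The "device" is a constructed file standing in for a
# block device so that the example runs offline.
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096          # assumed read/write block size
DEVICE_SIZE = 64 * 1024    # constructed device size in bytes


def build_sample_device(path, size=DEVICE_SIZE):
    """Constructed stand-in for a drive: one live file at the start and a
    'deleted' remnant left in otherwise zero-filled unallocated space."""
    data = bytearray(size)
    live = b"LIVE FILE: quarterly report (constructed sample)"
    remnant = b"DELETED REMNANT: draft memo no longer referenced (constructed sample)"
    data[:len(live)] = live
    data[size // 2:size // 2 + len(remnant)] = remnant
    with open(path, "wb") as fh:
        fh.write(data)


def image_device(src_path, dst_path):
    """Copy every byte of src to dst in fixed blocks, hashing as it is read.
    Returns (bytes_copied, sha256_hex): the acquisition record."""
    digest = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def hash_file(path):
    """SHA-256 of a whole file, read in blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(image_path, acquisition_hash):
    """Re-hash the image and compare it to the hash recorded at acquisition."""
    return hash_file(image_path) == acquisition_hash


def run_demo(workdir=None):
    """Acquire, verify, check that unallocated data was captured, then show
    that a single changed byte in the image is detected on re-verification."""
    workdir = workdir or tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.img")
    build_sample_device(device)

    copied, acq_hash = image_device(device, image)
    verified = verify_image(image, acq_hash)
    with open(image, "rb") as fh:
        remnant_present = b"DELETED REMNANT" in fh.read()

    # Deliberate alteration for the demonstration: overwrite the last byte,
    # which lies in the zero-filled unallocated region of the image.
    with open(image, "r+b") as fh:
        fh.seek(DEVICE_SIZE - 1)
        fh.write(b"\xff")
    tamper_detected = not verify_image(image, acq_hash)

    return {
        "bytes_copied": copied,
        "verified_after_acquisition": verified,
        "deleted_remnant_present": remnant_present,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash computed while reading the source is the value a practitioner records with the acquisition; any later re-hash of the image that differs from it shows the image is no longer an exact copy. Real imaging tools also write-block the source and record the operator, time and device identifiers alongside the hash, which this example omits.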
Forensic imaging requires specialized knowledge, training, and tools. This combination of training and tools adds to the cost of data collection. Traditional forensic imaging also requires that a forensic expert have physical access to the electronic storage device. This can be a logistical nightmare, especially when dealing with large-scale collections or geographically dispersed custodians. With the growth of telecommuting, this is more common than ever before. It is also difficult to collect data from executives and sales people because of their busy schedules. Unfortunately, these people are the ones most likely to be important custodians in litigation and investigations.
Because of the logistical and financial drawbacks of forensic imaging, particularly in large-scale collections or in geographic regions where forensic professionals are not readily available, some organizations have previously chosen not to collect data using forensic imaging, thus risking court-ordered sanctions for spoliation of evidence.
The following U.S. patent applications disclose various inventions relating to a method of collecting complete computer forensic images of storage media: U.S. patent application no. 20090094203 discloses an apparatus and method for searching for digital forensic data. U.S. patent application no. 20090253410 discloses a method for mitigating the unauthorized use of a device. U.S. patent application no. 20090247122 discloses a system for monitoring the unauthorized use of a device. U.S. patent application no. 20090164522 discloses a method for the forensic collection of volatile and static data from active target computer systems. Each one of these patent applications is incorporated by reference in its entirety.
U.S. patent application no. 20090164522 states, “In preferred embodiments of the method, the data is collected covertly”, and also “The active target computer in the above method can be a public computer in a library, hotel, internet cafe, school, and the like, or may be a personal computer left running unattended in a home or business and the like. The target computer can be any computer that has recently been used by a subject under investigation, preferably a computer in which the subject has not shutdown or restarted the system after use.”
Unfortunately, the invention of U.S. patent application no. 20090164522 requires that “a user such as an agent's handler will preferably first be trained in the use of the system to fully understand its power and use.” That method of data collection also requires that the trained user must select key information, including a label for the removable storage device to be used, case name, and user information, whether the system should generate code for covert or overt data collection, and the data items to be collected. Furthermore, U.S. patent application no. 20090164522 states about its “Data Acquisition Phase” the following: “This phase, while simplistic in use, can be the most complicated to perform.”
U.S. Pat. Nos. 7,640,323 and 7,644,138 disclose a forensics tool for examination and recovery of computer data. Each one of these patents is incorporated by reference in its entirety. The invention of U.S. Pat. Nos. 7,640,323 and 7,644,138 allows a user to conduct a limited preliminary examination of a computer using a client program on a physical memory device, whereby limited information about the examination result is displayed. To further access and examine the actual underlying data, the user must obtain additional functionality by obtaining a command block from a control server. The additional functionality allows the client program to extract, copy, export, or further access the data of interest. Although the client program allows a user to repeatedly determine whether various drives contain information of interest, each time a determination is made the user must contact the vendor and purchase additional features or commands. Specifically, a person investigating a target computer using the forensic client software must visit the control server to purchase a command block and specifically tailor the exact type of data that is to be retrieved and downloaded onto an external drive. Once the customizable feature or command is purchased, it is usable with the client program only on a specific computer. Furthermore, the feature or command is specific to particular hardware in a particular state.
Thus, what is needed is a method of data collection that does not require the custodian of the data to choose between (a) the evidentiary advantages and flexibility of making a forensic image, and (b) the simplicity and low cost of making a file copy. More specifically, what is needed is a method of collecting complete computer forensic images of storage media that allows custodians to easily perform a self-collection of all of the available storage space on their hard drives or other attached electronic media capable of storing data, while authenticating the collection and preserving exact copies of all live and unallocated data, without making changes to the collected data, and without allowing the custodian to deselect certain files or accidentally delete or spoil data.