May 19, 2021

Remote Data Collections: Benefits & Limitations

With the events of the past year, many businesses moved to a working from home culture. As we slowly move out of lockdown restrictions across the world, the likelihood is that a hybrid approach to working in an office and from home will be coined as the ‘new normal’. With this shift in location of employees, the physical location of potentially relevant information is no longer centralised within the four walls of a company’s office. In this article, we discuss the approaches that can be taken to remotely capture, in a forensic and defensible manner, all relevant devices and information that is required in support of legal matters.

Historically, it was taken for granted that a digital forensic expert needed to be in physical possession of a digital device to preserve its contents. On many matters, this involved the deployment of teams of experts to client locations. This immediate deployment could be down to a lack of understanding of, or comfort with, what can be achieved with remote data collections, and how these are just as defensible as an onsite collection. However, there will still be instances where onsite data collection is required, for reasons that we will cover in this article.

Why choose a remote collection?

Remote data collections are becoming a pertinent method of acquiring digital data in the forensic industry, with advancements in software and services making this type of forensic collection an ever more viable option. Depending on the needs of a project or client, remote data collections may be a more feasible method of obtaining data from relevant devices. For instance:

1. Speed

  • There is an almost immediate start to the data collection exercise due to the time saved in travel and setting up equipment at an onsite location.
  • When data is captured remotely, there can be a quicker turnaround in preparing this for follow-on processes, such as a document review/disclosure exercise.
  • Delays often occur when visas are required to access a country. However, these can be overcome by utilising a remote data collection methodology.

2. Cost

  • In-person data collections often require a consultant, or team of consultants to both travel to and stay in close proximity to a client’s office. With a remote data collection, these ancillary expenses are not incurred on a matter.
  • With more and more people working from home, digital devices are no longer centralised at a company’s office. As such, remote collections can be a non-intrusive way to image devices that may be located at personal residences and negate the need for travel to every location.
  • Consultants can continue with other work while acquisitions are running. However, if they were onsite this may not be possible, and a client may therefore be charged additional fees.

3. Travel restrictions

  • With the current uncertainty and ever-changing circumstances of the pandemic, remote data collections have become a neat and functional way of acquiring digital data in a forensically sound manner whilst minimising person to person contact.

Applicable data sources suitable for remote data collection

The below is not an exhaustive list of data sources suitable for remote collection but does give a flavour as to the types of data and applications.

  • Emails: mailboxes held with online email service providers such as Outlook, Office365, Gmail, and Yahoo, as well as other email providers, can all be downloaded remotely in a forensically sound manner using specialist data capture software.
  • Cloud services: cloud data storage services including but not limited to data from Office365, G-Suite, Dropbox, OneDrive and Box.
  • Physical devices: including servers (both physical and virtual), computers and laptops (Windows, Mac and Linux devices), and mobile phones (the capability of conducting remote captures of mobile phones can vary due to the need for hands-on access to the device).
  • Collaboration or chat software: applications such as Zoom, Teams or Skype are now more commonly used within businesses, and their logs, including chat records, call histories and shared documents, can all be secured remotely. Legacy chat applications such as Bloomberg chat have been, and continue to be, easily acquired remotely.
  • Document management systems: platforms such as SharePoint can be fully extracted and preserved remotely. Depending on data volumes, there may be a need for some level of onsite presence.
  • Databases (including CRM or other structured systems): this includes accounting systems, Salesforce or other bespoke company systems.

Precautions / Limitations

Whilst the remote data collection process can provide an efficient method of obtaining client data, there are disadvantages, or potential risks, associated with not having an expert present on-site to conduct the acquisition:

  • Fewer acquisition techniques are available remotely, and unreliable network connectivity may hinder the dependability of our forensic tools.
  • Troubleshooting an acquisition that is not working is more difficult in a remote collection scenario.
  • There is a reliance on on-site personnel carrying out physical tasks such as connecting hard drives and providing basic diagnostic information. The trustworthiness and competence of the IT team, or of the individual in control of the information, is crucial.
  • The remote acquisition capabilities of mobile phones are typically quite limited as they require a more hands-on method of data extraction.
  • Due to the levels of security present on modern smartphones or tablets, acquiring these types of devices can be demanding and may require more hands-on involvement in order to obtain an extraction. Depending on the requirements, a remote collection may still be a viable option but does require additional support from the person in physical custody of the device.
  • It is necessary to obtain all usernames and passwords with administrative privileges of the device to be acquired. Should the custodian not have this information, it can often be provided by a custodian’s company IT team but there may be pushback from a security standpoint.

Benefits

There are significant benefits in performing remote collections, but it is always necessary to weigh these up against the previously discussed precautions whilst also taking time to consider the feasibility on a case-by-case basis. Certain benefits include:

  • Chain of custody – this can still be achieved, albeit with slightly different procedures to those that would be used if a physical handover of a device were being performed. Ensuring that remote access logs, courier records and a documented record of the process are retained provides sufficient evidence of any virtual handover process. Should a question ever be raised around the tampering of a device whilst a remote collection is in process, there are forensic analysis techniques that can be applied to prove or disprove such claims.
  • Forensically Sound Captures – Remote collections typically apply the same tools and techniques as those used during an in-person capture. It is purely the mechanism for accessing the device that is different. As such, all data can be proven to be accurate at the time of capture if this ever comes under scrutiny.
  • Cost Savings – costs are reduced due to the limited need for travel charges and expenses for a forensic consultant to travel and attend an on-site address.
  • Contactless – Remote collections are conducted in a manner that reduces person to person contact during the current pandemic situation or where there is a need for a discreet data collection.
  • Speed – The time to get set up and running with a remote collection can often be quicker than travelling to the location of the device. This is certainly relevant where devices are spread across geographies. In addition, any follow-on processes, for example processing into a document review platform or forensic analysis, can often be started immediately upon the successful capture.

In summary, a remote collection is never the silver bullet that can be used in all data collection requirements. However, with careful consideration of the case requirements and by weighing up the benefits and potential limitations, it can certainly be an effective approach to saving time and cost on many matters.

How can A&M help?

At A&M, we have extensive experience remotely collecting and preserving email accounts, cloud storage, mobile devices, computers and servers using a multitude of forensic techniques and tools. As part of this, the team is continuously developing procedures for capturing across various sources, ensuring that all of our processes are conducted in a forensically sound manner to certify that any investigative findings are admissible in court and will withstand scrutiny.

Recent case examples of remote data collection

The A&M team have performed several remote collections on a variety of matters over recent months. A few such case examples are:

  1. The team conducted a remote collection of over 20 exhibits including email accounts, cloud storage and chat applications using industry standard data capture software and forensically sound techniques, documenting our methods of capture within detailed data acquisition forms to comply with industry standards;
  2. The team worked closely with a client’s IT support team in the UK to remotely access and acquire a copy of an email server. The digital copy of the data was then encrypted and shipped to our colleagues in the US to be processed, indexed and uploaded to Relativity for a document review exercise;
  3. The team provided detailed instructions to a client’s IT support to facilitate the acquisition of several computers remotely. The logs of each data acquisition were reviewed by our experts for verification, and the data was sent by the client via secure courier to our London headquarters in order for the data to be uploaded to our FTP site.

If you would like to discuss the feasibility of performing remote data collections on an existing or future matter, then please do not hesitate to get in touch with the author Graeme Buller or one of the A&M team.

 
