digital forensics (2)

Changes in Forensic Investigations and Collections

Share this article

In part four of our series on change, we’re diving into changes in forensic investigations and collections. Even for those that perform eDiscovery frequently, these changes are relevant since forensic data can be a vital part of eDiscovery document sets.

The forensics industry has not changed as quickly as the eDiscovery market, certainly in terms of processes and software, but there are still important considerations. The collections process has had to keep up with the new and updated types of data to capture – social media and ephemeral information (such as Slack, WhatsApp, and Snapchat) being two examples. There are also significant shifts in the data sources for forensics as well as consolidation in the industry among tools and providers.

Forensic Sources of Data

Historically, the computer and IT would be the best source of information about everything that happened on it, and the need for third-party logs was rare. But the advent of third-party data storage sites accessible through webpages has meant that investigators need to gather logs or data for information a user accessed, but the computer does not store tracking information.  

For instance, using O365 through a web browser to edit a Word document leaves very little trace on the computer as to what changes were made in Word. When utilizing Gmail through the web application, it does not leave the kind of significant traces on the computer as it does when Outlook downloads data to a .pst file.

The advent of remote work has accelerated the use of remote desktop applications to connect to virtual computers. In this scenario, the local computer may store very little information about user behavior. But, the local computer cannot be disregarded for the purpose of timing and some other user actions. For instance, the local computer connects to an internet source and potentially a VPN and has local printing and storage capabilities that may be shared with a remotely connected computer. Therefore, both the local computer and the remote desktop may need to be taken into account during a forensic investigation to get a complete picture of user activity.

Remote Collection

With more data being generated and stored in public and private clouds, remote collection is in its heyday. The need for a physical presence to collect ESI and other forensic data still exists, but it’s becoming rare.

For example, data collection from iOS/Apple devices (such as iPhones and iPads) can be made using iCloud backup techniques. Indeed, most iOS devices can be collected without significant time interruption to the user. The user has to provide credentials and answer a two-factor authentication prompt, in contrast to taking a phone away for several hours to collect it in person. A ubiquitous system to collect Android devices does not exist, although there may be some possibility for certain brands. As such, those devices most often need to be collected in person.

In general, any device connected to the internet with a reasonably fast upload bandwidth can be collected remotely. In the cases where bandwidth is insufficient, a drive may be shipped to a user to plug in, collect locally, and ship back to the examiner. This requires a relatively comfortable computer user on the collection end but no special skills or training.

With remote collections, chain of custody documentation is even more important. Establishing when and how the data was released is critical in any situation, particularly in cases like the one mentioned above.

Of course, remote collections aren’t without complications. The right type of access to the computer such that an appropriate forensic collection can occur is crucial. Often, screen sharing technology blocks the ability of popups for administrative tasks making it difficult to use these remote technologies. Common video meeting technology may not be sufficient, and an alternative IT support style screen sharing tech may be needed to walk a user through administrative prompts with verification from the remote-assisted examiner.

In a recent case, Avansic’s forensic technicians had difficulty getting screen sharing to work on a remote computer, so we had a custodian access the meeting with their cell phone and hold it in front of the screen while we told them what to do. Not the most convenient, but it worked, given the remote location of the user and the device.

Data Types

Collaboration communication has experienced quite the evolution: from phone calls to chat programs to email and beyond. Currently, Slack, Teams, and other web-based platforms like Monday have replaced back-and-forth email and other text-based communication. Most of these tools were not built with eDiscovery in mind.

Although some of these programs make it possible to export information, for eDiscovery purposes, that data needs massaging and conversion to be useful. Taking these exports in whatever format they might be, normalizing the data, and combining it with other regular documents, forensic artifacts, and email takes certain skills and is a moving target as these programs add features or alter their export methodologies.

Collaboration apps, much like social media, allow users to alter a message after it has been sent, potentially creating two versions of a message seen by a recipient. This is unlike email, which is fixed in time and doesn’t change.

Consolidation of Tools

Significant M&A has been ongoing in the forensics industry in the last few years, in the companies themselves and with the software they develop. This has led to examiners moving between companies which can cause confusion when transitioning a project to another company but staying with the same examiner. To alleviate this, ensure your engagement letters with forensics vendors contemplate the termination of that vendor or individual and the assignment of a new one.

A combination of companies can mean the change, consolidation, or sunsetting of software they own – whether it is a legacy tool that processes NTFS for carving deleted data (which hasn’t changed in years) or a brand new piece of software that can interpret geolocation data from multiple disparate devices in real-time. Understanding who actually owns the software you’re using and what happens to your licenses if they are acquired or go out of business is good hygiene. Given the hundreds of individual tools and licenses many forensics practitioners have, it is essential to manage them and understand a little about where they are positioned in the market.


Although forensic changes don’t move at the same pace as eDiscovery, there are significant factors to consider if a case uses data from a forensic examination or if such an examination is being contemplated. Understanding the change in this industry can help customers, vendors, and other stakeholders have a better picture of where forensics fits.


Share this article