

  1. San Diego ACC Paralegal Institute
  Forensics strategies for emerging data sources in discovery
  Sept. 25th, 2019
  People. Partnership. Performance. epiqglobal.com

  2. Slack
  • Slack Overview
  • Account Types
  • Collection Method
  • Channels vs Direct Messages
  • Limitations
  • Processing / Review
  • Recap with step-by-step collection instructions

  3. Slack Stats
  • Released in 2014
  • 3 million paid subscribers
  • 8 million daily users
  • More than 1,500 apps in Slack directory
  • 5.1 billion corporate valuation

  4. What is Slack?

  5. Slack Conversation Types
  • Public and Private Channels
  • Direct and Multi-party Messages

  6. Free, Standard, and Plus accounts require the end user's credentials to collect their account

  7. Enterprise accounts can be collected from an administrator login

  8. Free Slack Account Limitations

  9. Slack Export Features
  • The native export for Plus and Enterprise accounts creates a JSON file
  • The JSON file includes a link to the native but not the actual native file.
  • The JSON file format is not easily rendered into a reviewable format.

  10. Slack Collections
  • Best Practice tools:
    − Capture Direct and Multi-party Messages
    − Selectively capture Public and Private Channels
    − Download and extract metadata from attachments
    − Retain the parent-child relationship with attachments
    − Generate a native file of the message conversation
    − Export is load ready for Relativity
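Slides 9 and 10 describe the two problems with a raw Slack export: the message JSON carries only a link to each attachment, and the format is not review-ready. The following is an added example (not Epiq's tooling or Slack's own code) showing how an export day file is flattened into review-ready rows while keeping each attachment link tied to its parent message; the workspace, user IDs, channel name and file URL are constructed sample values.

```python
"""Flatten a Slack export day file into review-ready rows.

Slack exports are a directory per channel containing one JSON file per
day; each file is a JSON array of message objects, and users.json maps
user IDs to profiles. Attachments appear as a "files" array on the
parent message with a url_private link, not the file bytes.
"""
import json
from datetime import datetime, timezone

# Constructed sample export data (not from a real workspace).
USERS_JSON = json.dumps([
    {"id": "U01AAAA", "name": "jdoe", "real_name": "Jane Doe"},
    {"id": "U01BBBB", "name": "rroe", "real_name": "Richard Roe"},
])
CHANNEL_DAY_JSON = json.dumps([
    {"type": "message", "user": "U01AAAA", "ts": "1569340800.000100",
     "text": "Draft attached <@U01BBBB>, please review."},
    {"type": "message", "user": "U01AAAA", "ts": "1569340860.000200",
     "text": "", "files": [{"id": "F01CCCC", "name": "msa_v3.docx",
        "url_private": "https://files.slack.com/files-pri/T01-F01CCCC/msa_v3.docx"}]},
    {"type": "message", "user": "U01BBBB", "ts": "1569341400.000300",
     "text": "Looks good.", "thread_ts": "1569340800.000100"},
])


def slack_ts_to_utc(ts: str) -> str:
    """Slack ts is epoch seconds plus a 6-digit ordering suffix."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def flatten_export(users_json: str, channel_json: str, channel: str) -> list:
    """Return one row per message; attachments stay attached to their parent row."""
    users = {u["id"]: u.get("real_name") or u["name"] for u in json.loads(users_json)}
    rows = []
    for msg in json.loads(channel_json):
        if msg.get("type") != "message":
            continue  # skip non-message events (joins, pins, etc.)
        text = msg.get("text", "")
        for uid, name in users.items():  # render <@Uxxx> mentions as names
            text = text.replace(f"<@{uid}>", f"@{name}")
        rows.append({
            "channel": channel,
            "message_id": msg["ts"],                           # unique within a channel
            "thread_parent": msg.get("thread_ts", msg["ts"]),  # replies point at parent
            "sent_utc": slack_ts_to_utc(msg["ts"]),
            "from": users.get(msg.get("user"), msg.get("user", "unknown")),
            "text": text,
            # The export carries only links; natives must be downloaded separately.
            "attachments": [(f["name"], f["url_private"]) for f in msg.get("files", [])],
        })
    return rows
```

Each row can be written out as a load-file record, with the attachment column identifying the native that still has to be fetched and hashed.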

  11. Slack Collection Recap
  • Is the client using Slack Enterprise or Free/Standard/Plus versions?
    − If Enterprise, we can collect the custodian's direct messages and channels from an administrator account.
    − If not, we need the custodian's credentials.
  • Does the client have two-factor, SSO, or SAML authentication enabled?
  • Determine what Public channels need to be collected and from whom.
  • Determine if Direct Messages need to be collected and from whom.
  • Confirm if a date filter should be applied to the collection.
  • Collections typically take 1-2 days to download, with an additional day or so to process and generate a load file.

  12. Mobile Devices

  13. Mobile
  • Corporate Policy and Mobile Device Management Considerations
  • Overview of mobile device collections
  • Potential issues to consider with Apple and Android devices
  • Reporting, review, and production of mobile data

  14. Mobile Device Preservation and Collection
  • Mobile device data is:
    − Easily altered / spoliated
    − Challenging to preserve and collect
      o Encryption
      o Third party messaging apps
      o Evolving and changing technology
      o Enterprise Mobile Device Management Software
    − Different in format from traditional computer data collections
    − Constantly changing when connected to a cell tower or Wi-Fi network

  15. Corporate Mobile Policies – Universal Considerations

  16. BYOD
  • Bring Your Own Device (BYOD)
  • Increasing popularity
  • Users mix personal and business data
    − Does a policy exist?
    − Does IT implement a Mobile Device Management software solution?
    − Does preservation of BYOD data exist?
    − Does device accessibility exist (for example, passcode management)?
    − Has collection of intermixed data been addressed?
      o Third-party and affiliated parties such as board members

  17. BYOD
  • How do you address the privacy concerns to limit what is reviewed?
  • How do you address the intermingled data issues?
    − Can you selectively export the requested conversations?

  18. Example BYOD Collection Method
  • Forensics consultant will collect the device using Cellebrite.
  • All collected data will be saved to an encrypted hard drive.
  • The consultant will open the collection in Cellebrite Physical Analyzer (PA).
  • The consultant will prepare a Cellebrite PA report of the requested SMS, MMS, and Chat (if supported), along with technical device details such as the device IMEI and serial number. The report will be made in two formats: Microsoft Excel and Cellebrite UFED Reader format. The reports will be saved to two (2) separate collection drives.
  • The consultant will perform a QC check on the Cellebrite reports with counsel to ensure only the identified data types and technical device information are included in the reports.
  • The consultant will take possession of the collection reports and start an electronic Chain of Custody on the collection report drives.
  • The consultant will hand the original encrypted drive with the full collection data to the custodian (or counsel) for retention.
  • Forensics consultant will only leave the collection site with the Cellebrite reports of identified text message/chat thread data.

  19. MDM
  • Mobile Device Management Software
  • Used by organizations to control device use and security
    − Allows security policy to be managed centrally
    − Allows remote wipe
    − May allow for passcode change (usually causes wipe)
    − Potential to inhibit the ability to collect data
    − AirWatch, MaaS360, MobiControl, XenMobile, others

  20. MDM
  • Examples of MDM restrictions

  21. Mobile Collections

  22. Mobile Device Collections
  • Mobile device must be isolated from cell towers and Wi-Fi (radio frequencies – RF) to prevent changes/destruction (remote wiping)
  • Special Faraday boxes can be used to forensically maintain RF isolation
  • Airplane mode is a common method for RF avoidance (use caution)

  23. Mobile Device Collection Tools
  • Tools currently available at Epiq:
    − Cellebrite
    − XRY
    − Blacklight*
    − Mobilyze*
    − Oxygen Forensics*
  • Across all products, support for over 10,000 mobile devices
  * Limited to iOS and certain logical Android collections

  24. Cellebrite Collection Method Overview
  • Industry standard in mobile collections, application decoding, forensic analysis, and advanced reporting.
  • Apple iOS collections
    − Advanced Logical Method 1 & 2
  • Android
    − Physical (if supported)
    − Logical
    − File System (typically Android Backup)

  25. Collection Time
  • Phone sizes have increased 10x over the last five years, with the volume of text and chat messages growing at a similar rate.
  • With the growth in device capacity, the time to collect a large phone is comparable to imaging a workstation at 3-5 hours.

  26. Mobile Collection Issues to Consider

  27. Encryption Types
  • Encryption is becoming more popular on mobile device hardware, software, and at the application level.
  • Hardware/File Based
    − Blackberry, Android, and iOS
  • Software
    − iTunes Backup Encryption
  • Application Level
    − Messaging Apps: Signal and Wickr

  28. iTunes Backup Encryption
  • One-time password
  • It can be user initiated or implemented via an MDM policy.
  • iTunes (installed version) does not support a forgotten password feature for the backup encryption.
  • The device can be collected; however, we need the password to decrypt the image.
  https://support.apple.com/en-us/HT205220

  29. iTunes Backup Encryption Removal
  • For iOS 11 and newer, a settings reset can be performed to remove the password, but it also resets numerous other phone settings.
  • Once you apply the reset, it cannot be undone. This should only be used as a last resort.
  • Consider downloading an iCloud backup as an alternative method of getting to the data on the encrypted device.

  30. Apple iOS Collection Issues
  • The new iPhones support 512 GB of storage, making collection times longer than most custodians will want to be without their device.
  • iTunes Backup Encryption
  • MDM client software restricting what applications can be backed up.
