Data Collection Pitfalls Part 1/5: Encryption & Phones
While data collection may seem like a straightforward process, it rarely is. Countless unforeseeable circumstances, computer technologies, and people can cause problems during an on-site collection. In this multi-entry blog series, we'll discuss the most common items and the people that can make data collection more difficult for you, so that you can make more informed decisions during your collections and collection prep.
Computers Using Full-Disk Encryption
Encryption is, at its core, a method of scrambling information so that only the correct passphrase (or key) can unscramble it. Full disk encryption is a security feature that encrypts an entire hard drive, as opposed to "standard" encryption, which usually refers to encrypting a single file or partition. As the workforce becomes more and more mobile, full disk encryption is gaining in popularity because of the protection it provides for a computer's entire hard drive, not just selected files.
Handling the collection of an encrypted hard drive can take more time and money than an unencrypted hard drive. The safest way to handle full disk encryption involves a good deal of time and duplication, as follows:
1. The drive must be duplicated while encrypted.
2. The encryption software must be removed (so the drive is no longer encrypted when it is turned off).
3. The drive must be duplicated again.
4. The encryption software must be re-installed and the drive re-encrypted.
The above process takes many hours with a standard-sized hard drive. However, it may not be necessary for all e-discovery purposes. If a company is using full disk encryption and cost is a major concern (as it often is), the encryption software could be removed by the company's system administrator prior to the EDD vendor's arrival on-site. If you decide on this course of action, keep in mind that removing encryption software can take several hours, so it is best not to wait until your vendor arrives. If the laptop is being sent to your vendor and you want to keep it encrypted while it is en route, you might be able to have your vendor remove the encryption, but that will likely add to your cost.
The methods mentioned above assume that you, your client, or the EDD vendor have the encryption key. Most companies that use full disk encryption keep an administrator's (recovery) key, so even if an employee will not give up their own key, the disk can still be decrypted. Without any key, however, "cracking" the encryption ranges from relatively time-consuming to extremely time-consuming; strong keys could take several months or years to crack, if it is feasible at all.
Cell Phones
The fact that there are many different manufacturers with many different phone models makes collecting cell phone data very difficult. At this point, there is no standardization in how cell phones store data, and storage formats can vary from one model to the next. This makes it very difficult for forensic software vendors to keep up. This is not to say that the data is unattainable, but don't be surprised if you cannot get everything you would expect to get (all deleted files, for instance), or if what is collected turns out to be harder to review than you would like.
The more common a phone is (a popular BlackBerry model, for instance), the more effort forensic hardware and software companies put into making that phone simple and clean to collect and review. Obscure phones are usually more difficult to collect, and the data that is collected is more difficult to review.