Targeted collection from onsite and remote endpoints.

April 22, 2024

 

As improved technology connects more users and organizations, the devices we use have become integrated into our daily personal and business operations. The same innovations that help accelerate businesses, communications, and operations can also streamline investigation collection processes and collaboration. In cases of enterprise incidents and litigation, the ability to efficiently narrow data collection while broadening the reach of an investigation can be crucial.


Finding critical digital evidence quickly and completely remains the foundation of every investigation. But today’s investigations need more. Investigators should have the proper tools to unleash targeted, remote, and onsite data collection, task scheduling for automatic collection, and powerful search and analytic tools. Platforms providing both onsite and remote targeted collection capabilities are becoming more valuable to all categories of investigation including enterprise, service providers, and law enforcement.

Targeted data collections, whether onsite or remote, offer advantages that help investigators accelerate case resolution. Capabilities for targeting cloud extraction and targeting image and facial collections also help streamline investigations by saving time and resources. However, there are cases in which targeted collections are not needed. For example, law firms and some corporations require full disk preservation, in which all data on a disk or endpoint in the collection is imaged and stored. But more enterprises and service providers are adopting targeted data collection capabilities in their efforts to better manage time and resources toward reducing case backlogs.

Onsite targeted collection scenarios

Law enforcement and government agency investigations generally run their collections of mobile devices or computers while the devices are in the investigator’s custody. These collections are often run in a lab setting or on location. Enterprise investigators also use direct access to endpoints in their custody as well as onsite servers for live analysis and the preservation of data. Whether in-lab or on location, onsite collections can be performed by basic forensic programs. The capability to target data during these onsite collections allows investigators to narrow the focus of their search to relevant data, saving collection time and data storage.

Benefits of onsite targeted collection

Onsite targeted data collection sometimes offers investigators more control over the device during collection. An investigator with onsite custody can physically secure the endpoint and its data. Onsite collections can be beneficial to investigators who cannot afford to lose access or custody of their devices, or if the devices cannot be transported easily.

Onsite targeted collection limitations

Relying on targeted collection processes on site can present challenges and add costs to investigations, including:

  • Time challenges – Onsite collections require physical presence in the lab or at the user’s location, requiring time to transport the phone or endpoint from its origin to the investigator’s location.
  • Travel costs – The cost of domestic or international flights, accommodation, and per diems for one or multiple forensic team members can greatly impact investigation costs and budgets.
  • Intrusion and workflow disruption – Onsite collection of data from a phone or endpoint requires physically separating the device from an employee or suspect, intruding into the workplace and disrupting workflow and productivity.
  • Limited collections – Onsite data collections can only be run while the phone or endpoint is in custody.

Remote targeted collection scenarios

Remote targeted collections are used by investigators needing to collect, handle, and analyze large volumes of data across geographically dispersed locations. When data is needed from an endpoint that’s not in hand or easily acquired, investigators need the ability to remotely collect that data. Remote collections offer not only timely access to the targeted data, but flexibility to continue collections while the user continues to work.

Enterprises rely on remote collections to reach employee endpoints spread out in other states, countries, and continents. Law firms use remote collections to gather eDiscovery data including social media accounts, messages, emails, and documents.

Advantages of remote targeted collections

Investigators and incident response teams may need to begin investigations before the person knows they’re being investigated. For example, when investigating the suspected theft of intellectual property, evidence collection should start prior to notification. Waiting until a suspect is aware of the investigation leaves the potential for tampering with or wiping of evidence.

Remote targeted collection provides more reach and options for investigations involving endpoints that are in use and at a remote location, including:

  • Uninterrupted workflows – If the user of the targeted endpoint works remotely, scheduled targeted remote collections save time and travel and allow the user to continue working on the device without interruption.
  • Flexibility – Investigators have greater options for timing and scheduling of collections without the need to coordinate with onsite personnel or suspects.
  • Time sensitive/savings – Remote collections can be deployed more rapidly and scaled for cases involving a large number of collaborators.
  • Convenience – Eliminating the physical presence of an investigator onsite with the endpoints adds convenience to investigations.
  • Remote scheduling capabilities – Corporate and enterprise investigators can also use remote capabilities to schedule automated collections from endpoints, allowing the device to remain in the user’s possession and workflow on the device to continue while the investigation proceeds.

Disadvantages of remote targeted collections

Investigators sometimes must work with a user to accept a remote device collector application on the user’s endpoint. The full realization of remote collection benefits will rely on the quality of an organization’s forensics platform. Enterprises and service providers who have not yet adopted a digital forensic platform providing capabilities for both onsite and remote targeted collections are limiting the scalability and scope of their investigative potential.

Onsite and remote targeted collection solutions

Finding critical digital evidence quickly and completely remains the goal of every investigation. Those goals can be achieved using targeted, remote, and onsite data collection, task scheduling for automatic collection, and powerful search and analytic tools. Platforms providing onsite and remote targeted collection capabilities are becoming more valuable to all categories of investigation including enterprise, service providers, and law enforcement. The choice of using onsite and remote forensic data collection methods depends on the investigation’s specific needs and goals. Investigators seeking advantages to maximize efficiency in investigations should explore digital forensics tools built for targeted remote collections, such as Oxygen Remote Explorer.
