Detailed Analysis
Collection is the acquisition of electronically stored information from its original location into a separate environment for the purpose of discovery. The focus of this stage is on maintaining the forensic integrity of the data.
Collections can be targeted or broad. A targeted collection focuses on specific files or folders, while a broad collection might involve a full disk image or a complete mailbox export. Forensic tools are utilized to ensure that metadata such as creation dates, modification times, and file ownership are not altered during the transfer. A continuous chain of custody must be established to document every person who handled the data and the methods used for extraction.
Methodologies include:
- Active File Collection: Gathering only the files currently visible to the user.
- Forensic Imaging: Creating an exact copy of every bit on an entire storage medium.
- Remote Collection: Using network tools to gather data from geographically dispersed devices.
- Cloud API Collection: Extracting data directly from service providers.
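
The targeted collection described above, as an added example that is not part of the original page: files are copied into a separate evidence folder, each copy is verified against a SHA-256 hash of the original, the original modification time and owner are recorded, and a chain-of-custody entry is appended. It uses only the Python standard library in place of a forensic tool; the names `collect`, `custody.jsonl` and `examiner-01` and the sample file are assumptions made for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(src_root, dest_root, handler, method):
    """Targeted collection: copy files, verify hashes, append a custody record."""
    src_root, dest_root = Path(src_root), Path(dest_root)
    items = []
    for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
        st = src.stat()  # capture metadata before the content is read
        rel = src.relative_to(src_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)  # keeps mtime; owner is recorded in the manifest
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"hash mismatch after copy: {rel}")
        os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))  # undo atime change from verification
        items.append({"path": rel.as_posix(), "size": st.st_size,
                      "mtime_ns": st.st_mtime_ns, "uid": st.st_uid,
                      "sha256": src_hash})
    record = {"handler": handler, "method": method,
              "collected_utc": datetime.now(timezone.utc).isoformat(),
              "items": items}
    with open(dest_root / "custody.jsonl", "a") as log:  # one line per handling event
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample data: one file with a known, older modification time."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "custodian_share"), Path(tmp, "evidence")
        src.mkdir(); dst.mkdir()
        f = src / "memo.txt"
        f.write_bytes(b"constructed sample document\n")
        os.utime(f, ns=(1_600_000_000 * 10**9, 1_600_000_000 * 10**9))
        rec = collect(src, dst, handler="examiner-01", method="active file copy")
        copied = dst / "memo.txt"
        return rec, copied.stat().st_mtime_ns, sha256_file(copied)
```

Hashing the source reads it, which can update its access time on some filesystems, so the source is normally mounted read-only before a collection like this is run.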