Remote Forensic Collection Is Not A Panacea

Recently, remote digital forensic collections have become more and more practical. Software tools increasingly collect data from various devices without the need for a physical presence, often saving time and money. However, as convenient as remote collection may seem, it brings with it a set of risks that investigators must carefully navigate.

Chain of Custody Concerns:

One of the primary risks associated with remote digital forensic collections is the potential compromise of the chain of custody. Maintaining the integrity of evidence is paramount in legal proceedings so that the evidence collected can be authenticated at trial, and the remote nature of collections introduces opportunities for unauthorized access to, or tampering with, the data collected. Instead of evidence going from the device to the storage media (whether physical or cloud) under the immediate control of the examiner, chain of custody in a remote collection is more complicated. The starting point is confirming that the device being collected is the correct device. Chain of custody for an onsite collection includes documenting physical markings and identifiers, including on the storage devices inside the computer itself when possible. Establishing chain of custody for data extracted remotely is harder: it requires safeguards to ensure the data is not intercepted or altered in transit, and a record (such as hashes computed at the source before transmission) that lets the examiner later verify that what was received is what was collected. Furthermore, in many cases it is recommended to preserve the device itself. When the device is being preserved anyway, local collection instead of remote collection usually makes sense.

Network Stability and Reliability:

Even a portable device generally yields enough data to make transmitting it over the internet a significant task. As a result, collections directed remotely may still require a local drive to store the collection, as in the case of a workstation containing a 2 TB drive. Adding local storage media requires documentation of the actions of the local “boots on the ground,” which is potentially even more challenging without the forensic examiner present, and the receiving media then need their own chain of custody. Imagine collecting 2 TB of data from a workstation while it is in its ordinary environment: chain of custody for both the workstation (during collection) and the receiving storage media may still necessitate having a custodian present that entire time. If the data is instead transmitted as it is collected, the process depends heavily on a stable and reliable network connection. If the target device has limited or unreliable internet connectivity, this challenge becomes even more pronounced. Connectivity problems can prolong the remote collection process, negating some of the cost savings, and an interrupted transfer must be resumed without leaving a gap or a silently corrupted block in the image.
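The two concerns above, integrity of what arrives and recovery from a dropped connection, are usually handled with the same mechanism: the image is hashed at the source, chunk by chunk and as a whole, before anything leaves the site, and the receiving examiner re-hashes what arrived. The following is an added example written for this article, not code from the original page or from any collection tool. It assumes a fixed chunk size, a manifest produced at the collection point, and constructed sample data; the host name, disk serial and custodian fields are hypothetical placeholders for the identifiers an onsite custodian would actually record.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample inputs for the example (not a real acquisition).
CHUNK_SIZE = 4096                      # deliberately small; real chunks are megabytes
SAMPLE_IMAGE = bytes(range(256)) * 64  # 16 KiB stand-in for a disk image
SAMPLE_DEVICE = {                      # hypothetical identifiers recorded on site
    "host": "WS-EXAMPLE-01",
    "disk_serial": "EXAMPLE-SERIAL-0000",
    "collector": "on-site custodian",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_chunks(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict[int, bytes]:
    """Chunk index -> bytes: the unit that is hashed, transmitted and re-sent."""
    return {i // chunk_size: image[i:i + chunk_size]
            for i in range(0, len(image), chunk_size)}


def build_manifest(image: bytes, device: dict, chunk_size: int = CHUNK_SIZE) -> dict:
    """Hash at the source, before any data leaves the collection site."""
    chunks = split_chunks(image, chunk_size)
    return {
        "device": device,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "chunk_size": chunk_size,
        "image_size": len(image),
        "image_sha256": sha256_hex(image),
        "chunks": [sha256_hex(chunks[i]) for i in range(len(chunks))],
    }


def verify_received(manifest: dict, received: dict[int, bytes]) -> dict:
    """Receiving-end check: which chunks are missing or altered, and whether
    the reassembled image matches the hash taken at the source."""
    missing, altered = [], []
    for idx, expected in enumerate(manifest["chunks"]):
        data = received.get(idx)
        if data is None:
            missing.append(idx)
        elif sha256_hex(data) != expected:
            altered.append(idx)
    image_ok = False
    if not missing and not altered:
        image = b"".join(received[i] for i in range(len(manifest["chunks"])))
        image_ok = (len(image) == manifest["image_size"]
                    and sha256_hex(image) == manifest["image_sha256"])
    return {"missing": missing, "altered": altered, "image_verified": image_ok}


def simulate_interrupted_transfer(image: bytes) -> dict[int, bytes]:
    """Constructed failure: the connection drops before chunk 2 is sent, and
    chunk 1 arrives with one flipped byte (corruption or tampering in transit)."""
    received = split_chunks(image)
    del received[2]
    bad = received[1]
    received[1] = bytes([bad[0] ^ 0xFF]) + bad[1:]
    return received


def resend(manifest: dict, received: dict[int, bytes], source: bytes) -> dict[int, bytes]:
    """Resume by re-sending only the chunks verification flagged."""
    result = verify_received(manifest, received)
    fresh = split_chunks(source, manifest["chunk_size"])
    fixed = dict(received)
    for idx in result["missing"] + result["altered"]:
        fixed[idx] = fresh[idx]
    return fixed


def custody_record(manifest: dict, result: dict) -> str:
    """One line for the chain-of-custody log. The manifest's own hash is
    recorded so the examiner can show which manifest the verification used."""
    manifest_hash = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return json.dumps({"manifest_sha256": manifest_hash, "verification": result},
                      sort_keys=True)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_IMAGE, SAMPLE_DEVICE)
    partial = simulate_interrupted_transfer(SAMPLE_IMAGE)
    print(verify_received(manifest, partial))
    complete = resend(manifest, partial, SAMPLE_IMAGE)
    print(custody_record(manifest, verify_received(manifest, complete)))
```

The manifest must reach the receiving examiner separately from the image (or be signed at the source); if both travel the same path, an attacker who alters the data can alter the hashes to match, and the verification proves nothing.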

Loss of Intelligence Gathering:

Remote digital collection deprives the examiner of the opportunity to gather intelligence while onsite. For example, if collecting a desktop workstation, onsite collection allows the examiner to inspect the computer to determine whether it has been moved or opened recently. Physical connections to the device can be observed and evaluated for their implications. An SD card in a phone can be removed and separately imaged. Other devices, such as USB sticks and external hard drives, may be seen nearby and collected. Remote collection deprives the examiner of the opportunity to observe and learn from the device’s condition and its environment, leading to blind spots in the investigation.

While remote digital forensic collections can offer convenience, speed, and cost savings, they impose non-monetary costs that must be considered and that may not be worth the tradeoff. Granted, time, budget, or both may not allow the examiner performing the investigation to travel to the device(s) for collection or imaging, and shipping the device(s) may not be advisable for any number of reasons. In such circumstances, a local examiner can perform the collection and send the data to the engaged examiner for analysis, which simplifies chain of custody and data transmission and preserves the investigators’ ability to gather intelligence in the process.

