"F-Response is such an awesome tool and has so much potential for investigators, forensic examiners and incident responders. Its simplicity is beyond belief. Essentially utilising a core network component together with the host OS it potentially provides one of the most minimally intrusive methods of performing live forensic examinations. This tool is not limited to the enterprise, it has potential for all forensics examiners willing to think out of the box."
Jon Evans, QinetiQ - www.qinetiq.com
Large Scale E-Discovery from the Conference Room
Written by Administrator   
Thursday, 04 February 2010 09:10

We get requests from time to time to leverage F-Response Enterprise and our professional services expertise to perform large scale E-Discovery preservation/collection efforts. We've had the opportunity to develop a series of guidelines over the last few years and wanted to share those guidelines with you.

1. Whenever possible, collect logical files rather than full disk images.

Why?

Simply put, the sheer volume of full disk images in a large scale collection becomes mind boggling. As with any effort, volume is often the single largest limiting factor: one 160 GB drive image isn't too bad, but four hundred of them are too much, both to manage and to reasonably review. A logical collection gathers only the allocated files you ask for and is a fraction of the size; the trade-off is that it does not capture unallocated space, file slack or deleted files, so keep full disk images for the custodians where recovering that material matters. Next, your choice of logical file acquisition tool is going to be important. Each of the major forensic imaging/analysis tools has a logical evidence acquisition function; your main drivers in deciding which tool to use are going to be portability, supportability, and speed. The evidence files you collect will need to be reviewed by you and your team, the opposition's team, and any future teams that come after you. Much like how you never write a contract without thinking about the people who will come after you and have to interpret your agreement, you cannot select an imaging tool or container format without considering all the different firms that will come into contact with your collected data.

2. Develop a reasonably detailed plan covering what, where, how, and who.


Why?

It's easy to get confused when collecting data from hundreds of machines, so before you get started put some effort into developing a plan of action for the effort. Are specific workstations going to be an issue? Servers? What about the custodians: are they aware of the effort, or should this be a covert operation? Simple steps like deciding on a naming convention for the collection files are important, for example MACHINENAME-CUSTODIAN-DATE. Settle the convention before the first collection and apply it consistently, so that every evidence file can be traced back to its machine and custodian without guesswork.

3. Find a central location in terms of bandwidth; this is most often the IT data center or the HQ site.


Why?

In most large organizations the distances between sites are considerable. Frequently the network bandwidth between remote sites is poor; however, the bandwidth available wherever the IT data center is located is often more than sufficient to reach most remote sites. Given our preference, we like to set up in a conference room close to the IT data center or at the HQ site. These rooms can typically be reserved for a period of time and give us quick access to the IT staff members most likely to know the credentials and details necessary to connect to the acquisition targets.

4. Consider Remote Desktop if bandwidth is insufficient between a given remote site and your central location.


Why?

Microsoft Terminal Services is a remarkable piece of technology. Whenever we are faced with a remote location that's just too remote to collect data from via F-Response directly, we connect via Terminal Services to a machine physically located at the remote location. Here's where having the IT data center and its staff close by is important: often they can get you access to a machine running Terminal Services at the remote site, which you can confirm has the Microsoft iSCSI Initiator installed, has enough free disk to hold the collection, and is capable of reaching your newly deployed F-Response targets. We collect our data to that remote machine over the fast local network, then perform the slower copy operations to bring the collected materials back to our central site. We have successfully used this process to access machines 2+ oceans away, truly a simple and remarkable technique when bandwidth is tight.
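The checks above can be scripted before committing to a remote-site machine. The following PowerShell is an added example written for this page, not code from F-Response or from the original post: run inside the Terminal Services session, it confirms the Microsoft iSCSI Initiator service is present and running, that the local collection drive has room, and that each deployed F-Response target answers on its iSCSI port. The target addresses, the port (3260, the standard iSCSI port; confirm what your F-Response deployment actually listens on), the drive letter and the free-space threshold are assumptions for illustration.

```powershell
# Added example: sanity-check a remote-site machine before using it as a
# Remote Desktop collection host. Run this inside the Terminal Services session.
# Target addresses, port, drive letter and free-space threshold are assumptions.

function Test-CollectionHost {
    param(
        [string[]]$TargetAddress,          # machines where F-Response targets were deployed (assumed)
        [int]$Port = 3260,                 # standard iSCSI port; confirm against your F-Response config
        [string]$CollectionDrive = 'D',    # local drive the collected files will be written to (assumed)
        [long]$MinFreeBytes = 200GB        # assumed minimum space needed for the collection
    )
    $result = @{}

    # 1. The Microsoft iSCSI Initiator service (MSiSCSI) must exist and be running
    $svc = Get-Service -Name MSiSCSI -ErrorAction SilentlyContinue
    $result.InitiatorPresent = ($null -ne $svc)
    $result.InitiatorRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Enough local disk to hold the collection until it is copied back to HQ
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($CollectionDrive):'"
    $result.FreeBytes   = if ($disk) { [long]$disk.FreeSpace } else { 0 }
    $result.EnoughSpace = $result.FreeBytes -ge $MinFreeBytes

    # 3. TCP reachability to each target's iSCSI port, with a 3 second timeout
    #    (System.Net.Sockets.TcpClient is available on PowerShell 2.0 era hosts)
    $result.Reachable = @{}
    foreach ($addr in $TargetAddress) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($addr, $Port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne(3000, $false) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        $result.Reachable[$addr] = [bool]$ok
    }
    return $result
}

# Example usage (addresses are placeholders, not real hosts)
$check = Test-CollectionHost -TargetAddress @('10.20.30.41', '10.20.30.42')
$check.Reachable.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0}:3260 reachable={1}" -f $_.Name, $_.Value
}
"Initiator present={0} running={1} space ok={2}" -f `
    $check.InitiatorPresent, $check.InitiatorRunning, $check.EnoughSpace
```

If the initiator service is missing, have the site's IT staff install it before deploying targets; a target that is deployed but unreachable on its port usually points at a host firewall or a VLAN boundary between the collection host and the custodian machine rather than at F-Response itself.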

5. Get IT to build a user account on the domain with sufficient privileges for you to access remote targets, and have them disable it when you are finished.

Why?

It's much easier to control access with a newly created domain credential, and Active Directory logging can provide an additional audit trail around which targets were connected to and when. Also, by having a credential created for you and your team, IT can enable/disable your access readily without impacting other operations. Ask for no more access than the collection requires, and make sure the account is actually disabled, not just left idle, when the effort is over.
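One way to run that account lifecycle from the IT side, as an added example written for this page and not F-Response's or the original post's own procedure: create the account with a built-in expiry so it cannot outlive the effort, put it only in the group that grants access to the targets, pull the successful logon events (event 4624) it generated on a target as the audit trail, and disable it at the end. It uses the ActiveDirectory PowerShell module that ships with RSAT on Windows Server 2008 R2 and later; the account name, OU, group name and computer name are assumptions for illustration.

```powershell
# Added example: create a dedicated collection account with a built-in expiry,
# pull the logon audit trail for it from a target, and disable it afterwards.
# Requires the ActiveDirectory module (RSAT). Account, OU, group and computer
# names are assumptions for illustration, not values from the original post.

Import-Module ActiveDirectory

$Sam   = 'ediscovery-collect'                     # assumed account name
$OU    = 'OU=Service Accounts,DC=corp,DC=example' # assumed OU
$Group = 'Collection-Targets-Admins'              # assumed group granting admin on targets

function New-CollectionAccount {
    param([string]$Sam, [string]$OU, [string]$Group, [int]$DaysValid = 14)
    # Take the password interactively rather than embedding it in a script
    $pw = Read-Host -AsSecureString "Initial password for $Sam"
    New-ADUser -Name $Sam -SamAccountName $Sam -Path $OU `
        -AccountPassword $pw -Enabled $true `
        -AccountExpirationDate (Get-Date).AddDays($DaysValid) `
        -Description 'E-Discovery collection; disable when the effort completes'
    # Grant only the group that gives the rights needed on the acquisition targets
    Add-ADGroupMember -Identity $Group -Members $Sam
}

function Disable-CollectionAccount {
    param([string]$Sam)
    Disable-ADAccount -Identity $Sam
    Set-ADUser -Identity $Sam -Description "DISABLED after collection on $(Get-Date -Format yyyy-MM-dd)"
}

# Successful logons (event ID 4624) recorded in a target's Security log for the account.
# In the 4624 layout on Vista / Server 2008 and later, Properties[5] is TargetUserName,
# [8] LogonType, [11] WorkstationName and [18] IpAddress.
function Get-CollectionLogons {
    param([string]$Sam, [string]$ComputerName, [datetime]$Since)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Since
    } | Where-Object { $_.Properties[5].Value -eq $Sam } | ForEach-Object {
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            Target      = $ComputerName
            LogonType   = $_.Properties[8].Value   # 3 = network (admin share, WMI), 10 = Remote Desktop
            Workstation = $_.Properties[11].Value
            SourceIP    = $_.Properties[18].Value
        }
    }
}

# Usage at the start and end of the effort (computer name is a placeholder):
# New-CollectionAccount -Sam $Sam -OU $OU -Group $Group
# ... collection ...
# Get-CollectionLogons -Sam $Sam -ComputerName 'WKS-0042' -Since (Get-Date).AddDays(-14) |
#     Export-Csv -NoTypeInformation "audit-$Sam.csv"
# Disable-CollectionAccount -Sam $Sam
```

The per-target 4624 events complement the domain controller's own authentication events: the DC tells you that the account authenticated, the target tells you from which workstation and address it connected, which is exactly what the collection log needs to line up with.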

6. Assign one person to keep a solid accounting of the effort.

Why?

In a large scale collection effort it's easy to get confused. Which machines have we collected? Which machines do we still need to collect from? Which machines did our credential not allow us to access? Do we need to collect via Remote Desktop at a remote site? All of these data points should be tracked and managed by one person, either on good old fashioned paper or in a spreadsheet. In addition, they should be able to calculate a few metrics after the first couple of days (machines per day, gigabytes per day) to get a good estimate of the total duration of the effort.
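As an added example of the kind of ledger and metrics this person keeps (written for this page, not from F-Response or the original post), the following PowerShell holds the tracking sheet as CSV, classifies machines by status, and projects the remaining duration from the rate achieved so far. The rows are constructed sample data; machine names, custodians and sites are not real.

```powershell
# Added example: a minimal collection ledger kept as CSV, with the metrics the
# tracker wants after the first few days. Rows are constructed sample data.

$ledgerCsv = @'
Machine,Custodian,Site,Status,SizeGB,Collected
WKS-0001,jsmith,HQ,Collected,42.5,2010-02-01
WKS-0002,amiller,HQ,Collected,61.0,2010-02-01
SRV-FS01,shared,HQ,Collected,310.2,2010-02-02
WKS-0107,rlee,Dallas,AccessDenied,,
WKS-0108,cwong,Dallas,Pending,,
WKS-0215,pgarcia,Singapore,NeedsRDP,,
WKS-0216,tnguyen,Singapore,Collected,55.8,2010-02-02
'@
$ledger = $ledgerCsv | ConvertFrom-Csv

function Get-CollectionStatus {
    param($Ledger, [datetime]$Now)
    $done = @($Ledger | Where-Object { $_.Status -eq 'Collected' })
    $todo = @($Ledger | Where-Object { $_.Status -ne 'Collected' })

    # Volume collected so far and the first collection date give the rates
    $gb    = ($done | ForEach-Object { [double]$_.SizeGB } | Measure-Object -Sum).Sum
    $start = $done | ForEach-Object { [datetime]$_.Collected } | Sort-Object | Select-Object -First 1
    $days  = [math]::Max(1, ($Now - $start).TotalDays)   # never divide by less than a day

    New-Object PSObject -Property @{
        Collected      = $done.Count
        Remaining      = $todo.Count
        AccessDenied   = @($todo | Where-Object { $_.Status -eq 'AccessDenied' }).Count  # credential fix needed
        NeedsRDP       = @($todo | Where-Object { $_.Status -eq 'NeedsRDP' }).Count      # collect via Remote Desktop
        GBPerDay       = [math]::Round($gb / $days, 1)
        MachinesPerDay = [math]::Round($done.Count / $days, 1)
        EstDaysLeft    = [math]::Round($todo.Count / ($done.Count / $days), 1)
    }
}

# For the sample data on 2010-02-03: 4 collected, 3 remaining, 2 machines/day,
# 234.8 GB/day, about 1.5 days left (before the AccessDenied and NeedsRDP rows bite)
Get-CollectionStatus -Ledger $ledger -Now (Get-Date '2010-02-03') | Format-List
```

The estimate is deliberately naive: it assumes the remaining machines look like the ones already done. The AccessDenied and NeedsRDP counts are the correction factor, since each of those takes an IT round trip or a Remote Desktop session that the early, easy HQ machines did not.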

7. Expect a few things will go wrong along the way, and be ready to make adjustments on the fly when needed.

Why?

Every effort, regardless of how meticulous the preparation, can suffer from unforeseen issues. It's the nature of the industry, and if you've been working in it long enough you'll know exactly what we are talking about. Recognize that issues are going to come up, so that when they do you can address them in a calm and collected manner.

Hopefully these guidelines help you in your large scale collection efforts. If you are planning such a project and want to use F-Response, feel free to give us a call; chances are we can get someone from our professional services team to answer any questions you might have.

Thanks!

Warmest Regards,

M. Shannon, Founder

F-Response

February 4, 2010


Last Updated on Thursday, 04 February 2010 13:12