Product Releases
Targeted, seamless remote collection is the holy grail of e-discovery. Nobody wants to have to acquire a full hard drive when all that is required is one folder, and nobody wants to fly a consultant out for a collection every time a custodian happens to be in a remote location. The ideal collection tool would collect data with precision, via a user-friendly interface that can be used by a non-technical person, and do it fast.
Digital Strata recently evaluated three tools that could provide a solution to this problem: Titan, re-branded as Nuix Collector Portable, developed by MicroForensics, Inc.; One Click Collect, Harvester edition, developed by PinPoint Labs; and EnCase Portable, developed by Guidance Software, Inc.
Tools Evaluated
All three tools allow you to ship an external drive to a custodian preloaded with “jobs” for an automatic or almost automatic collection. They all incorporate file hashing and logging (for chain of custody purposes), and support long path names and signature analysis. See the comparison table below for more information.
Titan/Nuix Collector Portable
Titan, also known as Nuix Collector Portable, contains two components: Collector (a preview and review tool) and CLI (a collection wizard/command-line tool).
The CLI Wizard can be used to do a local collection (local or mapped network drive) or to create a job (an XML file) that can be automatically run from an external drive (e.g. USB drive) by a custodian. It is possible to configure this job so that it lets the custodian specify additional data sources and/or auto-detects volumes. A virtual machine is treated as any other computer as long as the prepared remote collection USB device is “shared” with it.
Multiple jobs can be combined in a batch file, which is useful when you have multiple sources that need to be de-duplicated.
De-duping, de-NISTing and filtering by Windows security ID, keywords, file extensions, and date are all optional. Files can be collected in a native format or in a proprietary tamper-proof container, which also stores a copy of the job file. Choosing a forensic snapshot option, as opposed to selecting a native copy, is advisable when one anticipates encountering open PSTs or locked files. The file signature table can be easily updated by either exporting one from EnCase or editing it manually.
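As an added illustration (not code from Titan or any of the tools reviewed here), the Python example below shows what extension filtering, signature analysis, de-NISTing, de-duping and hash-verified copying amount to in one collection pass. The `collect` and `demo` names, the one-entry signature table, the sample files and the choice of SHA-256 are all assumptions made for the example.

```python
import hashlib, shutil, tempfile
from pathlib import Path

# Constructed signature table (extension -> leading bytes); real tools ship far larger ones.
SIGNATURES = {".doc": bytes.fromhex("d0cf11e0a1b11ae1")}  # OLE2 compound file header

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def collect(source, dest, extensions, known_hashes=frozenset()):
    """Copy responsive files from source to dest; return one log entry per file seen."""
    source, dest, seen, log = Path(source), Path(dest), {}, []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel, ext = path.relative_to(source).as_posix(), path.suffix.lower()
        if ext not in extensions:
            log.append({"path": rel, "status": "non-responsive"})
            continue
        digest = sha256_file(path)
        with open(path, "rb") as f:
            sig_ok = f.read(8).startswith(SIGNATURES.get(ext, b""))
        entry = {"path": rel, "sha256": digest, "signature_ok": sig_ok}
        if digest in known_hashes:            # de-NIST: hash is in the known-file set
            entry["status"] = "known file"
        elif digest in seen:                  # de-dupe: same content already collected
            entry["status"] = "duplicate of " + seen[digest]
        else:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)        # copy2 carries the modified time across
            ok = sha256_file(target) == digest
            entry["status"] = "collected" if ok else "hash mismatch after copy"
            if ok:
                seen[digest] = rel
        log.append(entry)
    return log

def demo():
    """Run collect() over a constructed sandbox and return the log keyed by path."""
    ole = SIGNATURES[".doc"]
    files = {"a/report.doc": ole + b"Q3 report", "b/copy.doc": ole + b"Q3 report",
             "b/renamed.doc": b"plain text", "sys/template.doc": ole + b"stock",
             "notes.txt": b"todo"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            p = Path(src, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        known = {hashlib.sha256(ole + b"stock").hexdigest()}
        return {e["path"]: e for e in collect(src, dst, {".doc"}, known)}
```

The returned log is the chain-of-custody record: every file seen gets an entry, including the ones that were not collected and the reason why.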
The CLI Wizard’s user interface is easy to navigate. Following the conventional wizard paradigm, you are presented with a series of steps and choices. XML job files can be saved for later use, and parameters, such as the examiner’s name and “before” and “after” splash screens for the custodian, can be easily modified. All the custodian has to do is to plug in the prepared external drive and click “OK.”
Logging is robust: collection job statistics are included, in addition to a list of unrecoverable errors (if any) and files that did not meet collection criteria (i.e. “non-responsive” files). One can create a new job file from the list of errors to be run later.
It is notable that, as of the current release (June 2010), it is not possible to restart a collection that has been interrupted. Thus, it is imperative that the custodian does not close the application once automatic collection starts. A recover mode option is due to appear in the next release.
One Click Collect—Harvester Edition
Like Titan, the Harvester edition of One Click Collect can be run from a portable device. You can also run the program from a specific network address and queue jobs. As opposed to Titan, files are copied in native file format only. You can choose whether to copy the folder structure along with the files or not. Harvester gives you the option of whether or not to rename files should a name collision occur. Also, you can exclude temporary files and system files and folders from your search.
The user interface is very simple—all options are presented on one screen. Every time you roll over a portion of the screen, an appropriate “help” section appears at the bottom. One nice touch is that you can choose document types to collect as opposed to having to specify file extensions; thus, you do not necessarily need to know which file extension is associated with each file type.
As with Titan, de-duping and de-NISTing are both optional; however, there is no keyword filtering available.
EnCase Portable
There are three ways to do a collection with EnCase Portable: boot to an EnCase Portable USB device, double-click on the executable from the attached USB drive, or execute the program in quiet mode via command line. You would have to ship the custodian both the EnCase Portable dongle and a prepared storage device. If you choose to execute the program by double-clicking, you will be asked to select a job to run. EnCase Portable comes pre-configured with a number of jobs, such as “collect document files,” “create copy of a drive or memory,” and more. You can easily create your own jobs (either for previewing or collecting data) by choosing modules and modifying conditions. The latter’s syntax is the same as the one used for scripting conditions in other versions of EnCase. While creating jobs is not as simple as with Titan or Harvester, once the device is configured properly, a custodian just has to double-click on the executable and select the job to run (unless the device is pre-configured with auto-run or the program is being run in quiet mode).
Any data that is collected is stored in an EnCase Evidence File—a forensically sound tamper-proof container. Since EnCase Portable is a forensic tool, it has no problem handling open files. When scripting your job, you can choose to generate reports, which is a useful feature.
Speed Test
The final and one of the most important comparisons is the amount of time it takes to process data. All three of the tools mentioned above were tested with a data set (a.k.a. “sandbox”) of over 362 GB loaded with all types of documents and e-mail files. The data set contained 479 .doc files (approximately 180 MB).
Titan
- Crawling network mapped sandbox drive for .doc files only.
- Used forensic snapshot feature.
Total time: 1 hour 5+ minutes. Collected 480 files including one Zone Identifier (an alternate data stream).
Harvester
- Crawling network mapped sandbox drive for .doc files only.
- After three hours, Harvester was still enumerating files; no copying had commenced.
- Crawling locally attached sandbox drive for .doc files only.
It took 50 minutes to enumerate the files (479), and another 50 minutes to copy 75% of them. In comparison, it took 41 seconds to create a logical evidence file containing those 479 documents using EnCase Forensic. Previewing time with the latter was less than 3 minutes.
NOTE: According to PinPoint Labs, this issue should be fixed in the next release.
EnCase Portable
- Crawling locally attached sandbox drive for .doc files only.
It took 3 minutes to identify and collect all 479 .doc files.
NOTE: Even though this is not crucial to e-discovery, it is worth noting that EnCase Portable was the only one of the aforementioned tools that did not change the Entry Modified date (as reported by EnCase).
Conclusions
The choice of tool depends on your needs: the types of cases you work, the capabilities of your staff, and the location of the target computers.
EnCase Portable was the fastest of the three tools evaluated, but it does not lend itself well to doing non-disruptive automatic collection. The interface is probably too technical for someone without any computer forensics or EnCase background. On the custodian’s side, you must disrupt the custodian’s work by either booting to a USB drive or walking them through several steps. Alternately, you would have to request privileged access to the custodian’s computer in order to run the program in quiet mode.
Between Harvester and Titan, Harvester offers a more streamlined interface, as well as the option to run the program from a network address as opposed to from an external drive only, but the lack of a forensically sound file container is a big drawback (depending on your use case). In comparison, Titan seems to be more flexible and offers more features, such as the ability for the custodian to name more sources, combine batch files, and so much more. As of this writing, MicroForensics has formed a partnership with Nuix and made available an Enterprise version of the Nuix Collector (a.k.a. Titan)—Nuix Collector for Networks.
Finally, no discussion of remote collection can be complete without mentioning F-Response. F-Response essentially serves as a conduit by establishing a write-blocked channel between your machine and the target computer. It makes the target machine’s physical and logical volumes appear on your machine as if they were local. In that manner, any forensic or e-discovery tool can be used to process the data. We have used EnCase Forensic via F-Response to search the sandbox drive attached to another computer for .doc files. As with EnCase Portable, previewing and collection were extremely fast (less than 5 minutes). It is necessary to mention that the user on the other end does have to execute a program for the connection to be established (all that is required is a simple double-click if you have preconfigured the settings). Also, establishing a connection with a Mac computer requires root access on the latter and execution of several shell commands. Since F-Response relies on an IP address to establish a connection, if the target machine is behind a NAT firewall or VPN, it can prove difficult and at times impossible to create a connection.
| | Titan | Collect (Harvester Edition) | EnCase Portable |
|---|---|---|---|
| Developer | MicroForensics | Pinpoint Labs | Guidance Software |
| Primary purpose | e-Discovery | e-Discovery | Forensics |
| Automated collection? | Possible | Possible | Only if target computer is booted to a preconfigured external drive or the program is executed in quiet mode via command line |
| Can custodian be prompted to specify additional sources? | Yes | No | No |
| Will the software collect from mapped network shares? | Yes | Yes | No |
| Is de-NISTing on the fly available? | Yes | Yes | No |
| Is de-duping available? | Yes | Yes | No |
| Is keyword pre-filtering possible? | Yes | No | Yes |
| Can evidence be collected in a tamper-proof container? | Yes | No, native only | Yes |
| Are currently open files (e.g. PSTs) collected? | Yes | Not always | Yes |
| Does the software read EnCase Evidence File format? | Yes | Requires third-party software (Mount Image Pro) | Yes |
| Can it run automatically from a server/network share? | Not this edition | Yes | No (boot to or execute a program from USB only) |
| Does it include a customizable splash screen with instructions for the custodian? | Yes | Yes | No |
| What user privileges are required? | Sufficient to open a file to be collected | Sufficient to open a file to be collected | None required, you can boot directly to USB unless full-disk encryption is present |
Ms. Nasielski is a forensic/e-discovery specialist at Digital Strata, Inc. She holds a Master's of Forensic Science (concentration in High Technology Crime Investigation) degree from The George Washington University and was previously employed at Charles Schwab & Co. as a forensic analyst. Founded in 1994, Digital Strata is a professional services company that specializes in easing the burdens of Discovery, litigation support, and forensics, some of the most complex, intricate, and expensive corporate legal processes. This is our specialty, it’s not part of a product suite; it’s the core of what we do.

