Below you will find common collection types and instructions for transferring data to Compliance DS. For any detailed questions please contact edsupport@complianceds.com directly.

Email:

The most common email export format is PST.  This format is typically fairly simple to export from an archive or an Exchange Server directly.  It can also be copied from a users local machine in OST format or PST format, but PST is typically more reliable.  The most important piece of the data transfer process is to name these export files consistently.  We prefer the format Custodian-SourceType-CollectionDate.  For example, if two custodians John Smith and Tara Peyton both had an eVault and exchange PST for export they would be named as follows:

  • jsmith-exchange-03-10-2015.pst
  • jsmith-eVault-03-10-2015.pst
  • tpeyton-exchange-03-10-2015.pst
  • tpeyton-eVault-03-10-2015.pst

For mbox, emlx, loose msgs and other mail formats that typically consist of multiple files, please see the loose files section below.

Loose Files

The most reliable deliveries for loose files are E01s or AD1s, but we most commonly see ZIP, RAR, 7z and other standard compression containers.  E01s and AD1s will preserve the appropriate metadata.  The FTK Imager software that can create E01s and AD1s is available as a free download from http://www.accessdata.com/support/product-downloads.  E01s are typically a full disk image, but they can be filtered down using the full version of FTK or another forensic tool.  AD1s are typically just a single directory of data.

ZIP, RAR and other compression containers can modify dates as well as other metadata depending on the software and options chosen during compression.  If these containers are going to be used please refer to any ESI protocol or discovery order that might be in effect and be sure that the metadata will remain intact.  In addition, these containers do not normally track the full file path of the evidence collected, so it is important to note that information in a collection log where appropriate, in case it is needed later.  If you are going to use a Zip software, we highly recommend 7zip (http://www.7-zip.org/download.html) with encryption. 7zip is the best free compression software, outside of forensic containers, for preserving metadata and the built in encryption and file splitting will make uploads simpler and more secure.  The built-in Windows zip tool will modify metadata, we do not recommend it.

Our Aspera transfer tool can also preserve almost all metadata for loose files directly, with the exception of Last Access date.  Pathing information can also be preserved through Aspera if one is using the CI Processing application.

In any event, please do not transfer loose files via a direct windows copy with no container, forensic or otherwise.  This can introduce permissions issues and metadata modifications.

Using a variety of archive types as examples, please see the following filenames for our sample custodians John Smith and Tara Peyton.

  • jsmith-mydocs-03-10-2015.ad1
    • (ad2 through adX would be named the same as FTK automatically splits the archive into separate files based on size increments)
  • jsmith-delldesktop-03-10-2015.e01
    • (e02 through eXX would be named the same as FTK automatically splits the archive into separate files based on size increments)
  • tpeyton-usersfolder-03-10-2015.zip
  • tpeyton-thumbdrive-03-10-2015.rar
  • tpeyton-networkdrive-03-10-2015.7z
  • jsmith-loosemsgs-03-10-2015.zip
  • jsmith-iMacmbox-03-10-2015.zip

Collection Log

As any files are collected, exported or transferred it is best to track them in a Collection log This will allow everyone to track progress and make the process as defensible as possible.  We can store this log on sharefile and it will track the revisions automatically.

Aspera Electronic Transfer

We perfer to use Aspera for electronic data transfer when it is possible to install the plugin and the bandwidth on the client upload side is sufficient.  We create a secure project folder within our main Evidence store or within a client's dedicated DaaS file store.  The transfer site is embedded within our Relativity environment, so a separate login is not required.  The ED Support team can setup a share for you directly, please contact edsupport@complianceds.com.

Please note that loose files or evidence should not be uploaded to this system directly.  It should always be contained within some kind of archive such as PST, E01, AD1, ZIP, RAR, etc. that will preserve metadata.  Please see above for more information.

There are some system requirements that are needed for Aspera to function properly:

  • In order to transfer files using Aspera, a plugin must be installed locally. If you are not prompted to install the plugin automatically or have trouble installing the plugin please see here.
  • You may also need to contact your IT department to gain administrative access to the local PC and allow traffic to our Aspera server on IP Address: 162.211.205.193.
  • An Aspera testing and pre-installation site can be found here.  This can be very helpful for troubleshooting communication and installation issues.
  • For more information & documentation on Aspera please see here.

Sharefile Electronic Transfer

We use Sharefile to transfer data if the bandwidth on the client upload side is sufficient.  This system will log what is uploaded, when and by whom.  We create a project folder on our site at https://complianceds.sharefile.com.  A client will receive an invite directly to this folder.  If you have yet to receive an invite, please contact edsupport@complianceds.com.  We would prefer not to share accounts, so that the automated tracking can take place.  We recommend Chrome or Firefox when using Sharfile.

Please note that loose files or evidence should not be uploaded to this system directly.  It should always be contained within some kind of archive such as PST, E01, AD1, ZIP, RAR, etc. that will preserve metadata.  Please see above for more information.

You may use FileZilla and other desktop applications as well to upload data to sharefile or automate the process:

Hard Drive Delivery

If you are having trouble uploading data due to size or bandwidth limitations a hard drive delivery is a good substitute.  When sending hard drives please alert us prior to shipping by emailing edsupport@complianceds.com with project name, hard drive serial #, approximate size, potential tracking number and any encryption information if applicable.  We will respond with the appropriate address for your request.

 

ACEDS Nuix Relativity Brainspace