• There are no suggestions because the search field is empty.

Digital Forensic News & Events

Bringing investigators digital forensics and cybersecurity related news from around the world. #AllinForensics
Back to News

Collect and Share Digital Evidence Files with Prosecutors

Posted by Richard T. Frawley on October 7, 2019
Richard T. Frawley

In this short How To video, digital forensic specialist Rich Frawley, will show you how to collect and share digital evidence files with prosecutors and third parties using ADF Software. This video is ideal for learning how to share evidence with prosecutors for review. 

If you are tasked with the collecting specific files or collecting all files from a specific location, ADF digital forensic software makes this fast and easy.  Collecting and sharing evidence can be useful

  • due to a legal hold
  • specific need in your investigation
  • a limitation placed on of claimed privilege
  • legal limitations set forth by a judge

This lesson is helpful if, for instance, if you have a need to collect only PDF files from a specific computer or collect all files from a specific User Profile. You can accomplish this by creating a Capture to meet the specific requirements and then export the files in the ADF Stand Alone Portable viewer for analysis or review by another party. Note that ADF report viewers do not require an ADF license to review the files.

To create a New File Collection Capture, got to Setup Scans from the main screen. Click on New Profile, New Capture, and then Collect Files.  On this screen you will define the files to collect.

  • Type an existing Capture Group name or a new Capture Group name appropriate to the Capture.
  • Type in a Capture Name which is not already in use.

Pick a File Type: it is possible to specify which file types to include in your search. Searches for All Files or Specific Files are available. It is possible to add multiple specific file types. If the file type required does not exist it is possible to create one by clicking on View on any File Type group and then following the instructions within the Adding a Custom File Type Section. In this example we are going to collect all PDF files from the Users Profiles.

Select the Capture Options:

  • Only detect files (no collection) The original files will not be collected but preview thumbnails of images are created
  • File identification methodFast identification identifies file types using the file extension only

Use thorough identification for files without extensions since that capture uses file signature analysis to identify files that have no file extension and fast identification on those that do. Thorough identification for all files uses file signature analysis to identify all files. Note: This will increase the time the scan takes to run.

Search selected file types in -

  • Archives Searches for all selected file types within archives
  • Documents Searches for all selected file types embedded within Document file types
  • Picture DB files Searches for all selected Picture file types within thumbcache and thumbs.db files

Next is File Properties where we can set specific parameters based on file properties for the File Collection:

And then...

Select the File Source options:

Entire file system Searches all live files

  • Targeted folders May be used to limit the extent of the scan making it run quicker. These can be used to limit the search to areas where evidential material is likely to exist. In addition, Targeted folders are searched before other folders and are not searched again if both Targeted folders and Entire file system are selected. Here we are going to Target the Users Profiles.
  • Files referenced by artifact records Used to target files referenced by Artifact Captures (e.g. email attachments)”
  • Deleted Files Targets deleted files for which references can still be found in the file system

When all selections are made, select Save and the File Capture is created and available in any Search Profile to be used in conjunction with other Artifact and File Captures or alone as a stand alone File Capture.

Collecting All Files from a Specific Location

When you want to collect all files from a specific location. In this example we'll demonstrate collecting all files from the User Rich Jr. To begin, Select or Create a Capture Group and Capture Name. Select All Files and then Targeted Folders. Add the path to collect all the files from: /users/Rich Jr/.* (for example). 

When all selections are made, hit save and the file capture is created and available in any Search Profile to be used in conjunction with other Artifact and File Captures or alone as a stand alone File Capture.

To Share with a Prosecutor or 3rd Party

Select Report → Stand Alone Viewer → Export

The entire scan results are now available for review and analysis by a prosecutor, another investigator, or another person.

Topics: Digital Evidence Investigator, Triage-G2, Triage-Investigator, Prosecutors, How To Video, DEI PRO, Triage-G2 PRO, Triage-Investigator PRO, Digital Evidence

Posts by Tag

See all

Recent Posts

New ADF Free Trial Website Ad

  • READY TO ACCELERATE YOUR DIGITAL INVESTIGATIONS?

  • Purchase