[Webcast Transcript] From Mac to Mobile: Advanced Data Triage and Collection Tools for Forensic Investigators

Editor’s Note: Read the transcript from HaystackID’s webcast, “From Mac to Mobile: Advanced Data Triage and Collection Tools for Forensic Investigators,” to learn about HaystackID’s Remote Endpoint Analysis and Data Intelligence (READI™) Suite of Services. Rene Novoa, CCLO, CCPA, CJED, Vice President of Forensics at HaystackID, shared his expertise on how legal professionals can navigate complex data investigations with the new READI Suite. Highlighting its ability to streamline data handling, the READI Suite enables investigators to perform targeted collections and minimize unnecessary data capture. By leveraging new capabilities like READI Cloud™ and READI Networks™, clients can gain precise control over their data collection needs while ensuring compliance and preserving privacy. This webcast offered valuable insights into how these tools can simplify digital investigations and support collaboration between legal, IT, and forensic teams. Continue reading to explore the full transcript and understand how HaystackID is leading the way in data intelligence and digital forensics.


Expert Panelist

+ Rene Novoa, CCLO, CCPA, CJED
Vice President of Forensics, HaystackID

Rene Novoa has over 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management and sales activities. During this time, Novoa has performed civil and criminal investigations and provided litigation support and forensic analysis for seven years. He has regularly worked with ICAC, HTCIA, IACIS, and other regional task forces supporting State Law Enforcement Division accounts and users in his most recent forensic leadership roles.



By HaystackID Staff

During HaystackID’s recent webcast, “From Mac to Mobile: Advanced Data Triage and Collection Tools for Forensic Investigators,” Rene Novoa, CCLO, CCPA, CJED, Vice President of Forensics at HaystackID, dove into how the Remote Endpoint Analysis and Data Intelligence (READI) Suite is a powerful tool for handling complex data investigations. By building on HaystackID’s Mobile Elite Discovery Lab (MEDAL™) Suite, the READI Suite addresses modern challenges such as remote work setups and secure data access for various devices, ensuring investigations are conducted with proper forensic methodology, a clear chain of custody, and a focus on compliance. Novoa’s explanation highlighted how the READI Suite improves data acquisition processes while remaining cost-effective.

Novoa discussed the strategic development of the READI Suite, which offers enhanced capabilities for gathering data from different environments. This solution provides more precise and efficient data handling, reducing the risk of over-collection and unnecessary data storage. New features, such as READI Cloud and READI Networks, allow for the controlled retrieval of information from sources like Google Drive and Dropbox®, addressing client needs without disrupting daily business operations or breaching data privacy standards.

Webcast attendees learned how the READI Suite supports targeted data collection for corporate security, eDiscovery, and executive investigations, enabling efficient triage without needing full device imaging or lengthy onsite visits. Novoa explained that this suite allows for effective collaboration between legal, IT, and forensic teams while maintaining privacy and security.

Read the full transcript below to learn how READI can streamline data preservation and ensure the precise handling of sensitive information.

Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.

Rene Novoa

Hi, everyone, and welcome to another HaystackID webcast. I’m Rene Novoa, your expert moderator and lead for today’s presentation discussion, “From Mac to Mobile: Advanced Data Triage and Collection Tools for Forensic Investigators.” I am very excited about this. This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We are recording today’s webcast for future on-demand viewing and will make the recording and complete presentation transcript available on the Haystack website. I’m looking forward to talking about our new advanced solutions with HaystackID’s Remote Endpoint Analysis and Data Intelligence, what we call the READI Suite, the industry’s most comprehensive suite of endpoint collection and triage capabilities. Now, just before we jump in, just a little bit about me. My name is Rene Novoa and I am the VP of Forensics here at HaystackID. I have over 20 years of technology experience in data recovery, digital forensics, eDiscovery, and account management. I currently run the Forensic Lab, as well as our R&D team. I work with new and emerging technologies. So, let’s dive into this presentation. Unfortunately, John Wilson, our CISO, was going to join us and was unable to make this presentation. So, we’ll move through this.

We’ve already covered a little about who I am and what we’re going to talk about here. But before we get into the READI Suite, in which we’re really excited about some of our new capabilities, I want to talk about how we got there and how all these new tools and capabilities have come to light.

So, we really look at our clients’ needs. And just last year, we came out with our MEDAL services, which are mobile-centric: triage, targeted collections, full-file system extractions. And so, the READI Suite of Services really complements more on the network and computer side of things. So, we started looking and talking to our clients and understanding what the industry needed. We saw that they both wanted onsite and remote collections to be almost very similar in terms of capabilities. They wanted the ability to be able to target. They also want to be able to go onsite. But both solutions had to work together there: the protocol and policy were repeatable and well-documented. They were understood. It wasn’t just fly-by-the-seat technology but something that was truly tested. They could go to court with it, and it was proven. We are still maintaining a lot of our forensic methodology, maintaining a strong chain of custody, documentation, compliance, and security. These are essential to all of us in the industry as we go. And we’re working with sensitive data, we’re working with client information. And we want to make sure that we do not have a breach, we do not have leakage, and that we’re collecting only what we need.

And at the same time, this has to be cost-effective. Everyone is sensitive to budgets. We can collect everything. We can store as much data as you want, but it does come at a cost. So, we really had to find new technology, new techniques, and methodologies that really met our clients’ needs with a lot of diverse options. Flexibility, being able to do onsite, being able to do remote, being able to be flexible with our documentation to make sure it was secure.

So, as we move through, I’ll answer questions at the end, and if there are other types of concerns that your clients are requesting and it may not be up here, please let’s talk about that. So, as we develop these new technologies, we can keep them at the forefront of our minds as we develop these new tools. Some of the big hurdles that we’re finding, not only with onsite but with remote, are accessibility to storage devices, especially when we start talking about laptops and servers and the security that goes along with it, with MDM. Even with individuals working remotely, hardware is being sent to them where we’re not able to access the USB ports. We’re not able to extract the storage devices where we can do full imaging or where we have the right blockers or some of the tools that we’re doing pre-boot, secure boot-ups. There are many tools that are booting up not to get into the OS to be able to collect those full images or even targeted data at that point.

But a lot of the time, that comes with Secure Startup. It comes with admin passwords. And many companies, or many clients, are not willing to give that up. They want us to collect the data in a certain way but may not have the ability or the policy setup to allow USB connections for certain Macs that only have USB-C ports. And since we can’t take them apart, the only way to access them is to go through those ports. But Secure Startup and other restrictions prevent us from actually getting into those devices. So, security and policy have really shaped how we attempt to capture data. Being able to not only work with the hardware but actually work more on the logical side and working on the device itself.

When we talk to clients, we can consult and consider the next options, and there are always these considerations. We need to understand what the case may be about and the scope of the project. We really have to take in when we start looking at cost-effectiveness, travel expenses, and the examiner’s time on site. How is that time being utilized? Can it be utilized for other projects? And when you’re on-site, it is completely dedicated to that client. And if we’re sitting there just imaging for eight hours, that individual is not being used. And we’re just tying up these billable hours.

And as much as we want to make money and have these billable hours, we also need to work with clients to find what their needs are. Are we data mining PII with way more than what we need? Is the information that we’re pulling out of scope? When we do full images, we may be capturing a lot of information that really does not need to be looked at or considered. If we’re going to hold it, we’re also going to charge. We’re going to end up with these large datasets that only need to be collected, stored, processed, and reviewed. And we all understand how those costs are just going up each time more and more data is collected. Targeted collection has really been a conversation piece with a lot of our clients. How can we securely target information within the industry that I’m hearing everywhere? Mobile, I think, was the big talk last year. And now, we’re seeing more push to look at computers, networks, and cloud repositories. And just actually, the downtime when we look at remote kits, we look at being on-site.

From the time that we’re able to collect on-site, as more individuals are leaving the office, they’re moving away from headquarters, and whether we have to go remotely to this individual’s site, whether we’re sending collection kits, which is very popular, as well as being on-site, being able to take that data, get it to a laboratory, being able to download that information, process it, get it into some sort of analysis and then review, we’re looking at five days possibly. From the time of shipment, arriving from shipment to the full process, you’re looking at five days. How do we cut that time down when we have fast turnarounds and impending deadlines and court dates? So, we really have to ask that question: What really needs to be preserved? Can we do it by date range? Is it only looking in the last six months, the last year? Can we target selective data? Can we just get a folder of the critical information that maybe that’s project-based or company-based? A lot of individuals who are using their own devices or part of a company may have other NDAs with other companies that just cannot be accessed. They do not want that data to be reviewed. It’s way out of scope. So, we really had to take these core considerations, look at the technology, and what we could come up with.

So, that’s where the READI Suite of Services really is part of HaystackID’s Forensics First offering. As I mentioned before, we had MEDAL last year, which really focused on mobile. So, READI is really designed to address the complexity of digital forensics for investigators when we start talking about cloud services, network environments, macOS, Windows, and Microsoft Windows-based systems. So, it’s essential for us not only to do triage for cybersecurity, information governance, and data preservation.

These new tools that we’re going to walk through allow us to go through these steps with these data sources, which is something that, I think, was lacking before, especially when we start looking at the macOS, and we’re looking at the cloud services. We would have to pull everything down. We would have to either collect the full image with Macs having three or four million files and then have to sift through user-created data to really get to the root of what we needed. Here’s a quick overview of what we’re going to be going over the next 20 or 30 minutes. We’ve come out with READI Cloud, READI for Windows, READI Networks™, and READI OSC for Mac. So, let’s just start with our cloud services.

Currently, we’re looking at repositories for Dropbox®, Google Drive™, Box®, and Microsoft OneDrive®. And how does that differ from other tools? So, let’s take Google Drive, for instance. Many of us use Google Vault. Many organizations have Google Vault. If you know what you’re collecting, Google Vault is a great tool to extract data and if you need to preserve information. But if we’re doing a triage, if we’re doing an investigation, and we want to see the folder structure, it’s not a very comprehensive tool to understand what is in that Google Drive without having to either share the drive or do something where the custodian is going to know what’s going on. We don’t want to disturb the environment. We also want to be able to triage. We don’t want to be able to walk through it with the custodian, and maybe look at the structure and be able to selectively collect folders or files from these repositories. READI Cloud allows us to get into individuals’ Google Drives and see it the way they see it, and walk through and get a structure of the folder structure. Then, we can work not only with our client but with the custodian and selectively pull the data that may be in scope that they are willing to turn over or this is the correct data within scope. For this project, we only need to collect this part of Google Drive without guessing, without certain keywords where we may miss data. And that goes along with Dropbox, Box, and OneDrive. This does give us the ability to target selective folders and files within these environments, which, as people have done this over time, after collecting those repositories, we didn’t always have that ability. Either individuals, I know in the past, we were using syncing, they were syncing the whole drive, then processing, doing file reports, but you now have collected all this information that now you’re responsible for.

There’s a lot of risk and privacy concerns that go along with that. So, we’re going to break that down a little bit more as we go through. For READI Network, it means being able to put an endpoint into the environment, collect routinely, triage, and look at logs so that we’re not collecting an entire share unnecessarily. Or we are working with local IT to get our agent into the network and able to collect specific files, just like folders and even logs, for eDiscovery matters, which we’ll go through the use case scenarios with READI Network Services, which is very exciting. As for Windows and OSX for Mac, it’s really the same. Can we get in and triage? Can we come in and look at certain logs, USB store activity logs? Can we even determine that this is the right computer? Is this the right device for collecting the user profile? We can do some early case assessments here with both Mac and Windows to determine if this device is in scope. Is it needed for the investigation? Do we need to collect everything? And maybe we do need to send somebody on-site because it’s going to need a full analysis. We are going to want to get essentially a bit-for-bit collection, which we know normally that’s just not the term that we use anymore, but we may need to get a full preservation. And same with Mac systems. If we don’t have to go on-site and take down that system and look ahead of time and say, “Hey, this is the right environment we need,” maybe we just need to get a folder from this Mac user profile. We can do that much faster than either going on-site or even sending some sort of kit to the custodian. So, we are excited about these new capabilities that we’re about to release and offer to clients and to the industry.

Some of the things that I’ve already covered are really the benefits of the READI Suite. Not only is it efficient, it’s rapid triage for identification and key data points. So, it’s understanding what we have, and this is really coming into the information governance of understanding what is there before we consult on the next steps. We also want to be accurate. We want to make sure that we’re just targeting what we’ve learned in our rapid triage and identification so that we’re not over-collecting. At the same time, having compliance and maintaining privacy. There are many cases where individuals [and here I am particularly referencing the C-suite] don’t want personal information accessed. They may be part of other boards that have NDAs. You cannot look at that. We really need to target specific data on their computer systems and mobile devices and have the ability to separate personal and business information overall. Again, having a great chain of custody, being repeatable, good documentation for security, and being able to provide a sense of security to the individuals using this suite of services. This allows us to collaborate with legal, IT, and forensics teams, as we’re able to give them information.

As we’re able to say, “Hey, we’re into the Google Drive, here is the list of folders. What do we need to collect?” And we’re working with real-time data before we go on-site, before those next steps. Or even it’s giving them intelligence to make better business decisions and better next steps in the case decisions. So, it’s really important to work together as we run these services, to work as a team with the READI Suite team, as well as with legal, as well as with the local IT. So, just a breakdown. I’m sure there are questions. How are we getting in there? How can my organization use the READI Suite? And so, for the cloud services, we are adding more and more repositories, but these are just going to be the initial launch. I know Teams is in the works, and we’re working on the capabilities of what we’ll be able to extract from individual teams with credentials. These still are going to require credentials. So, we’re not breaking into the Dropbox or the Google Drive. We are still working on getting access. There will be some 2FAs possibly needed, but this does allow some sense of security with the custodian when you can talk them through and even do a screen share and say, “Hey, we’re only going to collect what you’re telling us to collect, and you can see what we’re selecting as it does get loaded directly to our data center.” So, it’s not going to a drive. It’s being targeted, collected, and being driven directly and securely to a data center, where it’s encrypted, it’s then processed, and then into review.

It is not a point-and-click system, but it is absolutely in collaboration with the custodian and with legal teams, so that we’re collecting exactly what we need. And if anyone has done a collection, or worked with a custodian that’s really, really nervous, they really want to understand everything. If you can show them and say, “Hey, this is the list of what we see, which ones can we collect?” they feel better that their privacy, security, and voice are being heard. That’s something that we really here at HaystackID saw with our clients, and we really had to work with them to make sure that we made individuals feel better about giving access to their personal Dropbox, where they may have their soccer photos, their wedding photos, their class reunions. And those are just personal memories. They don’t need to be in a server somewhere, stored for the next five years, while this case is being settled. So, we’re really taking everything into consideration with the tools that are developed and used in these cases. With our READI Network Service, as I mentioned before, there’s no need for physical equipment to be sent or a hard drive to be plugged in. And some of the things that we see when we send hard drives for network collections is that we would send a hard drive, and it may have some tools on there and some things for us to give file lists or our breakdowns on sizes. We had some selective tools. But what we found out is that with a lot of networks, when we plug a hard drive in, it would want to format that drive to make sure that it was encrypted. Although the drive was sent BitLocker-encrypted, it had to encrypt it itself, wiping out all of our tools. We would have to almost start over and find a different way to get our toolset onto that hard drive.

If we have to download on their network, we’re now doing downloads. We’re writing to the network with our tools and you’re really stepping all over the information. You’re stomping all over your clients’ network with your data. So, we looked at that as we found that more and more, we had to reformat on-site using that server, getting new BitLocker keys. And it’s just taking more time, and I think it caused a lot of frustration with clients who didn’t understand how that worked. The READI solution for networks was very exciting because we don’t need to send a hard drive. We don’t need to have that BitLocker encryption reformatted. We do not have to send a toolkit or access the network to download our tools. Once we have an agent installed, we’re then able to run reports. We are then able to collect selective information without stomping, leaving our footprints. It’s going to be a small footprint, but not as much as us downloading 60 megabytes of tools, reformatting drives, and plugging in our own hard drives. It does allow us the ability to grab logs, possibly grab selective data in folders, and really work with the network administrator on what we have access to. So, very exciting about the network services there. I think it’ll be a lot easier on examiners and professionals alike.

We get into Mac. Again, there are many problems when we’re trying to do full images. As you know, many of the tools aren’t even supporting M3 right now. And every time they come out with a new chipset, it becomes even more challenging to boot from a disk or a tool that may be out there. Many tools are booting from USBs. We’re trying to get full disk permissions and admin access. All these are considerations, and many times, we’ve just been looking for selected folders on a Mac, depending on the investigation. I’m not just going to say that at all times. And there are a lot of places and times where we need to get those images and get as much as possible. But in a lot of cases, we just really need that folder for eDiscovery and preservation. We really need just that user profile. So, having the ability to do those small extractions, getting some of those logs, is going to be, in certain cases, very beneficial and very quick, especially if it’s just one computer remotely and we just need to get selected files. That goes along for Windows, and Windows can be a little bit more robust regarding the type of logs that we get. Especially we want to know about USB store. We want to get the activity logs, user directories, registry analysis. And especially for cybersecurity, that’s going to be extremely important to do a first triage. Before we go and image everything and take anything offline, we may want to keep that device online. We need to quickly triage and make some good decisions.

I’ve gone through some of the use cases, and we’re going to break them down. We do have law enforcement in here. Not that we do a lot of law enforcement work, but just showing the benefits of the READI Suite, as well as these new tools that are being developed and how they can be used. And we’ll go through each one of them. For law enforcement, we’ll cover very quickly, just getting into where individuals are. And I don’t want to say bad individuals. Still, when they’re doing investigations, they need to get into these repositories, where people are storing nefarious information, or they may need to get access to run time-sensitive investigations. The tools that are being developed for the READI Suite would be very beneficial, as they do not have to collect everything. Then, anybody who’s worked in law enforcement knows that there is some delay. There is some processing time. Being able to target information and get the right information into the investigator’s hands fast is going to be very beneficial to them. If anybody really wants to dive into law enforcement, we can take that offline and we can ask questions. And we can do that at a later date.

For corporate security, especially if you’re doing employee misconduct, we want to get some time-sensitive logs. We want to make sure that we understand what the individual is doing. Getting those communication logs and getting some critical business information may be important, so time matters. We may not be able to take down the whole computer or take down that repository. So, this is the way for corporate security. They can use the READI Suite of Services, quickly triage, target some logs, and make the decision, such as if we need to confiscate this computer. Do we need to take down this part of the network? Do we need to collect right away because there may be a situation? So, this is for fast-moving cases where we definitely need these triage tools.

eDiscovery, especially when we start talking about Mac and Windows computers, when we’re just preserving project-based data, maybe we just need the documents that have all the critical information, PowerPoints, and financial information for an individual that we need to produce or preserve. We don’t need to get a full file system or a full image of a mobile device or even a computer. We really just need the target information to preserve the information that is there. If needed, we can quickly go in here with the READI Suite to collect either part of it or all of the computer. This way, we can know what repositories may be collected on those computers. And then, that could lead us down to ask better, intelligent questions. Say, “Hey, we looked at the logs in the computer. We see that you’re connected to a Google Drive and you have a OneDrive. We’re going to need the credentials. We are going to select these types of folders in this target, this type of data.” Again, making the custodian, making the individual feel better about what they’re giving up, and more likely and hopefully, give you those credentials and to work in a peaceful manner.

And we cover some of this with cybersecurity, and this is where I really wanted to cover executive investigations. I’ve seen it time and time again, where we come on-site and, “You can only take these contacts. You can only have this folder. How long is this going to take? You have one hour with my one-terabyte phone. And I have a two-terabyte computer, and it’s a Mac. And you have one hour to work with it.” A lot of the READI services really stemmed from a lot of these conversations that we had. And I’m sure if anyone has done any high profile case or dealing with a C-suite, it is very time-sensitive, especially on global companies. And there’s never a good time just to take their phone or their computer away when they’re on it most of the day. And taking a computer down for eight hours is just not a realistic approach in many of these cases. I have dealt with many individuals who were part of multiple boards, and they were part of multiple startups. We could not have access to that information. It would’ve broken a lot of the NDAs, and there was a lot of legal red tape there. So, coming up with the ability to talk to them, their legal team, and our clients, say, “Hey, we have the technology, the ability to go in, and we can show you. We can demonstrate that we’re only going to select this folder. We will target this information within this date range based on this intelligence because we’ve triaged the device. And we have our ducks in a row. We have facts that this is what we’re collecting, this is the reason why, and this is how we came to this conclusion.”

And we’ve already started implementing this, and we’re getting a lot of some really positive feedback. You can target that, and that’s all you’ll grab. And so, we have to stand by that. It has to have a chain of custody. It has to have documentation. It has to be repeatable. We’re checking every box to ensure privacy and security in one package, so the individual feels good about it. We’re only taking what we need, and we can move the case along a lot faster.

We’ve covered a lot of this. I talked about MEDAL. That was our initial launch of these types of services. Again, we met all those checkboxes really driven by our clients, and based on what we saw, we saw how the world had changed and how data was being used. We’re out of the office. We’re now remote. A lot of individuals are only coming back two days a week, so having the tools not only for our MEDAL Lab, which is on our mobile side that does triage, targeted collections, direct to Relativity, full-file system extraction for firmware messaging, which is important, and unlocking services. All that goes into: What does the client need, and when do they need it? So, having the ability to triage gives us the tools and intelligence to provide services and consulting and be able to execute what we need to do the first time. The expectation of what the client is expecting is met because we built it up through these different steps and provided them with information along that path.

I think we’ve pretty much covered why READI matters: to meet the toolsets and the expectations of our clients. And these are all being developed based on feedback from everybody here, based on the industry, based on what we see every day, and what all of you guys are seeing every day. And I know a lot of these struggles are not new to HaystackID; they’re new to everyone. And I think we’re all looking for solutions that are going to hit all those checkboxes that are both onsite and remote, that are cost-effective, and that have documentation. And security and privacy are taken seriously, and how you handle data and how you conduct set expectations for everybody. This is why it matters, and I’m looking forward to seeing this released and people taking advantage of HaystackID’s tools.

If you have any questions, please let me know. You can put them in the chat, or we can follow up. Here’s our information if you have any questions. I don’t see that we have any questions here at this time, so I’m just going to read our closing statements. And then, if you guys have questions, I can continue to stay on for a few moments. On behalf of HaystackID, I also want to thank everyone who took the time out of their busy schedules to attend today. We truly value your time and appreciate your interest in our educational series. Don’t miss our next webcast, October 29th, “Anatomy of a Business Email Compromise.” Our experts will guide you through the anatomy of a business email compromise and strategies that your organization can deploy to detect and prevent these types of attacks.

Check out our website, HaystackID.com, to learn more about and register for the upcoming webcast and explore our extensive library of on-demand webcasts. Once again, thank you all for attending today’s webcast, and we hope you have a great day.


About HaystackID®

HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.


Assisted by GAI and LLM technologies.

Source: HaystackID