Forensic Data Collection: What Attorneys Need to Know About Preserving Computers, Cell Phones, Microsoft 365 Email, Teams, and OneDrive

  • Writer: Lance Sloves
  • Feb 20
  • 11 min read

By Lance Sloves, CCE | Computer Forensic Services, Inc. | Dallas, Texas

When a case hinges on digital evidence — and increasingly, most cases do — the first and most critical step isn’t analysis. It’s collection. A forensic examination is only as good as the data behind it, and if that data isn’t collected properly, preserved defensibly, and documented thoroughly, even the most compelling findings can be challenged or excluded.

At CFSI, we perform forensic data collections across five primary categories of digital evidence: computers, cell phones, Microsoft 365 email, Microsoft Teams, and OneDrive cloud storage. Each one involves a different process, different tools, and different considerations. This blog post walks attorneys through what’s actually involved in each type of collection, why it matters for your case, and what you should be thinking about when you issue that preservation letter.

Why Forensic Collection Matters

Before we get into the specifics, it’s worth addressing a question we hear regularly from attorneys who are new to digital evidence: “Why can’t we just have the custodian copy their files onto a thumb drive?”

The short answer is that a custodian-collected copy is not a forensic collection. It doesn’t preserve metadata — the timestamps, access logs, and system artifacts that tell you when a file was created, modified, accessed, copied, or deleted. It doesn’t capture deleted data that may still be recoverable. It doesn’t produce a verifiable hash value that proves the data hasn’t been altered. And it doesn’t create a defensible chain of custody that will hold up under a Daubert challenge or a motion to suppress.

A forensic collection, by contrast, creates an exact, bit-for-bit image or a verified export of the source data, documents the process with detailed notes and hash verification, and preserves everything — including the artifacts that most people don’t even know exist. Those artifacts are often where the most important evidence lives.

Computer Forensic Collections

Computer collections — whether we’re talking about a Windows desktop, a Windows laptop, or a Mac — typically involve creating a forensic image of the entire storage drive. This is a bit-for-bit copy of every sector on the drive, including allocated files, unallocated space (where deleted files may still reside), system artifacts, registry hives, browser history databases, and application logs.

We perform computer collections using a forensic hardware imaging device combined with write-blocking technology. The forensic imager is a dedicated hardware unit purpose-built for creating forensic images — it connects directly to the source drive, creates the bit-for-bit copy, and generates verification hashes, all without requiring a separate workstation. The integrated write-blocking capability ensures that data flows in one direction only — from the source to the destination — preventing any writes back to the original drive. This ensures the source evidence is never modified during the collection process.

Once the image is created, we generate MD5 and SHA-1 hash values for both the source drive and the forensic image. These hash values serve as digital fingerprints. If the hashes match, we can prove mathematically that the image is an exact duplicate of the original. This verification is documented in our collection report and forms the foundation of the chain of custody.
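The verification step above can be illustrated in a few lines of code. The example below is added here for readers and is not CFSI's tooling: it streams a "source drive" and a "forensic image" through MD5 and SHA-1 in one pass (hardware imagers do the same thing at the device level), records both digest pairs the way a collection report would, and shows that a single flipped byte in the image is enough to break verification. The drive contents, file names and the altered byte offset are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read one mebibyte at a time so very large images stream


def _digest(blocks):
    """Feed an iterable of byte blocks through MD5 and SHA-1 and return both hex digests."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for block in blocks:
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data):
    """Digest an in-memory byte string (handy for spot checks)."""
    return _digest([data])


def hash_file(path):
    """Read a file exactly once, in chunks, and return (md5_hex, sha1_hex)."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(CHUNK_SIZE), b""))


def verify_image(source_path, image_path):
    """Hash source and image independently and report whether both digest pairs match.

    The returned dictionary is the kind of record a collection report preserves:
    the two fingerprints for each side plus the verification outcome.
    """
    src_md5, src_sha1 = hash_file(source_path)
    img_md5, img_sha1 = hash_file(image_path)
    return {
        "source": {"md5": src_md5, "sha1": src_sha1},
        "image": {"md5": img_md5, "sha1": img_sha1},
        "verified": (src_md5, src_sha1) == (img_md5, img_sha1),
    }


def run_demo():
    """Constructed scenario: a 1 MiB 'drive', a faithful image and an image with one altered byte.

    Returns the verification records for the good image and for the altered one.
    """
    drive = bytes(range(256)) * 4096  # 1 MiB of deterministic, constructed content
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source-drive.bin")   # constructed file names
        good_image = os.path.join(tmp, "image-good.dd")
        altered_image = os.path.join(tmp, "image-altered.dd")

        with open(source, "wb") as fh:
            fh.write(drive)
        with open(good_image, "wb") as fh:
            fh.write(drive)          # bit-for-bit copy

        altered = bytearray(drive)
        altered[512_000] ^= 0x01     # flip one bit at an arbitrary, constructed offset
        with open(altered_image, "wb") as fh:
            fh.write(altered)

        return verify_image(source, good_image), verify_image(source, altered_image)


if __name__ == "__main__":
    good, bad = run_demo()
    print("faithful image verified:", good["verified"])
    print("altered image verified: ", bad["verified"])
```

Two points worth noticing in the output: the faithful image yields identical MD5 and SHA-1 values on both sides, while the altered image fails on both algorithms even though only one bit changed. That is why the hash pair recorded at collection time is re-computed whenever the image is handed off or loaded for analysis.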

For cases involving active employees or litigation holds where we need to collect without taking the computer offline, we can also perform live collections — imaging the drive while the system is running. Live collections capture volatile data like running processes, network connections, and RAM contents that would be lost if the machine were powered down. This approach is particularly valuable in data exfiltration and trade secret cases where we need to see what was happening on the machine at the moment of collection.

A computer forensic image captures artifacts that a simple file copy does not, including:

  • Windows Registry data showing USB device connection history, software installations, and user activity;
  • browser history and cached web content from Chrome, Edge, Firefox, and Safari;
  • deleted files and file fragments in unallocated disk space;
  • LNK files (Windows shortcuts) that record every file a user has opened and from where;
  • Jump Lists showing recently accessed files by application;
  • Prefetch files that record every program ever executed on the machine;
  • NTFS journal and log files that track file system changes;
  • email client databases for Outlook and other local email applications; and
  • cloud sync logs for OneDrive, Dropbox, Google Drive, and other services.

Each of these artifact categories can be critical depending on the nature of the case.

Cell Phone Forensic Collections

Mobile device collections are an entirely different discipline. Unlike computers, where we’re typically imaging a hard drive or SSD through a standard interface, cell phones require specialized tools and techniques that vary by manufacturer, model, operating system version, and even security configuration.

At CFSI, we perform mobile device collections using Cellebrite Premium and VeraKey — the most advanced mobile forensic extraction platforms available. Cellebrite Premium provides capabilities beyond the standard UFED, including the ability to unlock and extract data from locked devices and access the most current iOS and Android operating systems. VeraKey is Cellebrite’s consent-based extraction solution, designed for situations where the device owner is cooperating and provides their passcode — it performs a full file system extraction quickly and defensibly, producing a comprehensive image of the device. Depending on the device and its security settings, we may obtain different levels of extraction.

A logical extraction captures user-accessible data — contacts, call logs, text messages, photos, videos, and app data. This is the most basic level of collection and is available on virtually all devices.

A file system extraction goes deeper, capturing the entire file system structure including application databases, system logs, and cached data that isn’t visible to the user. This is the level we strive for in most cases because it provides access to the KnowledgeC, Biome, and other system databases that contain detailed usage and activity records.

A full file system or physical extraction captures everything — including deleted data, unallocated space, and the raw contents of the device’s flash storage. This is the most comprehensive extraction available and provides the greatest opportunity for recovering deleted evidence.

The level of extraction we can achieve depends on several factors: the device model, the iOS or Android version, whether the device is locked or unlocked, and the device’s security configuration. This is one of the reasons we always emphasize to attorneys that device preservation is time-sensitive. Operating system updates can change what’s extractable, and continued use of the device overwrites recoverable data.

Once the extraction is complete, we verify the data using hash values and export the results into our analysis platforms — Magnet Axiom, Cellebrite Physical Analyzer, Oxygen Forensic Detective, and iLEAPP — for processing and examination.

For cases involving multiple devices or company-issued phones, we can perform collections on-site at the client’s office, at our lab in Dallas, or by coordinating a secure shipment of the devices to our facility.

Microsoft 365 Email Collections

Collecting email from Microsoft 365 (formerly Office 365) is one of the most common requests we receive, particularly in employment disputes, trade secret cases, and internal investigations. Unlike collections from a local computer or phone, M365 collections are performed remotely through Microsoft’s administrative tools and APIs.

There are several approaches to M365 email collection, and the right one depends on the scope of the case, the volume of data, and the level of access available.

At CFSI, our primary tool for Microsoft 365 email collection is Forensic Email Collector (FEC) by Metaspike. FEC is a purpose-built forensic tool that connects directly to Microsoft 365 mailboxes and performs a forensically sound collection of email data. Unlike manual PST exports or IT-driven collections, FEC preserves the complete email structure — including folder hierarchy, metadata, headers, attachments, calendar items, and contacts — while generating hash values and detailed collection logs that document every step of the process. FEC also captures the Recoverable Items folder, which retains messages that the user has deleted — even after they’ve emptied their Deleted Items folder. This is critical in cases where a custodian may have attempted to destroy evidence.

For cases requiring broader search capabilities or where we need to place custodians on hold, we also work within Microsoft Purview (formerly the Microsoft 365 Compliance Center). Purview allows us to place custodian mailboxes on Litigation Hold — which prevents the user or any automated retention policies from deleting email — and perform targeted Content Searches using date ranges, keywords, senders, recipients, and other criteria.

What makes M365 email collection particularly important is what it captures beyond the messages themselves. Every email in Microsoft 365 carries detailed header information that records the complete routing path from sender to recipient, including timestamps at each relay point, originating IP addresses, and authentication results. In cases involving spoofed emails, phishing, or disputed communications, these headers can be the difference between proving and disproving a claim.
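To show what "reading the headers" looks like in practice, here is an added example (not part of the original post and not a CFSI tool) that parses a constructed message with Python's standard `email` module. It walks the `Received` chain in transmission order, pulls out the relaying hosts, the bracketed IP addresses and the timestamp each relay stamped, and reads the SPF/DKIM/DMARC verdicts from the `Authentication-Results` header. The hostnames, IP addresses and verdicts in `SAMPLE_MESSAGE` are invented to resemble a spoofed invoice message; nothing in it is a real captured email.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture): two relay hops plus an
# Authentication-Results header of the kind Microsoft 365 stamps on inbound mail.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
 by outbound.example.com with ESMTP; Mon, 03 Feb 2025 14:02:11 +0000
Received: from sender-host.example.net ([198.51.100.7])
 by mail.example.net with ESMTPSA; Mon, 03 Feb 2025 14:02:05 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=vendor.example; dkim=none; dmarc=fail action=quarantine
From: "Accounts Payable" <ap@vendor.example>
To: cfo@example.com
Date: Mon, 03 Feb 2025 14:02:00 +0000
Subject: Updated wire instructions

Please use the attached banking details for this month's payment.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    """Collapse RFC 5322 folding whitespace (newline + indent) into single spaces."""
    return " ".join(str(value).split())


def received_chain(msg):
    """Return the relay hops oldest-first.

    Each mail server prepends its own Received header, so the header order in the
    message is newest-first; reversing it gives the path the message actually took.
    """
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        value = _unfold(raw)
        from_m = re.search(r"\bfrom\s+(\S+)", value)
        by_m = re.search(r"\bby\s+(\S+)", value)
        ip_m = IP_RE.search(value)
        stamp = value.rsplit(";", 1)[-1].strip()  # the timestamp follows the last ';'
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": parsedate_to_datetime(stamp),
        })
    return hops


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for raw in msg.get_all("Authentication-Results") or []:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _unfold(raw)):
            verdicts.setdefault(method, result)
    return verdicts


def summarize_routing(raw_message):
    """Parse a raw message and return the routing facts an examiner reports."""
    msg = message_from_string(raw_message)
    hops = received_chain(msg)
    auth = auth_results(msg)
    transit = (hops[-1]["time"] - hops[0]["time"]).total_seconds() if len(hops) > 1 else 0.0
    # Anything other than a pass (or an absent check) is worth calling out in a report.
    flags = [f"{m}={r}" for m, r in auth.items() if r.lower() not in ("pass", "none")]
    return {
        "from_header": msg["From"],
        "originating_ip": hops[0]["from_ip"] if hops else None,
        "hops": hops,
        "transit_seconds": transit,
        "auth": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    summary = summarize_routing(SAMPLE_MESSAGE)
    for i, hop in enumerate(summary["hops"], 1):
        print(f"hop {i}: {hop['from_host']} [{hop['from_ip']}] -> {hop['by']} at {hop['time']:%H:%M:%S}")
    print("authentication:", summary["auth"], "flags:", summary["flags"])
```

Run against the sample, the script reports the originating IP as 198.51.100.7, a six-second transit across two relays, and SPF and DMARC failures, which is exactly the combination that separates a message genuinely sent from the claimed domain from one that merely claims it in the `From:` line.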

Additionally, Microsoft 365 maintains a Recoverable Items folder for each mailbox that retains deleted messages for a configurable retention period — even after the user has emptied their Deleted Items folder. If a custodian has attempted to destroy evidence by deleting emails, we can often recover those messages from the Recoverable Items folder or from the Purges subfolder within it.

We also collect Unified Audit Logs from the M365 tenant when they are available and relevant. These logs record user activity across the entire M365 ecosystem — who logged in, when, from what IP address, what files they accessed, what emails they read or sent, and what administrative changes were made. In data exfiltration cases, the audit logs are often where we find the evidence of unauthorized access or bulk data downloads.
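The bulk-download pattern mentioned above is something an examiner typically confirms by querying the audit log rather than reading it line by line. The following added example (written for this post, not taken from the original or from CFSI) runs a simple sliding-window detection over constructed records shaped like the `AuditData` JSON of a Unified Audit Log export: for each user it finds the busiest one-hour window of `FileDownloaded` events and flags users whose window meets a threshold. The field names (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `ObjectId`, `Workload`) are the ones the Office 365 Management Activity schema uses; every value in the sample lines is invented, and the five-download threshold is an illustrative assumption.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one AuditData JSON document per line.
# Field names follow the Office 365 Management Activity schema; all values are invented.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2025-02-03T09:15:02","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"203.0.113.5","ObjectId":"https://files.example.com/sites/Finance/Q4-Budget.xlsx","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:09:40","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"198.51.100.23","Workload":"AzureActiveDirectory"}',
    '{"CreationTime":"2025-02-03T02:10:04","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/CustomerList.xlsx","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:11:30","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/Pricing-2025.xlsx","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:12:51","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/Contracts.zip","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:14:07","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/Territory-Plan.docx","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:16:22","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/personal/bob/Prospects.xlsx","Workload":"OneDrive"}',
    '{"CreationTime":"2025-02-03T02:18:45","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/Commission-Report.pdf","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T02:19:10","Operation":"FileAccessed","UserId":"bob@example.com","ClientIP":"198.51.100.23","ObjectId":"https://files.example.com/sites/Sales/Pipeline.pptx","Workload":"SharePoint"}',
    '{"CreationTime":"2025-02-03T16:40:00","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"203.0.113.5","ObjectId":"https://files.example.com/personal/alice/Expense-Policy.pdf","Workload":"OneDrive"}',
]


def parse_audit_lines(lines):
    """Parse one JSON record per line and attach a datetime (UAL times are UTC, no suffix)."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    return records


def download_bursts(records, threshold=5, window_minutes=60):
    """Flag users with at least `threshold` FileDownloaded events in any window of `window_minutes`.

    For each user the events are sorted and scanned with a sliding window; the densest
    window is reported so the finding carries the first/last time, IPs and files involved.
    """
    per_user = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "FileDownloaded":
            per_user[rec["UserId"]].append(rec)

    window_seconds = window_minutes * 60
    findings = []
    for user, events in per_user.items():
        events.sort(key=lambda r: r["_ts"])
        best_start, best_len, start = 0, 0, 0
        for end in range(len(events)):
            while (events[end]["_ts"] - events[start]["_ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best_len:
                best_start, best_len = start, end - start + 1
        if best_len >= threshold:
            burst = events[best_start:best_start + best_len]
            findings.append({
                "user": user,
                "downloads": best_len,
                "first": burst[0]["CreationTime"],
                "last": burst[-1]["CreationTime"],
                "client_ips": sorted({r["ClientIP"] for r in burst}),
                "files": [r["ObjectId"] for r in burst],
            })
    return findings


if __name__ == "__main__":
    for finding in download_bursts(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(f"{finding['user']}: {finding['downloads']} downloads between "
              f"{finding['first']} and {finding['last']} from {', '.join(finding['client_ips'])}")
```

On the sample data only `bob@example.com` is flagged (six downloads in nine minutes from a single IP); `alice@example.com`, with two downloads hours apart, is not. The same loop scales to a full export, and the `first`/`last` timestamps give you the window to cross-reference against the custodian's computer image and OneDrive sync logs.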

The key consideration for attorneys is timing. Microsoft 365 audit logs have a default retention period that varies by license level — in many cases as short as 90 days for standard licenses. If you suspect that M365 data will be relevant to a case, we strongly recommend engaging a forensic examiner to initiate preservation and collection as early as possible.

OneDrive, SharePoint, and Teams Chat Collections

OneDrive, SharePoint, and Microsoft Teams are all part of the Microsoft 365 ecosystem, and we collect data from all three through Microsoft Purview. While each platform serves a different purpose — OneDrive for personal cloud storage, SharePoint for shared document libraries, and Teams for messaging and collaboration — Purview’s eDiscovery tools allow us to search and export data across all three from a single interface.

OneDrive for Business is a cloud storage platform that syncs files between a user’s local computer and Microsoft’s cloud servers. When a user saves a file to their OneDrive folder on their laptop, it automatically syncs to the cloud. When they delete a file from the cloud, the deletion syncs back to the laptop. This bidirectional sync creates forensic artifacts on both the local machine and in the cloud — and collecting from both sources provides the most complete picture.

On the cloud side, we download OneDrive and SharePoint contents through Microsoft Purview’s Content Search and eDiscovery tools, which allow us to target specific custodian accounts and capture all files, folders, and their associated metadata — including file creation dates, modification dates, sharing permissions, and version history.

Microsoft Teams chat collections are increasingly critical in litigation and internal investigations. Teams has replaced email as the primary communication channel in many organizations, and the conversations that happen in Teams channels and direct messages often contain the most candid and revealing communications in a case. Through Purview, we can search and export Teams chat messages — including one-on-one chats, group chats, and channel conversations — along with shared files, images, reactions, and timestamps. Teams chat data is exported with full metadata preservation, including sender, recipient, timestamps, and message threading, providing a complete record of who said what, when, and to whom.

On the local computer side — and this is where OneDrive collections become particularly powerful in data exfiltration cases — the OneDrive sync engine maintains detailed logs that record every sync operation. These logs document which files were synced, when they were synced, the direction of the sync (upload vs. download), and the sync status. When an employee copies company files from a shared OneDrive or SharePoint site to their personal OneDrive or to a local folder, the sync logs can capture that activity even after the files themselves have been deleted.

We have handled multiple cases where an employee was accused of stealing company data, and the OneDrive sync logs on their company laptop provided a complete record of every file they downloaded, when they downloaded it, and where they saved it — even though the employee had subsequently deleted the files and emptied the Recycle Bin. The sync logs survived because most users don’t know they exist.

For attorneys handling trade secret or data exfiltration cases, OneDrive collections should always include both the cloud-side export through M365 eDiscovery and the local-side forensic image of the custodian’s computer. The cloud export tells you what’s currently stored. The local forensic image — combined with sync log analysis — tells you what was accessed, copied, moved, and deleted.

Additionally, OneDrive maintains a Version History for files, which means that even if a custodian has modified a document to remove incriminating content, earlier versions of that document may still be recoverable through the version history. And OneDrive’s Recycle Bin retains deleted files for up to 93 days, providing another recovery opportunity for recently deleted evidence.

Coordinating a Multi-Source Collection

In many of the cases we handle, the relevant evidence doesn’t live in just one place. A departing employee’s data exfiltration might involve files downloaded from OneDrive to their laptop, sensitive discussions in Teams chats, documents emailed to a personal Gmail account through M365, and then accessed on their personal cell phone. A distracted driving case might involve the driver’s iPhone, their iCloud account, and the vehicle’s infotainment system. A fraud investigation might span multiple computers, email accounts, and cloud storage platforms.

When we perform multi-source collections, we coordinate the timing and sequencing of each collection to ensure consistency and minimize the risk of data loss. Ideally, all sources are collected as close together in time as possible to provide a consistent snapshot of the evidence landscape.

We document each collection with a detailed forensic collection report that includes the identification of each evidence source, the collection method and tools used, the date, time, and duration of the collection, hash verification values for all collected data, the chain of custody from collection through delivery to our lab, and any anomalies or issues encountered during the collection process. This documentation is critical for establishing the admissibility of the evidence and for defending the collection methodology if challenged by opposing counsel.

What Attorneys Should Do Now

If you’re handling a case where digital evidence may be relevant — and in today’s world, that’s nearly every case — here are the steps we recommend.

Issue a preservation letter immediately. Notify the opposing party and any relevant custodians of their obligation to preserve digital evidence, including computers, cell phones, email accounts, Teams chats, and cloud storage. Be specific about the data sources you want preserved.

Engage a forensic examiner early. The sooner we can assess the evidence landscape and begin collections, the more data we’ll be able to preserve. Delayed collections mean lost data — deleted files get overwritten, audit logs expire, and devices get updated or replaced.

Don’t let IT handle forensic collections. Your client’s IT department may be well-intentioned, but they are not forensic examiners. IT collections typically don’t use write-blocking hardware, don’t generate hash verification, don’t preserve deleted data, and don’t create the chain of custody documentation needed for court. A forensic collection performed by a certified examiner is the standard that courts expect.

Think beyond the obvious. The most important evidence is often in the places people don’t think to look — sync logs, system databases, audit trails, browser caches, and metadata. A forensic examiner knows where to look. Make sure they know what questions you’re trying to answer so they can focus their collection and analysis accordingly.

Preserve the chain of custody. From the moment evidence is identified through its presentation in court, every transfer, access, and handling event should be documented. We maintain detailed chain of custody records for every piece of evidence we collect and can testify to the integrity of our process if called upon.

Computer Forensic Services, Inc. (CFSI) is a veteran-owned digital forensics firm headquartered in Dallas, Texas, serving the legal community since 2002. We provide forensic data collection, analysis, and expert witness testimony for computers, cell phones, Microsoft 365 email, Teams, OneDrive, SharePoint, and cloud storage platforms. For consultations, visit cfsiusa.com or call 214-306-6470.

This blog post was AI-assisted in its drafting and is based on the forensic collection methodology and casework of Lance Sloves, CCE.
