Metadata transfer files concern

Hello , I have a dilemma…

client is working off a laptop that is running out of storage space. Her other MacBooks were seized as part of an investigation.

Her employer, sent her a “Preservation Letter,” mandating that she not destroy or delete anything, including emails and draft documents.

She wants to continue using this MacBook and wants to purge some of the unwanted files, but we have advised her that she can’t destroy them, and instead, must move them to an external hard-drive.

How do we do this without losing any metadata? I’m particularly concerned about “author, created, and modified” info.

Is there a forensically sound way to move these files to a drive?

If your client received a preservation letter, and is continuing to use the laptop, my first suggestion would be to stop all activity on the laptop as soon as possible (including moving anything off the device) and to have a forensic image of the laptop acquired.

After that, your firm can advise if it is appropriate for your client to continue to use the laptop, or if she should switch to a different device temporarily while the investigation is ongoing.

I agree with Arman. First thing to do is acquire a forensic image of the computer to create a point-in-time preserved copy of everything.

Afterwards, in terms of moving files to an external hard drive to free up space, make sure your external drive is formatted with the same filesystem as your Mac (either APFS or HFS+). Unlike in Windows, Mac filesystem metadata is generally preserved when you drag-and-drop files to another volume of the same file system. It would be best practice to maintain the same folder structure as best you can.

Finally, documentation is extremely useful, so if you do move data, create a record of what you have done and why so that you can refer to it later in the event it is needed.

1 Like

Thank you!Thank you!

1 Like