The case against the go-bag
By Jeff Rutherford
Originally published in the May 2026 issue of Magnet Unlocked.
Key takeaways
- Remote collection is how modern investigations get done. What once took days of travel and processing can now deliver results the same day, fundamentally changing expectations for speed and responsiveness.
- Over-collection isn’t just inefficient — it can create real legal risk. Targeted, well-scoped collection is a more defensible approach, ensuring investigators gather only what’s relevant and authorized.
- For most corporate and incident response use cases, on-site collection leads to slower outcomes, not better evidence. With the right tooling, remote workflows now offer the visibility, control, and reliability teams need at scale.
I spent years in law enforcement, and the calculus was simple: if the device mattered, you put your hands on it. You bagged it, tagged it, transported it, and processed it in a lab you controlled. There was something almost reassuring about that physical chain of custody, a tactile confidence that ran from scene to courtroom. The idea of collecting from a machine I couldn’t see, in a building I hadn’t walked through, on a network I didn’t own? That was somebody else’s problem.
That was then.
I spend a lot of my time talking to the people on the front lines and I can tell you that the ground has shifted. Remote collection isn’t a compromise anymore. For a large and growing part of this industry, it’s the default.
Why jet fuel is a line item
Forensic service providers are the ones who feel this most acutely. Historically, when the call comes in, here's what happens: someone packs a bag, books a flight, flies to wherever the endpoints are, performs the collection on-site, packs the media, flies home, and begins processing. At each of those steps there's latency, cost, and human exhaustion baked in.
And it is days before a customer sees results.
I've spoken to practitioners who have made that exact trip, and they'll tell you the same thing: the travel isn't the worst part. The worst part is knowing that the threat actor has been dwelling in the environment the entire time you were in the air.
Now contrast that with what's possible when you can drop a lightweight agent on the endpoint remotely: the workflow compresses dramatically. I've heard from practitioners who've gone from a multi-day engagement to having processed data available for review the same day the call came in.
Same. Day.
That isn't a rounding error; that's a fundamentally different product you're delivering.
The over-collection problem nobody talks about enough
Here’s where I want to get specific about something that doesn’t get enough airtime in these conversations: scoping.
The old remote collection paradigm, even when it worked, was blunt. You'd pick a category (web history, user directory, or app data, say), hit collect, and let it run. The tools grabbed everything that matched the category definition, and you ended up with a collection that was technically complete and practically overbroad.
In eDiscovery contexts, overbroad isn't just messy; it's potentially sanctionable. If you're engaged in corporate litigation and your authorization is scoped to a specific custodian's email correspondence related to a particular contract period, collecting the entire user profile isn't just inefficient. It may exceed your legal authority. Over-collection can expose you, your client, and your engagement to serious legal risk.
This is why Endpoint Explorer, the targeted browsing and pre-collection feature in Magnet Nexus, is more than a convenience feature. It's a capability that changes the legal profile of a collection. You're not pulling an entire directory and sorting it out later. You're navigating the remote file structure as if it were your own machine, identifying the specific files or directories that are responsive to your scope, and collecting precisely those artifacts. Nothing more.
For practitioners who’ve spent time in civil litigation or internal investigations, that granularity is table stakes. For those coming from a law enforcement background, where the goal was often to take the entire device and sort it in the lab, it represents a real shift in how you approach the job.
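To make the scoping argument concrete, here is an added example (not Endpoint Explorer, Magnet Nexus, or any Magnet code) of what "collect precisely those artifacts, nothing more" looks like when it is enforced in software rather than by examiner discipline. A collection request carries an authorization scope: a custodian, the directories the authorization covers, the filename patterns that are responsive, and a modification-date window. Every requested path is checked against that scope before anything is read; out-of-scope requests are refused and logged with a reason, and each collected file gets a manifest entry with its SHA-256 hash and collection time for the audit trail. The custodian name, directory layout, filenames and dates are constructed sample data, and the `Scope`, `in_scope` and `collect` names are this example's own.

```python
"""Scoped collection with an audit manifest.

Added example, not Magnet Nexus / Endpoint Explorer code. A request is only
honoured when it falls inside the authorised custodian roots, matches a
responsive filename pattern, and sits within the authorised date window.
Everything else is refused and recorded, never silently collected.
"""
import fnmatch
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Scope:
    custodian: str        # whose data the authorisation covers
    roots: list           # directories the authorisation covers
    patterns: list        # filename globs considered responsive
    not_before: datetime  # only files modified within this window are responsive
    not_after: datetime


@dataclass
class CollectionResult:
    collected: list = field(default_factory=list)  # manifest entries (audit trail)
    refused: list = field(default_factory=list)    # out-of-scope requests and why


def sha256_file(path: str) -> str:
    """Hash the file in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def in_scope(path: str, scope: Scope) -> tuple:
    """Return (ok, reason); the reason is what goes into the refusal log."""
    real = os.path.realpath(path)  # resolve symlinks before comparing to roots
    if not any(real.startswith(os.path.realpath(r) + os.sep) for r in scope.roots):
        return False, "outside authorised roots"
    if not any(fnmatch.fnmatch(os.path.basename(real), p) for p in scope.patterns):
        return False, "filename not responsive to scope"
    mtime = datetime.fromtimestamp(os.path.getmtime(real), tz=timezone.utc)
    if not (scope.not_before <= mtime <= scope.not_after):
        return False, "modified outside authorised date window"
    return True, "ok"


def collect(requested: list, scope: Scope) -> CollectionResult:
    """Collect only the requested files that satisfy the scope; refuse the rest."""
    result = CollectionResult()
    for path in requested:
        ok, reason = in_scope(path, scope)
        if not ok:
            result.refused.append({"path": path, "reason": reason})
            continue
        result.collected.append({
            "custodian": scope.custodian,
            "path": os.path.realpath(path),
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return result


def demo() -> CollectionResult:
    """Build a constructed sample tree and run a scoped collection over it."""
    base = tempfile.mkdtemp(prefix="scoped_")
    jdoe_mail = os.path.join(base, "users", "jdoe", "mail")
    asmith_mail = os.path.join(base, "users", "asmith", "mail")
    os.makedirs(jdoe_mail)
    os.makedirs(asmith_mail)
    # Constructed sample files: (content, last-modified date).
    files = {
        os.path.join(jdoe_mail, "contract-2024-03.eml"): ("in scope", "2024-03-10"),
        os.path.join(jdoe_mail, "contract-2022-01.eml"): ("too old", "2022-01-05"),
        os.path.join(jdoe_mail, "family-photo.jpg"): ("not responsive", "2024-03-10"),
        os.path.join(asmith_mail, "contract-2024-03.eml"): ("wrong custodian", "2024-03-10"),
    }
    for path, (content, day) in files.items():
        with open(path, "w") as f:
            f.write(content)
        ts = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))
    # Authorisation: custodian jdoe, .eml only, calendar year 2024.
    scope = Scope(
        custodian="jdoe",
        roots=[os.path.join(base, "users", "jdoe")],
        patterns=["*.eml"],
        not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
        not_after=datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
    )
    # The examiner asks for everything; the scope decides what is actually taken.
    return collect(list(files), scope)


if __name__ == "__main__":
    r = demo()
    print(json.dumps({"collected": r.collected, "refused": r.refused}, indent=2))
```

Run as a script, it collects exactly one file (the custodian's 2024 contract email) and refuses the other three, each with a distinct reason: wrong custodian, non-responsive filename, and outside the date window. The refusal log is as important as the manifest: it is what lets you show later that the broader request was made and declined by policy, rather than that nothing broader was ever asked for.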
The physical reflex
In law enforcement, physical possession of the device is foundational. You need to be able to testify that you controlled that evidence from the moment of seizure. Remote collection, in that context, introduces variables that a defense attorney can exploit. I understand that reflex.
But the corporate world operates under different constraints and different mandates. The endpoint you need to examine may be on another continent. The organization may have a hundred endpoints that need to be triaged simultaneously. Physical collection, in that environment, is not just slow; it's often not possible. The question isn't whether to do remote collection; it's whether to do it well or badly.
Doing it well means having tooling that gives you genuine pre-collection visibility, targeted scope control, auditability, and the ability to share collected data securely across a distributed team. Those things exist now. The gap between what you can do remotely and what you could only do on-site has narrowed to the point where, for most corporate and incident response use cases, the on-site model isn't providing meaningfully better evidence; it's just providing slower evidence.
The practical upshot
If you’re a service provider and you haven’t evaluated whether your current workflow requires a plane ticket, that evaluation is overdue. The tooling has matured.
If you’re a corporate investigator or in-house examiner, the scoping argument alone should be compelling. Remote collection with proper scope control is a more defensible practice than broad on-site collection that exceeds your authorization. That’s not a technology argument; that’s a legal one.
And if you’re still planning your collections around the assumption that you’ll need physical access, my honest advice is to keep that skill sharp, because you’ll still need it. But build the remote collection capability alongside it. The cases that demand it are already in your queue.