Posted on: December 09, 2014in Blog
3 Methods of Forensic Imaging
Clients often ask for a forensic image of a laptop or server. Usually the “forensic” request is more about process rather than how and what ESI is captured. The client wants to ensure the process is defensible and documented.
This leads us to ask them if they want a physical, logical, or targeted image. The following will describe the differences between the three methods of imaging.
Having a plan before going into an internal investigation is crucial to it's success. Download this on-demand webinar for best practices and tips on how legal and IT departments can collaborate effectively during the investigation process.
Forensic Imaging Defined
Before I begin, I am going to provide my definition of imaging. Imaging is the process of copying an unaltered file or email to an image file. Think of an image file as a container file that provides a layer of protection to its contents. It is possible to store an individual file or the contents of an entire hard drive in one, or a set of image files. It is analogous to “zipping up” a set of files.
The benefit of using a forensic imaging application, like FTK Imager, is that it creates an audit file of what was collected in addition to a hash value of the image file. That hash value can be used to ensure the contents of the image file have not been altered.
It is also possible to conduct a sound process of copying files without storing the files in an image file. There are existing tools that allow an unaltered copy to be produced. In addition, these tools provide audit and log files describing what was copied.
One can then hash the files individually. Those hashes can then be stored along with the audit logs and used to prove (if necessary) that files have not been altered when they need to be produced or reviewed.
It is all about process, documentation, testing, knowing what you are doing and more importantly, what the software is doing to the file.
Types of Forensic Imaging:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive.
If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture.
Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.
If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to only preserve those documents.
This may be difficult to do if a custodian is not organized or the custodian has email in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
In conclusion, the term “forensic” may be more about process than what is being captured. Different scenarios call for different types of capture methodologies. Regardless, it is important to know what you are asking for because it can greatly affect the cost and outcome of a project.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted January 18, 2018
5 Expert Predictions for the eDiscovery Industry in 2018
Posted January 17, 2018
Get Your Passport to GDPR Success - LegalTech New York 2018
Posted January 11, 2018
Is Your Organization Vulnerable to a Cyber Attack? 3 Steps to Put Your Mind at Ease
Posted January 04, 2018
How the EU and China Plan to Deal with Multinational Data
Posted December 28, 2017
How to Navigate International Data Privacy Laws for eDiscovery
Posted December 21, 2017
Cross-Border eDiscovery: An Introduction to Cultural and Legal Obstacles
Posted December 14, 2017
Webinar Q&A Featuring Panelists from Special Counsel and Brainspace
Posted November 30, 2017
Help Your Employees Find the Information They Need with Machine Learning
Posted November 22, 2017
How to Use Managed and Prioritized Workflows to Reduce the Cost of Review [On-Demand Webinar]
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review