Posted on: December 09, 2014in Blog
3 Methods of Forensic Imaging
Clients often ask for a forensic image of a laptop or server. Usually the “forensic” request is more about process rather than how and what ESI is captured. The client wants to ensure the process is defensible and documented.
This leads us to ask them if they want a physical, logical, or targeted image. The following will describe the differences between the three methods of imaging.
When dealing with an internal investigation process, it's critical your legal and IT departments collaborate effectively. For best practices and steps that can be taken to improve communication between the teams, sign up for the webinar on Feb 15th!
Forensic Imaging Defined
Before I begin, I am going to provide my definition of imaging. Imaging is the process of copying an unaltered file or email to an image file. Think of an image file as a container file that provides a layer of protection to its contents. It is possible to store an individual file or the contents of an entire hard drive in one, or a set of image files. It is analogous to “zipping up” a set of files.
The benefit of using a forensic imaging application, like FTK Imager, is that it creates an audit file of what was collected in addition to a hash value of the image file. That hash value can be used to ensure the contents of the image file have not been altered.
It is also possible to conduct a sound process of copying files without storing the files in an image file. There are existing tools that allow an unaltered copy to be produced. In addition, these tools provide audit and log files describing what was copied.
One can then hash the files individually. Those hashes can then be stored along with the audit logs and used to prove (if necessary) that files have not been altered when they need to be produced or reviewed.
It is all about process, documentation, testing, knowing what you are doing and more importantly, what the software is doing to the file.
Types of Forensic Imaging:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive.
If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture.
Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.
If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to only preserve those documents.
This may be difficult to do if a custodian is not organized or the custodian has email in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
In conclusion, the term “forensic” may be more about process than what is being captured. Different scenarios call for different types of capture methodologies. Regardless, it is important to know what you are asking for because it can greatly affect the cost and outcome of a project.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted February 23, 2017
Women in eDiscovery Atlanta | New Data Technology Trends
Posted February 23, 2017
Corporate Internal Investigations Best Practices
Posted February 13, 2017
4 Key Internal Roles Involved with Conducting Corporate Investigations
Posted February 09, 2017
Corporate Internal Investigations: A Legal & IT Love Story [Webinar]
Posted February 09, 2017
Intellectual Property Theft: How to Ensure a Defensible Investigation
Posted February 02, 2017
Could the Amazon Echo be a New Source of ESI?
Posted January 26, 2017
Information Governance Policies: The Fundamental Building Block to eDiscovery
Posted January 25, 2017
4 Urban Legends about Analytics and e-Discovery
Posted January 19, 2017
Legal Hold Triggers: When Should You Document Your Reasonable Anticipation of Litigation?
Posted January 12, 2017
5 New Year's Resolutions from an Experienced eDiscovery Team