Posted on: December 09, 2014in Blog
3 Methods of Forensic Imaging
Clients often ask for a forensic image of a laptop or server. Usually the “forensic” request is more about process rather than how and what ESI is captured. The client wants to ensure the process is defensible and documented.
This leads us to ask them if they want a physical, logical, or targeted image. The following will describe the differences between the three methods of imaging.
Having a plan before going into an internal investigation is crucial to it's success. Download this on-demand webinar for best practices and tips on how legal and IT departments can collaborate effectively during the investigation process.
Forensic Imaging Defined
Before I begin, I am going to provide my definition of imaging. Imaging is the process of copying an unaltered file or email to an image file. Think of an image file as a container file that provides a layer of protection to its contents. It is possible to store an individual file or the contents of an entire hard drive in one, or a set of image files. It is analogous to “zipping up” a set of files.
The benefit of using a forensic imaging application, like FTK Imager, is that it creates an audit file of what was collected in addition to a hash value of the image file. That hash value can be used to ensure the contents of the image file have not been altered.
It is also possible to conduct a sound process of copying files without storing the files in an image file. There are existing tools that allow an unaltered copy to be produced. In addition, these tools provide audit and log files describing what was copied.
One can then hash the files individually. Those hashes can then be stored along with the audit logs and used to prove (if necessary) that files have not been altered when they need to be produced or reviewed.
It is all about process, documentation, testing, knowing what you are doing and more importantly, what the software is doing to the file.
Types of Forensic Imaging:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive.
If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture.
Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.
If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to only preserve those documents.
This may be difficult to do if a custodian is not organized or the custodian has email in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
In conclusion, the term “forensic” may be more about process than what is being captured. Different scenarios call for different types of capture methodologies. Regardless, it is important to know what you are asking for because it can greatly affect the cost and outcome of a project.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted May 17, 2017
How to Comply with 21 CFR and HIPAA Data Retention Requirements
Posted May 11, 2017
4 Key Advantages of Conducting Remote Depositions
Posted May 03, 2017
eDiscovery in International Dispute Resolution: What Experts Want You to Know
Posted April 27, 2017
China Expands Data Transfer Requirements for its Cybersecurity Law
Posted April 26, 2017
How to Use Office 365 Advanced eDiscovery to Prioritize Your Review
Posted April 21, 2017
American Bar Association Section of International Law | 2017 Spring Meeting in Washington DC
Posted April 19, 2017
Office 365 Enterprise E5: 6 Features That Could Benefit Your Business
Posted April 12, 2017
Data Reuse in eDiscovery: 4 Questions to Help Start Your Policy
Posted April 05, 2017
ESI Data Mapping Basics for eDiscovery
Posted March 30, 2017
China’s Cybersecurity Law: Objectives, Compliance and Business Recommendations