Posted on: December 09, 2014in Blog
3 Methods of Forensic Imaging
Clients often ask for a forensic image of a laptop or server. Usually the “forensic” request is more about process rather than how and what ESI is captured. The client wants to ensure the process is defensible and documented.
This leads us to ask them if they want a physical, logical, or targeted image. The following will describe the differences between the three methods of imaging.
Having a plan before going into an internal investigation is crucial to it's success. Download this on-demand webinar for best practices and tips on how legal and IT departments can collaborate effectively during the investigation process.
Forensic Imaging Defined
Before I begin, I am going to provide my definition of imaging. Imaging is the process of copying an unaltered file or email to an image file. Think of an image file as a container file that provides a layer of protection to its contents. It is possible to store an individual file or the contents of an entire hard drive in one, or a set of image files. It is analogous to “zipping up” a set of files.
The benefit of using a forensic imaging application, like FTK Imager, is that it creates an audit file of what was collected in addition to a hash value of the image file. That hash value can be used to ensure the contents of the image file have not been altered.
It is also possible to conduct a sound process of copying files without storing the files in an image file. There are existing tools that allow an unaltered copy to be produced. In addition, these tools provide audit and log files describing what was copied.
One can then hash the files individually. Those hashes can then be stored along with the audit logs and used to prove (if necessary) that files have not been altered when they need to be produced or reviewed.
It is all about process, documentation, testing, knowing what you are doing and more importantly, what the software is doing to the file.
Types of Forensic Imaging:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive.
If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture.
Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.
If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to only preserve those documents.
This may be difficult to do if a custodian is not organized or the custodian has email in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
In conclusion, the term “forensic” may be more about process than what is being captured. Different scenarios call for different types of capture methodologies. Regardless, it is important to know what you are asking for because it can greatly affect the cost and outcome of a project.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted October 19, 2018
Creating Strategic eDiscovery Workflows for Small Teams
Posted October 10, 2018
How to Reduce Your Threat of Cyber Attacks in Wake of China Hack Allegations
Posted September 26, 2018
X1 Insight and Collection & RelativityOne Integration: Testing and Proof of Concept
Posted September 19, 2018
D4 used Relativity to pinpoint a single Chinese character with hundreds of thousands of WeChat messages
Posted September 12, 2018
Why You Should Implement Pre-Review Analysis in Your ECA Workflow
Posted September 05, 2018
What is Data Mapping? ESI Basics for eDiscovery
Posted August 29, 2018
ILTACON 2018 Takeaways: 4 Ways to Get Your Lawyers to Use Advanced Technologies
Posted August 22, 2018
Basic eDiscovery Early Case Assessment Checklist
Posted August 15, 2018
Document Review Best Practices: 9 Steps to Prepare Your Workflow
Posted August 10, 2018
Data Reuse in eDiscovery: 4 Questions to Help Start Your Policy