"the creation of a true forensic hard drive image is a highly detailed process."
During the collection and preservation of digital evidence, it is important to remember the first rule taught to new computer forensic students: Do not modify the original media in any way if at all possible. New students are taught procedures to follow to help protect the integrity of the evidence.
Creating a forensic image of a digital storage devices is an industry standard for collection and preservation. A forensic image, which is also referred to as a “mirror image,” is a sector-by-sector copy of the original media. A forensic image will contain all data, including deleted files and the unallocated space of the original media. The original media will often be connected to some sort of hardware write-block device as a measure to prevent data from being written back to the original media.
Once an image has been created, it is good practice to make a backup copy of the image in case the original image fails at a later date. This is especially true if the original media is placed back into service.
During the imaging process, a mathematical algorithm is calculated and stored for future reference. These are referred to as “hash values” and typically the MD5 or SHA1 algorithms are used for this purpose. Hash values are used to verify the integrity of the forensic image at a later date to ensure nothing has altered the image.
Not all cases warrant the need of a forensic image. In some cases, it is appropriate to collect targeted data, such as specific user files from a server. While the user may have less 2 gigabytes of data in a “home” folder, there is no need to create a forensic image of the entire 12 terabytes of network storage. Even if the collection is limited to specific files, the process will still need to involve the proper preservation of that data for integrity purposes.
Depending on your matter, we can provide proper consulting on the following issues surrounding the identification, collection, and preservation of electronic data:
- Proper documentation and chain of custody
- On-site and remote data collections
- Proper collection of cell phone and mobile device collection
- Collecting data in cross-border situations