Clients often ask for a forensic image of a laptop or server. Usually the “forensic” request is more about process rather than how and what ESI is captured. The client wants to ensure the process is defensible and documented.
This leads us to ask them if they want a physical, logical, or targeted image. The following will describe the differences between the three methods of imaging.
Forensic Imaging Defined
Before I begin, I am going to provide my definition of imaging. Imaging is the process of copying an unaltered file or email to an image file. Think of an image file as a container file that provides a layer of protection to its contents. It is possible to store an individual file or the contents of an entire hard drive in one, or a set of image files. It is analogous to “zipping up” a set of files.
The benefit of using a forensic imaging application, like FTK Imager, is that it creates an audit file of what was collected in addition to a hash value of the image file. That hash value can be used to ensure the contents of the image file have not been altered.
It is also possible to conduct a sound process of copying files without storing the files in an image file. There are existing tools that allow an unaltered copy to be produced. In addition, these tools provide audit and log files describing what was copied.
One can then hash the files individually. Those hashes can then be stored along with the audit logs and used to prove (if necessary) that files have not been altered when they need to be produced or reviewed.
It is all about process, documentation, testing, knowing what you are doing and more importantly, what the software is doing to the file.
Types of Forensic Imaging:
A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive.
If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture.
Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.
If a specific set of files or documents are being requested it may be possible to selectively copy only those items from a storage medium to an image file. This is what we call a targeted collection. If only one folder residing on a network share has responsive documents it may be prudent or necessary to only preserve those documents.
This may be difficult to do if a custodian is not organized or the custodian has email in eight different PSTs and none are in separate folders. With current technology it is also possible to run search terms or other filters across a set of data and only capture those files that match the criteria. Targeted collections can greatly reduce the volume of data collected and subsequently reduce costs at all stages of the discovery process.
In conclusion, the term “forensic” may be more about process than what is being captured. Different scenarios call for different types of capture methodologies. Regardless, it is important to know what you are asking for because it can greatly affect the cost and outcome of a project.
Attract & Retain Top Talent
With a rapidly changing industry, it's vital to offer the right compensation and set the right expectation. With our Salary Guide, get detailed job descriptions, industry insights and local salary data to equip your managers with hiring confidence and expertise.Get your copy »