A forensic image refers to a copy of unmodified electronic data. The image file can be a copy of a single file or an entire hard drive.
Forensic imaging, the process of getting a forensic image, is the first step in any digital forensic investigation. If not done right, the evidence may be deemed inadmissible. That is why choosing an expert third party to create a forensic image is critical. The professional ensures that proper procedures and protocols are followed and avoids evidence tampering or destruction.
Other interesting terms…
- What is Unallocated Space?
- What is a File Attribute?
Read More about “Forensic Image”
You can compare forensic imaging to obtaining physical evidence (e.g., a suspect’s fingerprints, the murder weapon, etc.) from a crime scene, the only difference being proof of the crime comes from a suspect’s digital devices (e.g., personal computer [PC], digital camera, etc.)
How Do You Collect a Forensic Image?
Several forensic imaging techniques exist, which we’ll discuss in greater detail below.
1. Copying and Pasting
This method is the easiest to do. Anyone can do it, as it’s no different from copying a file from your mobile phone and pasting it into a folder on your computer. In forensics investigations, law enforcers can copy all the contents of a suspect’s computer using the Ctrl + A (select all) and Ctrl + C (copy) commands. They can then paste the contents into a connected flash drive using the Ctrl + P (paste) command. Note, though, that the standard copy-and-paste process only duplicates visible files. Hidden files (i.e., supporting data to open the files and master boot records [MBRs]) can’t be copied. If that happens, there’s a chance that investigators may not be able to open the copied files.
2. Disk Cloning
Disk cloning, which creates a copy of the original drive, including all the information to open the duplicate or cloned drive (i.e., supporting data and MBRs), is better than copying and pasting since it treats all files as if they were the original. The process creates what we call a “one-to-one copy.” The duplicate can replace and work just like the original drive.
3. Disk Imaging
Disk imaging is similar to disk cloning, except that the duplicate hard drive serves as a backup or an archive. Even if the process copies all the data, including supporting data and MBRs, the forensic image is a single file that users can store in any storage device (e.g., an external hard drive, tapes, etc.). As such, the duplicate is not necessarily identical to the copied hard drive. Accessing the image’s content requires using a software imaging program. You don’t create a one-to-one copy because a backup device can store multiple image files.
What Are the Types of Forensic Images?
There are also three kinds of forensic images—physical, logical, and targeted. Take a look at their definitions below.
Getting a physical image of a hard drive is the best kind of forensic image, as you get all of the data on the drive. Apart from files, it also captures deleted space on the drive even if it has been recently formatted, deleted files, and file fragments. It helps in cases where suspects are believed to have deleted or tampered with evidence. As such, metadata (information about a file that users don’t usually see) is an essential factor.
A logical image of a hard drive obtains all active data. You can’t see deleted files, space, and file fragments. It works best for cases that only require the information a drive contains.
There are times when you know exactly what files or documents you need for your case. Selected documents can be copied to an image file to create a targeted collection. Using targeted forensic images decreases costs and labor since a much smaller dataset requires gathering and analysis.
What Do Tools for Forensic Image Gathering Do?
Various readily available software programs are used to get forensic images. Most courts accept forensic images as evidence. Such solutions can do the following:
- Find, decrypt, collect, and preserve forensic images from various devices while ensuring evidence integrity
- Allow seamless integration into most investigation workflows
- Clone data across several drives
- Let users preview data and assess potential evidence on a machine
- Make forensic images of the data, duplicating everything and disallowing modification of the original
Forensic images are a must when gathering evidence for any kind of case aided by technological tools. You learned what they are, how they are gathered, and what their kinds are here. You also learned about some popular forensic imaging software.