A forensic image, sometimes referred to as a mirror image or hard drive clone, is a fundamental aspect of data preservation and digital forensics. Forensic imaging creates an exact bit-for-bit copy of the source hard drive, SSD, USB or other media, together with a unique digital fingerprint that is used to certify the copy's authenticity. This process is critical when digital evidence will be offered as evidence in litigation.
When a computer is identified as potentially containing electronic evidence, it is imperative to follow a strict set of procedures to ensure an admissible extraction of any potential evidence residing within. The first thing to remember is the “golden rule of electronic evidence” – if within reason, the original media should never be altered or modified in any way. Thus, before any data analysis occurs, it usually makes sense to create an exact, bit-for-bit copy of the original storage media. This process is more commonly known as forensic imaging. A forensic image is also sometimes referred to as a bit stream image, hard drive image, mirror image, disk clone or ghost image. However, in the technology world, mirror imaging, ghost imaging, or disk cloning are each specific backup methods and do not always generate a true forensic image.
How is a forensic image generated?
The generation of a forensic image is a highly detailed process. Most industry standard forensic imaging tools will identify the date of imaging, the examiner who conducted the imaging and generate a hash value, which is used to verify the image is true and accurate. Some tools go into further detail and provide sector counts, serial number information and more. Institutions and organizations like the Department of Justice (DOJ) offer guidelines and suggested protocols for hard drive imaging.
Generally, forensic imaging tools read the source media sector by sector, bit by bit, and make an exact copy of the data. Upon completion, this copy becomes the forensic image. There is no “one correct way” to generate a valid forensic image. Some tools may read the source media starting at the first sector, while others may start at the end. Some tools can compress the forensic image to take up less space while maintaining its authenticity. Other tools can encrypt the data so you need a password to review the forensic image.
Once imaging is completed, any industry standard tool will generate a digital fingerprint of the acquired media, otherwise known as a hash value. A hash generation process involves examining all the 0s and 1s that exist across the source media. Altering a single 0 to a 1 will cause the resulting hash value to be different. Both the original media and the forensic image are analyzed to generate a hash value. If the original media and forensic image hash values match exactly, the authenticity of the forensic image is validated.
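The acquire-then-verify cycle described above, as an added illustration that is not code from the original article or from any named imaging tool: the source is read sector by sector into an image file while a hash is computed, both sides are then re-hashed independently and compared, and a single flipped bit in the image is shown to break the match. The 512-byte sector size, SHA-256 and the 64-sector "drive" are constructed assumptions for the demo.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed logical sector size for the constructed sample media


def image_and_hash(src_path, img_path, sector_size=SECTOR_SIZE):
    """Copy the source sector by sector into the image, hashing the bytes
    as they are read (as an imaging tool does during acquisition)."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for sector in iter(lambda: src.read(sector_size), b""):
            h.update(sector)
            img.write(sector)
    return h.hexdigest()


def hash_file(path, sector_size=SECTOR_SIZE):
    """Independently re-read a file from the start and hash it in full."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src_path, img_path):
    """Authenticity check: the source and the image must hash identically."""
    return hash_file(src_path) == hash_file(img_path)


def flip_one_bit(path, offset):
    """Invert the lowest bit of the byte at `offset` (simulated alteration)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def demo():
    """Returns (verified_after_imaging, verified_after_one_bit_change)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:          # constructed 64-sector "drive"
            f.write(os.urandom(64 * SECTOR_SIZE))
        acquisition_hash = image_and_hash(src, img)
        ok_before = verify_image(src, img) and acquisition_hash == hash_file(img)
        flip_one_bit(img, 10 * SECTOR_SIZE)  # alter a single bit in sector 10
        return ok_before, verify_image(src, img)
```

The acquisition hash is compared against a fresh re-read of the image so that a write error during copying would surface at verification time rather than being masked by hashing the read side alone.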
After a valid forensic image has been generated, the original media can confidently be considered “preserved” and forensic analysis can commence. Alternatively, after the preservation copy is created, the original media can be reviewed knowing that it has been properly preserved.
As you hire a digital forensics expert, know that there is a wide variety of tools and hardware available to generate a valid forensic image. What is more important than the specific tool used is that your expert has the proper qualifications and that the source device’s integrity is maintained. Maintaining the integrity of the source device can be as simple as starting a chain of custody document, or may be more complicated depending on the exact situation.
While it may seem plausible to utilize internal IT personnel to generate a forensic image, keep in mind the possible consequences. It is not uncommon to hear accusations of sabotage or spoliation by an internal staff member, whether intentional or not, leading to inadmissible evidence. Hiring a third-party digital forensic expert will ensure defensible handling of evidence, will establish a chain of custody and is a proactive step toward preventing accusations of tampering or spoliation.
Furthermore, amended Federal Rule of Evidence 902, which went into effect on December 1, 2017, creates a mechanism to authenticate digital evidence by means of a certification by a qualified person instead of by live testimony. By hiring a third-party forensic expert to create the forensic image and provide the certification of authenticity, neither your IT personnel nor your forensic provider will need to testify as to the authenticity of the forensic image.
Gary Hunt is a Senior Digital Forensic Examiner for QDiscovery. Gary holds the Certified Computer Examiner (CCE) certification, is an active member of the International Society of Forensic Computer Examiners (ISFCE) and High Technology Crime Investigation Association (HTCIA) organizations and is one of QDiscovery’s testifying experts. Prior to joining QDiscovery, Gary managed the Midwest presence for TransPerfect Legal Solutions’ Forensic Technology and Consulting division. His diverse background in technology, forensics and eDiscovery provides a unique perspective to many challenges faced in the eDiscovery industry.