Making a forensic image of digital evidence is the best way to preserve data that might be needed for current or potential legal proceedings. The most common target of this process is a hard drive, but there are many other forms of digital storage. The first and perhaps most important rule of evidence handling is preservation. Digital evidence can be fragile. Most people don’t realize just how easy it is to change digital evidence, and the data that is most easily (and often inadvertently) changed may turn out to be the most important.
So, what exactly is a forensic image? It’s a way of capturing all of the contents of a digital storage device. This includes both the logical file structure (files and folders) and all the associated metadata for that logical structure (metadata is a topic for another blog post). A forensic image also includes the file slack space and the unallocated space (also topics for another post). This is where all sorts of interesting things might be found that can include deleted files, file fragments, and more. Not all cases involve the analysis of the digital contents beyond the logical structure. However, if you don’t capture everything from the start, it may be lost, and you won’t have a chance should it become important later.
The nuts and bolts of creating a forensic image start with write-blocking technology. Using either specialized hardware or software, an analyst can connect to and read the contents of a storage device while ensuring that nothing, including last access dates, gets changed on the original device.
There are a number of acceptable software tools as well as output formats for a forensic image. The two most common are the DD (raw) and .E01 (EnCase) formats. These are functionally equivalent. The key is that both are locked down, read-only, exact versions of everything on the original evidence item. Once the forensic image copy has been made, it can be shared among as many other investigators/analysts as needed. There is no need to go back to the original evidence item. All copies are verifiable and can be certified as being true and correct copies of the evidence (hash values are a topic for yet another upcoming blog post).
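The write-block, image, hash and verify workflow described in the two paragraphs above, as an added shell example that is not part of the original post. A constructed random-byte file stands in for the evidence drive so the script runs offline; the function names, the 4 KiB block size and the log format are assumptions of this example, not anything the post prescribes. On a real case the source would be the device node presented by the hardware write blocker (for example /dev/sdb), acquire_image would be run exactly once, and every analyst would then work from a copy checked with verify_copy.

```shell
#!/bin/sh
# Added example, not from the original post. Acquire a raw (dd-style) image of a
# source device and verify it with SHA-256 hashes. Function names, log format
# and block size are this example's own assumptions.
set -eu

# Build a constructed 1 MiB random-byte file that stands in for an evidence
# drive so the example runs offline. On a real case the source is the device
# node the write blocker presents (e.g. /dev/sdb) and this step does not exist.
make_sample_evidence() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

# Acquire: copy every block of the source into the image, then hash both.
# conv=noerror,sync keeps dd going past unreadable blocks and pads them with
# zeros, so every offset in the image still lines up with the original device.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "source: $src"
        echo "image: $img"
        echo "acquired_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256_source: $src_hash"
        echo "sha256_image: $img_hash"
    } > "$log"
    # Non-zero exit means the image does not match what was read: a failed
    # acquisition that must be investigated, not handed to an analyst.
    [ "$src_hash" = "$img_hash" ]
}

# Verify any later working copy against the hash recorded at acquisition time.
# Returns 0 when the copy is bit-for-bit identical to the image, 1 otherwise.
verify_copy() {
    copy="$1"; log="$2"
    expected=$(sed -n 's/^sha256_image: *//p' "$log")
    actual=$(sha256sum "$copy" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Stand-alone demonstration on the constructed sample.
demo() {
    work=$(mktemp -d)
    make_sample_evidence "$work/evidence.bin"
    acquire_image "$work/evidence.bin" "$work/evidence.dd" "$work/evidence.log"
    cp "$work/evidence.dd" "$work/analyst_copy.dd"
    verify_copy "$work/analyst_copy.dd" "$work/evidence.log" && echo "analyst copy verified"
    cat "$work/evidence.log"
    rm -rf "$work"
}

demo
```

Two points worth noting about the design. The hash of the image, not of the source, is what gets recorded and checked later, because on a drive with failing sectors two full reads of the original may not return identical bytes; conv=noerror,sync is what lets the acquisition complete at all in that situation. And verify_copy deliberately refuses a copy that differs by even one byte, which is exactly the property that lets a copy be certified as true and correct without returning to the original item.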
Does a forensic image capture EVERYTHING? Not quite. While the process I described is the gold standard for handling evidence in civil and criminal cases, there are a couple of exceptions that I have run into over the years. First, all modern hard drives contain what is called SMART data. This is mostly hardware diagnostics and health information. This can include data such as how many times the hard drive has been powered on. Obscure information certainly, but it (and the other SMART data) might be important depending on the case.
Another item that comes to mind is specific to USB devices like hard drives and thumb drives. These devices contain a (mostly) unique ID that you can think of as a serial number (but different from the actual serial number that may be visible on the device). No forensic imaging process captures this information, and it is not changeable. The only way I know of to obtain this information is to attach the original USB device to an analysis computer and use software to specifically read this data either directly from the device or from the Windows registry where this information gets stored.
What is this unique ID good for? In most cases it is possible (at least on a Windows machine) to determine if a particular USB device has been attached. I have seen cases where an analysis of a Windows computer has led to a user being ordered to produce all storage devices they used on it. Once the items were turned over, along with a sworn declaration, analysis showed the user did a bait-and-switch, either completely omitting some items or providing a similar make and model device. In addition to the user’s other problems, they introduced perjury into the mix.
The forensic imaging process is the single most important part of a digital forensic analysis. If it is not done correctly, the digital evidence isn’t really evidence at all, because it cannot be shown to be accurate and would likely not stand up in court. More about mishandling of evidence in a future post.