Forensic Hard Disk Drive Imaging

To Protect Authenticity and Chain of Custody

For Discoverable Evidence

written by  S.E. Fowler

Damage to Evidence Resulting from Inadvertent Modification of Source Hard Disk Drive Data During an Imaging Process

Data image creation is a necessary first step when pursuing any investigation of evidence that may be found on a hard disk drive suspected to have been used for computer data storage and subject to litigation. Unintended alteration of this data during the imaging process can compromise their evidential value and expose you to questions and concerns which are roundly discredited when you can prove that no changes occurred. Unfortunately, even under circumstances controlled with apparent expertise, inadvertent changes can take place. Such an occurrence will obviate the one-time only opportunity to fix proof of non-alteration. Years of experience at MicroCom provides clients with peace of mind and ensures that all best practices known to the industry are skillfully and unerringly implemented and dangers to evidence are avoided.



When the evidence is disk drive data (or contents of any other computer memory storage device), a crucial first step in evidential acquisition is that all recorded information on the source drive is computer copied and stored in precisely the same sequence upon a similar drive or device that has been prepared so that it has been verified to contain no preexisting data. A common expression describing a drive thus prepared is "forensically wiped". The copy process is carried out so that the copied information is compared to the source to ensure exact duplication.

The imaging process itself is accomplished at MicroCom by means of a provable read-only procedure which precludes any changes being made to the original evidence. Hardware tools are implemented to integrate a printed audit trail within a process making it extremely difficult to produce falsified records. When imaging is completed the evidentiary device is retained in secure storage and never again disturbed until an authorized request is presented.


The Process of Imaging the Hard Drive Evidence

At the outset it is important to establish a proper method of documentation. An unbroken chain of actions must be carefully accounted for by the forensic examiner you select and recorded for every event taking place and for each action performed within the process. Its scope must range from the first moment your valuable source of evidence is delivered into the examiner's custody and be maintained until the case is officially closed. You should do the same beforehand while it is in your possession. If the suspect drive must be returned because it is not your property, of if for any other reason it is not permissible for the examiner to maintain secure custody of the source evidentiary disk a second image copy should be made so that you still have control of evidence which you can prove has not been altered.

Creation of a working copy image of all data on the source drive initiates the investigation. In this first step, all the information, all magnetic impressions, that is, all "ones and zeroes" in existence on the evidentiary data storage device are duplicated and stored in precisely the same sequence upon the forensically wiped hard disk drive. This drive will thereafter be known as the image device. The imaging is accomplished by means of a read-only procedure which precludes any changes being made to the original evidence.


How to Image Hardware or Software?

There is controversy among experts about whether procedures involving the use of particular operating systems or software tools may, unbeknownst to the forensic examiner, make minor alteration to the drive being imaged. It is therefore best to circumvent any and all possibility of change to the source evidence by being certain the imaging process is performed without use of any computer software interaction whatsoever. With your suspect drive MicroCom will image using hardware only equipment specifically designed for this purpose. Many law enforcement agencies, from local police departments to the FBI and the CIA rely on precisely the same type of equipment, equipment manufactured by one of only a tiny handful of companies who have created and made available this special function product.

Correct performance of the imaging process requires an exhaustive knowledge of the storage device technologies being addressed and an expert understanding of how data structures are recorded by such storage devices. A competent purveyor of computer forensic services and support must be qualified to bring all of these elements to bear simultaneously on authenticating what becomes the very foundation of a successful discovery undertaking. Without this foundation an irreproachable basis for any and all evidence found may not be established.

Protect Your Evidence — Image Right!

Computer forensics experts agree, authentication of computer data as evidence is an important topic. It's been observed that no matter how much digital signing, hashing, association of time stamps, documentation or whatever other pronouncement of authenticity is brought forth in a court case, opposition counsel will fervently contend that the imaging and discovery process, and of course, the evidence resulting from it, is sloppy, incompetent, or without mitigation blatantly fabricated to frame the defendant.  The order of the day is clear:  take the hard drive (the computer's source of evidence), make a forensic copy, then lock it away in a safe place!


   Copyright © 2014 MicroCom Digital Discovery.   All Rights Reserved.