Diforex: Forensic Imaging your media bearers, a secure way for analysis

Forensic Imaging

The most important basic element in forensic computer science is to secure the digital evidence. This can be done in several ways. The most important basic element in forensic computer science is to secure the digital evidence. This can be done in several ways. The safest is to dismantel a hard disk from the computer or laptop and make a forensic copy of it. This proces is known as forensic imaging. While doing this we ensure that writing or adjusting data on the media bearer is prevented by hanging a write-blocker in between.

A hash (both md5 and sha1) is then taken from the complete forensic copy to preserve the data integrity. This ensures that the burden of proof can not be manipulated. Which is very importent for court if needed. The analysis of the data itself is done on the forensic copy. Even this forensic copy is protected against reading and writing. So the original hardware should not be touched anymore.

Other possibilities

In certain circumstances (a server can not switch off for business economic reasons, a hard disk with errors, etc.) it is possible to work directly on the source data bearer, with a write-blocker in between. This is still a correct forensic approach, but can result in damage to the original bearer. This is particularly the case with disc-sensitive processes such as carving and indexing.

Benefits

The benefits include the following:

• Prevents writing or adjusting data on the media bearer on which a forensic investigation is carried out;
• Ensures that the evidence will be copied completely and unmodified, including errors on the bearer;
• Ensures that the evidence is not modified nor adjusted in any way;
• Ensures that the evidence is not damaged nor overwritten;
• Allows to perform the actual analysis on this copy instead of on the original carrier.