Forensic Disc Images

This technical note provides details on Forensic Disc Images including use case examples and processing requirements.

Overview

A forensic disc image is typically acquired when not only the files on the computer are relevant, but the details of deleted files, edit history and web browser history (to name a few) are as well. A disc image is a bit-by-bit copy of a full or partial disc and contains information about the source disc. The contents on disc are constantly changing with use, so a forensic disc image acts as a snapshot of the disc at a specific given time.

Forensic Collection vs Standard Copy Collection

Forensic disc images are favored over standard file copy methods in certain cases usually involving internal or criminal investigations. With a forensic image, every bit of data pertaining to the source disc is preserved. With a standard collection, only the most recently accessed files are obtained. Once a forensic image is created, it can be further analyzed to determine actions surrounding the particular event in question. Forensic disc images are defensible and are often used as evidence.

In most cases, other collection methodologies are acceptable and less expensive. These include 1) a non-forensics collection of all files from a computer, 2) a ‘directed collection’ of only certain files on a computer, based on file types, disc locations on a custodian’s computer, and/or keyword search terms, and 3) remote collection of cloud-based email or document repositories. For more information, see Remote ESI Collection

Processing a Forensic Disc Image

The main image file formats in use in discovery today are EnCase (E01 file extension) and raw image files such as dd files. These files are not readable without appropriate software.

To request preprocessing of a forensic disc image, remote collection services, or request additional information, please contact Lexbe’s Professional Services team at professionalservices@lexbe.com.