FAQ: What is a Valid Forensic Image, aka Mirror?
The first step in a forensic investigation, and in some e-discovery responses, is to obtain a copy of the hard drive(s) and other storage devices that may hold the data you are looking for or that is responsive to discovery requests. But Windows' traditional "Copy and Paste" is not a forensically valid way to get that copy, for two reasons.
First of all, simply starting the computer alters what is stored on it: the operating system writes logs, temporary files and registry entries every time it boots. The copy process itself alters the evidence further. Opening folders and copying files updates last-accessed timestamps on the original, and the copies receive new creation dates, so nobody can later show that what you have is what was on the disk…and there goes your chain of custody. Furthermore, Windows keeps all sorts of little "pockets" of information that the typical user can't see but that may contain valuable evidence: files that were deleted but not yet overwritten, unallocated space, the slack space at the end of each file, alternate data streams, and locked system files such as the registry hives and the page file. "Copy and Paste" only gathers the files the operating system chooses to show you; it doesn't gather any of these little "goodies."
A valid forensic image, or just image, is an exact, bit-for-bit copy of the entire storage device, sector by sector, including the unallocated and slack space where all the little goodies live. The forensic software that creates such images reads the raw device directly instead of going through the operating system's file system, so it reaches every location where the operating system hides data. As it reads, it computes a cryptographic hash (MD5 and SHA-1 have been the traditional choices; SHA-256 is preferable today) of the source, then hashes the finished image and confirms the two values match. That recorded hash is what starts and assures the chain of custody: anyone who later re-hashes the image can prove it has not changed. From that point on, the analysis is done on the image, again with software that re-verifies the hash and so assures chain of custody.
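To make the hashing step concrete, here is an added example. It is an illustration written for this FAQ, not the author's tool and not the output of any commercial forensic suite, and it uses only the Python standard library. The "device" is a constructed file of four 512-byte sectors standing in for a raw disk such as /dev/sdb (assumed name); the sector contents are made up. It shows the three things the paragraph describes: reading the whole device block by block rather than file by file, hashing the source as it is read and the image after it is written, and proving that any later change to the image breaks the verification.

```python
import hashlib
import os
import tempfile

SECTOR = 512
BLOCK_SIZE = 1024 * 1024  # read in 1 MiB chunks, the same idea as dd bs=1M


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Read the source block by block straight from the raw device file and
    write every byte to the image. The SHA-256 is computed over the bytes
    *as they were read*, so it records what the source looked like at
    acquisition time. Returns (acquisition_sha256, bytes_copied)."""
    h = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return h.hexdigest(), copied


def sha256_of(path, block_size=BLOCK_SIZE):
    """Independent re-hash of a file; used to verify the image after writing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, acquisition_hash):
    """True only if the image on disk still hashes to the acquisition value."""
    return sha256_of(image_path) == acquisition_hash


def acquisition_record(source_path, image_path):
    """Image the source, hash the result, and return the facts an examiner
    writes into the chain-of-custody log, plus whether the two hashes agree."""
    acq_hash, size = acquire_image(source_path, image_path)
    img_hash = sha256_of(image_path)
    return {
        "source": source_path,
        "image": image_path,
        "size_bytes": size,
        "acquisition_sha256": acq_hash,
        "image_sha256": img_hash,
        "verified": acq_hash == img_hash,
    }


def tamper_one_byte(path, offset):
    """Invert every bit of one byte so the file is guaranteed to differ."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0xFF]))


def demo():
    """Constructed stand-in for a raw device: four 512-byte sectors. The third
    sector holds a 'deleted' remnant that belongs to no file any more; a
    file-level copy would never pick it up, a sector-level image does."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_disk.raw")  # plays the part of /dev/sdb
    image = os.path.join(workdir, "suspect_disk.dd")
    sectors = [
        b"BOOT".ljust(SECTOR, b"\x00"),
        b"live file: quarterly_report.docx".ljust(SECTOR, b"\x00"),
        b"unallocated: remnants of deleted memo.txt".ljust(SECTOR, b"\x00"),
        b"".ljust(SECTOR, b"\x00"),
    ]
    with open(source, "wb") as f:
        f.write(b"".join(sectors))

    record = acquisition_record(source, image)
    # The "deleted" remnant is in the image because every sector was copied.
    with open(image, "rb") as f:
        remnant_present = b"deleted memo.txt" in f.read()

    tamper_one_byte(image, 3 * SECTOR + 7)  # any later change breaks verification
    still_valid = verify_image(image, record["acquisition_sha256"])
    return record, remnant_present, still_valid


if __name__ == "__main__":
    rec, remnant, valid = demo()
    print(rec)
    print("remnant of deleted file present in image:", remnant)
    print("image still verifies after tampering:", valid)
```

In practice the source would be opened read-only behind a hardware write blocker and the hash values would go into the acquisition log alongside the examiner's name, the date and time, and the drive's make, model and serial number; the code above only shows the part that the "mathematical procedure" actually does.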
An image is sometimes called a "mirror," but I urge clients to avoid that term because it has two different connotations. To an IT department, a "mirror" usually means a RAID-1 mirrored drive: a second disk that the system keeps continuously updated, so it changes right along with the original and preserves nothing at a point in time. That is not a forensic image. The confusion has caused at least 2 clients unnecessary time and expense with prior consultants.
Who should make a valid forensic image? You need a trained forensic specialist with the proper hardware and software tools to make an image. Special hardware, a write blocker placed between the evidence drive and the examiner's machine, is needed to keep the operating system from making any changes to the original data, thereby preserving the original evidence. Forensic software is needed to bypass the operating system (to get the goodies) and to compute and record the hashes that assure chain of custody. It is human nature to ask the IT department to come in and take a look. No one wants to make false accusations. But that "looking around" can destroy the very evidence that you are seeking. One attorney who has retained me several times says to his clients, "Shut down and get Johnette in there!"
How long does it take? The time required to make an image depends on the size of the device and on how fast the drive and the write blocker can deliver the data. But generally speaking, it requires hours, not days or weeks. Fortunately, there is newer technology that allows us to make images of servers while they are in use, thereby disrupting business as little as possible. One caveat: a "live" image captures a running system whose contents keep changing during the copy, so it is a snapshot of a moving target rather than the static bit-for-bit image you get from a powered-down drive. It is still hashed and documented, and the time window of the acquisition is recorded, but that difference should be noted up front.
In another post I'll talk about the objections opposing counsel are likely to make and how you can address them. If you have had experiences with making or using images, please post a comment on your experiences. There is always more to learn.