The very first step is making a forensic image of the evidence. This image is a perfect bit-for-bit copy of the source drive, often called bit stream imaging or simply hard drive imaging.
This process goes far beyond a standard backup. Unlike a typical copy, which grabs only active files like documents, pictures, emails, and essential system files, a forensic image captures everything on the drive:
- Active files
- Deleted files
- System files that aren’t obvious but can hold valuable artifacts
- Unallocated areas (which often hide remnants of deleted data)
Why it’s not the same as a backup
When an IT professional copies a computer, they’re usually grabbing just what’s live and visible. That’s not sufficient for an investigation.
A proper forensic image also involves a write block device.
- This ensures nothing is written back to the original evidence drive during imaging.
- It prevents altering critical data points like timestamps, which are essential for building an accurate timeline of user activity.
So why might we ever start with a backup?
Good question. Sometimes, a backup is simply what’s immediately available, like a nightly backup or a copy made during a recent tech support session.
Grabbing a backup lets us do a low-profile, non-alerting check to see if there’s “smoke” before pulling the plug for a full forensic image.
- No need to yank the computer for an after-hours “black bag” job.
- No need to concoct a reason for the employee to bring it in for a suspicious “upgrade.”
- It keeps the investigation discreet until there’s actual evidence to justify taking stronger action.
If our initial look into the backup suggests wrongdoing, that’s when we’d move forward with creating a proper forensic image.
The importance of hashing, or why a backup isn’t good enough for court
Another huge reason a standard backup isn’t suitable for litigation:
No hash value.
When we make a forensic image, we also create a hash value (think: a digital fingerprint) using an algorithm like MD5 or SHA1.
- This alphanumeric string uniquely represents the contents of the image.
- It allows us, and any other forensic expert, to prove that the image is an exact match to the original evidence.
In litigation, it’s common for opposing experts to receive a copy of the image. Hash values ensure everyone can verify they’re working from identical evidence, which builds trust and can lead to faster resolution.
Hashing isn’t just for entire drives either. We can also hash specific files to verify they haven’t changed.
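To show how the verification above works in practice, here is an added example (not code from the original post or from Swailes Computer Forensics) that streams a drive image or a single file through MD5, SHA1 and SHA-256 in one pass, then compares the digests of the original evidence against its image. The drive contents, file names and the single-bit change are all constructed for illustration.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-terabyte image must never be loaded whole


def hash_stream(path, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests of a drive image (or one file) in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image):
    """Acquisition check: the image is accepted only if every digest matches the source."""
    return hash_stream(source) == hash_stream(image)


def _plant(buf, offset, data):
    """Write constructed sample content into the fake drive at a fixed offset."""
    buf[offset:offset + len(data)] = data


def demo():
    """Constructed scenario: evidence drive, its bit-for-bit image, and a copy with one altered bit."""
    with TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        drive = bytearray(3 * CHUNK)  # 3 MiB of zeros stands in for the raw drive
        _plant(drive, 10, b"ACTIVE.DOC quarterly plan")  # a live file's contents
        _plant(drive, 2 * CHUNK + 100, b"client-list.xlsx remnant")  # leftover in unallocated space
        evidence = tmp / "evidence.dd"
        evidence.write_bytes(drive)
        image = tmp / "evidence-image.dd"  # imaged behind a write blocker: byte-identical
        image.write_bytes(drive)
        altered = bytearray(drive)
        altered[500] ^= 0x01  # one flipped bit, e.g. a timestamp touched by an ordinary copy
        backup = tmp / "backup.dd"
        backup.write_bytes(altered)
        return {
            "image_verified": verify_image(evidence, image),
            "backup_verified": verify_image(evidence, backup),
            "evidence_sha256": hash_stream(evidence)["sha256"],
        }
```

The same `hash_stream` call applied to an individual file gives the per-file fingerprint mentioned above; recording all three digests at acquisition time lets a later reviewer verify with whichever algorithm their tooling supports.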
What about other types of devices?
What we’ve discussed here mostly applies to standard computers, meaning desktops and laptops.
- Imaging servers, smartphones, tablets, or cloud storage comes with its own unique processes and considerations.
- We’ll get into those nuances in future posts.
Coming up next
We’ll continue walking through the process of handling digital evidence in a forensic investigation, what happens once we have the image, and how we dig in to uncover the truth. #ComputerInvestigation
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.