How are digital forensic images collected?

Digital forensics is the process of collecting, analyzing, and reporting on digital data in a manner that is legally admissible as evidence. It involves making a bit-for-bit forensic copy or image of digital media like hard drives, cell phones, or other storage devices. This forensic image contains an exact replica of the original data, allowing investigators to analyze the image rather than the original device. Collecting proper forensic images is crucial for maintaining data integrity and ensuring the investigation follows proper evidence handling procedures.


Why are forensic images necessary?

Forensic images are necessary for several reasons:

  • Preserves the integrity of the original evidence – By working off a copy, the original evidence cannot be altered or damaged during analysis.
  • Allows non-invasive analysis – Forensic tools can thoroughly analyze the image without making changes to the original evidence.
  • Freezes the evidence in time – The image preserves the state of the data as it was at the moment of acquisition.
  • Retains metadata – The image contains all filesystem metadata like file dates, permissions, etc.
  • Proves authenticity – Hash values verify the image is an exact copy of the original evidence.
  • Can be reused – The image can be analyzed repeatedly without re-seizing the device.
  • Allows collaborative analysis – Multiple investigators can analyze the same image.

Without forensic images, the original evidence would be at risk of alteration. The chain of custody and integrity of the evidence would be questioned in court. Forensic images allow for reliable, repeatable, and non-invasive analysis.

When should you acquire a forensic image?

A forensic image should be acquired as soon as possible during the investigation process. The optimal scenarios are:

  • For seized devices – Immediately after seizing the device, it should be powered down, transported to the lab, and imaged.
  • For live acquisitions – If powered on, the device should be imaged onsite using a forensic write blocker to prevent changes.
  • After incident response – After containing an incident, affected systems should be forensically imaged.

There are risks if imaging is delayed. Data could be deleted, altered, or corrupted if the device remains powered on. Imaging should occur as soon as practicable to preserve the state of data.

How are forensic images acquired?

There are several methods investigators use to acquire forensic images depending on the type of device and situation:

Hard drive imaging

Hard drives are removed from a system and connected to a write blocker, which allows read-only access. A bitstream image is created sector-by-sector using software like EnCase, FTK Imager, or dd. The image format is a raw bitstream of the drive.

Logical file copy

With a logical acquisition, only file and folder data is copied from the drive, not unallocated disk space or slack space. This is faster but does not capture all data; it is useful when only a subset of files is needed.

Live acquisition

Performed while the system is still running, using tools carried on a forensic CD or USB drive, and imaging over the network or to a removable drive. Uses software like Helix or CAINE. Captures volatile data like RAM.

Mobile device imaging

Uses a combination of hardware like a Cellebrite or XRY to extract a physical image, or software to extract a logical backup of selected data from the phone.

Cloud acquisition

Uses APIs or web scraping to extract a forensic image of cloud data from providers like Google, Dropbox, or Amazon. Custom connectors are often needed.

Network traffic capture

Acquires forensic images of network traffic using sniffing tools like Wireshark or NetworkMiner to capture packets off the wire or from a SPAN port.

What are the requirements for forensic imaging tools?

Forensic imaging tools should meet certain requirements to acquire admissible evidence:

  • Write protection – Uses hardware or software write blockers to prevent modification.
  • Error checking – Verifies the integrity of the duplicated data.
  • Bit-for-bit accuracy – Duplicates every bit from the original without omissions or interpretations.
  • Authentication – Stores hash values to authenticate duplicates with the original.
  • No alteration of source data – Does not compress, encrypt, or otherwise alter the source data.
  • Standard formats – Uses industry standard image formats like .E01, .AFF, or .dd.
  • Media agnostic – Capable of imaging multiple media types like SATA, SSD, USB, etc.
  • Speed – Works at reasonable speeds without throttling transfers.
  • Documentation – Logs every action taken during the imaging process.
  • Scripting – Supports scripting for repetitive tasks or bulk collection.

Following these requirements ensures the imaging process is forensically sound and evidence is admissible in court.

How are hash values used?

Hash values are an important part of verifying forensic images. A cryptographic hash algorithm like MD5, SHA-1, or SHA-256 generates a fixed-length digest that, for practical purposes, uniquely represents the source data. Even a single changed bit results in a different hash value. Hashing is used to:

  • Validate integrity – Matching hash values indicate the image is identical to the original.
  • Authenticate copies – The source and duplicates should all have matching hash values.
  • Spot changes – Different hashes mean the evidence was altered or corrupted.
  • Prove methodology – Documenting starting and ending hashes shows proper handling.

Imaging tools calculate hashes automatically during acquisition. Investigators should hash devices before, during, and after imaging to maintain a chain of custody.

What information should be logged during imaging?

Proper documentation is critical to prove the imaging process was forensically sound. The following information should be recorded:

  • Case identifier
  • Evidence tracking number
  • Investigator name
  • Date and time of acquisition
  • Imaging tool and version
  • Write blocker used (hardware/software)
  • Device manufacturer, model, and serial number
  • Hard drive details (make, model, size, interface, etc)
  • Hash value of original evidence before imaging
  • Hash value of forensic image created
  • Any errors or abnormalities during process
  • Verification that image is readable

This log becomes evidence documentation that is part of the chain of custody. It demonstrates the process was forensically sound and can be replicated if needed.

How is data verification performed?

After acquiring a forensic image, investigators must verify it is a precise duplicate of the original data. Verification methods include:

  • Hash value comparison – The hashes of the source evidence and image should match if unchanged.
  • Read verification – Opening random sectors and files from the image to check they are accessible.
  • File listings – List directory contents on the evidence and image to ensure files and dates match.
  • Metadata review – Spot check timestamps, file sizes, format headers, and other metadata.
  • Forensic tool verification – Many tools have built-in read verification functions.

It is critical to diagnose any errors that occur during verification. If the image does not perfectly match the original evidence, the acquisition must be repeated. Verification ensures the image is a bit-for-bit duplicate before analysis.

What media types require imaging?

While hard drives are a common source of evidence, many devices and media types should be imaged. Examples include:

  • Hard drives (HDD, SSD, hybrid, external)
  • RAID arrays
  • USB flash drives
  • Optical discs (CDs, DVDs, Blu-ray)
  • Floppy disks
  • Tape drives
  • SD cards and microSD cards
  • CompactFlash cards
  • SIM cards
  • Smart cards
  • Smartphones and tablets
  • Wearables (smart watches)
  • IoT devices
  • Game consoles
  • eBook readers
  • GPS units
  • Digital cameras
  • Dashcams
  • Drones
  • Network traffic captures
  • Cloud data

Essentially any digital media that stores data should be forensically imaged for analysis. The variety of media continues growing rapidly.

What mistakes should be avoided when imaging?

Imaging is a process sensitive to errors that could render evidence inadmissible. Investigators should avoid:

  • Not using write blockers – Failing to prevent writing can modify evidence.
  • Imaging to the same drive – Writing the image onto the source media overwrites evidence and loses data.
  • Not hashing original media – Without starting hashes, integrity can’t be proven.
  • Altering original evidence – Must not modify evidence before imaging.
  • Sloppy documentation – Meticulous notes are required to document the process and support proof of integrity.
  • Untrained personnel – Experienced forensics team should perform imaging.
  • Unsupervised imaging – Chain of custody requires controlled process.
  • Unverified images – Must diagnose any verification errors to ensure accuracy.
  • Not re-hashing originals – Should rehash originals after imaging completes.
  • Not testing tools – Ensure imagers work properly on evidence media types.

Avoiding these pitfalls will preserve evidence integrity and prevent challenges to admissibility.

How are forensic images stored?

Forensic images require specialized storage designed for evidence data:

  • Access controls – Stores images with strict access limited to investigators.
  • Audit logs – Logs all access and actions performed.
  • Bit-level preservation – Retains integrity of original bitstream without change.
  • Retention policies – Follows evidence retention regulations before disposition.
  • Searchability – Catalogs images to quickly locate by case or tracking ID.
  • Chain of custody – Demonstrates who accessed evidence when.
  • Redundancy – Critical evidence requires backup copies and disaster recovery.
  • Authentication – Uses hashing to verify stored images against originals.

Proper storage maintains evidence for analysis while preventing spoliation.

What are recommended procedures for forensic imaging?

Best practices for forensic imaging include:

  1. Document original device condition and details.
  2. Photograph device and label ports/cables.
  3. Disable wireless interfaces like WiFi to isolate.
  4. Attach write blocker and verify read-only access.
  5. Calculate starting hash value of device.
  6. Create bitstream forensic image to sterile drive.
  7. Record process details and any errors or abnormalities.
  8. Verify image to ensure it matches the original.
  9. Hash image after completion and match to starting hash.
  10. Safely store and retain image per policy.

Following these steps produces court-admissible forensic images while avoiding spoliation.
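The hashing, logging, and verification sections above and the ten-step procedure describe one workflow; the following is an added example (not code from the original article or any named tool) that carries that workflow out in Python: it hashes the source before imaging, makes a bit-for-bit copy while hashing the read stream, hashes the finished image, re-hashes the original, and writes an acquisition log. The tool name, case identifier, examiner name, and the 3 MiB sample "device" file are constructed for the demo; a hardware write blocker in front of the real source is assumed, not emulated.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads; a real imager works sector by sector and logs bad sectors

def sha256_file(path):
    """Stream a file or raw block device (e.g. /dev/sdb on Linux) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source, image, case_id, examiner, tool="example-imager (hypothetical)"):
    """Bit-for-bit copy of source to image, hashing the source before, during and after,
    and the image after; a hardware write blocker in front of source is assumed."""
    log = {"case_id": case_id, "examiner": examiner, "tool": tool, "source": source,
           "image": image, "errors": [], "started": datetime.now(timezone.utc).isoformat()}
    log["source_hash_before"] = sha256_file(source)        # step 5: starting hash
    acq, copied = hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:  # step 6: bitstream copy
        for chunk in iter(lambda: src.read(CHUNK), b""):
            acq.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    log["bytes_copied"] = copied
    log["source_hash_during"] = acq.hexdigest()           # hash of the bytes actually read
    log["image_hash"] = sha256_file(image)                # step 9: hash the finished image
    log["source_hash_after"] = sha256_file(source)        # re-hash the original afterwards
    keys = ("source_hash_before", "source_hash_during", "image_hash", "source_hash_after")
    log["verified"] = len({log[k] for k in keys}) == 1    # step 8: all four must agree
    log["finished"] = datetime.now(timezone.utc).isoformat()
    with open(image + ".log.json", "w") as f:            # step 7: acquisition record
        json.dump(log, f, indent=2)
    return log

def demo():
    """Constructed sample: a 3 MiB fake 'device' file; then one flipped byte in the image."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))
    good = acquire(src, img, case_id="CASE-0001", examiner="J. Doe")
    with open(img, "r+b") as f:  # tamper with the image: any later verification must fail
        f.seek(1000); b = f.read(1)[0]; f.seek(1000); f.write(bytes([b ^ 1]))
    return good, sha256_file(img) != good["image_hash"]
```

The returned log is the machine-readable counterpart of the record described under "What information should be logged during imaging?"; a mismatch in any of the four hashes means the acquisition must be repeated.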

What mistakes lead to evidence spoliation?

Failure to follow proper procedures can lead to spoliation – the destruction or alteration of evidence. Common mistakes include:

  • Not disabling network access on devices – Allows remote wiping or alteration.
  • Allowing imaging software to alter original data.
  • Imaging back to same original device – Overwrites portions of data.
  • Hash mismatch between original and image – Indicates the data was altered or overwritten.
  • Errors or crashes during imaging – Can destroy portions of data permanently.
  • Poor storage conditions like magnets or moisture – Can irretrievably damage device.
  • Mishandling or dropping devices – May physically destroy platters.
  • Delayed or interrupted imaging – Allows interim changes if device left powered on.
  • Unused write blockers – Without protection, connecting drives risks writes.

Any misstep that impacts the quality of evidence leads to spoliation claims. Documenting procedures is the best defense.

How are forensic images presented in court?

Forensic images may be introduced as evidence in court proceedings. Standard practices for courtroom presentation:

  • The qualified forensic examiner who created the image testifies about acquisition procedures.
  • The examiner authenticates the image using hash values matched to original media.
  • The examiner documents the unchanged state of evidence when seized.
  • Notes, photographs, and logs detail the imaging process and storage.
  • Imaging hardware and software must be court-validated.
  • Documentation establishes a chain of custody for the evidence.
  • Copies of images may be provided, but originals remain in investigator possession.
  • The examiner describes verification steps taken to ensure accuracy.
  • Defense may request additional copies for analysis by its examiners.

Following best practices for imaging and documentation makes court introduction straightforward.

Conclusion

Performing forensically sound data duplication requires specialized tools, controlled procedures, and meticulous verification. Evidence preservation begins the moment a device is seized. Investigators must follow strict protocols to acquire accurate forensic images that will withstand legal scrutiny. Using certified hardware and software while avoiding mistakes ensures the imaging process does not taint evidence. With proper acquisitions, forensic images become powerful court exhibits that reveal the full contents of digital devices.