How to Produce Quality Forensic Images in 4 Easy Steps

Editor’s Note: Data Security Weekly is happy to feature a guest article from Cyanline CEO Steven Branigan covering the interesting topic of computer forensics. Forensic imaging is not only important to law enforcement and government agencies, but is gaining much broader use with corporations looking to store forensic images of employee computers and laptops prior to re-issuing them to other employees.

As cyber crimes gain prevalence and corporate security departments, law enforcement and government agencies scramble to obtain the quality evidence they need to clear cases in due time, a system that is proven to make forensic images fast and without hassle is a must.

Out with the old, and in with the new:

Conventionally, to forensically capture a subject’s drive, a forensic investigator would need a blank destination drive, laptop with imaging software, writeblocker and associated cables. This already hefty load doesn’t account for the extra personnel required to handle these elements, thus wasting valuable time and money. Nor does it describe the many things that could go wrong.

Traditionally, it was possible for a forensic examiner to mistakenly “acquire” the blank disk to the evidence drive instead of the reverse, effectively destroying the evidence. Seriously, it happens. You are in a conference room handling 25 computers – and really, after a while, all the disks have the same checksum, or the copy was made but labeled incorrectly. Any and all of these things can invalidate the forensic image.

However, the latest innovation in computer forensic technology, the Fast Disk Acquisition System (FDAS), is setting a new industry standard. Engineered for high-speed imaging, the new device consolidates many of these elements into one streamlined unit. Eliminating cumbersome steps and equipment that hamper investigation efficiency and efficacy, FDAS reduces complexity – and therefore the chance of errors – while greatly increasing speed.

Fast – and Foolproof

Here is how the complex becomes very simple – yet still forensically sound.

#1: Connect the system to the source disk.

  • Then, view the messages in the status display and press two buttons. The system will transfer a complete, byte-for-byte image of the disk. Forensic images of a disk drive should be directly copied from the source disk to guarantee that nothing is written to the source disk.

Note: It is crucial that the evidence is not tampered with before the imaging process to ensure the quality of your investigation.

#2: Verify the copy.

  • Check to make sure that the evidence obtained is the exact copy of the original. The first step is to verify that each block of data read is written to the destination without error! Thus, the forensic system must be built to properly handle read and write errors.
  • In addition, a comparison of the source disk and the output file is the extra step many take to ensure the copy is true.
  • Confirm that the file created is not altered. Generate a hash value of the output file. The hash value will not change unless the output file is modified.

Note: A hash value does not help you validate that the source disk is a true copy. See “Some Facts & Misconceptions About the Checksum Value” for more information. The hash value is important, though, as shown in the next step.

#3: Save the image.

  • Typical forensic imaging using a writeblocker or dedicated device requires that you save the image to a spare hard drive. However, FDAS saves the image automatically so that no additional drives are required.

#4: Make copies.

  • It’s always important to keep a copy of your image along with its hash value. Any copy of the evidence MUST generate the same hash value as the original, or it is not a true copy. FDAS allows imaging straight to a storage area network. It also provides the ability to copy the image(s) stored on the internal storage either via the network or to a spare hard drive attached to the system.
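As an added illustration of steps 1 through 4 (not part of the original article and not FDAS’s own code), the Python sketch below images a constructed in-memory “drive” block by block, never writing to the source; when a block read fails it retries sector by sector, zero-fills sectors that still fail and records their offsets; it hashes the bytes written, re-hashes the stored image file, and performs the optional source-versus-image comparison. `FlakySource`, the 512-byte `SECTOR` size and the sample data are assumptions constructed for the example.

```python
# Added example: block-by-block imaging with read-error handling, output hashing
# and a source-vs-image comparison pass. Illustrative only; FlakySource is a
# constructed stand-in for an evidence drive with unreadable sectors.
import hashlib
import os
import tempfile

SECTOR = 512  # assumed logical sector size


class FlakySource:
    """Constructed stand-in for an evidence drive: any read that touches a
    sector listed in bad_sectors raises OSError, like a real I/O error."""

    def __init__(self, data, bad_sectors=()):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        start, end = self.pos, min(self.pos + n, len(self.data))
        if any(s in self.bad for s in range(start // SECTOR, (end - 1) // SECTOR + 1)):
            raise OSError("I/O error")
        self.pos = end
        return self.data[start:end]


def read_block(source, offset, n, bad_offsets):
    """Read n bytes at offset. If the whole-block read fails, retry one sector
    at a time and zero-fill sectors that still fail, recording their offsets."""
    source.seek(offset)
    try:
        return source.read(n)
    except OSError:
        pass
    out = bytearray()
    for sec in range(offset, offset + n, SECTOR):
        want = min(SECTOR, offset + n - sec)
        source.seek(sec)
        try:
            out += source.read(want)
        except OSError:
            bad_offsets.append(sec)
            out += b"\x00" * want
    return bytes(out)


def acquire(source, size, image_path, block_size=1 << 20):
    """Step 1 and the first part of step 2: copy the source to image_path byte
    for byte (the source is only ever read) and return the SHA-256 of the
    bytes written plus the list of zero-filled sector offsets."""
    digest, bad = hashlib.sha256(), []
    with open(image_path, "wb") as dest:
        for offset in range(0, size, block_size):
            n = min(block_size, size - offset)
            data = read_block(source, offset, n, bad)
            if len(data) != n:  # a short read means the image is incomplete
                raise IOError(f"short read at offset {offset}")
            dest.write(data)
            digest.update(data)
    return digest.hexdigest(), bad


def hash_file(path, block_size=1 << 20):
    """Hash of the stored image; recompute it for every copy made (step 4)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare(source, size, image_path, block_size=1 << 20):
    """The extra step: re-read source and image and return offsets of blocks
    that differ. Bad sectors are zero-filled on re-read too, so they match."""
    mismatches, scratch = [], []
    with open(image_path, "rb") as img:
        for offset in range(0, size, block_size):
            n = min(block_size, size - offset)
            if read_block(source, offset, n, scratch) != img.read(n):
                mismatches.append(offset)
    return mismatches


def demo():
    """Constructed 4096-byte 'drive' with sector 3 unreadable, imaged in 1 KiB blocks."""
    data = bytes(range(256)) * 16
    source = FlakySource(data, bad_sectors=[3])
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        written_hash, bad = acquire(source, len(data), path, block_size=1024)
        stored_hash = hash_file(path)
        diffs = compare(source, len(data), path, block_size=1024)
    finally:
        os.unlink(path)
    expected = data[:3 * SECTOR] + b"\x00" * SECTOR + data[4 * SECTOR:]
    return {
        "bad_offsets": bad,
        "hash_matches_file": written_hash == stored_hash,
        "image_matches_expected": stored_hash == hashlib.sha256(expected).hexdigest(),
        "mismatched_blocks": diffs,
    }


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the source would be a block device opened read-only behind a write blocker rather than `FlakySource`. Note that the hash produced here covers the substituted zero bytes, so the list of zero-filled offsets has to be recorded alongside the hash; as the article says in the next note, the hash proves that the image file is unchanged, not that it is a faithful copy of the source, which is what the comparison pass is for.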

How to Calculate Forensic Imaging Time

  • The time required to make a forensic image increases as the capacity of disk drives increases.
  • The time required decreases with high performance output.
  • The time required decreases with native access to the source disk drive.
  • The best speed at which a disk drive can be imaged is calculated by dividing the total capacity of the disk by the maximum sustained transfer rate (MSTR) of the disk. MSTR is the manufacturer’s figure for how quickly data can be read off a disk drive in large transfers, and it tells us how fast the data comes off the disk.
  • For example, a 20GB disk drive with an MSTR of 2.5GB/m would take approximately 8 minutes to image at best. A 200GB disk drive with an MSTR of 4GB/m could take at least 50 minutes, while a 1 TB disk drive with an MSTR of 6GB/m would take about 2.5 hours.

Why Forensic Investigators Need Speed

A recent Police Chief Magazine article titled “The Growing Challenge of Computer Forensics” revealed that police managers must find a way to examine an increasing number of digital devices in a timely manner with limited resources. Plus, some jurisdictions enforce strict deadlines for gathering forensic material, which only adds to the pressure. The result is loss of critical evidence because time has run out. This is why it is important to invest in a quality forensic imaging system that is simple, fast and cost-effective. Remember, it is imperative to have a system that ensures that an image has not been tampered with, but still gives a true image for a quality investigation.

About Steven Branigan

Experienced forensic scientist and licensed private investigator, Steven Branigan creates forensically sound products to advance the investigative industry, including Cyanline’s Fast Disk Acquisition System (FDAS). Renowned speaker and instructor, Branigan is an active member of the High Technology Crime Investigation Association, the Federal Bureau of Investigation’s InfraGard and the New Jersey Licensed Private Investigators Association. Branigan is the author of High Tech Crimes Revealed and has received awards from the U.S. Secret Service and New Jersey State Police.