Data imaging is focused on recovering “non-spoiled” evidence for use in negotiation, an internal investigation, civil court, or criminal court. A critical step in a professional e-investigation is imaging: creating an exact replica of the device and data being considered as digital forensic evidence. This is similar to photographing a physical crime scene to collect evidence and leads. The experts at McCann use well-respected technology, such as EnCase, and established standards to ensure that any evidence found will be admissible at trial.
Once the data is obtained, it is duplicated using a write-blocking device and our hard drive duplicator, and then software imaging tools such as EnCase, FTK Imager or FDAS step in. The resulting media is verified using the SHA or MD5 hash functions. The imaging procedure varies depending on whether the device is powered on or off, the scenario, the scope of the case, whether we are imaging for “us” or for the opposing side, the operating system, time constraints, directives in a court order, and so on. Imaging does, however, share some common steps: starting the chain of custody; recording the type, brand, model and serial number of the device and of the storage media inside it; photographing the devices and the storage media inside them; verifying the accuracy of the device's date and time; and verifying the information collected. Each type of ESI source, such as laptops, desktops, servers, hosted drives, mobile phones and smartphones, has its own unique steps in the imaging process.
Laptops:
The laptop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The forensic image is verified and compared against the original hash value, checked for errors, and loaded to check for partitions, file systems, and encryption. The internal calendar and clock of the laptop are noted, and the drive is re-installed in the laptop.
Desktops:
The desktop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The number and type of storage devices in the desktop are determined. The hard drive(s) are removed from the desktop, and the type, brand, model and serial number of each drive are recorded and photographed. Each drive is then connected to a high-speed forensic imaging device, which determines whether any hidden areas of the hard drive such as a DCO or HPA exist and creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The digital forensic image is verified and compared against the original hash value, checked for errors, and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the desktop are noted and the drive is re-installed in the desktop.
Servers:
The server hard drive imaging process creates a forensically sound bit-by-bit copy of each drive to a set of digital forensic images. The RAID type and configuration are determined, along with the number and type of storage devices in the server. The hard drives are removed from the server one at a time, and the position, type, brand, model and serial number of each drive are recorded and photographed. One at a time, the drives are then connected to a high-speed computer forensic imaging device and a forensically sound bit-by-bit copy of each drive is created to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The digital forensic images are verified and compared against the original hash values, checked for errors, and loaded (virtually rebuilding the RAID configuration in the forensic software where necessary) to check for partitions, file systems and encryption. The internal calendar and clock of the server are noted and the drives are re-installed in the server.
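The laptop, desktop and server sections above all describe the same core step: a bit-by-bit copy with checksums recorded throughout the image plus MD5 and SHA1 hashes of the whole drive, followed by re-reading the image and comparing it against those values. The following script is an added illustration written for this page (it is not McCann's tooling, nor EnCase, FTK Imager or FDAS) of what that verification step does in practice. It stands in a constructed temporary file for the write-blocked source drive, chooses an assumed 64 KiB chunk size, keeps a CRC32 per chunk (a stand-in for the per-block checksums that forensic image formats carry), hashes the source stream while copying, and then verifies the image, showing how the per-chunk values localise a single corrupted byte that the whole-drive hashes can only report as "mismatch".

```python
"""Bit-by-bit imaging with verification (illustrative example, not a product).

Reads the source in fixed-size chunks, writes a raw image, records a CRC32
per chunk, computes MD5 and SHA1 over the whole stream, then re-reads the
image and compares chunk checksums and drive hashes against the record.
"""
import hashlib
import os
import tempfile
import zlib

CHUNK = 64 * 1024  # assumed chunk size for this example; real tools use their own


def image_device(source_path, image_path, chunk=CHUNK):
    """Copy source_path to image_path and return an acquisition record."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    chunk_crcs = []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            md5.update(buf)
            sha1.update(buf)
            chunk_crcs.append(zlib.crc32(buf))  # per-chunk checksum
            dst.write(buf)
    return {
        "bytes": os.path.getsize(image_path),
        "chunk": chunk,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "chunk_crcs": chunk_crcs,
    }


def verify_image(image_path, record):
    """Re-read the image and compare it with the acquisition record.

    Returns (ok, failed_chunk_indices). ok is True only when every chunk
    checksum and both whole-image hashes match.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad = []
    with open(image_path, "rb") as f:
        for idx, expected in enumerate(record["chunk_crcs"]):
            buf = f.read(record["chunk"])
            md5.update(buf)
            sha1.update(buf)
            if zlib.crc32(buf) != expected:
                bad.append(idx)
        if f.read(1):  # image is longer than what was recorded
            bad.append(len(record["chunk_crcs"]))
    hashes_ok = md5.hexdigest() == record["md5"] and sha1.hexdigest() == record["sha1"]
    return (not bad and hashes_ok), bad


def demo():
    """Constructed scenario: image a 200 KiB 'drive', verify it, then flip one
    byte inside the third chunk of the image and verify again."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "drive.bin")
    img = os.path.join(tmp, "drive.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(200 * 1024))  # constructed sample drive content
    record = image_device(src, img)
    clean_ok, _ = verify_image(img, record)
    offset = 2 * CHUNK + 17  # lands in chunk index 2
    with open(img, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))  # corrupt one byte of the copy
    corrupt_ok, bad_chunks = verify_image(img, record)
    return clean_ok, corrupt_ok, bad_chunks


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, False, [2])`: the untouched image verifies, the tampered copy fails, and the failing chunk index tells the examiner where the image diverges from the acquisition record rather than only that it does.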
Hosted drives:
The hosted drive imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The type of hosting, the hosting environment, the server hardware, and the versions of the client, the server host and the operating system are determined. The most accurate and efficient method of access is chosen for that hosting environment. Forensic imaging software is run from a hosting account with the permissions and access required for the scope of the imaging, against the requested data, to create a forensically sound copy of the requested files and data with the necessary hash values. The digital forensic images are verified, compared against the original hash values, and checked for errors. An appropriate chain of custody is started for the collected data.
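For hosted data the paragraph above describes a collection of requested files with their hash values rather than a copy of a physical drive, so the verification artefact is a per-file manifest. The script below is an added example written for this page (not McCann's tooling or any vendor's product) of such a logical collection: it copies a requested list of files from a constructed "hosted share" directory into a collection folder, records size, modification time, MD5 and SHA1 for each file at acquisition time, keeps a separate list of requested files that could not be read (the "checked for errors" step), and re-hashes the collected copies against the manifest. The share layout, file names and contents are all constructed for the demonstration.

```python
"""Logical (file-level) collection with a hash manifest (illustrative example).

Copies requested files from a source root into a collection root, records
per-file hashes and metadata, and verifies the collected copies later.
"""
import hashlib
import os
import shutil
import tempfile


def file_hashes(path, bufsize=65536):
    """Return (md5, sha1) hex digests of the file at path."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(bufsize), b""):
            md5.update(buf)
            sha1.update(buf)
    return md5.hexdigest(), sha1.hexdigest()


def collect(source_root, requested, dest_root):
    """Copy each requested relative path; return (manifest, errors).

    Hashes are taken from the source before copying so the manifest reflects
    the data as it was on the hosted system, not as it landed locally.
    """
    manifest, errors = [], []
    for rel in requested:
        src = os.path.join(source_root, rel)
        try:
            md5, sha1 = file_hashes(src)
            st = os.stat(src)
        except OSError as exc:
            errors.append((rel, str(exc)))  # unreadable or missing item
            continue
        dst = os.path.join(dest_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also preserves timestamps
        manifest.append({"path": rel, "size": st.st_size,
                         "mtime": st.st_mtime, "md5": md5, "sha1": sha1})
    return manifest, errors


def verify_collection(dest_root, manifest):
    """Re-hash the collected copies; return the paths whose hashes differ."""
    mismatched = []
    for entry in manifest:
        md5, sha1 = file_hashes(os.path.join(dest_root, entry["path"]))
        if (md5, sha1) != (entry["md5"], entry["sha1"]):
            mismatched.append(entry["path"])
    return mismatched


def demo():
    """Constructed scenario: two readable files, one missing file, then a
    collected copy altered to show the manifest check catching it."""
    tmp = tempfile.mkdtemp()
    share = os.path.join(tmp, "share")
    coll = os.path.join(tmp, "collection")
    os.makedirs(os.path.join(share, "docs"))
    with open(os.path.join(share, "docs", "contract.txt"), "wb") as f:
        f.write(b"constructed sample document\n")
    with open(os.path.join(share, "notes.txt"), "wb") as f:
        f.write(b"constructed notes\n")
    requested = ["docs/contract.txt", "notes.txt", "docs/missing.pdf"]
    manifest, errors = collect(share, requested, coll)
    mismatched_before = verify_collection(coll, manifest)
    with open(os.path.join(coll, "notes.txt"), "ab") as f:
        f.write(b"x")  # alter a collected copy after acquisition
    mismatched_after = verify_collection(coll, manifest)
    return len(manifest), [rel for rel, _ in errors], mismatched_before, mismatched_after


if __name__ == "__main__":
    print(demo())
```

The manifest (not the copied files) is what later verification and the chain of custody rest on, so it is written at acquisition time from the source hashes; the error list records requested items that could not be collected instead of silently dropping them.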
Flash drives or other small medium:
If the storage device is being removed from a camera, phone or other device, that device is photographed first. The type of storage media is determined. The media is removed from the device if necessary, and the type, brand, model and serial number of the media are recorded and photographed. The media is then connected to an appropriate hardware write-blocker (via an adapter or reader if necessary). Forensic imaging software is run to create a forensically sound bit-by-bit copy of the media to a set of forensic image files that contain checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the image of the media. The forensic image is verified and compared against the original hash value, checked for errors, and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the device are noted and the media is re-installed in the device if necessary.
Mobile and Smart phones:
The mobile imaging process creates a forensically sound bit-by-bit copy of the phone's storage to a set of forensic images. The phone is examined for internal storage, flash storage and a SIM card. If a SIM card is present, it is removed and cloned, omitting the provider network information so that the phone cannot connect to the provider network; this keeps the phone secure, prevents remote wiping, and blocks incoming calls, messages, voicemail, etc. that could overwrite deleted information on the device. Flash storage devices are removed and imaged according to the “Flash drives or other small medium” procedure. If the phone does not have a SIM card, it is placed inside a Faraday container, which prevents wireless signals from reaching the phone. The phone is then connected to a mobile phone forensic imaging device using the appropriate cable or connection method. The phone is imaged in one or more ways depending on the supported access methods, which may include direct access, software query, file system dump or physical image. The images are verified and compared against the original hash values, checked for errors, and loaded to verify the data.
Atypical scenarios can include “hostile imaging” (not dissimilar from some of the issues encountered at Noble); physical access issues (such as security, or not having proper authorization for the areas holding the hardware to be imaged); encryption; employees finding out about the imaging and “forgetting” the company laptop at home that day; unexpected drive types or sizes requiring specialized hardware or software for imaging; slow or older hardware that can significantly increase imaging time; missing hardware; failing drives or media; court orders or other agreements that prevent looking at or verifying the collected data, which is later found to be invalid, encrypted, from the wrong custodian, etc. once access is granted; and last-minute changes that alter the scope or the hardware needed for the imaging process. In every case, chain of custody is started on the laptop.