Creating evidential copies through routine backup procedures replicates only specific files: files carrying delete indicators are not recovered, nor is the designated ‘free space’ between files. To remediate this limitation, a ‘forensic image’ should be obtained using task-oriented software. Appropriate forensic imaging software reproduces an exact working copy of the original media’s content. Technologically, media content imaging can be carried out without launching the computer’s operating system, thereby avoiding tampering allegations. Functionally, the imaging software applied should be capable of making an exact replica of every encoded bit contained on the target media.
Residual data includes deleted files, fragments of deleted files and other data that are still present on the disk surface. Forensic imaging software can capture residual data on targeted drives. Effective imaging replicates the disk surface sector-by-sector rather than reproducing it file-by-file. With appropriate tools, even data commonly considered destroyed can be recovered from a disk’s surface. Furthermore, imaging software can also generate a log file recording parameters such as disk configuration, interface status, and data checksums that are critical for supportable conclusions regarding an incident or event.
After creating at least two media images, one copy can be installed in the target system as a substitute for the original, while the second copy can be used for forensic analysis. Lastly, once imaged, the original media should be sealed in a sterile container, labeled and stored as evidence.
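As an added example (not from the original post), the following Python contrasts the file-by-file copy of a routine backup with the sector-by-sector image described above, on a constructed in-memory ‘disk’ holding one allocated file and deleted-file residue in free space; it also produces the two matching images called for in the preceding paragraph, with a checksum log. All function names and sample data are constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector; the imaging loop reads exactly one sector at a time

def build_sample_media():
    """Constructed sample 'disk': one allocated file plus residue of a deleted file in free space."""
    disk = bytearray(SECTOR * 8)
    live = b"quarterly report: revenue up 4%\n"
    disk[0:len(live)] = live                               # sector 0, allocated
    residue = b"DELETED memo: draft of unreleased figures\n"
    disk[SECTOR * 5:SECTOR * 5 + len(residue)] = residue   # sector 5, unallocated residue
    allocation = {"report.txt": (0, len(live))}            # the file table knows only the live file
    return bytes(disk), allocation

def copy_file_by_file(disk, allocation):
    """Routine backup: copies only what the file table says is allocated."""
    return {name: disk[off:off + ln] for name, (off, ln) in allocation.items()}

def image_sector_by_sector(disk, sector=SECTOR):
    """Forensic image: every sector is read and written unchanged; the log records
    sector geometry, a checksum per sector and a checksum of the whole image."""
    src, img, whole = io.BytesIO(disk), io.BytesIO(), hashlib.sha256()
    log = {"sector_size": sector, "sectors": 0, "sector_sha256": []}
    while chunk := src.read(sector):
        img.write(chunk)
        whole.update(chunk)
        log["sector_sha256"].append(hashlib.sha256(chunk).hexdigest())
        log["sectors"] += 1
    log["image_sha256"] = whole.hexdigest()
    return img.getvalue(), log

def make_evidential_copies(disk, count=2):
    """Produces the two images the text calls for and confirms they are identical,
    bit for bit and by logged checksum, before either is put to use."""
    copies = [image_sector_by_sector(disk) for _ in range(count)]
    hashes = {log["image_sha256"] for _, log in copies}
    assert len(hashes) == 1 and all(img == disk for img, _ in copies), "image mismatch"
    return copies

def contains_residue(data, marker=b"DELETED memo"):
    """True when the deleted-file residue survived in this copy."""
    return marker in data
```

Run against a real device the same loop would read from the block device opened read-only and write to an image file, and the log would be retained alongside the image so the checksums can be re-verified later.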
“View Part I of the Preserving Electronically Encoded Evidence series here”
Post Note: An expanded version of this blog entry is available through the ISACA Journal.