Computer Forensic Imaging Tools
During the course of an electronic investigation you may be called upon to plan the forensic analysis of a target's computer system and hard drive.The target hard drive may contain a range of data relevant to an investigation from emails making overt admissions to trace evidence of files that were "attempted" to be deleted that when "undeleted" may prove to be incriminating.
The general flow chart for a computer forensic investigation can be summarized with an acronym ISUPR and is as follows:
Image - where the target hard drives are cloned
Search - where keyword searches for relevant evidence are performed if feasible (i.e. non images)
Undelete - where you restore files that were deleted if enough of the underlying data is still present
Preview - where you use a universal viewer to review potentially relevant files, data, and images
Report - where you report on your methods and results
I will deal with the first stage here - Image the target hard drive(s).
The Image stage is perhaps the most exciting stage where an investigator needs to get actual access to the target's computer system and in essence "clone" the target's hard drive(s). Needless to say that the access to the target's hard drive must be lawful or the investigator may, ironically, be in violation of applicable law such as the Computer Fraud and Abuse Act. Some examples of lawful access include via a valid search warrant, subpoena, pursuant to a contract, and when appropriate that of an employee using an employer's PC.
The imaging process must also be forensically sound, well documented, and comply with applicable rules of evidence, including but not limited to, maintaining the chain of custody.
The National Institute of Standards and Technology (NIST) under an agreement with US Department of Justice has come up with some mandatory requirements for a forensically sound hard drive imaging tool and they are:
-The tool shall make a bit-stream duplicate or an image of an original disk or partition.
-The tool shall not alter the original disk.
-The tool shall be able to verify the integrity of a disk image file.
-The tool shall log I/O errors.
-The tool’s documentation shall be correct.
There are a variety of software and hardware tools that are used to Image a target's hard drive. The US Department of Justice has tested various software and hardware hard drive imaging tools to determine if they are forensically sound and has provided such results. I will not endorse any hard drive imaging tool here or pass judgment on whether they comply with the above requirements but rather provide you with a list in no particular order of commonly used computer forensic hard drive imaging tools for your convenience:
Paraben
FTK
LogiCube
WinHex
dd
ILook
You need to take care of handling the computer forensic Image stage in a technically sound and legally compliant manner since there is little chance to fix any mistakes made in this stage or to "unring the bell". If a mistake is made in the hard drive imaging process or an anomaly is found then a proper cross examination or other legal attack can possibly lead to the exclusion of such evidence. On the positive side if a technically and legally valid hard drive image or "clone" is made most mistakes made after the Image stage, such as "undeleting" erased files, can be fixed or redone on the fly with little or no consequence other than time.
Reader Comments