“It takes time, but it was worth it for the final result!”
Making a reliable copy
One of the unwritten rules (it's probably written down somewhere) is that you never work on original data.
This is where imaging comes in. It's the process of making an exact byte-for-byte copy of the original data, including deleted space. In some cases, where it is likely that the data will change as soon as it has been captured (say, from a live production server that needs to keep working), we'll also make a copy of the copy. This allows for any kind of hardware failure whilst still preserving 'best evidence' in progressing your case.
We know that we have a perfect copy by using a hash. This is a mathematical algorithm which, in essence, provides a 'digital fingerprint' of the data. There's a techy description of that here if you're interested. What it means in real terms is that as long as the hash from the original matches the hash from the copy, the copy is an exact duplicate of the original.
The techniques we use mean that copying is resistant to the kind of degradation that you would see in something like a photocopy of a photocopy, which happens because the copier isn't perfect. With forensic tools, the copy is perfect, and we use the hash to prove it.
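The hash check described above, as an added example (not code from the original page or from any forensic tool it refers to): the source is copied in chunks while being hashed, the image is read back and hashed, and a second working copy is made and checked the same way. The file names, the chunk size and the choice of SHA-256 are assumptions, and the "device" is a constructed random file.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large source never sits in memory


def file_hash(path, algo="sha256"):
    """Hash a file by reading it back from disk in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, algo="sha256"):
    """Copy source to image byte for byte; return (source_hash, image_hash)."""
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)   # fingerprint of what was read from the source
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    return h.hexdigest(), file_hash(image, algo)  # second hash: image read back


def demo():
    """Constructed sample: a random 'device' is imaged, then the image is copied."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.bin")
        master = os.path.join(d, "master.img")
        working = os.path.join(d, "working.img")
        with open(original, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        src_hash, master_hash = acquire(original, master)
        _, working_hash = acquire(master, working)  # the copy of the copy
        with open(working, "r+b") as f:  # flip one bit in the working copy
            f.seek(CHUNK)
            byte = f.read(1)
            f.seek(CHUNK)
            f.write(bytes([byte[0] ^ 0x01]))
        return src_hash, master_hash, working_hash, file_hash(working)


if __name__ == "__main__":
    print(demo())
```

The first three values returned by `demo()` are identical, which is the proof that both copies match the original; the fourth differs because a single bit of the working copy was changed after it was verified.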
It's been said that integrity cannot be retrofitted. This has never been more true than with respect to imaging. If an investigation is carried out on live data and a change occurs, then you simply will not be allowed to rely on that data in any formal setting, for example an HR hearing, an industrial tribunal or at court. When an investigation begins, it's impossible to know where it will lead. We have seen minor cases gather momentum into full-blown criminal matters for Crown Court, and other potentially earth-shattering disputes fizzle out a week later.
It's simply the case that you can never assume an investigation won't require the level of integrity needed for a formal setting. You must always make an image of the data for this reason.
It's true that copying large amounts of data in this way can be time-consuming. Data transfer speeds are improving all the time, but the fact remains that the laws of physics cannot be ignored or bypassed. It takes as long as it takes.
Image now, analyse later...
In some circumstances, you may decide that a full investigation is unwarranted. It may be that you decide, for the moment, not to take a matter forward.
By simply imaging the device in question now, you freeze the evidence as it stands, allowing an investigation to be carried out at some future date should it later become necessary. This is a very cheap insurance policy that many organisations are adopting as a standard part of their leavers' process for certain roles within their organisation.
If this is something that you'd like the ability to do in-house as a part of your forensic readiness strategy, then we'd be happy to come and instruct your staff on how to carry out this straightforward procedure.
Call us now on 020-8166-0059 or send us an email and we'll call you straight back to discuss how we can help.