With the advent of inexpensive storage, the ability to store large amounts of data and information has become common. A 200GB hard drive is no longer expensive. Larger hard drives and more storage space can cause issues for an investigator who might be working onsite or during emergency cases. Although some utilities include newer technology that speeds up the imaging process, there are times when a full volume image simply isn't possible. Such times might include situations in which data is stored on a mainframe computer.
Evidence is usually found in files that are stored on hard drives, storage devices, and media, so there may be instances in which you don't necessarily want or need the entire operating system. If your suspected criminal is not particularly techno-savvy, you might only want the user-created files. Address books and database files can be used to prove criminal association, pictures can produce evidence of illegal activity such as counterfeiting, e-mail or documents can contain communications between criminals, and spreadsheets often contain drug deal lists. In these types of cases, copying only the directories or files that are pertinent to your case might be more efficient than copying the entire drive contents.
Remember that full imaging will copy each sector of the original media, including hidden data, partially erased data, encrypted data, and unused space. A full image copy also takes longer to make, and it will use more space. The full imaging process is less bandwidth-efficient than partial imaging because, no matter how small the difference between the source and destination, the entire disk is copied. A partial image is quicker to copy and easier to work with and search. However, by using a partial image, you run the risk of missing valuable data. If you do not image the whole drive, make sure that you have recorded the partition information.
From time to time, I am called upon to image hard drives away from the comfort and security of my lab.
I have had to image hard drives at 2 o'clock in the morning. The reasons for the nocturnal timetables were simple. The employers needed to collect evidence of employee wrongdoing without the employees finding out that the bosses were on to them.
Although this type of exercise might seem extreme, it actually occurs quite often. CEOs and board chairmen have asked me to investigate senior-level executives when they thought that those executives were embezzling or violating Securities and Exchange Commission (SEC) regulations.
The procedure to follow for acquiring evidence in this surreptitious manner is actually very straightforward. Don't get caught! For your career's sake, you must also check the company's policy to make sure that you have the legal authority to go into the office and that the company has a policy that shows that the employee has "no expectation of privacy" on his company computer.
Typically, I arrive at the corporate offices in the middle of the night and am met by the director of security, who escorts me to the executive's office and unlocks the door. Usually, I take a couple of 'instant photos' of the office and desk to make certain that I leave the room exactly as I found it. I also begin my chain of custody by taking photographs of the computer, including the serial numbers on the case and the hard drive.
I then open up the executive's computer and image the hard drive using a portable forensics acquisition device known as the ImageMASSter Solo 2. Of course, I must 'pull the plug' on the computer to power it off before I unplug the hard drive from the PC. After performing the forensics imaging, I then put the computer back together and leave the office exactly as I found it.
This method of forensics imaging requires that you "get it right" the first time. Make certain that you obtain an MD5 hash from the original drive and the forensics image, and that the two hash values match. Unlike performing a forensics image in your lab, you only get one chance to acquire the image successfully when you're in the field. If you don't capture the image successfully the first time, you might not get another chance to do so.
Don't attempt this type of forensics acquisition until you have some experience under your belt and you understand everything that can go wrong while imaging a computer.
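As an added example (not code from the book), the two checks this section asks for are carried out in Python: recording the MBR partition table before taking a partial image, and matching MD5 hashes of the original and the copy after a full image. The 2 MiB sample disk, its single partition at LBA 2048, and the strings placed on it are constructed for the example; the check also shows why the partial image misses data lying outside any partition.

```python
import hashlib
import struct

SECTOR = 512  # bytes per sector for the constructed sample disk

def parse_mbr_partitions(disk: bytes) -> list:
    """Record the MBR partition table: type, bootable flag, start LBA, sector count."""
    if len(disk) < SECTOR or disk[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature at bytes 510-511")
    parts = []
    for i in range(4):
        entry = disk[446 + 16 * i:446 + 16 * (i + 1)]
        # boot flag, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        boot, ptype, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": i, "type": ptype, "bootable": boot == 0x80,
                      "start_lba": start_lba, "sectors": count})
    return parts

def md5_of(blob: bytes, chunk: int = 1 << 16) -> str:
    """Hash in chunks so a real drive need not be read into memory at once."""
    h = hashlib.md5()
    for off in range(0, len(blob), chunk):
        h.update(blob[off:off + chunk])
    return h.hexdigest()

def verify_image(source: bytes, image: bytes) -> bool:
    """Full-image acceptance test: original and copy must hash identically."""
    return md5_of(source) == md5_of(image)

def extract_partition(disk: bytes, part: dict) -> bytes:
    """Partial image: copy only the sectors that belong to one partition."""
    start = part["start_lba"] * SECTOR
    return disk[start:start + part["sectors"] * SECTOR]

def build_sample_disk() -> bytes:
    """Constructed 2 MiB disk with one bootable type-0x83 partition at LBA 2048.
    Sector 100 lies in unallocated space before the partition (hypothetical data)."""
    disk = bytearray(4096 * SECTOR)
    disk[446:462] = struct.pack("<B3xB3xII", 0x80, 0x83, 2048, 2048)
    disk[510:512] = b"\x55\xaa"
    disk[100 * SECTOR:100 * SECTOR + 12] = b"deleted file"   # outside any partition
    disk[2048 * SECTOR:2048 * SECTOR + 11] = b"ledger.xls "  # inside the partition
    return bytes(disk)

if __name__ == "__main__":
    disk = build_sample_disk()
    parts = parse_mbr_partitions(disk)
    print(parts, verify_image(disk, disk), b"deleted file" in extract_partition(disk, parts[0]))
```

On a real drive the same logic reads the device in chunks rather than holding it in memory, and the recorded partition table is what lets a partial image be interpreted later.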
When deciding which method to use, evaluate which of the following types of information you may need:
Text documents, spreadsheets, databases, financial data, electronic mail, digital photographs, sound, and other multimedia files
Previously deleted data, deleted folders, slack space data, and intentionally placed data
Extra tracks or sectors on a floppy disk, or an HPA on a hard drive
User settings and the functionality of the hardware or software
Boot files, Registry files, swap files, temporary files, cache files, history files, and log files
The next section briefly describes some of the tools you will encounter in Chapter 8, 'Common Forensics Tools.' It also goes into a little more depth on some of the other tools that are available for capturing memory and disk images.