Avalon Blog

Forensic Imaging: A Better Approach to eDiscovery

Written By: Kyle Cavalieri, Chief Information Officer



Proper preservation of electronic information is often not as simple as it seems.  In the world of computer forensics and electronic discovery, a simple ‘copy and paste’ of the relevant items may lead to issues further down the road.  It is imperative to ensure that the data has been preserved in a defensible manner to avoid any issues of spoliation.

When the parent operating system touches a file, it tracks and stores that activity, which modifies certain attributes of the file (known as metadata). This modified information can raise concerns that the files have been altered or tampered with. One of the main rules when dealing with electronic evidence is to never modify the original media, if at all possible.

Thus, the best way to collect electronic evidence is by creating a forensic image of the source media. A forensic image is a bit-for-bit copy of the original media, ensuring data accuracy. These bit-level images include data that may have been deleted or is otherwise not accessible to the end-user or operating system. The forensic imaging tools will generate a mathematical checksum, also known as a hash value or digital fingerprint, on the source and target data. As long as they both match, we can be sure the data is an authentic, exact duplicate of the original media.

These forensic images are vastly different from the output of the ‘disk cloning’ or ‘disk mirroring’ tools widely used in the IT world. The cloning tools, such as Symantec Ghost, are not designed to create bit-for-bit duplications; instead, they recreate the partition information and copy the active files as needed. No deleted or inaccessible data is captured during the cloning. In addition, these tools typically do not generate the mathematical hash values of the source and target. However, if hash values were generated for the source and target, it is highly likely that the results would be vastly different. This may lead to issues in the courtroom!
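The hash comparison described above, and the mismatch a clone-style copy would show, can be seen in a short added example (not code from Avalon or from any imaging tool). The function names and the sample "media" bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never sits in memory


def hash_file(path, algo="sha256"):
    """Return the hex digest of every byte in `path`."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, target, algo="sha256"):
    """Copy `source` to `target` bit for bit, hashing the source as it is read,
    then re-read the target from disk and compare. Source is opened read-only."""
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(target, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hash, target_hash = h.hexdigest(), hash_file(target, algo)
    return source_hash, target_hash, source_hash == target_hash


def demo():
    """Constructed 'media': one active file followed by deleted-file residue."""
    active = b"QUARTERLY REPORT" * 64
    residue = b"deleted draft that the file system no longer lists" * 8
    with tempfile.TemporaryDirectory() as d:
        media, image, clone = (os.path.join(d, n) for n in ("src.bin", "image.dd", "clone.bin"))
        with open(media, "wb") as f:
            f.write(active + residue)
        src_hash, img_hash, verified = image_and_verify(media, image)
        with open(clone, "wb") as f:  # clone-style copy: active data only
            f.write(active)
        with open(image, "rb") as f:
            residue_kept = residue in f.read()
        return {"verified": verified, "source": src_hash, "image": img_hash,
                "clone": hash_file(clone), "residue_in_image": residue_kept}


if __name__ == "__main__":
    print(demo())
```

On real media the source would be a block device read through a write blocker, and both hash values would be recorded with the collection notes.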

While it is possible for internal IT staff to use cloning tools to ‘preserve’ certain data, the possible consequences must be kept in mind. If an issue arises, will the IT personnel be able to defend the cloning process in court? Hiring third-party forensic experts ensures that your data is preserved in a legally defensible manner.
