A forensic image is an exact, sector-by-sector copy of a hard disk, taken using software such as Paraben Lockdown/Forensic Replicator or Logicube Forensic Dossier. These tools create an exact copy of the drive and, unlike the Windows OS, do not attempt to write to the drive on startup, so the copy matches the original bit for bit. Deleted files, slack space, system files and executables (including documents renamed to mimic system files and executables) are all captured in a forensic image.
A forensic copy is a file-level copy of data from a hard disk. Before the copies are taken, the parties involved in the discovery process agree which types of files (email, purchase records, timecards, etc.) will be part of the forensic analysis, and only those files are copied. Special software, such as EnCase Forensic, is used to create a logical evidence file (LEF) in E01 or L01 format. An E01 file is a proprietary-format file that stores the physical bitstream of a hard drive; forensic software creates this bitstream, an exact duplicate of the entire drive, using non-invasive procedures. An L01 file is an EnCase Forensic proprietary storage format that holds the selected files with varying levels of compression. This digital evidence container is validated and approved by courts worldwide.
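The two preceding paragraphs turn on one point: a sector-level image carries everything on the drive, including remnants of deleted files that a file-level copy never sees, and its exactness is proven by hashing. The following Python script is an added illustration, not code from the page or from any of the products named above; it images a constructed stand-in for a drive (a plain file) sector by sector, pads unreadable sectors with zeros the way forensic imagers do, and verifies the result by hash. The file and sector layout are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the demo

def acquire_image(source_path, image_path, sector_size=SECTOR):
    """Sector-by-sector acquisition. The source is opened read-only and never
    written to. Returns (sha256 of what was read, sectors read, unreadable sectors)."""
    digest, bad, count = hashlib.sha256(), [], 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(sector_size)
            except OSError:
                # Unreadable sector: zero-fill and skip it so later offsets stay aligned
                chunk = b"\x00" * sector_size
                bad.append(count)
                src.seek((count + 1) * sector_size)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
            count += 1
    return digest.hexdigest(), count, bad

def verify_image(image_path, expected_hash):
    """Re-hash the finished image; any mismatch means the copy is not exact."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest() == expected_hash

def build_sample_disk(path, sector_size=SECTOR):
    """Constructed 'drive': sector 0 holds a live file, sector 2 holds the remnant of a
    deleted file. A file-level copy would list only the live file."""
    live = b"LIVE:quarterly_report.docx".ljust(sector_size, b"\x00")
    deleted = b"DELETED:old_timecards.xls".ljust(sector_size, b"\x00")
    with open(path, "wb") as f:
        f.write(live + b"\x00" * sector_size + deleted + b"\x00" * sector_size)

def demo():
    tmp = tempfile.mkdtemp()
    disk, image = os.path.join(tmp, "disk.bin"), os.path.join(tmp, "disk.raw")
    build_sample_disk(disk)
    acq_hash, sectors, bad = acquire_image(disk, image)
    with open(image, "rb") as f:
        remnant = b"DELETED:old_timecards.xls" in f.read()
    return {"sectors": sectors, "bad": bad,
            "verified": verify_image(image, acq_hash), "remnant_present": remnant}
```

The raw image written here is the same bitstream an E01 container wraps with metadata and compression; the acquisition hash is what gets recorded in the chain-of-custody notes.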
In some cases a court order allows seizure of the hard disk for copying or imaging; in other cases, such as internal audits, file copies can be made over the LAN or another network connection. Once the forensic image or copy has been obtained, it can be expanded onto a control computer in a secure facility for file and data searching. At that point, additional software, such as Clearwell, can be used to index the files for enhanced keyword search (for standard office documents) and to index email discussion threads by topic.
For more information, see "E-Discovery Q & A for Data Warehouse Administrators" and "CSI SQL Server."