Moving To 'Secure The Image': Valuable Data May Be Overwritten Forever
By: Robert Kelso of Forensic Pursuit LLC. As originally published in Law Week Colorado, week of August 13, 2007. Tel: (866) 784-2597. Email: Forensic Pursuit. Website: www.forensicpursuit.com
DENVER - The statistics are familiar: 93% of new corporate data is electronic and 70% will never be printed.[1]
The implications are enough to make even the most hardened discovery veteran shudder. However, this revelation is only part of the story. Truly important data, perhaps the smoking gun that makes or saves a case, may exist entirely outside this large volume of active computer data.
It is almost common sense that as disputes turn to litigation, important data may have been deleted, whether intentionally or by standard operation of a computer system. Determining the importance of deleted information and whether you want to examine it can wait until a case has traveled farther down the road of litigation. What cannot wait is preserving the deleted data before it's overwritten and gone forever. What cannot wait is securing a forensically-sound image of any and all important hard drives.
Electronically stored information comes in three basic types. Active or "live" data are the current files visible on the computer. Archival or "backup" data has been moved to peripheral storage devices such as CDs, tapes, or external hard drives. The third is latent or "deleted" data that was at one time active, but now resides only in the unallocated spaces of a hard drive. This deleted data is generally hidden from computer users and administrators. This type of data is also generally invisible to applications and tools that acquire data for e-discovery processing.
While e-discovery deals almost exclusively with live and backup data, computer forensics often focuses on deleted data. Because deleted data is generally inaccessible to even sophisticated computer users and the most capable administrators, it may not be considered reasonably accessible, and you certainly cannot rely on opposing counsel to produce it as part of normal e-discovery. If you want to preserve the opportunity to examine deleted data, you need to take steps to "secure the image."
Securing the image means creating forensically-sound copies of the hard drives of every key player's computer or server. A forensically-sound image is a sector-by-sector, bit-stream copy of a hard drive that retains latent or deleted data.
For an image to be forensically sound, it must meet certain criteria: First, the process of creating the image must not alter the original data in any way. Also, the image itself must be treated as real evidence and a proper chain-of-custody must be maintained. Finally, and perhaps most important, the image must be verified as perfectly identical to the original by means of a hash: a digital fingerprint that the forensic investigator computes from the data itself. The chances of two different objects having the same MD5 hash value are around 1 in 340 undecillion.[2] That's more than a billion billion times more unlikely than two people having the same DNA!
Securing the image is about preservation. Deleted data can be overwritten at any time. Every time a computer is turned on, latent data is overwritten. And once latent data is overwritten, for all practical purposes, it's gone forever. Only a forensic image preserves the status quo, and with it the latent data.
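The following Python program is an added illustration of the two points above, not code from the article or from Forensic Pursuit. It constructs a toy "disk" (a few 512-byte sectors with a made-up allocation table, not a real filesystem), then produces two copies of it: a bit-stream image made sector by sector from a read-only handle, with MD5 and SHA-256 computed during acquisition and recomputed over the finished image so the copy is only reported as verified when both match, and a "simple backup" that copies only the sectors the allocation table references. The deleted memo planted in an unallocated sector survives in the image and is absent from the backup. All file names, the sector layout and the planted strings are assumptions made for the example.

```python
import hashlib
import os
import struct
import tempfile

SECTOR = 512          # bytes per sector on the toy device
NUM_SECTORS = 8       # toy device size: 8 sectors = 4096 bytes


def build_toy_disk(path):
    """Write a constructed toy 'disk' to path.

    Sector 0 is a tiny allocation table: a 4-byte entry count followed by
    (start_sector, length) pairs. Sectors the table references are 'live';
    every other sector is unallocated. Sector 6 holds the remains of a file
    that was deleted (its table entry removed) but never overwritten.
    This is constructed sample data, not a real filesystem format.
    """
    disk = bytearray(SECTOR * NUM_SECTORS)
    entries = [(1, 2), (4, 1)]                      # live files: sectors 1-2 and 4
    struct.pack_into("<I", disk, 0, len(entries))
    for i, (start, length) in enumerate(entries):
        struct.pack_into("<II", disk, 4 + 8 * i, start, length)
    for sector, payload in [(1, b"LIVE: quarterly report"),
                            (4, b"LIVE: contact list"),
                            (6, b"DELETED: draft memo never sent")]:
        disk[sector * SECTOR:sector * SECTOR + len(payload)] = payload
    with open(path, "wb") as f:
        f.write(disk)


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streamed sector by sector."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def image_device(src, dst):
    """Bit-stream copy of src to dst, followed by independent verification.

    The source is opened read-only; in the field a hardware write blocker
    enforces this so the imaging process cannot alter the original.
    Hashes are computed over the source during acquisition and again over
    the finished image file; the image is 'verified' only if both match.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(SECTOR), b""):
            md5.update(chunk)
            sha.update(chunk)
            fout.write(chunk)
    acquired = (md5.hexdigest(), sha.hexdigest())
    verified = hash_file(dst) == acquired       # re-read the image from disk
    return {"md5": acquired[0], "sha256": acquired[1], "verified": verified}


def file_level_backup(src, dst):
    """A simple backup: copies only the sectors the allocation table references."""
    with open(src, "rb") as fin:
        disk = fin.read()
    count = struct.unpack_from("<I", disk, 0)[0]
    with open(dst, "wb") as fout:
        for i in range(count):
            start, length = struct.unpack_from("<II", disk, 4 + 8 * i)
            fout.write(disk[start * SECTOR:(start + length) * SECTOR])


def contains(path, needle):
    """True if the raw bytes of the file at path contain needle."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Image and back up the toy disk; report what each copy preserved."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "toy_disk.raw")
        image = os.path.join(tmp, "toy_disk.dd")
        backup = os.path.join(tmp, "backup.bin")
        build_toy_disk(device)
        result = image_device(device, image)
        file_level_backup(device, backup)
        result["image_has_deleted"] = contains(image, b"DELETED:")
        result["backup_has_deleted"] = contains(backup, b"DELETED:")
        result["backup_has_live"] = contains(backup, b"LIVE: quarterly report")
        result["image_size"] = os.path.getsize(image)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the acquisition hashes, `verified: True`, `image_has_deleted: True` and `backup_has_deleted: False`. The example records SHA-256 next to the MD5 the article discusses because two different inputs with the same MD5 digest can now be constructed deliberately, so current practice is to log a second, stronger digest alongside it; the verification logic is otherwise exactly the article's point, namely that the hash of the image must match the hash of the original before the image is relied upon.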
Forensic imaging of hard drives that may yield valuable evidence should be routine at the onset of a case. A simple backup copy is not sufficient, and IT people are rarely qualified to create a forensic image. Certified forensic investigators have the proper tools and training to secure the image in such a way as to ensure that any important evidence retrieved from the image will be admissible in court. The minimal expense of securing a forensic image early in a case may make the difference between winning and losing. Importantly, forensic investigators need not view the contents of a hard drive when creating an image, so arguments of relevance, privilege, confidentiality, and admissibility can be saved for another day. As you open your next case, consider whether it makes sense to secure the image now, before it is too late.
The author owns Forensic Pursuit LLC.
1. See e.g., Sharon Isaacson, The Why and What of WORM Technology: Worm Tape Libraries Make Sense - Tape/Disk/Optical Storage, Computer Technology Review, Mar. 2003.
2. Richard Hardy & Susan S. Kreston, "Computers Are like Filing Cabinets . . ." Using Analogy to Explain Computer Forensics, 15 National Center for the Prosecution of Child Abuse Update No. 9 (2002).
Forensic Pursuit is an international leader in emerging forensic technology. All members of the company are CHFI and EnCE certified computer forensic investigators.
©Copyright - All Rights Reserved
DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.