What is Forensic Hard Drive Imaging?

When a computer is identified as possibly containing electronic evidence, it is imperative to follow a strict set of procedures to ensure a proper (i.e. admissible) extraction of any evidence that may exist on the subject computer. The first thing to remember is the “golden rule of electronic evidence” – never, in any way, modify the original media if at all possible. Thus, before any data analysis occurs, it usually makes sense to create an exact, bit stream copy of the original storage media that exists on the subject computer. This may include a single or multiple hard drives, floppy disk(s), CD(s), Zip drive(s) or DVD(s), plus many other types of storage media that now exist. Imaging the subject media by making a bit-for-bit copy of all sectors on the media is a well-established process that is commonly performed on the hard drive level, hence often referred to as hard drive imaging.

The creation of a true forensic hard drive image is a highly detailed process. If you do not have it performed by a trained professional, you may severely compromise your chances of obtaining admissible evidence as a result of your discovery efforts. Also, to avoid accusations of evidence tampering or spoliation, it is a recommended best practice that imaging be performed by an objective third party. Suggested protocols for hard drive imaging can be found within guidelines standardized by institutions and organizations like the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST).

As you hire a computer forensics expert, know that he or she can choose among a large number of software and hardware to obtain a forensic image. What is important is that you qualify the expert’s experience and that you ensure a rigid process by asking the right questions. A good start is to always make sure that the integrity of all evidence is maintained, chain of custody is established, and all relevant hash values are documented.

Once imaging is completed, any good tool should generate a digital fingerprint of the acquired media, otherwise known as a hash. A hash generation process involves examining all of the 0’s and 1’s that exist across the sectors examined. Altering a single 0 to a 1 will cause the resulting hash value to be different. Both the original and copy of the evidence are analyzed to generate a source and target hash. Assuming they both match, we can be confident of the authenticity of the copied hard drive or other media.

The industry standard for imaging currently recommends the use of the MD5 algorithm. The creator of the MD5, Ronald L. Rivest of MIT, describes the algorithm as follows:

[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit “fingerprint” or “message digest” of the input . . . The MD5 algorithm is intended for digital signature applications, where a large file must be “compressed” in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Mathematical jargon aside, the above statement simply says that the MD5 is an excellent method of verifying the integrity of data. An MD5 value obtained from the image of the hard drive should match the value of the original hard drive. Even the smallest modification on a hard drive, for example, adding a comma to a MS Word document, would vastly change the resulting MD5 hash value.

While it may seem plausible to utilize internal IT personnel to render an image of a suspect hard drive, keep in mind the possible consequences. Hiring third-party computer forensics expert will ensure safe handling of evidence. A qualified expert will follow industry standards to avoid spoliation and will help to refute the charge of sabotage by an internal staff member who may know the key individual(s) connected to the case. A third-party expert will also establish a chain of custody that guarantees another layer of protection to the evidence.