Incident Response
24 hours
(915) 544-2034
(888) 544-2034
Digital Forensic Services
- Law Enforcement
- Government
- Private Sector
Incident Response
24 hours
(915) 544-2034
(888) 544-2034
Digital Forensic Services
- Law Enforcement
- Government
- Private Sector
One of the many common definitions for 'forensic' is 'suitable for a court of law, public debate or argument'. In the field of digital forensics, part of that suitability comes from being able to show that the digital evidence was not changed in any meaningful way during the process of its recovery. It is for this reason that the same software which might be used to recover lost or deleted data for personal or business use might be unacceptable for use in a forensic setting. The forensic imaging and data acquisition process is much more demanding than simple data recovery.
The goal of the forensic imaging process is to produce an exact, bit-for-bit duplicate of the digital content located on the computer, drive or device to be examined. The image can then be copied for archiving and subjected to the forensic examination without fear of damaging or altering the original. A sophisticated mathematical algorithm, called a hash, can be run on the original and the copy to verify that they are identical. This process is referred to as 'imaging' or 'acquisition'.
One of the main tools used for forensic imaging is a hardware write blocker. These devices allow hard drives and other devices to be connected to a computer in a read-only mode, preventing data on the device from being changed. There are many different types of interfaces for hard drives and other devices, and write blockers are available for most of them.
The other primary tool for the acquisition process is a piece of software for device imaging. There are many different programs which will do imaging but they all share the same primary function: they copy, bit for bit, the contents of one drive or device to another. Often these programs will also perform the hash test to verify that the image is identical to the original.
At NTC Forensics we can image most types of drives and devices. Our El Paso lab includes write blockers for IDE, SATA, USB and SCSI devices. We also have interface cables for most brands of cell phones and PDAs and can read data from thumb drives, flash memory and digital cameras. We stock a wide range of hard drives from 200 MB up to 250 GB for use in the imaging process, and we have a fully mobile acquisition unit for imaging devices in the field. We can image a drive or device as part of a complete analysis or as a service to provide a forensic image for analysis by law enforcement or another third party. Contact us at (915) 544-2034 for more information about our forensic imaging capabilities.
