Acquisition is Usually the First Step

The work in each digital forensic investigation often begins with acquisition of one - and often many - digital storage devices ranging from hard disks and SSDs to USB thumb drives to cell phones and tablets. "Forensic imaging" is the phrase we use to talk about the acquisition process and the word "forensic" in this context means that we are imaging (acquiring) images in a "forensically sound" way - that is to say, using processes that are recognized as best practices and hold up in a court of law.

Each type of device presents unique challenges and numerous tools have been developed to meet these challenges. Other factors like the volume of cases, whether you work in the field or in a lab environment and your organization's budget also impacts the choice of tools.

The Basics...Using a Write Blocker

Successful forensic imaging depends on several key elements:

• Being able to connect to and communicate with the source evidence device.
• Ensuring the source evidence device is not modified.
• Ensuring that the copy (the forensic image) is a faithful and verifiable duplicate of the original evidence.

Write blocking is one of the most widely used technologies used to enable a successful connection to the source evidence device while ensuring that it remains unmodified.

There are many different types of write blockers - like those in the Digital Intelligence UltraBlock family of write blockers. Different write blockers offer different interfaces for connecting to different types of storage devices, like SATA, SAS, IDE, USB, memory cards and so forth. The write blocker "sits between" the source evidence device and the computer doing the imaging operation. You can buy write blockers individually or in complete kits.

The process of forensic imaging is itself managed by "imaging software" like TIM (the Tableau Imager), EnCase Forensic or FTK Imager. Imaging software reads the source evidence through the write blocker and creates a "forensic image" on a destination device. While creating the forensic image the imaging software also calculates a digital "fingerprint" (technically known as a "hash signature") for the evidence and stores this signature with the forensic image. The fingerprint/signature can be recalculated at later stages of the digital investigation and compared with the original to ensure that the forensic image remains a faithful copy of the original evidence.

Dedicated Imagers

Dedicated imagers  - sometimes called forensic duplicators - combine the function of the write blocker, imaging computer and imaging software into a single, portable device.

Dedicated imagers offer a variety of input ports and adapters for connecting the source evidence device. They also offer different output ports for connecting destination devices to hold the forensic image. High-end dedicated imagers also include network interfaces and are able to write forensic images to network-attached storage.

Purpose-Built Forensic Systems

Purpose-built forensic systems - like the Digital Intelligence line of FRED workstations offer high-performance processing with built-in write-blocking and pre-installed imaging software. These systems are ideal for use at your desk or in a forensic lab environment.

Forensic Networks

Forensic imaging produces enormous volumes of data and many organizations have requirements to keep this data for a long time - sometimes forever. Forensic networks offer a solution for managing large quantities of forensic images and case data.

A forensic network - like the Digital Intelligence FREDC Data Center  - is an enterprise-class system encompassing processing, storage, backup, network switching and administration. RAID-based storage provides secure, fault-tolerant storage that can be shared among many examiners and investigators and tape backup offers a path for long-term storage and archival of case data.

Jumpstart the Software Learning Curve with Digital Intelligence Training

Acquiring tools is step one. Using them effectively while sifting through complex regulatory challenges often requires a step learning curve. Let Digital Intelligence help. We offer technology, product, and process training to build the skills need to work efficiently in a changing digital landscape.

We define and conduct training based on your experience, knowledge level, and professional goals. At our training location or yours. learn more

Enhance Your In-House Capabilities with Digital Intelligence Forensic Services

Looking for an alternative to the traditional "buy, learn, and use" model of software ownership? Digital Intelligence Forensic Services offers price competitive options. Our skilled, certified, and in-house services staff have decades of digital forensic and eDiscovery case work experience. Contact us to learn more about our capabilities, creative service options, and collaborative approach to working for you. learn more

Technical Support You Can Count On

When you purchase from Digital Intelligence, you’re getting the best forensic products money can buy. But the value doesn’t stop there. You get lifetime technical support and access to a professional, dedicated support team. We measure our success not just by the number of systems we sell but also by the level of support we provide. Whether it’s a question about your FRED, UltraBlock, Imager or software – or a question about a forensic problem you face – we have your back. Call, email, or text. We are here for you.