Three benefits of using live forensic imaging in your next case

by David Greetham

Summary

Three factors to consider with live acquisition of ESI

Time: 3 minute read

Today, forensic imaging remains the foundation for all computer forensics.

In fact, forensic imaging is critical when having electronically stored information (ESI) admitted as evidence in courts and tribunals around the world, or performing internal investigations. Consequently, it is more important than ever to identify and utilize the most effective and defensible imaging methods available, while remaining cognizant of any cost concerns that clients may have.

Over the last quarter century, legal requirements have increased the prevalence of and reliance upon computer forensics. Traditionally, computer forensics has been performed by leveraging static imaging, meaning that the process is performed after a workstation is shut down. Yet, with the recent amendments to the Federal Rules of Civil Procedure (FRCP)1, live acquisition (while the workstation is still running) of ESI can provide your firm with significant advantages.

To help you learn more about the power of live imaging and the benefits it can provide your firm and your clients, here are three factors for you to consider:

Subscribe to our newsletter

1. Data custodians (computer users) can facilitate the creation of their own forensic images.

After a data custodian installs an encrypted hard drive in his/her computer, a remote live imaging tool will run with no further input needed by the custodian. This enables a complete forensic image of the internal storage device to be created and an electronic audit performed that records a range of information such as the make, model and serial number of the system, and user and domain details; the same system details that an on-site forensics expert would gather. In many circumstances, live imaging captures ESI more efficiently and cost-effectively and without the logistical challenges of getting a forensics expert onsite.

2. Live imaging enables the imaging of random access memory (RAM).

With live imaging, an image of RAM can also be captured, providing you with a complete picture of how the system has been used immediately prior to the imaging process. With a static approach, this data is ultimately lost when the system is shut down which prevents access to this volatile and often important ESI.

Have you explored live imaging for your firm?

Discover the benefits of forensic imaging

3. Live imaging can bypass most encryption.

By definition, live imaging generally defeats encryption for the data custodian once they are logged on to the system being imaged. Unlike static imaging, live imaging does not require IT administrators to share their sensitive decryption codes which are being used to protect the highly confidential business records. By taking the live imaging approach, bypassing encrypted hard drives and encryption software is achieved, because the custodian is already logged-in using their own credentials – placing the target ESI temporarily in an unencrypted state.

You may be asking yourself, why should we explore live imaging if traditional static imaging already meets certification requirements?

Potential cost savings and ease of logistics aside, there is scientific proof that live imaging can be an effective way to gather ESI. In fact, tests show that live imaging of workstations may be considered more forensically sound, making fewer changes to workstations than when they are shut down prior to creating a static image.