Three benefits of using live forensic imaging in your next case

Today, forensic imaging remains the foundation for all computer forensics.

In fact, forensic imaging is critical when having electronically stored information (ESI) admitted as evidence in courts and tribunals around the world, or performing internal investigations. Consequently, it is more important than ever to identify and utilize the most effective and defensible imaging methods available, while remaining cognizant of any cost concerns that clients may have.

Over the last quarter century, legal requirements have increased the prevalence of and reliance upon computer forensics. Traditionally, computer forensics has been performed by leveraging static imaging, meaning that the process is performed after a workstation is shut down. Yet, with the recent amendments to the Federal Rules of Civil Procedure (FRCP), live acquisition (while the workstation is still running) of ESI can provide your firm with significant advantages.¹

To help you learn more about the power of live imaging and the benefits it can provide your firm and your clients, here are three factors for you to consider:

3. Live imaging can bypass most encryption.

By definition, live imaging generally defeats encryption for the data custodian once they are logged on to the system being imaged. Unlike static imaging, live imaging does not require IT administrators to share their sensitive decryption codes which are being used to protect the highly confidential business records. By taking the live imaging approach, bypassing encrypted hard drives and encryption software is achieved, because the custodian is already logged-in using their own credentials – placing the target ESI temporarily in an unencrypted state.

You may be asking yourself, why should we explore live imaging if traditional static imaging already meets certification requirements?

Potential cost savings and ease of logistics aside, there is scientific proof that live imaging can be an effective way to gather ESI. In fact, tests show that live imaging of workstations may be considered more forensically sound, making fewer changes to workstations than when they are shut down prior to creating a static image.