TEST to main content First level navigation Menu
Scan of fingerprint

Three benefits of using live forensic imaging in your next case

by ​David Greetham
Today, forensic imaging remains the foundation for all computer forensics.

In fact, forensic imaging is critical when having electronically stored information (ESI) admitted as evidence in courts and tribunals around the world, or performing internal investigations. Consequently, it is more important than ever to identify and utilize the most effective and defensible imaging methods available, while remaining cognizant of any cost concerns that clients may have.

Over the last quarter century, legal requirements have increased the prevalence of and reliance upon computer forensics.

Over the last quarter century, legal requirements have increased the prevalence of and reliance upon computer forensics. Traditionally, computer forensics has been performed by leveraging static imaging, meaning that the process is performed after a workstation is shut down. Yet, with the recent amendments to the Federal Rules of Civil Procedure (FRCP)1, live acquisition (while the workstation is still running) of ESI can provide your firm with significant advantages.

To help you learn more about the power of live imaging and the benefits it can provide your firm and your clients, here are three factors for you to consider: 
Information encryption

1. Data custodians (computer users) can facilitate the creation of their own forensic images.

After a data custodian installs an encrypted hard drive in his/her computer, a remote live imaging tool will run with no further input needed by the custodian. This enables a complete forensic image of the internal storage device to be created and an electronic audit performed that records a range of information such as the make, model and serial number of the system, and user and domain details; the same system details that an on-site forensics expert would gather. In many circumstances, live imaging captures ESI more efficiently and cost-effectively and without the logistical challenges of getting a forensics expert onsite. 

2. Live imaging enables the imaging of random access memory (RAM).

With live imaging, an image of RAM can also be captured, providing you with a complete picture of how the system has been used immediately prior to the imaging process. With a static approach, this data is ultimately lost when the system is shut down which prevents access to this volatile and often important ESI.


You may be asking yourself, why should we explore live imaging if traditional static imaging already meets certification requirements?

Potential cost savings and ease of logistics aside, there is scientific proof that live imaging can be an effective way to gather ESI. In fact, tests show that live imaging of workstations may be considered more forensically sound, making fewer changes to workstations than when they are shut down prior to creating a static image. 

Have you explored live imaging for your firm? 

Discover the benefits of forensic imaging 
David Greetham
David Greetham, Vice President of eDiscovery Sales and Operations, Ricoh USA, Inc., is responsible for driving Ricoh’s computer forensic and electronic discovery services strategies and growth in the U.S. He has testified as an expert on numerous occasions both nationally and internationally, is a member of the Association of Certified Fraud Examiners, a Certified Computer Crime Investigator, a Certified Fraud Examiner, and a Certified Forensics Litigation Consultant. Greetham is the inventor and developer of Remlox™, a forensically sound “remote collection” tool which has already been used in 37 countries throughout the world.
1 Federal Rules of Civil Procedure. 2016 Edition. https://www.federalrulesofcivilprocedure.org