Forensic Drive Imaging & Evidence Preservation
Forensic drive imaging is a process of cloning evidence media to protect it from being modified and creating an identical copy with a calculated hash values to ensure its integrity and validity in court. It is imperative for any forensic investigation that the original evidence is preserved in its original state.
We have made few videos on this topic. Below is one of our latest videos.
Our process involves creation a Forensically sound disk image file using computer forensic methods. This method includes the use of a hardware write-blocking device to guarantee the original hard drive cannot be altered in any way.
We also provide a MD5 and SHA1 hash verification. This is done using computer forensic software and hardware.
Original evidence media is then stored in a bonded lockup.
A full report is provided of the process and multiple forensic copies are done if required.
What is a forensic drive image exactly? Wikipedia link to drive image
- Forensic imaging or acquisition is the process where the entire drive contents are imaged to a file and checksum values are calculated to verify the integrity (in court cases) of the image file (often referred to as a “hash value”). Forensic images are acquired with the use of software tools. (Some hardware cloning tools have added forensic functionality.)
Hash Value is actually a Hash Check sum or Checksum – Wikipedia Link
Checksum functions are related to hash functions, fingerprints, randomization functions, and cryptographic hash functions. However, each of those concepts has different applications and therefore different design goals. Checksums are used as cryptographic primitives in larger authentication algorithms. For cryptographic systems with these two specific design goals, see HMAC.