Computer forensics, also known as digital forensics, is the science of capturing and analyzing digital data, typically from computer mass storage devices such as hard disk drives, thumb drives, memory cards and the like. Special care must be taken to ensure that the evidence is collected in a sound manner, has not been altered during the acquisition process, and that the captured data has been authenticated and is analysis-ready. There are many disk imaging tools on the market today that allow you to capture digital data, both hardware-based and software-based. Most forensic practitioners have a variety of tools in their arsenal, allowing them to select the most appropriate device for the specific task at hand.
Here are the top 5 things to consider when making a purchase:
1. Speed
As hard disk capacities have increased exponentially over the last few years, the amount of data on a hard disk has grown as well. That can mean long acquisition times. Advertised speeds are based on the fastest throughput. Speed will be limited by the specifications of your source or suspect drive, which is typically slower than the evidence or destination drive, but you should make sure that the device can image at the fastest speeds possible.
2. Supported drive interfaces
Forensic investigators may encounter various drive interfaces; IDE/SATA/SAS/SCSI. Some imaging devices only support one interface type, so look for a tool that can provide support for as many interfaces as possible, either natively (preferred) or with the use of drive adapters.
3. Ease of use
Most investigators do not have time to attend complex training classes to learn how to use a tool, nor do they want to wade through a lengthy and complicated user's manual each time they use the device. A device that has an intuitive user interface with easy-to-follow icons is preferable, particularly for field work.
4. Write protection
Is the data capture device write-protected to ensure that no information is introduced onto the media during the capture process? Can the data capture device act as an external write-protect device so no other write-blockers are required after acquisition? Is the evidence drive enclosed in the data capture device? This would provide additional protection during the capture process.
5. Authentication
Authentication is a critical component of digital data acquisition. Make sure that the data capture device you are selecting uses a recognized hash algorithm, a "digital fingerprint" such as MD5 (the industry standard) or SHA. This process provides absolute verification that the copy is an exact duplicate of the original.
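The verification step described above, as an added example that is not part of this article or of any vendor's product: the source and the image are streamed in fixed-size chunks (a multi-terabyte drive never fits in memory), MD5 and SHA-256 are computed together in one read pass, and the report shows that a single flipped bit anywhere in the image changes both digests while leaving the file size unchanged. Computing SHA-256 alongside MD5 is a deliberate choice here, since MD5 collisions are well documented and a second, unbroken hash costs only CPU, not an extra pass over the evidence. The file names and the 3 MiB test pattern are constructed for the demo.

```python
"""Single-pass MD5 + SHA-256 verification of a forensic image (added example)."""
import hashlib
import io
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # 1 MiB reads: stream the evidence, never load it whole

def hash_stream(stream, algos=("md5", "sha256")):
    """Feed every chunk to all hashers in ONE pass over the data; return hex digests."""
    hashers = {name: hashlib.new(name) for name in algos}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data, algos=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algos)

def hash_file(path, algos=("md5", "sha256")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algos)

def verify_image(source_path, image_path, algos=("md5", "sha256")):
    """Per algorithm: does the image digest equal the source digest? Sizes are checked too."""
    src, img = hash_file(source_path, algos), hash_file(image_path, algos)
    report = {name: src[name] == img[name] for name in algos}
    report["size_match"] = os.path.getsize(source_path) == os.path.getsize(image_path)
    return report

def demo():
    """Constructed data: a 3 MiB stand-in for a suspect drive, a faithful image, and one with a single flipped bit."""
    drive_bytes = bytes(range(256)) * (3 * 4096)  # deterministic 3 MiB pattern
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source, good, bad = tmp / "suspect_drive.bin", tmp / "image_good.dd", tmp / "image_bad.dd"
        source.write_bytes(drive_bytes)
        good.write_bytes(drive_bytes)                 # exact duplicate of the source
        corrupted = bytearray(drive_bytes)
        corrupted[1_000_000] ^= 0x01                  # flip one bit mid-image; size unchanged
        bad.write_bytes(bytes(corrupted))
        return verify_image(source, good), verify_image(source, bad)

if __name__ == "__main__":
    ok, tampered = demo()
    print("faithful image:", ok)        # md5/sha256/size_match all True
    print("one-bit change:", tampered)  # md5 and sha256 False, size_match still True
```

In a real acquisition the source would be read through a write blocker, and the digests of the source and the image would be recorded alongside the acquisition log rather than only printed.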
Do you have any other suggestions for officers purchasing and evaluating computer forensics products? Please leave a comment below or email firstname.lastname@example.org with your feedback.
Linda Davis, Director of Marketing at Logicube, Inc., contributed to this report. http://www.logicubeforensics.com