Now we need to discuss a very important part of the collection process. As a matter of best practice, any data collection should be handled very carefully to avoid changing the data in any way. For that reason, the primary way to collect data is to use a team of forensic experts who will create “forensic images” or otherwise collect the data in a “forensically sound” way.
A forensic image is a bit-by-bit image of a particular hard drive, whether from a computer or a server: the forensic team captures every bit of data on the drive exactly as it existed. The goal is to do a single collection and get everything we need for any future analysis.
It isn't always necessary to image an entire computer or server hard drive. Sometimes we will only need specific file directories that the custodian has pointed us to during their custodial interview. Still, the data is collected very carefully using forensic procedures.
The forensic team will use software such as EnCase, FTK Imager or one of several other tools. The files we receive are called “evidence files” and carry extensions such as *.ad1, *.e01, *.ex01, *.l01 or *.lx01.
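As an added example (not code from the original article), the following Python check tells these evidence-file families apart by their on-disk signatures, so a received file can be confirmed to be what its extension claims before it is logged. The EWF/EWF2 magic values and the 13-byte EWF v1 header layout follow the libewf format documentation; the AD1 marker `ADSEGMENTEDFILE` is assumed here, and the sample headers are constructed, not taken from real evidence files.

```python
import struct

# Leading bytes of each evidence-file family. EWF v1 covers E01/L01, EWF2 covers
# Ex01/Lx01; the AD1 value is the assumed FTK Imager segment marker.
SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": "EWF (E01 physical/disk image)",
    b"LVF\x09\x0d\x0a\xff\x00": "EWF (L01 logical evidence file)",
    b"EVF2\x0d\x0a\x81\x00": "EWF2 (Ex01 physical/disk image)",
    b"LVF2\x0d\x0a\x81\x00": "EWF2 (Lx01 logical evidence file)",
    b"ADSEGMENTEDFILE": "AccessData AD1 logical image",
}

EWF_V1_SUFFIX = b"\x09\x0d\x0a\xff\x00"


def identify_evidence_file(header: bytes) -> dict:
    """Classify the first bytes of an evidence file by signature.

    Returns {'format': ...} and, for EWF v1 files, also 'segment'. The EWF v1
    file header is 13 bytes: 8-byte signature, 1-byte fields_start (must be 1),
    uint16 LE segment number, uint16 LE fields_end (must be 0).
    Raises ValueError for unknown signatures or an inconsistent v1 header.
    """
    for magic, name in SIGNATURES.items():
        if header.startswith(magic):
            break
    else:
        raise ValueError("not a recognised EWF/EWF2/AD1 evidence file")
    result = {"format": name}
    if magic.endswith(EWF_V1_SUFFIX):
        if len(header) < 13:
            raise ValueError("truncated EWF v1 file header")
        fields_start, segment, fields_end = struct.unpack_from("<BHH", header, 8)
        if fields_start != 1 or fields_end != 0:
            raise ValueError("EWF v1 header fields are inconsistent")
        result["segment"] = segment
    return result


def identify_path(path: str) -> dict:
    """Read only the leading bytes of a file on disk and classify them."""
    with open(path, "rb") as fh:
        return identify_evidence_file(fh.read(32))


# Constructed sample headers: an E01 first segment, an L01 second segment,
# an AD1 segment marker padded with zeros, and an unrelated blob.
SAMPLE_E01 = b"EVF\x09\x0d\x0a\xff\x00" + struct.pack("<BHH", 1, 1, 0)
SAMPLE_L01_SEG2 = b"LVF\x09\x0d\x0a\xff\x00" + struct.pack("<BHH", 1, 2, 0)
SAMPLE_AD1 = b"ADSEGMENTEDFILE" + b"\x00" * 17
SAMPLE_UNKNOWN = b"\x00" * 32
```

A multi-segment image (E01, E02, ...) should yield consecutive segment numbers starting at 1; a gap means a segment file is missing from the delivery.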
If a client is trying to save money or time by letting their IT department perform the data collection, and the IT contact is not familiar with forensic images for litigation matters, they may try to use software they already have on hand, such as Ghost, to create a computer image. Be sure to interject and let everyone know that a Ghost image is not the same thing as a forensic image. Fortunately, more and more corporations now have their own internal forensic teams to perform data collections.
When you receive the forensic data, be sure to also request a copy of the forensic team's tracking log. It records exactly what data was collected and from which custodians.