There are three essential tasks that an examiner performs during the analysis of evidentiary digital media: (1) creation of a forensic image; (2) creation of a forensic archive from the forensic image; and (3) exporting potential probative digital data related to the investigation. All three tasks are critical to the overall success of the investigation and eventual prosecution of the case.
FORENSIC IMAGE AND FORENSIC ARCHIVE
The admissibility of potential probative data at trial is probably going to be based upon the successful creation of the initial forensic image, its digital authenticity, and its chain of custody (if appropriate). Any of the many available forensic software tools can be used to create a forensic image. They all generate a bit-by-bit copy (a “bitstream image” or “mirror image”) of the data residing on the digital media. This ensures that all the data from allocated space, unallocated space, and free space is made available for examination. Hash algorithms, such as Message Digest 5 (MD5) or Secure Hash Algorithm-1 (SHA-1), provide digital authenticity not only for the forensic image, but also for the forensic archive and any potential digital probative data exported from it.
After receipt and inventory, the first priority is to create both a forensic image and a forensic archive. Using an approved forensic software tool and an appropriate write blocker, the evidence is acquired, resulting in creation of the forensic image, which is normally stored on a forensic computer’s evidence hard drive. Subsequently, the forensic archive is created from this forensic image. Once the forensic archive is exported onto optical media, digital tape, and/or another hard drive, the forensic image is analyzed for potential probative data. In addition to hashing, there are certain other precautions that have to be taken into consideration to ensure the authenticity of both the forensic image and the forensic archive. Specific policy and procedure need to be defined to preclude the commingling of forensic images from separate items or different cases. There has to be a procedure for wiping the forensic image after analysis is completed. Although the forensic image is work product, it can be considered evidence since it is an exact copy of the digital evidentiary media. Therefore, the examination area needs to be physically secured with limited access. Forensically sterile media must be used when creating the forensic archive. If an agency chooses to archive the evidence hard drive itself, other issues will arise. These include maintaining a chain of custody, proper packaging to prevent inadvertent damage and/or deleterious change, and the costs associated with purchasing additional hard drives.
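The hashing step in the procedure above, as an added example that is not part of the original text: digests are recorded when the image is acquired, and the archive copy (and later any exported file) is verified against that record. File names and the image contents are constructed sample data; any real workflow would use the agency's approved tool rather than this script.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read large images 1 MiB at a time, never whole into memory

def hash_stream(stream):
    """Compute MD5 and SHA-1 of a binary stream in chunks (suits multi-GB images)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def verify(path, recorded):
    """True only if every recorded digest matches; a single changed byte fails both."""
    actual = hash_file(path)
    return all(actual[alg] == digest for alg, digest in recorded.items())

def demo():
    """Constructed walk-through: acquired image -> archive copy -> altered copy."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "item1.dd")          # forensic image (constructed)
        archive = os.path.join(work, "item1_archive.dd")  # forensic archive copy
        altered = os.path.join(work, "item1_altered.dd")  # copy with one bit flipped
        payload = bytes(range(256)) * 4096               # 1 MiB of constructed sector data
        with open(image, "wb") as f:
            f.write(payload)
        record = hash_file(image)  # record digests at acquisition time
        with open(archive, "wb") as f:
            f.write(payload)
        with open(altered, "wb") as f:
            f.write(payload[:100] + bytes([payload[100] ^ 1]) + payload[101:])
        return {
            "record": record,
            "archive_ok": verify(archive, record),
            "altered_ok": verify(altered, record),
        }

if __name__ == "__main__":
    print(demo())
```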
A number of agencies create and store all examiner-generated forensic images on a Storage Area Network (SAN). There are many advantages in doing so. Virtually all SANs are configured into a RAID (Redundant Array of Inexpensive Disks). This provides data reliability, redundancy, and increased input/output performance. A SAN can also be configured with automated tape back-ups to provide another level of redundancy. Likewise, there are some disadvantages. The initial cost of a SAN and its ongoing maintenance can be substantial. There has to be policy and procedure in place to preclude commingling of forensic images and to limit access to the forensic images themselves. One method would be to create individual, secured partitions for each examiner. Security procedures would dictate that access to the individual partitions is restricted. Other issues then arise: Is the forensic image going to be maintained on the SAN after the completion of the analysis? Is a forensic archive going to be created from the forensic image and stored separately on the SAN? Will the forensic image eventually be wiped and the space reclaimed? Storing forensic images on the SAN becomes a question of sufficient hard drive capacity, physical security, and chain of custody. Remember, although the forensic image is work product, it can still be considered evidence. In fact, there are a number of agencies that specifically keep these forensic images available for further analysis. Other agencies allow case investigators access to the forensic image to bookmark potential probative data for prosecution purposes. When this occurs, a higher level of security has to be established. Likewise, if the SAN is used as a repository of forensic archives, then appropriate additional layers of redundancy, physical security, and access control will become necessary.
