Long before we had literal computers in our pockets, digital forensic investigators were working to clone vital information from servers and hard drives. Digital forensic imaging, as it’s called, involves the processes and tools used to copy a physical storage device for conducting investigations and gathering evidence. The copy includes not just the files that are visible to the operating system but every bit of data: every sector, partition, file and folder, master boot records, deleted files and unallocated space. The image is an identical copy of all the drive structures and contents. It’s an incredibly delicate process that depends on high-tech equipment, quality and efficiency.
To learn more about the process, Forensic editor-in-chief Michelle Taylor recently caught up with Todd Bellows, Director of National Sales for Logicube, one of the oldest manufacturers of hard drive duplication and forensic acquisition solutions in the industry.
MT: What are some of today's most popular methods of data extraction?
TB: Data extraction, by nature, is a cumbersome process for any forensic investigator. Simplification of this process and utilization of the correct tool(s) is paramount. For hard drive and multimedia extraction an investigator would select one of the following two paths: use of a forensic workstation or laptop coupled with a hardware write blocker and back-end forensic software suite or use of a robust and efficient hard drive duplicator.
MT: Can you compare and contrast the two methods?
TB: An investigator will be handicapped when using a computer, write blocker and software bundle as this combination is slow and inefficient. With today’s large capacity hard drives, the days of quick drive collection and examination are over. Furthermore, these bundles are not developed to handle more than one drive connection at a time. Other critical required tasks cannot be performed until the solution fully completes each independent drive copy. When switching to a high-speed hard drive duplication platform, some offering up to 50 to 90 GBs/min, along with multi-connection points, the ability to launch and process multiple collections simultaneously—some up to 5 at one time—and previewing and management of the finished collected files, investigators take advantage in savings of time and money.
MT: What are the determining factors for these methods? How would a digital forensic examiner know to use one method over the other?
TB: New investigator entrants into the digital collection market may look to use a computer bundle as the perception is this is a less expensive solution. However, when one reviews the total ownership cost of the type of computer required for data acquisition, software licenses and the external write blocker, they may be overlooking the hard drive duplicator option. Understanding the true benefits of the correctly selected HDD duplicator will allow the user greater feature scalability, thus eliminating the need to purchase additional equipment to satisfy different parts of the evidence collection process. There are HDD duplicators that offer advanced modules to support the likes of cloud and mobile phone capture in addition to the core hard drive interface ports.
MT: What are some of the challenges facing the forensic data extraction industry today? And how can they be overcome?
TB: Forensic investigators are always faced with relevance and necessity of using a specific tool. Authentication, reliability and accuracy are keys to the outcome and success of each investigation. They will look to products that carry a strong industry name and have been battle tested for use in their day-to-day jobs. HDD acquisition tools that have proven track records with reporting that is widely accepted throughout the U.S. court system are keenly sought after. Vast compatibility ensures the tool will hit all marks when media types can vary so drastically. The selection and investment in a scalable HDD duplicator tool will certainly pay dividends when medium- and long-term budgets are uncertain.
MT: With technology changing so rapidly, how do you future-proof your digital forensics methods?
TB: Future proofing goes back to investing in the correct tool. There are specific companies in the digital forensic marketplace that operate as engineering organizations at their core. These companies offer products that allow future, possibly unidentified technologies to be added to their current platform offerings. A customer can now purchase an HDD duplicator as an investment that offers industry-leading data capture speeds along with platform scalability and upside to the initial purchase through the innovation and addition of adapter interfaces. This is truly unique in the forensic market sector that is full of software product offerings that come with recurring licensing fees.
Todd Bellows joined Logicube at its inception in 1999. He oversees and is responsible for all domestic and Canadian sales, including government and tier one corporate accounts. Bellows has a Bachelor of Science degree in Ag-Business from Cal Poly, San Luis Obispo.