Evolution of Forensic Computing

Little did Sir Charles Babbage, Alan Turing and Von Neumann realise the consequences of their actions as forefathers of the modern computer.

In the not too distant past everything of any importance was recorded on paper. Copies were laboriously written out by a myriad of clerks, and alterations were relatively easy to spot when compared with the original. Next came the typewriter and then the photocopier: great labour-saving devices, but spotting false documents became more difficult. A whole branch of Forensic Science arose from this to deal with the matter of ‘Questioned Documents’.

The arrival of mass storage devices created even more problems as far as copies were concerned. Information was no longer stored in easily readable words but as a series of magnetic impulses recorded on tape and disk. How then was this to be copied or produced in readable form? There were two simple answers:

  • The answer to creating a copy was to take a ‘bit’ image of the drive, which recorded all of the data on a disk. This proved a fairly reliable but cumbersome method, as the image had to be restored to the original or an identical disk, and it only really existed in the world of the mainframe and mini-computer.
  • The most obvious way to produce data in a readable form was the printout. Simple? – Yes; but how then to check the information in its original form? The answer was to call upon the services of a multitude of ‘experts’ to recreate the original system and reproduce the printouts (at what cost?).

Luckily for the investigator, access to computers in the early days was limited to large companies and the incidence of computer data during investigations was sparse.

The advent of the IBM PC and its many variants introduced new problems into the world of investigation: the volume of data, the ability to change data without trace and the ability to hide or delete data. Computing was made available to the masses which naturally included the criminal fraternity. It was apparent that specialist knowledge was needed to investigate this new technology and thus was born the art of ‘Forensic Computer Examination’.

Initially, the only method available to the investigator was to obtain a backup of the files on a disk, restore those files to another disk and go through them one at a time.

Many early backup packages used the ‘imaging’ method, but by the mid to late 1980s they were being replaced by software which allowed the user to back up and restore selected files. This was a leap forward as far as the user was concerned, but not much use for investigators. This is because selective backup operates at the file system level and consequently does not copy free and slack space (residual data): not very satisfactory when you are looking for that elusive deleted file.
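The difference between the two methods, shown on a toy volume as an added example (not code from the original page). The cluster size, file names and file contents are constructed for illustration, and the flat file table is a stand-in for a real file system.

```python
CLUSTER = 512      # bytes per cluster (assumed for this toy volume)
N_CLUSTERS = 8

def write_file(volume, table, name, data, start):
    """Write data at cluster `start` and record it in the file table."""
    off = start * CLUSTER
    volume[off:off + len(data)] = data
    table[name] = (start, len(data))

def delete_file(table, name):
    """Deletion removes only the table entry; the clusters keep their bytes."""
    del table[name]

def build_volume():
    """Constructed sample: two deleted files, one live file reusing a cluster."""
    volume, table = bytearray(CLUSTER * N_CLUSTERS), {}
    write_file(volume, table, "ledger.txt", b"A" * 300 + b"SECOND-SET-OF-BOOKS", 2)
    write_file(volume, table, "notes.txt", b"MEET-AT-NOON", 5)
    delete_file(table, "ledger.txt")
    delete_file(table, "notes.txt")
    write_file(volume, table, "memo.txt", b"quarterly memo", 2)  # reuses cluster 2
    return volume, table

def clusters_used(length):
    return max(1, -(-length // CLUSTER))   # ceiling division

def file_level_backup(volume, table):
    """Selective backup: copies only each live file's logical bytes."""
    return {n: bytes(volume[s * CLUSTER:s * CLUSTER + ln]) for n, (s, ln) in table.items()}

def bit_image(volume):
    """Imaging: copies every byte of the volume, allocated or not."""
    return bytes(volume)

def residual_areas(image, table):
    """Return (slack, free) byte strings that only an image preserves."""
    allocated, slack = set(), b""
    for start, length in table.values():
        n = clusters_used(length)
        allocated.update(range(start, start + n))
        slack += image[start * CLUSTER + length:(start + n) * CLUSTER]
    free = b"".join(image[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(N_CLUSTERS) if c not in allocated)
    return slack, free

if __name__ == "__main__":
    volume, table = build_volume()
    slack, free = residual_areas(bit_image(volume), table)
    print(file_level_backup(volume, table), b"SECOND-SET-OF-BOOKS" in slack, b"MEET-AT-NOON" in free)
```

The file-level backup returns only `memo.txt`; the remains of the two deleted files survive solely in the slack and free areas of the image.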

The next step was to examine the original media with a disk editor.

Many a long hour has been spent with a disk editor going through each sector of the original disk, only to be met at the end of the day with the allegation that the investigator has somehow tampered with the original media.

A principle that emerged from these allegations (which is now being widely adopted by law enforcement agencies) is:

"No action taken by anybody performing an investigation on a computer should change data held on that computer or other media which may subsequently be used as evidence."
 
Whilst it seems to be common sense, it is surprising how many people do not realise the consequences of just ‘booting’ a PC under its own operating system. Date and Time stamps (which may be crucial) will change and allegations of tampering will be made.

This is where taking an ‘image’, and working solely on that image, preserves the data in its original form.

The adaptation of imaging to the investigation of magnetic media, together with the appropriate software, now allows the ‘Forensic Computer Examiner’ free range to all of the data on a disk without fear of corrupting the original.

Today, as the number of criminal acts continues to grow, the proportion committed with the aid of computers rises. Whatever the circumstances of the crime – fraud, paedophilia, industrial espionage, piracy or corruption – computer technology is often involved somewhere.

At Vogon we are the experts in all areas of forensic computing, the science of extracting data so that it can be presented as evidence in a Court of Law. Evidence must not be damaged, destroyed or otherwise compromised by procedures used to investigate the computer, otherwise it may be rendered inadmissible. As a result of this, Vogon has developed forensic procedures in conjunction with investigating authorities in the UK, Europe and North America. Vogon provides expert evidence gathering and analysis services and uses state-of-the-art hardware and powerful software tools. All our work is meticulously documented and our procedures are fully auditable.

 

Copyright Vogon International. All rights reserved.  