eDiscovery Daily Blog

Image is Everything, But it Doesn’t Have to Cost Anything – eDiscovery Best Practices

Do you remember this commercial?  Can you believe it’s 23 years old?

Let’s recap.  So far, in our discussion of free utilities for collection of data for eDiscovery, we’ve discussed the pitfalls of using drag and drop, the benefits of Robocopy (illustrating with the same example copy) and the benefits (and pitfalls) of Richcopy for targeted collection.  But, are there any free tools that will enable you to perform a bit-by-bit forensic image copy that includes deleted files and slack space data?  Yes, there is.

Forensic Toolkit (FTK) is a computer forensics software application provided by AccessData.  The toolkit includes a standalone disk imaging program called FTK Imager.  FTK Imager is a free tool that saves an image of a hard disk in one file or in segments that may be reconstructed later. It calculates MD5 or SHA-1 hash values of the original and the copy, confirming the integrity of the data before closing the files.

With FTK Imager, you can:

  • Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or individual files from various places within the media.
  • Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs, and DVDs – including files located in container files such as ZIP or RAR files.
  • Preview the contents of forensic images stored on the local machine or on a network drive.
  • Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive.
  • Export files and folders from forensic images.
  • See and recover files that have been deleted from the Recycle Bin, but have not yet been overwritten on the drive.
  • Create MD5 or SHA-1 hashes of files and generate hash reports for regular files and disk images (including files inside disk images) that you can later use as a benchmark to prove the integrity of your case evidence. When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition.

Like all forensically-sound collection tools, it retains the file system metadata (and the file path) and creates a log of the files copied.  You can also provide Case Number, Evidence Number, Unique Description, Examiner, and any Notes for tracking purposes to aid in chain of custody tracking.

To download FTK Imager, you can go to the AccessData Product Downloads page here.  Look for the link for FTK Imager in “Current Releases” (it’s currently the seventh item on the list) and open the folder and select the current version of FTK Imager (currently v3.1.2, released on 12/13/12).

Next week, we will begin to discuss how to use FTK Imager to preview files, create forensic images, recover deleted files and use hash values to validate your image.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.