Logical Imaging

In digital evidence gathering, traditional methods and workflows have forensic investigators and eDiscovery specialists create a bit-by-bit duplicate physical image of an entire hard drive. Creating physical images has become an increasingly time-consuming process as more and more data is distributed throughout computers, devices, networks and clouds of all kinds, not to mention the continued growth in caseloads and hard drive sizes themselves.

The introduction of logical imaging into the Ditto Forensic FieldStation makes data investigation and acquisition a highly streamlined and efficient process. Investigator time and investigation budgets are greatly reduced as logical imaging, with its ability to selectively choose data to image, can collapse data acquisition to minutes instead of the more exhaustive collection process that might take hours or days.

A logical image captures an evidentiary image of all, or a targeted subset, of the active data on a logical partition of a hard drive. This active (or visible) data is what you would find if you were to browse through the drive with My Computer on Windows or with the Finder on a Mac. What a logical image doesn’t include are deleted files, file fragments, and deleted or clear space from that partition. The logical imaging feature implemented on the Ditto device allows an investigator to quickly scan the contents of a hard drive and image only the files and folders relevant to the investigation.

For example, if you know that the evidence you need likely resides somewhere within the AppData folder on a Windows system, creating a full physical image of the entire drive captures more data than is strictly necessary, which increases the time and cost to sift through that data. The process of sifting through a full physical image often leads investigators to use a keyword search approach, which often yields a body of results that captures too much or too little relevant information but rarely captures just the right amount and type of information. It can also open the investigator up to claims of document dumping and the chance of producing privileged information unrelated to the investigation. So instead of creating a full physical image, you can perform a logical image operation and capture just the AppData folder to an image, which will reduce or eliminate these overheads.

Logical imaging is a forensically sound method of evidence capture that does not alter the metadata or other information stored in the captured files and folders.
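The targeted collection described above can be sketched in a few lines. This is an added example, not the Ditto's implementation: it copies only one subfolder, records size, modification time and SHA-256 per file in a manifest, and re-verifies the copy. It assumes the source is mounted read-only (for example behind a write blocker) so reading does not touch access times; `collect`, `verify`, `manifest.json` and the sample tree are constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(source_root, target_subdir, dest_root):
    """Copy only target_subdir (active files) and return the manifest."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    manifest = []
    for src in sorted((source_root / target_subdir).rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue  # regular files only; links are not followed
        st = src.stat()  # capture metadata before reading content
        rel = src.relative_to(source_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 carries timestamps to the copy
        if sha256_file(dst) != src_hash:
            raise OSError(f"hash mismatch after copy: {rel}")
        manifest.append({"path": rel.as_posix(), "size": st.st_size,
                         "mtime_ns": st.st_mtime_ns, "sha256": src_hash})
    (dest_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(dest_root):
    """Re-hash collected files; return paths that no longer match."""
    dest_root = Path(dest_root)
    entries = json.loads((dest_root / "manifest.json").read_text())
    return [e["path"] for e in entries
            if sha256_file(dest_root / e["path"]) != e["sha256"]]

def demo():
    # Constructed sample tree standing in for a mounted evidence partition.
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "evidence"), Path(tmp, "image")
        (src / "Users/alice/AppData/Roaming").mkdir(parents=True)
        (src / "Users/alice/Documents").mkdir(parents=True)
        (src / "Users/alice/AppData/Roaming/app.log").write_bytes(b"login ok\n")
        (src / "Users/alice/Documents/notes.txt").write_bytes(b"out of scope\n")
        manifest = collect(src, "Users/alice/AppData", out)
        return manifest, verify(out), (out / "Users/alice/Documents").exists()

if __name__ == "__main__":
    print(demo())
```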

Unique to secure hardware-based evidence gathering devices, the Ditto Forensic FieldStation logical image function allows you to create a logical image of an entire hard drive partition, or simply perform targeted collection on a portion of a drive or selected files in a filesystem or network location.

Learn more

Check out this video of James Wiebe talking about Logical Imaging and the Ditto Forensic FieldStation.