Forensic Duplicator - Why Is It Delicate To Duplicate

In the course of a computer forensics investigation, one of the most vital steps is the collection of the data. There are two main approaches, usually referred to as live analysis and dead analysis. In the past, dead analysis was the norm: the data was examined "at rest", for example on a hard drive taken from a powered-down machine. For many years it was feared that data would be erased or otherwise become untraceable if the computers in question were allowed to remain active. More recently there has been a push to perform investigations on live data, the data held by running, working systems. Advances in technology, together with a better understanding of the methods of white-collar criminals, have driven this change in thinking. Often the information most vital to an investigation is in the computer's memory, NOT on long-term storage media such as a hard drive, and it would be lost the moment the computer was turned off.

Imaging is the primary data collection technique used by the computer forensic professional. A stand-alone hard drive forensic duplicator produces an exact copy of everything contained on a hard drive, giving the investigator a mirror image of the data in question. There are also software tools that image a hard drive to produce the same kind of exact copy. Both methods work at the sector level of the drive and use bit-stream copying to reproduce every sector of the media, including unallocated space, slack space and the remnants of deleted files, rather than just copying the files the file system exposes. The bit-stream method is far more complete. During imaging, write blockers (hardware devices or software techniques) are used to make sure that absolutely no changes are made to the original storage media.
It is also vital that the imaging process be verified at multiple points to make sure that the data is retained in its original state: typically the source media is hashed before and after acquisition, the completed image is hashed, and all of the values must match. This step is often skipped because it is time consuming, and many a court case has been lost because of this omission. Any defense attorney worth her or his salt will challenge the veracity of the data, and it is imperative that the prosecution be able to prove that the data is "clean". In some evidence gathering situations, the computer forensic professional may not have full physical access to the suspect machine. In this case the drive must be copied without removing it from the computer, and it is in these situations that the forensic duplicator becomes the most important tool of all. The effective products employ a method to copy a drive by some non-invasive means (a USB or FireWire port). Several manufacturers also offer forensic-specific adapters (for example, a PCMCIA device) for work done on laptop and notebook computers.
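The sector-level bit-stream copy and the multi-point hash verification described above, as an added example that is not part of the original article and not the code of any particular duplicator product. The "suspect drive" is a constructed 64-sector file with a toy one-line allocation header, so it runs offline; the function names (build_sample_media, bitstream_image, acquire_and_verify, logical_copy) and the 512-byte sector size are assumptions made for the illustration, and the read-only open stands in for what a hardware write blocker enforces on a real drive.

```python
"""Sector-level bit-stream imaging with hash verification (added example)."""
import hashlib
import os
import tempfile

SECTOR = 512  # copy and hash in whole sectors, as a duplicator does (assumed size)


def build_sample_media(path: str, sectors: int = 64) -> None:
    """Write a constructed stand-in for a suspect drive (sample data, not a real disk).
    Sectors 0-3 are the 'allocated' region a file system would expose; sector 40
    holds the remnant of a deleted file that a file-level copy would never return."""
    media = bytearray(sectors * SECTOR)
    media[0:SECTOR] = b"ALLOC:4".ljust(SECTOR, b"\x00")  # toy header: 4 allocated sectors
    media[SECTOR:4 * SECTOR] = b"invoice.txt: nothing to see".ljust(3 * SECTOR, b"\x00")
    media[40 * SECTOR:41 * SECTOR] = b"DELETED transfer to offshore acct".ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(media)


def sha256_of(path: str) -> str:
    """Hash every sector of the media, not just what the file system exposes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(src: str, dst: str) -> str:
    """Copy src to dst sector by sector, hashing the bytes as they are read.
    src is opened read-only; on a real drive a write blocker enforces this.
    Returns the acquisition hash computed during the copy."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            sector = fin.read(SECTOR)
            if not sector:
                break
            h.update(sector)
            fout.write(sector)
    return h.hexdigest()


def logical_copy(src: str) -> bytes:
    """What a file-level copy captures: only the sectors the toy header says
    are allocated, never free space or deleted remnants."""
    with open(src, "rb") as f:
        header = f.read(SECTOR)
        allocated = int(header.split(b":")[1].rstrip(b"\x00"))
        f.seek(0)
        return f.read(allocated * SECTOR)


def acquire_and_verify(src: str, dst: str) -> dict:
    """Verify at multiple points: source before, during and after acquisition,
    plus the finished image. All four digests must agree."""
    pre = sha256_of(src)
    during = bitstream_image(src, dst)
    post = sha256_of(src)
    image = sha256_of(dst)
    return {
        "pre": pre, "during": during, "post": post, "image": image,
        "verified": pre == during == post == image,
        "bytes": os.path.getsize(dst),
    }


def demo() -> dict:
    """Image the constructed drive, verify it, then show what verification catches."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.dd")
        dst = os.path.join(d, "evidence.dd")
        build_sample_media(src)
        result = acquire_and_verify(src, dst)
        with open(dst, "rb") as f:
            image = f.read()
        result["remnant_in_image"] = b"DELETED" in image
        result["remnant_in_logical_copy"] = b"DELETED" in logical_copy(src)
        # Flip a single byte in the image: one changed bit is enough to break verification.
        with open(dst, "r+b") as f:
            f.seek(40 * SECTOR)
            f.write(b"X")
        result["tampered_verifies"] = sha256_of(dst) == result["pre"]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre- and post-acquisition hashes of the source are what proves the write blocker did its job; the acquisition hash and the image hash prove the copy is faithful. Note that the logical copy never contains the deleted remnant in sector 40, which is exactly what the bit-stream method exists to preserve.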