The investigation of crimes involving computers is not a simple process. In the vast majority of cases, the assistance of a computer forensic expert is required to extract information from an electronic device without corrupting or contaminating the original data, which could render any evidence recovered inadmissible in a court of law.
The requirement for an auditable approach to the analysis of digital data is set out in the Association of Chief Police Officers (ACPO) guidelines for the handling of computer-based evidence. These guidelines outline rules for every step of the process – from crime scene and seizure protocol through to analysis, storage and reporting – to ensure evidential continuity and integrity.
Because the preservation of evidence in its original state is so vital, computer forensic experts use a process known as forensic disc imaging, or forensic imaging, which involves creating an exact copy of the computer hard drive in question. This is not a case of copying files from one drive to another; rather, it is the process of copying the exact state of every piece of data on the drive, so that artefacts such as registry entries – which record information pertaining to activities performed on the computer, such as the connection and disconnection of an external storage device – and even apparently ‘deleted’ files are copied exactly to the new image.
Creating a perfect forensic image of a hard drive can be very time-consuming, and the greater the storage capacity of the drive, the greater the time required. The method used to extract the data is also a factor: with a ‘FireWire’ connection, imaging may occur at a rate of approximately 1 gigabyte (GB) per minute, but using specialist hardware this rate could rise to an average of 4GB per minute. This means that imaging a 1 terabyte (TB) drive, currently available for purchase for less than 80 GBP, would take around five to 18 hours to complete.
However, copying the data is only half of the imaging procedure. The second part of the process is to verify the integrity of the copy and to confirm that it is an exact duplicate of the original. Image verification takes a similar amount of time to imaging, effectively doubling the time taken to complete the imaging process. And if any inconsistencies are located, the process must begin again from scratch, meaning that a failed first attempt at imaging a 1TB drive could push the full imaging and verification process to 20 to 72 hours.
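As an added illustration of the image-then-verify cycle described above (this is example code written for this page, not part of the original article or any forensic tool's own scripts), the following POSIX shell script performs a sector-by-sector acquisition with `dd`, hashes source and image independently, and treats any mismatch as grounds to redo the acquisition. It assumes `dd` and either `sha256sum` or `shasum -a 256` are available, and it substitutes a constructed 1 MiB file of sample data for a seized device; the function and file names are choices made here for the example.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal, auditable
# image-and-verify cycle run against a constructed 1 MiB "drive" file.
# Assumptions: POSIX sh, dd, and either sha256sum or shasum -a 256.

# Portable SHA-256 of a file, printing only the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a deterministic sample "drive": 2048 sectors of 512 bytes (1 MiB).
# In a real case this would be the seized device behind a write blocker.
make_sample_drive() {
    yes 'constructed-sample-sector-data' | head -c 1048576 > "$1"
}

# Sector-by-sector acquisition. bs=512 matches the classic sector size;
# conv=noerror,sync keeps reading past unreadable sectors and zero-pads
# them so every later offset in the image still lines up with the source.
forensic_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Verification: hash source and image independently and compare.
# Prints both digests (for the contemporaneous notes) and returns 0 only
# on an exact match; any mismatch means the acquisition must be redone.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    echo "source: $src_hash"
    echo "image:  $img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "VERIFIED"
        return 0
    else
        echo "MISMATCH"
        return 1
    fi
}

# Simulate a damaged copy: overwrite a few bytes in sector 1 without
# truncating the file, so size is unchanged and only the content differs.
corrupt_copy() {
    cp "$1" "$2"
    printf 'CORRUPT' | dd of="$2" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Stand-alone run: acquire, verify, then show that a damaged image fails.
work=$(mktemp -d)
make_sample_drive "$work/evidence.raw"
forensic_image "$work/evidence.raw" "$work/evidence.dd"
verify_image "$work/evidence.raw" "$work/evidence.dd"

corrupt_copy "$work/evidence.dd" "$work/damaged.dd"
verify_image "$work/evidence.raw" "$work/damaged.dd" \
    || echo "acquisition would be repeated from scratch"
rm -rf "$work"
```

The two digests printed by `verify_image` are the values an examiner would record alongside the acquisition: the source hash taken before or during imaging and the image hash taken afterwards. Hashing both sides is what makes the verification step cost roughly as much as the imaging itself, since every byte of both the source and the copy has to be read again.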
While forensic imaging is a vital process to ensure that evidential continuity and integrity are preserved, the time-consuming nature of the process can put investigations under pressure, particularly in cases of kidnap or terrorism where a delay in recovering evidence could have disastrous consequences. And this is a problem that seems unlikely to be solved in the short term, because as new technologies are developed to increase the speed with which a drive can be imaged, so too grows the storage capacity available to the average consumer.