
Forensic Acquisition/Imaging 

Physical/Logical imaging or Live forensic acquisition. 

  • Data acquisition is one of the most important and critical steps in a digital forensic investigation.

  • Most of the time the result of data acquisition is a forensic image file of the digital source device, media or exported data set.

  • The forensic actions are carried out on the spot or in the forensic office of WINDIFE. This depends on the case and the request of the customer.

  • Forensic data acquisition encompasses all the procedures involving the identification and forensic gathering of digital evidence, which includes imaging (cloning), copying or forensically exporting data evidence from any IT source device.

  • Depending on the digital device and the data source to be acquired, the forensic specialist can take different approaches to the forensic acquisition.

  • The forensic examiner is trained and has experience in this field. He can perform a forensic acquisition of any type of device/media, such as a PC/Mac, CD-ROM/DVD, Hard Disk Drive (HDD), removable/external hard drive, smartphone, tablet, USB thumb drive, or server/NAS storage data.

  • The type of data acquisition can be for example a physical disk to disk copy, a disk to image file acquisition, a logical disk or volume/partition to image file or only a specific data collection of files and folders (based on specific search criteria) saved at the end in a forensic image file.

  • In the case of a smartphone or tablet, the data acquisition can be more complex and challenging, taking into account device protection and/or encryption.

  • The computer forensic specialist is responsible for preparing in advance the destination drives which will be used to save the forensic images. All media and hard disk drives used by the forensic examiner will first be wiped with a forensic tool to ensure the secure deletion of any data originally stored on the drives.

  • The computer forensic specialist will always ensure that the forensic evidence, whether it is the primary source device/media/data and/or the forensic copy image file, is sealed and stored in a secure area so that it is preserved from any alteration or modification. Evidence data should not be compromised during the forensic investigation process, and the Chain of Custody must be assured.

  • The forensic expert will most of the time make two forensic copies of the first forensic image created. One copy will be kept as a safe backup set in a secure area and the second copy will be used for processing, examination and search.

  • The first forensic image created, representing the exact copy of the original source data, will be delivered to the customer with a detailed acquisition report.

  • For each forensic image file an acquisition hash is created. It is the result of an algorithmic calculation which produces a unique string of characters that acts as a digital “fingerprint” for a particular data set. It helps to authenticate the forensic copy and can be used to verify the state and integrity of evidence data.

 

  • WINDIFE has all the necessary software, hardware tools, skills and knowledge to accomplish all the digital forensic tasks they are responsible for.
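The wipe check, acquisition hash and two-copy verification described above can be sketched as follows. This is an added example, not WINDIFE's own tooling; it assumes SHA-256 as the hash algorithm and a zero-fill wipe (the page names neither), and the file names and sample data are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit fully in memory

def image_hash(path, algo="sha256"):
    """Return the hex digest of an image file, read in fixed-size chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def is_wiped(path):
    """True if every byte of the destination is zero (assumption: zero-fill wipe)."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True

def verify_copies(acquisition_hash, copies):
    """Compare each copy against the recorded acquisition hash; return {path: bool}."""
    return {p: image_hash(p) == acquisition_hash for p in copies}

def demo():
    """Constructed sample: first image, intact backup copy, altered working copy."""
    d = tempfile.mkdtemp()
    first = os.path.join(d, "first_image.dd")      # hypothetical file names
    backup = os.path.join(d, "backup_copy.dd")
    working = os.path.join(d, "working_copy.dd")
    data = os.urandom(3 * CHUNK + 17)              # constructed evidence bytes
    for p in (first, backup):
        with open(p, "wb") as f:
            f.write(data)
    altered = bytearray(data)
    altered[CHUNK + 5] ^= 0x01                     # a single flipped bit in the copy
    with open(working, "wb") as f:
        f.write(altered)
    acquisition_hash = image_hash(first)           # value recorded in the acquisition report
    results = verify_copies(acquisition_hash, [backup, working])
    return results[backup], results[working]

if __name__ == "__main__":
    print(demo())
```

A single flipped bit in the working copy is enough to make its hash differ from the acquisition hash, which is why the copies are re-hashed before and after examination.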

"Winkler Digital Forensic Expertise", 

2405 Route des Dolines, CS 10065, 06560 Valbonne Sophia-Antipolis (France)

Mobile: +33 (0)628604546

© 2021 by Patrick Winkler. Proudly created with Wix.com
