At Precise, our digital forensics experts offer a wide array of services, from deleted data recovery to employee misconduct investigations. Today our experts will be answering some of the questions they are frequently asked about remote forensic imaging.
Q: When should I do a remote collection instead of an on-site collection?
A: Remote collections are useful when client devices are geographically disbursed or travel expenses to the site are cost prohibitive. We can securely execute computer forensic tools on the remote machine and gather either a forensic image of the entire hard drive or collect specifically targeted information. With remote collections, data can be culled and filtered prior to forensic data acquisition. Remote collections are often less costly and time consuming than on-site collections.
Q: Is remote forensic imaging forensically sound and defensible?
A: Yes, as long as proper handling of the data is observed. We ensure the source ESI (electronically stored information) is not altered and the collected copy is an exact duplicate of the original. We create and maintain a clear chain of custody and can provide expert witness testimony in court, if necessary.
Q: What is a targeted collection?
A: If you only require a specific set of files or documents, we can selectively copy just those items to an image file. This is referred to as a targeted collection. If only one folder on a network has responsive documents, a targeted collection is often a more cost and time effective solution.
Q: What is the difference between a physical and a logical image?
A: A physical image of a hard drive captures all the ones and zeroes contained on the drive. It also captures the deleted space on the drive (even it has been recently formatted), deleted files and file fragments. Therefore a physical image of a 500 GB drive will yield a resulting image file of 500 GB.
A logical image of a hard drive captures all “active” data. The C drive on a computer contains the logical drive and active files. If you look through the drive you will get an idea of what a logical image captures. Typically deleted files, space and file fragments will not be captured. So if a logical image is made of a 500 GB drive, but only 50 GB is active files, the resulting image will be 50 GB.
Choose Precise for Your Remote Forensic Imaging Needs
At Precise, our digital forensics experts are ready to help you with all your forensic imaging needs. From targeted collections to departing employee investigations, we provide fast, accurate service. Call us today at 866-277-3247 to learn more.
Recent Comments