Ghosts and Forensic Images
Our technology expert explains the difference between a hard drive forensic "image" and a hard drive "ghost."
October 15, 2008 at 08:00 PM
The original version of this story was published on Law.com
Preserving electronically stored information from a computer should be easy: just make a copy of the relevant files and go on with your business. After all, every computer can “copy and paste.”
Alas, like many issues that swirl around electronic discovery, proper data preservation is not so simple. Any time you use a computer's native capacity to copy and paste a file, the computer records that action by marking the file, usually by modifying its metadata (for example, the file's timestamps).
This may be fine in some instances, but modified metadata can raise the suspicion that the files were tampered with or altered after a duty to preserve arises. The ultimate goal is to copy individual files or entire hard drives at a level beneath the operating system, so that the operating system doesn't have an opportunity to modify the metadata.
Therein lies one of the keystones of the science of computer forensics. In electronic discovery, computer forensics professionals are routinely employed to collect and preserve electronic information from computers. These professionals use hardware and software tools to ensure that copied files are not modified and are therefore properly preserved without any danger of spoliation.
Typically, computer forensics professionals make wholesale copies of individual computer hard drives, which are referred to as forensically sound “images.” For example, if a recently dismissed employee was suspected of using their work computer to surf unsightly corners of the Web, a computer forensics professional could create a mirrored “image” of that employee's computer hard drive that can be used for investigative purposes. The image takes a snapshot of the computer and avoids the possibility that the Internet browsing history would be deleted or overwritten by subsequent use.
Similarly, forensic images can be made of laptops used by sales employees that may be on the road or “out in the field.” Instead of leaving the sales person without a laptop for several days while their system is searched pursuant to a discovery request, a forensic image can be done in several hours and the laptop can be put back into action.
There are several different certification programs for computer forensics professionals where they are trained for their craft. More importantly, the training educates about the legal implications of their work.
Computer forensics has been a mainstay in the criminal world where many of today's crimes are perpetrated with the help of a computer. Today, however, forensic images are increasingly utilized in the world of civil litigation when it is necessary to preserve and collect relevant electronic data from computers. Computer forensic professionals are keen to keep the chain of custody intact, taking great pains to document and log every action done while imaging a computer.
Furthermore, computer forensics professionals verify their work with the use of a “hash” algorithm. This simply means that a hash value is computed over the original hard drive and another over the image, and the two must be identical to prove that the image is an exact copy. Obviously, forensics professionals are often called into court as witnesses to explain this process and verify their work.
Even in light of all these safeguards, attorneys commonly dismiss the recommendation to employ the services of a certified computer forensics professional when it is necessary to collect and preserve electronic information on a computer. The reasoning may be based on cost, or they may be convinced that a typical drive “clone” or “Ghost copy” may be sufficient.
IT professionals regularly create “clones” of computer systems for backup purposes or to comprehensively transfer files from one computer to another. One common tool for creating a hard disk clone is Norton Ghost from Symantec. A hard disk clone created by the Ghost software typically copies only the “active data” found on a computer since that is most important to a computer's operating system and human user.
A forensically created hard drive image, on the other hand, copies files at a “bit level,” including files that may have been deleted or fragmented. The most well-known computer forensic software is EnCase from Guidance Software.
Craig Ball, an attorney in Texas and a noted Certified Computer Forensic Examiner, explains that a forensically sound image captures areas of the hard drive that hold a wealth of forensically significant data (such as unallocated clusters and file slack space). Ball further explains that “a Ghost image only collects active data that the user can see – notwithstanding that hard drives hold far more information than the users – or operating systems – can see.”
That's not to say that using Norton Ghost in some situations (with appropriate knowledge) is unacceptable. I asked Ball this question and he responded that “it's appropriate to use Ghost to image a drive for preservation when you neither anticipate nor should anticipate a need to analyze or recover data in unallocated clusters and slack space, that is, when you don't expect to restore deleted information or be challenged on the integrity of the data. In an e-discovery effort where computer forensic issues aren't implicated, Ghost is a decent preservation tool. It's pretty fast (because it only grabs active data), and its compression features use storage space efficiently.”
(For much more detailed information on these terms please read Ball's excellent compendium of articles, “Six on Forensics.”)
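The contrast between a bit-level image and an active-data clone, and the hash verification described earlier, can be shown on a tiny constructed “drive.” This is an added illustration, not code from the article, Norton Ghost or EnCase; the 64-byte disk, its one-entry allocation table, the file slack and the deleted remnant are all constructed sample data.

```python
import hashlib

BLOCK = 16  # constructed: a tiny block size keeps the sample disk readable

# Constructed allocation table for the sample disk: only active (live) files.
# (name, first block, length in bytes)
ACTIVE_FILES = [("report.txt", 0, 21)]

def make_sample_disk() -> bytes:
    """Construct a 4-block 'drive'. Blocks 0-1: the active file (21 bytes,
    leaving 11 bytes of file slack). Block 2: a deleted file's remnant in an
    unallocated cluster. Block 3: never written."""
    disk = bytearray(4 * BLOCK)
    disk[0:21] = b"Q3 figures: revenue u"        # live content the user sees
    disk[21:32] = b"OLD-SLACK!!"                 # stale bytes in file slack
    disk[32:48] = b"deleted-secret!!"            # unallocated cluster
    return bytes(disk)

def bit_level_image(disk: bytes) -> bytes:
    """Forensic image: every byte, allocated or not, in drive order."""
    return bytes(disk)

def active_data_clone(disk: bytes) -> bytes:
    """Clone that copies only what the file system reports as live data."""
    clone = bytearray(len(disk))
    for _name, first_block, length in ACTIVE_FILES:
        start = first_block * BLOCK
        clone[start:start + length] = disk[start:start + length]
    return bytes(clone)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_copy(original: bytes, copy: bytes):
    """Return (original hash, copy hash, match) as an examiner would log it."""
    h_orig, h_copy = sha256_hex(original), sha256_hex(copy)
    return h_orig, h_copy, h_orig == h_copy

def recoverable(copy: bytes, fragment: bytes) -> bool:
    """Can a given byte fragment still be found anywhere in the copy?"""
    return fragment in copy

if __name__ == "__main__":
    disk = make_sample_disk()
    for label, copy in (("image", bit_level_image(disk)),
                        ("clone", active_data_clone(disk))):
        _, _, ok = verify_copy(disk, copy)
        print(f"{label}: hash match={ok}, slack={recoverable(copy, b'OLD-SLACK')}, "
              f"deleted={recoverable(copy, b'deleted-secret')}")
```

The image hashes identically to the source and still contains the slack and the deleted remnant; the clone reproduces the live file exactly but fails the hash check and has neither.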
Norton Ghost and other similar software applications are readily available to many IT professionals who may insist that such tools can be used to adequately preserve information on a hard drive. And while in some instances Ghost may be a sufficient tool, consideration must be given to the purpose for which a copy is being made.
In the right hands, Ghost can be commanded to dig deeper and copy deleted or inaccessible files. But if that type of information could reasonably be expected to become an issue in a contemplated lawsuit, why would you take a chance? As Ball explains, “it's 'forensic' because you anticipate presenting [the information] in court.” An IT professional may be unprepared or unable to defend the process of copying a hard drive with Ghost in a courtroom, which is why it's so important to employ the services of an experienced, trained and certified computer forensics professional.
Computer forensics is a scary topic, especially when we're throwing around terms like slack space, unallocated clusters and swap files. But a forensically sound hard drive image is not nearly as scary as a Ghost copy when it's important to properly and thoroughly preserve files on a hard drive.