Preserving electronically stored information from a computer should be easy: just make a copy of the relevant files and go on with your business. After all, every computer can “copy and paste.”

Alas, like many issues that swirl around electronic discovery, proper data preservation is not so simple. Any time you use a computer's native copy-and-paste function to copy a file, the operating system records that action on the copy, usually by altering the file's metadata.

This may be fine in some instances, but modified metadata can raise the suspicion that the files were tampered with or altered after a duty to preserve arose. The ultimate goal is to copy individual files or entire hard drives at a level below the operating system, so that it never has an opportunity to modify the metadata.

Therein lies one of the keystones of the science of computer forensics. In electronic discovery, computer forensics professionals are routinely employed to collect and preserve electronic information from computers. These professionals use hardware and software tools to ensure that copied files are not modified and are therefore properly preserved without any danger of spoliation.

Typically, computer forensics professionals make wholesale copies of individual computer hard drives, which are referred to as forensically sound “images.” For example, if a recently dismissed employee was suspected of using their work computer to surf unsightly corners of the Web, a computer forensics professional could create a mirrored “image” of that employee's computer hard drive that can be used for investigative purposes. The image takes a snapshot of the computer and avoids the possibility that the Internet browsing history would be deleted or overwritten by subsequent use.

Similarly, forensic images can be made of laptops used by sales employees who may be on the road or “out in the field.” Instead of leaving the salesperson without a laptop for several days while the system is searched pursuant to a discovery request, a forensic image can be made in a few hours and the laptop can be put back into action.

There are several different certification programs that train computer forensics professionals in their craft. More importantly, the training covers the legal implications of their work.

Computer forensics has long been a mainstay of criminal investigations, since many of today's crimes are perpetrated with the help of a computer. Today, however, forensic images are increasingly used in civil litigation when it is necessary to preserve and collect relevant electronic data from computers. Computer forensics professionals are keen to keep the chain of custody intact, taking great pains to document and log every action taken while imaging a computer.

Furthermore, computer forensics professionals verify their work with a “hash” algorithm. This simply means that the hash value of the original hard drive must be identical to the hash value of the image to prove that the image is an exact copy. Not surprisingly, forensics professionals are often called into court as witnesses to explain this process and verify their work.
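As an added illustration of that verification step (my own example, not code from the article or from any forensic product), the script below streams SHA-256 over a source and its image, writes each comparison to an append-only chain-of-custody log, and shows that a single altered byte in the image breaks the match. The file names, the sample bytes and the examiner name are placeholders I constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-gigabyte image never sits in memory

def sha256_of(path):
    """Stream a file (or a raw block device opened read-only) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(source, image, log_path, examiner):
    """Hash source and image, append a chain-of-custody entry, return True on a match."""
    src, img = sha256_of(source), sha256_of(image)
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": "verify-image", "source": source, "image": image,
             "sha256_source": src, "sha256_image": img,
             "result": "MATCH" if src == img else "MISMATCH"}
    with open(log_path, "a") as log:  # append-only: every verification stays on record
        log.write(json.dumps(entry) + "\n")
    return src == img

def demo():
    """Constructed data: a small fake 'drive', an exact copy, then one altered byte."""
    d = tempfile.mkdtemp()
    drive, image, log = (os.path.join(d, n) for n in ("drive.raw", "drive.dd", "custody.log"))
    data = b"\x00" * 4096 + b"active file contents" + b"\xff" * 1024
    for p in (drive, image):
        with open(p, "wb") as f:
            f.write(data)
    ok = verify_image(drive, image, log, "J. Doe (placeholder examiner)")
    with open(image, "r+b") as f:  # flip a single byte: the image no longer verifies
        f.seek(4100)
        f.write(b"X")
    bad = verify_image(drive, image, log, "J. Doe (placeholder examiner)")
    with open(log) as f:
        entries = sum(1 for _ in f)
    return ok, bad, entries  # (True, False, 2)

if __name__ == "__main__":
    print(demo())
```

Both digests, the result and a timestamp end up in the log, which is the record an examiner would later be asked about on the stand.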

Even in light of all these safeguards, attorneys commonly dismiss the recommendation to employ the services of a certified computer forensics professional when it is necessary to collect and preserve electronic information on a computer. The reasoning may be based on cost, or they may be convinced that a typical drive “clone” or “Ghost copy” may be sufficient.

IT professionals regularly create “clones” of computer systems for backup purposes or to comprehensively transfer files from one computer to another. One common tool for creating a hard disk clone is Norton Ghost from Symantec. A hard disk clone created by the Ghost software typically copies only the “active data” found on a computer since that is most important to a computer's operating system and human user.

A forensically created hard drive image, on the other hand, copies files at a “bit level,” including files that may have been deleted or fragmented. The most well-known computer forensic software is EnCase from Guidance Software.

Craig Ball, an attorney in Texas and a noted Certified Computer Forensic Examiner, explains that a forensically sound image captures areas of the hard drive that hold a wealth of forensically significant data (such as unallocated clusters and file slack space). Ball further explains that “a Ghost image only collects active data that the user can see – notwithstanding that hard drives hold far more information than the users – or operating systems – can see.”
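To make the distinction concrete, here is an added example of my own (a constructed toy, not code from Ghost, EnCase or anyone quoted here): a made-up eight-sector “drive” with a simplified allocation table standing in for a real file system. A file-level copy of the active data carries only the live file's logical bytes; the bit-level image also carries the deleted file in unallocated sectors and the leftover draft text in the live file's slack space.

```python
SECTOR = 512

def build_demo_disk():
    """Constructed 8-sector 'drive'. Sector 0 is reserved; sectors 1-2 hold memo.txt
    (576 bytes in a 1024-byte allocation, so the tail of sector 2 is slack); sectors
    3-4 are unallocated but still contain a file the user deleted; 5-7 were never used."""
    disk = bytearray(8 * SECTOR)
    old = b"DRAFT: earlier version of memo, later overwritten and partly left in slack. " * 10
    disk[SECTOR:SECTOR + len(old)] = old             # what sectors 1-2 held before the rewrite
    memo = b"Final memo: nothing to see here." * 18  # 576 bytes, overwrites only part of old
    disk[SECTOR:SECTOR + len(memo)] = memo
    deleted = b"CONFIDENTIAL: spreadsheet the user deleted before handing in the laptop."
    disk[3 * SECTOR:3 * SECTOR + len(deleted)] = deleted
    table = {"memo.txt": (1, len(memo))}  # live directory: only memo.txt is allocated
    return bytes(disk), table

def active_only_copy(disk, table):
    """What a file-level copy of 'active data' carries: each live file's logical bytes."""
    return {name: disk[s * SECTOR:s * SECTOR + size] for name, (s, size) in table.items()}

def bit_level_image(disk):
    """A forensic image: every sector, allocated or not, slack included."""
    return bytes(disk)

def findable(needle, disk, table):
    """(found in active-only copy, found in bit-level image) for a search term."""
    active = b"".join(active_only_copy(disk, table).values())
    return needle in active, needle in bit_level_image(disk)

if __name__ == "__main__":
    disk, table = build_demo_disk()
    for term in (b"Final memo", b"DRAFT:", b"CONFIDENTIAL"):
        print(term, findable(term, disk, table))
```

Only the live memo is visible in the active-only copy; the deleted spreadsheet text and the draft remnants in slack turn up solely in the bit-level image.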

That's not to say that Norton Ghost is never acceptable; in some situations, used with appropriate knowledge, it is. I asked Ball this question and he responded that “it's appropriate to use Ghost to image a drive for preservation when you neither anticipate nor should anticipate a need to analyze or recover data in unallocated clusters and slack space, that is, when you don't expect to restore deleted information or be challenged on the integrity of the data. In an e-discovery effort where computer forensic issues aren't implicated, Ghost is a decent preservation tool. It's pretty fast (because it only grabs active data), and its compression features use storage space efficiently.”

(For much more detailed information on these terms please read Ball's excellent compendium of articles, “Six on Forensics.”)

Norton Ghost and other similar software applications are readily available to many IT professionals who may insist that such tools can be used to adequately preserve information on a hard drive. And while in some instances Ghost may be a sufficient tool, consideration must be given to the purpose for which a copy is being made.

In the right hands, Ghost can be commanded to dig deeper and copy deleted or inaccessible files. But if that type of information could reasonably be expected to become an issue in a contemplated lawsuit, why would you take a chance? As Ball explains, “it's 'forensic' because you anticipate presenting [the information] in court.” An IT professional may be unprepared or unable to defend the process of copying a hard drive with Ghost in a courtroom, which is why it's so important to employ the services of an experienced, trained and certified computer forensics professional.

Computer forensics is a scary topic, especially when we're throwing around terms like slack space, unallocated clusters and swap files. But a forensically sound hard drive image is not nearly as scary as a Ghost copy when it's important to properly and thoroughly preserve files on a hard drive.