Page 18 - Understanding Forensic Technology Landscape
Data integrity is validated using commonly applied file hashing processes to confirm that the source and destination data sets reflect a perfect match.

Creating a full forensic image eliminates the need for future collections from the same device. This method is recommended for the execution of a proper forensic analysis process.

Common protocol includes the creation of both a working and preservation copy of the media to protect the client from unintentional data loss due to drive failure.

Detailed acquisition documentation is maintained with information related to custodians, data sources, hardware identifiers, collection methods and the process results. Chain of custody documentation is maintained for all evidence. Similarly, the process for gathering information during the investigation is documented, such as the interviews of any custodian, legal or technology staff.

Targeted collection

In some cases, a full forensic image is not needed, and collection is limited to images of specific drives, folders, and server file shares. This requires the identification of a subset of data located on a device or system for partial acquisition of a larger data set.

This approach is often used to control costs and minimize operational disruptions. The acquisition of unnecessary content can drive up processing and review costs. However, it should only be used when the client, preferably with the advice of counsel, is certain that the identified data contains everything required for processing and production related to a matter. This method typically does not allow for thorough forensic analysis or recovery of deleted items or file fragments.

The data can be placed in a forensically sound container file to prevent unintentional spoliation of evidence. As with forensic imaging, working and preservation copies of the data set are maintained. Documentation of the acquisition, chain of custody, and other investigation work is the same as for a full forensic collection.

Common uses for forensic collection of electronic evidence

Today, many business and personal records are only maintained in electronic format. Therefore, analysis of electronic evidence is often essential. Even when paper copies of documents exist, forensic collection of ESI can prevent the need to sort through hard-copy documents or portable document formats (PDF) files that would otherwise need to be translated and interrogated. In a forensic collection, the original files (spreadsheets, documents, accounting data, and emails) are reproduced in the same format in which they were created.

To avoid spoliation and to ensure that all relevant evidence is considered, it is recommended that all electronic evidence be collected in a forensically sound and defensible manner, including a complete chain of custody and validating that the file image created is a bit-level duplicate of the original file to increase the likelihood of admissibility.

Typical examples of forensically collected electronic evidence are email or other electronic communications, financial data, banking records, social media information, and data contained on cell phones.
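The hash validation and the working and preservation copies described above, applied to a targeted collection, as an added example that is not part of the original document. It assumes plain directory copies rather than a forensic container format and SHA-256 as the hash; the function names and the sample files are hypothetical and constructed for illustration.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def collect(source_root, targets, working_dir, preservation_dir):
    """Copy each targeted file to both destinations and return a hash manifest (one record per file)."""
    manifest = []
    for rel in targets:
        src = Path(source_root) / rel
        src_hash = sha256_file(src)  # hash the source before any copy is made
        record = {"file": rel, "source_sha256": src_hash}
        for label, dest_root in (("working", working_dir), ("preservation", preservation_dir)):
            dest = Path(dest_root) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)  # copy2 also carries over modification times
            record[f"{label}_sha256"] = sha256_file(dest)  # hash what was actually written
        record["verified"] = all(record[f"{l}_sha256"] == src_hash for l in ("working", "preservation"))
        manifest.append(record)
    return manifest

def reverify(manifest, dest_root, label):
    """Re-hash one copy at a later date and list the files that no longer match the manifest."""
    return [r["file"] for r in manifest
            if sha256_file(Path(dest_root) / r["file"]) != r[f"{label}_sha256"]]

def demo():
    """Constructed sample data: two small files standing in for a custodian's file share."""
    root = Path(tempfile.mkdtemp())
    src, work, pres = root / "source", root / "working", root / "preservation"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2020-01-01,100\n")
    (src / "mail.txt").write_bytes(b"constructed sample message\n")
    manifest = collect(src, ["finance/ledger.csv", "mail.txt"], work, pres)
    # Simulate an accidental edit to the working copy after collection.
    (work / "mail.txt").write_bytes(b"edited by mistake\n")
    return manifest, reverify(manifest, work, "working"), reverify(manifest, pres, "preservation")

if __name__ == "__main__":
    print(demo())
```

The manifest returned by `collect` is the kind of record that belongs in the acquisition documentation, and `reverify` shows why the preservation copy is kept untouched: the altered working copy is flagged while the preservation copy still matches.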