Using Assure to image USB's and other removable devices
Evitrack Assure is capable of imaging not just hard drives, but any digital media that is installed or can be attached to a computer.
There is an abundance of applications and software that advertise or claim to copy devices such as hard drives and USB keys. Some only copy file data, the folder and data structure. Others will create bit-by-bit copies of devices, and as such are a complete copy of the media. However, these may not be forensic images.
A forensic image or forensic copy is NOT just a bit-by-bit copy of a physical storage device. Whilst the contents of a forensic image are a bit-by-bit copy of a device that will contain everything:
- Folders and directory structure
- Unallocated space
- Free space
- File slack or slack space
- Deleted files
- Recoverable file elements left in both the file slack and free space
The other aspect that relates to creating a forensic image is how the device was accessd in the first place, a user needs to be sure that data and timelines are not being modified in the process.
On numerous occasions we have come across situations where someone in organisation has been given the task of searching for possible evidence as well as copying the media. Where, either their efforts or the application they use overwrites file access times and other crucial data.
This is one of the main reasons that EviTrack Assure is provided with its own operating system. So that we can ensure that all accessible media is ‘read only’, ensuring that status is maintained and recorded throughout any acquisition process.