The process of collecting electronic data can be a complicated one in e-discovery or computer forensic investigation. This can be attributed to the vast amount of data, different electronic storage locations and also the increasing file-types used. It is important to note that the initial data collections steps are very vital part of the process. Should errors occur; the process can be very costly in the investigation or in terms of cost? Therefore before the process of data collection begins, there is a need for experts to examine the type of data that is very crucial, where it is located, the amount needed and also whether active data or mirror image capture is needed. In this article, we explore the various differences between active data capture and mirror image capture.
After identifying the location of the relevant data, the data must be retrieved. Computer forensic and data experts can be able to retrieve data that is in all operating and storage systems. This can include the antiquated systems. No matter how the data is collected, a forensic copy of the media can be made by the use of the appropriate and effective software. Therefore the imaging process can offer investigators and clients a complete mirror image, or snapshot, of the deleted, active, and also partially overwritten data that is contained in the media. It also ensures that there are no alterations that can be made to the original data.
It is important to note that the imaging process does not destroy data in any way and neither does it require an operating system to be booted. This ensures that the system will not be altered in any way in the imaging process and thus preserves the evidentiary value. Many IT professionals and lawyers are not aware of the booting process of a computer as it damages the critical evidence and also it is likely to change the metadata, such as modified dates or created dates that are associated with given files. Also, the process of booting can cause problems to the hard drives of the system being used.