Importance of Bit-by-Bit image

The world is moving into a digital era in which computer technology is a thriving and dynamic industry, but so is the burden that comes with it: cyber-crime, hacking, computer-related security breaches, related intellectual theft and computer insecurity, among others. It is for this reason that computer forensics plays a key role in our society and in legal issues. Computer forensics is the collection, analysis and preservation of computer-related evidence for the key purpose of court presentation, i.e. it may openly serve as evidence in a legal matter. “It is defined as the process involves the preservation, identification, extraction, documentation and interpretation of computer data.” (Patzakis, 2001)
A bit-by-bit image is otherwise known as a bit-stream image and is defined as a “sector-by-sector copy of a hard drive or a set of files that creates an exact copy of a hard drive preserving all latent data in addition to files and directory structures.” (Centre for Computer Forensics, 2008) Being one of the three processes of computer forensics, it is very important in that it creates a ‘mirror’ image that can be read by computer forensic tools for purposes of analysis. A ‘mirror’ image is the hard drive produced by hardware that performs a bit-stream copy from an original drive to another. Bit-by-bit imaging is crucial in creating “a file that contains every bit of information from the source in a raw bit-stream format” (Schwarz, 2004), otherwise known as a forensic duplicate.
To establish the importance of having a bit-by-bit image of the hard drive, or a mirror hard drive, one needs a working understanding of the steps employed in a computer forensic investigation and the processes applied in those steps. “The three steps essential to any forensic investigation are acquiring, authenticating and analyzing.” (Bui, Enyeart, Luong, 2003, pg1) Acquiring encompasses gaining the contents of the subject hard drive, mainly by generating a bit-by-bit duplication of the hard drive. Acquiring information entails a carefully formulated booting process, imaging of the hard drive and, thirdly, mounting the mirror image copy as a read-only drive. Authenticating is the process of “ensuring that the copy used to perform the investigation is an exact replica of contents of original hard drive and ensuring that the evidence has not been altered during acquisition process.” (Bui, Enyeart, Luong, 2003, pg1 and pg5) Analysis is where time is spent retrieving deleted files and interpreting the results. “Forensic software tools are used to recover deleted files that have not been fully overwritten along with unallocated or temporary data.” (Patzakis, 2001)
One importance of a bit-by-bit image of the hard drive is that it enables data to be preserved and acquired legally. To create a mirror image hard drive, an initial booting process is first carried out. When a computer is switched on, a number of changes take place during the booting process, making the data completely different from when it was shut down. For this reason a special booting process is initiated to ensure that the original is not altered. Electronic evidence is delicate and can easily be tampered with if not handled properly.
Imaging is the process whose focal goal is to obtain a bit-by-bit image of the hard drive. The main importance of having a bit-by-bit image or copy of the hard drive is that computer forensics encounters no risk of evidence contamination; hence it plays a key role in the integrity of the evidence in court. Another importance of a bit-by-bit image hard drive is that it is a duplicate of the original, and hence can be accepted by a court only on the grounds that the data is shown to be an accurate copy of the target hard drive.
A bit-by-bit image of the hard drive is not writable, meaning that once created it is mounted as a read-only drive. When creating a bit-stream image, the target hard drive is attached to a write-protected device, guaranteeing that no writes occur to the original. This is of great importance in ensuring that “examination is done on image of target drive without changing contents of the original. Consequently, allowing search and analysis of computer files without altering date stamps or any other information.” (Patzakis, 2001). This matters for the integrity of the computer data, so that it holds up as crucial and legitimate evidence in court.
Another major significance of a bit-by-bit image of the hard drive is that it supports one major step of any forensic investigation, namely authentication. As the definition states, computer forensics is built on the principle that data is ultimately used in court. A bit-by-bit image of the hard drive can be used to prove that the evidence was not tampered with and that it is an exact duplicate of the subject hard drive, thus satisfying the procedure of authentication. Evidence is protected from alteration during the investigation because the mirror hard drive is the one used for examination. “Court will accept duplicated computer data only if demonstrated to be an exact and accurate copy of original” (Patzakis, 2001), and this is done with the bit-by-bit image of the hard drive in a process involving signatures, otherwise known as a hashing process. It therefore prepares, or authenticates, data for presentation in court.
A bit-stream image hard drive is also very important in the process of analysis. One major aspect of analysis is data recovery, where computer forensic tools are employed. The purpose of a bit-stream image of the hard drive is that analysis is done not directly on the computer in question but on a copy. This prevents tampering and upholds the legitimacy of the evidence in court, and consequently allows for analysis and interpretation of results while ensuring the original evidence is protected from inadvertent changes.
In conclusion, the main importance of a bit-by-bit image hard drive lies in allowing preservation and proper acquisition of data; authentication of data for presentation in court, i.e. assuring the integrity of the data; and lastly recovery of all possible data, including deleted files.
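The acquire and authenticate steps described above can be shown end to end in a short sketch. This is an added example, not taken from the cited sources: the function names, the file names and the choice of SHA-256 as the hash are assumptions, and a small constructed file stands in for the subject drive (a real acquisition reads the device through a write blocker).

```python
import hashlib
import os
import stat
import tempfile

BLOCK = 64 * 1024  # read size; the result is bit-identical for any block size


def sha256_of(path):
    """Stream a file (or device node) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy every byte of source to image; return the hash of what was read."""
    h = hashlib.sha256()
    # source is opened read-only; "xb" refuses to overwrite an existing image
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, stat.S_IRUSR)  # analysis copy is read-only from here on
    return h.hexdigest()


def authenticate(image, acquisition_hash):
    """True only if the image still matches the hash taken at acquisition."""
    return sha256_of(image) == acquisition_hash


def demo():
    """Constructed sample: a small file stands in for the subject drive."""
    work = tempfile.mkdtemp()
    source, image, altered = (os.path.join(work, n) for n in ("subject.raw", "evidence.dd", "altered.dd"))
    with open(source, "wb") as f:  # live data, a deleted remnant, unused space
        f.write(b"FILE:report.doc" + b"\x00" * 497 + b"deleted-remnant" + b"\xff" * 1000)
    digest = acquire(source, image)
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[600] ^= 0x01  # a single flipped bit anywhere in the copy
    with open(altered, "wb") as f:
        f.write(data)
    return {"source_matches": sha256_of(source) == digest,
            "image_authentic": authenticate(image, digest),
            "altered_authentic": authenticate(altered, digest),
            "latent_data_kept": b"deleted-remnant" in data}
```

Because the copy is made byte for byte rather than file by file, the deleted remnant survives in the image, and a single changed bit in any copy makes authentication fail.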

References
1. John M. Patzakis (2001), Computer Forensics –From Cottage Industry to Standard Practice, Volume-2, ISACA.
Available at http://www.isaca.org/Journal/Past-issues/2001/Volume-2/Pages/Computer-Forensics-From-Cottage-Industry-to-Standard-Practice.aspx
(Last accessed, 18th April, 2013)
2. Thomas Schwarz (2004) HD Duplication, cse.scu.edu.
Available at http://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/HDDuplication.html
(Last accessed, 18th April, 2013)
3. Sonia Bui, Michelle Enyeart & Jenghuei Luong (2003), Issues in Computer Forensics.
Available at http://www.google.com/search?q=Forensics+Investigation.pdf+by+Sonia+Bui&hl=en&ie=UTF-8&tbm=
(Last accessed, 18th April, 2013)
4. Center for Computer Forensics [CCF] (2008), What is a bit stream image?
Available at http://www.computer-forensics.net/FAQs/what-is-a-bit-stream-image.html
(Last accessed, 18th April, 2013)
