With the goal of acquiring digital evidence from varying types of computer systems, investigators have
often used classic hardware tools such as write-blockers in conjunction with laptop computers and software
to acquire images of source (evidentiary) hard drives. Alternatively, investigators have used forensic drive
duplicators, which combine at least the write-blocker and computer into one hardware resource, thus
speeding the process.
This group of resources (write-blocker, host computer, and software; or alternatively: a forensic duplicator) has invariably required the local assistance of a forensic computer investigator.
Investigators have developed a response orientation that integrates these tools: after being alerted to a
potential crime (or in the case of E-Discovery, an event), an investigator travels to the scene of the crime,
identifies hard drives within computer systems, and images the hard drive. The E-Discovery track is parallel:
an investigator will travel to a client’s site and determine which digital resources to analyze and copy.
Remote forensic acquisition is a strong solution to the problems that have emerged:
• Investigative travel increases expense in an IT and forensic culture that has increasingly become more cost sensitive.
• Investigators can’t see the target computer system in real time; they have to wait until they arrive on site.
Recognizing the need to acquire information and evidence from distant computers, a new group of E-Discovery and forensic tools have evolved
in the last five years. In order for these tools to allow the discovery of information, they have generally
required the installation of very specialized software programs in remote (or distributed) computers. These
programs consequently enable the transfer of selected files, data carves, and system information to a central
server, with analysis thereafter by a forensic or IT specialist.
It is not difficult to install the software programs, but several concerns emerge:
• The installed software program provides an ‘infection’ of its own within the targeted remote
• The program must send data via the internet and does not perform local analysis on the data, so it is of limited use as an analysis tool.
• The program cannot operate on a loose hard drive that has been removed from its computer, as is typical in ‘dead box’ forensics. (‘Dead box’ forensics is classic computer forensics, where drives are removed from computer systems so that they may be imaged for forensics or IT discovery.)
• Even if the software program works in conjunction with the computing hardware on which it is installed
to analyze storage data, it is dependent on that computing hardware for good performance. In other words: a
slow computer gives even slower analysis results.
The software programs that are referenced as a part of this discussion are an important part of evidence
collection (especially E-Discovery), and are available from AccessData, Guidance Software, and others [1, 2].
Is there an improved method for speeding remote forensics and E-Discovery?
A device must have two characteristics to excel at remote forensics:
1) It must reliably create copies of hard drives and network volumes, whatever the file system or network
configuration.
Product Insight: Remote Forensic Acquisition Using Hardware Tools
Figure 1: Forensic UltraDock v5 from CRU, TD3 from Tableau, and a traditional hard disk drive.
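The block-level copy that the first requirement above calls for, as an added Python example that is not from the article or from either vendor's product: the source is opened read-only (the software counterpart of a write-blocker), copied byte for byte with no interpretation of the file system, hashed as it is read, and the stored image is then verified against that hash. The file names and the 64 KiB raw "drive" are constructed for the demo.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # copy unit; bytes are copied as-is, so any file system (or none) images the same way


def sha256_of_file(path, block_size=BLOCK_SIZE):
    """Stream-hash a file or raw device so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of source_path into image_path, hashing the source as it is read.

    The source is opened O_RDONLY (never read-write) so the acquisition itself cannot alter the
    evidence, and nothing parses partitions or file systems, which is what makes the same routine
    work for NTFS, ext4, HFS+ or an unknown/encrypted volume. Returns an acquisition record.
    """
    h = hashlib.sha256()
    copied = 0
    fd = os.open(source_path, os.O_RDONLY)
    with os.fdopen(fd, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    return {"bytes": copied, "sha256": h.hexdigest()}


def verify_image(image_path, record):
    """Re-hash the stored image and compare with the hash taken at acquisition time.
    A truncated copy or any later change to the image, even one byte, fails this check."""
    return (os.path.getsize(image_path) == record["bytes"]
            and sha256_of_file(image_path) == record["sha256"])


def demo():
    """Constructed end-to-end run on a fake 64 KiB 'drive' of raw bytes with no file system."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.raw")   # constructed stand-in for a block device
        image = os.path.join(tmp, "evidence.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 256)          # deterministic 65536-byte content
        record = acquire_image(source, image)
        ok_before = verify_image(image, record)
        with open(image, "r+b") as f:                 # simulate one corrupted byte in the image
            f.seek(1000)
            f.write(b"\xff")
        ok_after = verify_image(image, record)
        return record["bytes"], ok_before, ok_after
```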