Extract from Wes Johnson and Maureen Murchie’s article “Full Forensic Imaging vs. Targeted Data Collections: Which One Do I Need?”
Do you really need that full forensic image, or will a targeted data collection get the job done?
Full forensic imaging and targeted data collections may sound similar and even get tossed around interchangeably at times, but they are very different operations. We see countless hours of time and millions of dollars wasted due to clients choosing full forensic imaging when a targeted data collection is what they really need. Understanding some important differences between the two data collection types will help you make the right choice for your case and your wallet.
What is a full forensic image?
A full forensic image is a bit-for-bit copy of an entire data storage device, such as a hard disk drive, solid-state drive or USB thumb drive. A forensic image captures not only the “live” data but also all deleted or potentially recoverable data. Depending on how the image is created, this may also include unallocated and free space. Think of it like copying a notebook, but instead of just copying the pages with writing, you capture the covers, the binding, the empty pages, the inside covers – absolutely everything. Sounds like a waste of time and effort, right? In most instances, full forensic imaging is just that.
While full forensic imaging might be useful in certain circumstances (more on that below), in most civil litigation it is the definition of overkill and a poster child for over-preservation. Using full forensic imaging instead of targeted collections will increase your collected data size by a factor of 5, 10 or more. As a general rule, every step of the Electronic Discovery Reference Model (EDRM) costs more when you collect more data. Thus, by over-collecting you’re increasing the costs of every other step in the EDRM.