EDD Update

Before delving into why I see the era of imaging coming to a close, I’d like to define what the term means. Lawyers, computer forensic investigators and others misuse the term often, sowing confusion throughout the industry.

Here’s what imaging means, as most IT workers understand it: The electronic, bit-for-bit duplication of an entire targeted storage medium. For example, if the medium is a hard disk drive, imaging means the electronic duplication of all storage areas of the drive, both used and unused. That includes active or live files, deleted files, slack space, unallocated space and drive free space. Everything.

In the past few years, imaging has been erroneously co-opted to mean duplication of active files only. In other words, imaging came to mean only that the metadata of these active files is preserved. File creation, modification and access dates and other forms of metadata are copied into the properties of the duplicated files. Wrong.

Imaging, as most IT people understand it, is the only method of value for preservation of forensically accessible data. Imaging allows recovery of deleted files, examination of data movements, computer use patterns and so forth. In many cases, such as those involving trade secret or employee misconduct investigations, imaging is helpful. 

Working against images protects the integrity of the original data, allows the original medium to be returned to service and comports with investigative best practices. Without forensic images, difficult forensics operations must be performed on-site, against original media that may be accidentally damaged by temperamental forensic tools. On-site forensic investigations of any detail can be disruptive to employees and information systems. Such investigations are also expensive and slow.

For this reason, in cases where forensic evidence may be important, imaging – real imaging – has  always made sense. The goal has been to limit the number of images made to a minimum to avoid expense and unnecessary multiplication of data.

Why Imaging Will Die

Despite the proven benefits of imaging, the advent of new storage technologies will soon make imaging obsolete, if it isn’t already.

Here’s why: An average imaging speed, for the past 10 years, has remained steady at about 2 gigabytes per minute. This assumes the fastest wire connection, the fastest bus speeds and an abundance of random access memory (RAM). It does not include initialization or verification time, which often doubles the total time required. 

Meanwhile, storage capacity has increased exponentially. Ten years ago, 40-gigabyte HDDs were impressive. Today, 1-terabyte HDDs are common and less expensive than the 40-gig drives of 10 years ago. The largest HDD storage capacity available today is 2 terabytes. Tomorrow it will be three terabytes, or five. You get the picture.

Back in 2000, the average HDD speed was 4,200 revolutions per minute. Today, the most common HDD speed is 7,200 RPM. Thus, HDD RPM speeds (one component of imaging speed) have at best doubled while average data storage capacities have increased twentyfold or more.

Businesses and individuals have increased HDD capacity in line with storage technology improvements and lowered cost. The average business size desktop HDD, based on my experience, is now 250 gigs. The average laptop HDD capacity is 100 gigs. Both will increase steadily.

Effective imaging requires continuous rechecking of duplication efforts and a larger number of attempts than successes. Computers are not perfect, and the greater the amount of data, the greater the likelihood that the imaging process will crash and require a complete restart. 

Ten years ago, imaging a 40-gig HDD took about one hour. Today, an 80-gig HDD can be imaged in an hour, though 90 minutes is a better estimate. Imaging a 500-gig HDD, on the other hand, takes at least 500 minutes, or 12 hours. A 1-terabyte drive takes 24 hours. That’s under ideal conditions, with everything working perfectly.

Those figures don’t lie. It’s easy to see that the days of imaging as the e-discovery industry knows it are numbered.

The Fallout

Imaging is too expensive, it takes too long and it interrupts the ordinary course of business. While it may altogether go away, imaging will soon become rare. Don’t get me wrong. I favor imaging. My shop has imaged more than 10,000 hard drives since 2001. It’s really the only tried and true way the e-discovery industry has to ensure as much electronic evidence as possible is scoured from our computer systems. I’m on the losing side though.

What will replace imaging? Live file extraction. However, live file extraction means that the shadow areas of our IT systems will not be examined for potentially relevant ESI. Slack space, deleted files, unallocated space and drive free space on HDDs will go unsearched. Evidence will be missed. The truth will not always be revealed.