Legal Technology News - E-Discovery and Compliance Blog


September 01, 2009

The Death of Imaging

Lawyers and electronic discovery pundits have argued for years over the merits of forensic media imaging, or imaging for short, as a means of capturing electronically stored information (ESI).

Imaging captures the greatest volume of raw data, but it also dramatically increases the financial burden on the producing party. The debate focuses on whether and when imaging should be used for forensic work due to its inherent high price tag.

As I see it, the entire argument is without purpose. Imaging has its uses, but storage technologies will soon make it obsolete. Live file extraction will become the de facto method of gathering ESI. The death of imaging is upon us and its passing will have a profound effect on the e-discovery industry. In essence, the death of imaging means potentially relevant electronic evidence will be missed, making it harder for the courts to get to the truth of matters before them.

Industry Confusion

Before delving into why I see the era of imaging coming to a close, I’d like to define what the term means. Lawyers, computer forensic investigators and others misuse the term often, sowing confusion throughout the industry.

Here’s what imaging means, as most IT workers understand it: The electronic, bit-for-bit duplication of an entire targeted storage medium. For example, if the medium is a hard disk drive, imaging means the electronic duplication of all storage areas of the drive, both used and unused. That includes active or live files, deleted files, slack space, unallocated space and drive free space. Everything.

In the past few years, imaging has been erroneously co-opted to mean duplication of active files only. In other words, imaging came to mean only that the metadata of these active files is preserved. File creation, modification and access dates and other forms of metadata are copied into the properties of the duplicated files. Wrong.

Imaging, as most IT people understand it, is the only method of value for preservation of forensically accessible data. Imaging allows recovery of deleted files, examination of data movements, computer use patterns and so forth. In many cases, such as those involving trade secret or employee misconduct investigations, imaging is helpful. 

Working against images protects the integrity of the original data, allows the original medium to be returned to service and comports with investigative best practices. Without forensic images, difficult forensics operations must be performed on-site, against original media that may be accidentally damaged by temperamental forensic tools. On-site forensic investigations of any detail can be disruptive to employees and information systems. Such investigations are also expensive and slow.

For this reason, in cases where forensic evidence may be important, imaging – real imaging – has always made sense. The goal has been to limit the number of images made to a minimum to avoid expense and unnecessary multiplication of data.

Why Imaging Will Die

Despite the proven benefits of imaging, the advent of new storage technologies will soon make imaging obsolete, if it isn’t already.

Here’s why: Average imaging speed has held steady for the past 10 years at about 2 gigabytes per minute. This assumes the fastest wire connection, the fastest bus speeds and an abundance of random access memory (RAM). It does not include initialization or verification time, which often doubles the total time required.

Meanwhile, storage capacity has increased exponentially. Ten years ago, 40-gigabyte HDDs were impressive. Today, 1-terabyte HDDs are common and less expensive than the 40-gig drives of 10 years ago. The largest HDD storage capacity available today is 2 terabytes. Tomorrow it will be three terabytes, or five. You get the picture.

Back in 2000, the average HDD speed was 4,200 revolutions per minute. Today, the most common HDD speed is 7,200 RPM. Thus, HDD RPM speeds (one component of imaging speed) have at best doubled while average data storage capacities have increased twentyfold or more.

Businesses and individuals have increased HDD capacity in line with storage technology improvements and lowered cost. The average business size desktop HDD, based on my experience, is now 250 gigs. The average laptop HDD capacity is 100 gigs. Both will increase steadily.

Effective imaging requires continuous rechecking of duplication efforts and a larger number of attempts than successes. Computers are not perfect, and the greater the amount of data, the greater the likelihood that the imaging process will crash and require a complete restart. 

Ten years ago, imaging a 40-gig HDD took about one hour. Today, an 80-gig HDD can be imaged in an hour, though 90 minutes is a better estimate. Imaging a 500-gig HDD, on the other hand, takes at least 500 minutes, or 12 hours. A 1-terabyte drive takes 24 hours. That’s under ideal conditions, with everything working perfectly.

Those figures don’t lie. It’s easy to see that the days of imaging as the e-discovery industry knows it are numbered.

The Fallout

Imaging is too expensive, it takes too long and it interrupts the ordinary course of business. While it may altogether go away, imaging will soon become rare. Don’t get me wrong. I favor imaging. My shop has imaged more than 10,000 hard drives since 2001. It’s really the only tried and true way the e-discovery industry has to ensure as much electronic evidence as possible is scoured from our computer systems. I’m on the losing side though.

What will replace imaging? Live file extraction. However, live file extraction means that the shadow areas of our IT systems will not be examined for potentially relevant ESI. Slack space, deleted files, unallocated space and drive free space on HDDs will go unsearched. Evidence will be missed. The truth will not always be revealed.
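The gap between a bit-for-bit image (as defined earlier) and live file extraction (as described above) can be seen on a small scale in the following added example, which is not part of the original post. The 8-sector toy disk, its one-line directory format and all file contents are constructed for illustration; real file systems are far more complex.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector on the constructed toy disk

def build_toy_disk():
    """Constructed 8-sector disk: sector 0 is the directory, sector 1 holds
    an active file, sector 5 holds leftovers of a file no longer listed."""
    disk = bytearray(SECTOR * 8)
    active = b"Q3 budget memo: approved."
    entry = b"memo.txt|1|%d\n" % len(active)      # name|start sector|length
    disk[0:len(entry)] = entry
    disk[SECTOR:SECTOR + len(active)] = active
    deleted = b"pricing list sent to personal account"
    disk[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted  # unallocated space
    return bytes(disk)

def live_file_extraction(disk):
    """Copy only the files the directory still references."""
    files = {}
    listing = disk[:SECTOR].split(b"\x00", 1)[0]
    for line in listing.splitlines():
        name, start, length = line.split(b"|")
        offset = int(start) * SECTOR
        files[name.decode()] = disk[offset:offset + int(length)]
    return files

def acquire_image(src, dst, chunk=SECTOR):
    """Bit-for-bit copy of every sector, used or not, hashing as it reads."""
    digest = hashlib.sha256()
    while block := src.read(chunk):
        digest.update(block)
        dst.write(block)
    return digest.hexdigest()

def verify_image(dst, expected):
    """Second full read of the copy: the verification pass that adds time."""
    dst.seek(0)
    return hashlib.sha256(dst.read()).hexdigest() == expected

def compare_methods(keyword=b"pricing list"):
    disk = build_toy_disk()
    image = io.BytesIO()
    acquired_hash = acquire_image(io.BytesIO(disk), image)
    in_live = any(keyword in data for data in live_file_extraction(disk).values())
    return {"verified": verify_image(image, acquired_hash),
            "image_size": len(image.getvalue()),
            "keyword_in_live_copy": in_live,
            "keyword_in_image": keyword in image.getvalue()}
```

Calling `compare_methods()` shows the keyword present in the verified image but absent from the live copy, because no directory entry points at the sector that holds it.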

Eric P. Blank is the founder and managing attorney of Blank Law + Technology PS. His practice focuses on electronic discovery counseling, e-security response planning and implementation, investigations and computer forensics. Mr. Blank has conducted more than 300 investigations into computer and software-related torts and employee misconduct since 2001 and has frequently been a court-appointed special master or neutral in e-discovery matters.


Comments

This article is focused on the traditional (i.e. dead/offline) method of forensic imaging and completely ignores live forensic imaging options being adopted by forensic and discovery practitioners alike.

Mr. Kerr,

Thank you for reading and taking the time to respond to my blog post.

Here are my thoughts:

Live forensic imaging (as described in your comment) is an invitation to disaster and spoliation.

Due to the high risks involved, our office does live imaging very infrequently and only on express request from a customer.

Live imaging exposes electronic data to inadvertent destruction and alteration. Additionally, most live forensic imaging can be extremely time intensive because the data is being transferred in a much slower method than traditional bit-for-bit imaging methods.

Eric,

Excellent article (both I and II) - the movement away from forensic imaging is frustrating both from the risk and time perspective but also from the cost perspective. Our firm utilizes hardware imaging as a primary option which gives us close to 4GB/min. in most cases. This option allows us to offer fixed fee pricing to our clients while solving the risk/time issue as well. Based on current technology - the move to live imaging is premature and completely ignores the value obtained from the data that is ignored in live imaging. What a mistake!
