The phrase “forensic collection” often is associated in our minds with a bit-by-bit copy of a computer’s entire hard drive. This may be crucial in cases where we might expect authentication issues or where investigation of slack and fragmented space may be important. Criminal cases are a prime example. But a collection of electronically stored information (ESI) may be limited to only certain files that are likely to be relevant and still be forensically sound.
What makes a collection forensically sound, whatever its scope, is not that the entire storage media has been copied bit by bit, but that the files that have been collected can be shown to be exact copies of what was on the source, including associated metadata. This requires that the collection method not alter the files or their metadata. It also usually includes some way of ensuring non-alteration after collection, which generally means taking a digital fingerprint in the form of a hash value that can be securely stored and used later to verify that the document still is exactly like it was at the time of collection.
But a completely forensically sound collection is not always necessary. Much of the benefit of a forensically sound collection can still be obtained without using specialized collection software. Some simple methods for collecting ESI do alter some metadata fields, such as the creation date, last modified date, last accessed date, source path, etc. These fields usually are less important and may be unnecessary in many cases.
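The hash-and-verify approach described above, as an added Python example that is not part of the original article: it copies only selected files while keeping the last modified date, records each file's source path, size, timestamp and SHA-256 hash in a manifest, and later reports any collected file that no longer matches. The function names, manifest layout and sample file are assumptions made for illustration.

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB blocks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def collect(sources, dest_dir, manifest_path):
    """Copy selected files, logging source path, size, mtime and SHA-256 of each."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(Path(s) for s in sources):
        st = src.stat()              # read metadata first: hashing may update atime
        digest = sha256_file(src)
        dst = dest_dir / f"{i:04d}_{src.name}"   # index prefix avoids name clashes
        shutil.copy2(src, dst)       # copy2 carries mtime over; a plain copy resets it
        if sha256_file(dst) != digest:
            raise OSError(f"copy of {src} differs from the source")
        entries.append({"source_path": str(src.resolve()), "collected_as": dst.name,
                        "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                        "sha256": digest})
    Path(manifest_path).write_text(json.dumps(entries, indent=2))
    return entries

def verify(dest_dir, manifest_path):
    """Return the collected files that are missing or no longer match their hash."""
    bad = []
    for e in json.loads(Path(manifest_path).read_text()):
        f = Path(dest_dir) / e["collected_as"]
        if not f.is_file() or sha256_file(f) != e["sha256"]:
            bad.append(e["collected_as"])
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:       # constructed sample data
        src = Path(tmp, "custodian", "memo.txt")
        src.parent.mkdir()
        src.write_text("draft agreement v3\n")
        os.utime(src, ns=(10**18, 10**18))           # fixed timestamps for the demo
        out, man = Path(tmp, "collected"), Path(tmp, "manifest.json")
        print(collect([src], out, man)[0]["sha256"])
        print("altered after collection:", verify(out, man))
        (out / "0000_memo.txt").write_text("edited\n")
        print("altered after collection:", verify(out, man))
```

Store the manifest apart from the collected files so the recorded hashes cannot be changed along with them.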
For the best results: