A forensic image (forensic clone) is a sector-by-sector direct copy of a physical storage device, including all data, files, folders and unallocated, free space. Forensic images include not only all the files visible to the operating system but also deleted files and pieces of files left in the unallocated space.
Forensic imaging is one element of computer forensics, which is the application of computer analysis and investigation techniques to gather evidence suitable for presentation in a court of law.
Not every imaging and/or backup software create forensic images. Windows Operating System backups, for example, creates image backups that are not complete copies of the physical device/hard drive. Forensic images can only be created using specialized forensic software. Some disk cloning utilities not advertised for forensic use also make complete disk images. We use government approved software.
In the case of cyber-crime, additional evidence may be discovered other than what is available through an operating system (Linux, Windows, and/or other) in the form of incriminating data that has been deleted to prevent discovery. Unless the data is deleted securely and overwritten, it can often be recovered safely with forensic or data recovery software.
Creating and backing up a forensic image helps prevent loss of data due to original drive failures. The loss of data as evidence can be damaging to legal cases. Moreover, forensic imaging can prevent the loss of critical files.