According to a recent EDRM survey, nearly a third of its respondents reported that most or all of their legal matters involved data collected from mobile devices. While evidence and data from mobile devices have long been important in legal projects, requests to collect forensic images from mobile phones, laptops, and the like continue to increase.
Generally, there are three primary types of forensic image collection techniques: 1) creating a physical forensic image of the device; 2) collecting a logical image; or 3) doing a targeted collection of device data.
Determining the appropriate forensic image format depends on the nature of the legal matter and budget.
A physical device collection is a bit-by-bit copy of the device, i.e., an exact copy. Physical imaging of a mobile device is the most thorough method and acquires the greatest amount of data. It is used to acquire the entire physical volume of a drive. Physical forensic images capture deleted space and file fragments and provide access to deleted and encrypted data.
As with all types of forensic collections, there are pros and cons to physical device collections. The pros: full access to device artifacts (e.g. event logs, files, and timestamps). The cons: More data = more money.
For high stakes matters such as internal investigations or criminal matters, the most defensible and forensically sound device collection method is acquiring a physical forensic image of devices at issue.
A logical image of a device or hard drive captures all files visible to the user. It typically does not recover deleted items or data in deleted areas of the device, nor does it collect file fragments.
Basically, a logical device collection isolates only “active” files on a device. Creating a logical image of a mobile device is often sufficient for civil litigation matters unless they are highly contentious.
Pros of logical forensic collections: less data and less expensive. Cons: does not provide much insight into deleted files.
Finally, a targeted collection is just what it sounds like: a forensic collection of specific files or folders relevant to a legal matter. This method is the least expensive because it collects the least amount of data and is best suited for civil matters with cost sensitivity considerations, eDiscovery proportionality concerns or for subpoena responses.
Pros of targeted forensic collections: speeds up the e-discovery process because less data has to be processed. Cons: you may need to go back to the collection source if additional data is needed that was not in the original targeted collection.
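The following added example, which is not part of the original article, models the three collection types on a constructed toy volume to show why only the physical image still contains a deleted file's content. The directory-table layout, file names and file contents are assumptions made for illustration; the SHA-256 digest is the usual way to verify that a copy is exact.

```python
import hashlib

BLOCK = 16  # constructed block size for the toy volume


def build_volume():
    """Constructed toy volume: a directory table plus raw data blocks."""
    files = [("/dcim/photo1.jpg", b"JPEGDATA-0001"),
             ("/sms/thread.db", b"SMS:meet at 9"),
             ("/sms/old.db", b"SMS:wire funds")]
    raw, table = bytearray(), []
    for path, data in files:
        table.append({"path": path, "offset": len(raw),
                      "size": len(data), "deleted": False})
        raw += data.ljust(BLOCK, b"\x00")
    table[2]["deleted"] = True  # entry marked deleted; its blocks are not wiped
    return bytes(raw), table


def physical_image(raw):
    """Bit-by-bit copy of the whole volume, plus a digest to verify the copy."""
    image = bytes(raw)
    return image, hashlib.sha256(image).hexdigest()


def logical_image(raw, table):
    """Only active (non-deleted) files, read through the directory table."""
    return {e["path"]: raw[e["offset"]:e["offset"] + e["size"]]
            for e in table if not e["deleted"]}


def targeted_collection(raw, table, prefix):
    """Active files under one folder that is relevant to the matter."""
    return {p: d for p, d in logical_image(raw, table).items()
            if p.startswith(prefix)}


def contains(collection, needle):
    """True if the byte string appears anywhere in the collected data."""
    blobs = [collection] if isinstance(collection, bytes) else collection.values()
    return any(needle in b for b in blobs)


if __name__ == "__main__":
    raw, table = build_volume()
    image, digest = physical_image(raw)
    sets = {"physical": image, "logical": logical_image(raw, table),
            "targeted": targeted_collection(raw, table, "/sms/")}
    print("image sha256:", digest)
    for name, data in sets.items():
        print(name, "contains deleted message:", contains(data, b"wire funds"))
```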