Look Into a Mirror

My idea is to take a mirror image of each drive and store it on our network-attached storage infrastructure. Technicians at our remote offices will create the images and store them on a mapped network drive. We'll set permissions and apply other methods of access control to ensure the availability and confidentiality of the data.

To make sure that we create forensically sound images, we'll need write blockers, which prevent data from being written to a hard drive. That's a small expense, but the workstations for the image processing should be free, since our freed up a bunch of hardware.

We can choose between AccessData's Forensic Toolkit and 's EnCase for the imaging; we already use both for other purposes. I had our development team create a Web form to track all the information regarding the imaging process. The form is searchable, so we'll know where a particular image is maintained.

I'm hoping that this form can also serve as a chain of custody, so that we can minimize the amount of paperwork needed. I figure that we can recoup our initial investment in about 30 days and save the company about $100,000 per year.