Honeybadger Solutions LLC

Forensic Imaging & Chain of Custody: The Methodology

Forensic imaging is the bit-for-bit capture of a storage device through a write-protected process, cryptographically hashed at acquisition and re-verified at every subsequent step, so the working copy is mathematically provable as identical to the original. Chain of custody is the unbroken, documented record of who held that evidence and when. Together they are what converts a hard drive into admissible testimony.

Every other finding in a digital forensic exam — the deleted file recovered, the timestamp reconstructed, the deleted message surfaced — is only as strong as the two disciplines underneath it. A brilliant analysis built on an unverified acquisition or a custody record with a gap is not evidence. It is an opinion a judge cannot rely on. This is the methodology Honeybadger Solutions applies on every engagement, from a single laptop in a Phoenix boardroom dispute to a multi-terabyte server farm seized as part of a national investigation.

What Actually Makes a Forensic Image Different From a Copy?

A copy — dragging files, exporting a backup, cloning a drive with consumer software — writes to the source, alters metadata, and leaves no cryptographic proof of what was captured. A forensic image is acquired through a process engineered to guarantee two things: the source media is never altered during acquisition, and the resulting image can be mathematically proven identical to the source at any later date. That proof comes from cryptographic hashing, and that protection comes from write-blocking. Neither is optional, and neither can be retrofitted after the fact. If the source was touched before imaging began, no amount of downstream rigor repairs it.

This is the standard described in NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, which frames acquisition, examination, analysis, and reporting as a chain where each phase must be defensible on its own terms before the next can be trusted.

How Do Write-Blockers Prevent an Examiner From Contaminating the Evidence?

A write-blocker sits between the source media and the acquisition machine and physically or logically intercepts every write command, allowing read commands through while returning a success signal to the operating system without ever committing a change to the source. This matters because modern operating systems write to attached media constantly and invisibly — journaling, indexing, thumbnail caching, and drive-letter assignment all touch a disk the instant it is recognized. Without a blocker, simply connecting a drive to a standard workstation can alter access timestamps and, in some file systems, journal metadata before an examiner has typed a single command.

Hardware vs. Software Write-Blocking — Which Does Honeybadger Solutions Use?

Hardware write-blockers are dedicated physical devices with no operating system of their own, intercepting commands at the interface layer (SATA, SAS, USB, NVMe) before they reach the host bus — the highest evidentiary standard because the protection exists independent of any software that could be misconfigured or compromised. Software write-blockers operate as a driver-level filter on the acquisition workstation itself; they are appropriate for certain live-response and enterprise contexts where hardware blocking is impractical, but they inherit the trust assumptions of the host operating system and require documented validation before use. Our default posture is hardware blocking wherever the source media and case posture allow it, with software blocking reserved for scenarios — live systems, cloud instances, RAID controllers requiring vendor drivers — where hardware interception is not physically possible, and that reservation itself is documented as part of the exam notes.

Bit-for-Bit vs. Logical Acquisition: When Does Each Apply?

A bit-for-bit (physical or sector-level) acquisition captures every sector of a device — allocated space, unallocated space, slack space, and file-system metadata — regardless of what the operating system reports as “in use.” This is what recovers deleted files, reconstructs fragments in unallocated clusters, and preserves artifacts an operating system doesn’t expose through its normal file listing. A logical acquisition instead captures only the active, visible file system — the files and folders an operating system presents — and is faster and smaller, but by definition excludes deleted data, slack space, and much of the forensic residue that often decides a case.

The decision between them is not a preference — it is dictated by the source and the objective. A suspect workstation in a fraud or IP-theft matter is imaged bit-for-bit as a default; a cloud SaaS tenant or a mobile device under vendor-imposed extraction limits may only permit a logical acquisition, and that limitation is disclosed in the report rather than glossed over. Our digital forensics team documents the acquisition type selected and the reasoning behind it as a matter of course, because a competent opposing expert — or a judge applying Federal Rule of Evidence 901 — will ask.

Dead-Box vs. Live Acquisition: How Do Examiners Choose?

Dead-box acquisition — imaging a powered-off device with its storage removed or attached through a write-blocker — is the gold standard because the media is inert and the risk of alteration is at its lowest. Live acquisition — imaging a system while it remains powered on and running — is used when powering down would destroy volatile evidence that has no persistent counterpart: encryption keys held only in RAM, active network connections, running processes, and memory-resident malware. Live acquisition trades some of dead-box’s evidentiary cleanliness for the ability to capture volatile state that would otherwise vanish the instant the machine is shut down.

Every live acquisition decision is a documented judgment call: what is captured, in what order (memory before disk, always — volatility dictates sequence), what tools were used, and why a dead-box approach was not chosen or not yet possible. NIST SP 800-86 addresses this order-of-volatility principle directly, and it is one of the first questions we brief a client on before touching a live system in the field, whether that’s a server rack outside Phoenix or a remote site reached through our nationwide response network.

Which Image Format — Raw, E01, or AFF4 — Should the Case Use?

The acquisition tool doesn’t just copy bits — it wraps them in a container format, and that format’s structure determines how efficiently the image stores, how it verifies, and what metadata travels with it. The three formats an examiner chooses among cover nearly every case scenario encountered in the field.

FormatStructureBuilt-in VerificationBest Suited ForKey Limitation
Raw / ddUnstructured bit-stream, no embedded metadataNone native — hash stored in a separate sidecar fileCross-tool portability, legacy compatibility, simple single-disk capturesNo compression, no case metadata, no per-block integrity check
E01 / EWF (EnCase Evidence Format)Segmented, compressed container with embedded metadataEmbedded CRC per block plus a stored MD5/SHA-1 hash of the full imageCasework requiring embedded chain-of-custody metadata and industry-standard tool compatibilityProprietary lineage; very large volumes can mean many segment files
AFF4 (Advanced Forensic Format 4)Open, extensible container built on standard archive structureNative support for multiple simultaneous hash algorithms per blockVery large or cloud-based sources, long-term archival, multi-source captures in one containerYounger ecosystem; fewer legacy tools support it natively

Format choice is driven by source size, destination tooling, and retention horizon — but whichever container is used, the underlying discipline is the same: the image must carry a verifiable hash and enough embedded case metadata that a second examiner, years later, can confirm exactly what was captured, when, and by whom.

Why Is Dual-Hash Verification Non-Negotiable?

A cryptographic hash is a one-way mathematical fingerprint of a data set — change a single bit anywhere in the source, and the resulting hash value changes completely and unpredictably. Computing a hash at the moment of acquisition, then recomputing it against the finished image, is what proves the copy matches the original with a mathematical certainty far beyond “the examiner says so.” Relying on a single algorithm is no longer sufficient practice; dual-hash verification, most commonly a legacy MD5 alongside a cryptographically stronger SHA-256, is the current standard precisely because it hedges against the known weaknesses of any one function.

AlgorithmOutput LengthCollision ResistanceRole in a Modern Exam
MD5128-bitBroken for adversarial collision attacks; unsuitable as a sole integrity controlRetained for legacy tool compatibility and cross-referencing older case files, never used alone
SHA-1160-bitDemonstrated collision vulnerabilities in adversarial contextsSecondary/legacy verification value; being phased out as a primary control industry-wide
SHA-256256-bitNo practical collision attack known at presentPrimary integrity hash on every acquisition and every re-verification on ingest

In practice this means every acquisition generates at least two hash values at capture, those values are logged in the case file before the source device is disconnected from the blocker, and the receiving examiner re-hashes the image on ingest into the lab environment before opening it for analysis. Any mismatch halts the exam immediately and triggers a documented investigation of the discrepancy — it does not get quietly re-run until the numbers agree.

Why Do Examiners Never Analyze the Original?

The original media, once imaged and hash-verified, is sealed and placed into evidence storage and is not touched again except to produce additional verified copies if needed. All analysis — file recovery, timeline reconstruction, keyword indexing, artifact parsing — is performed exclusively on a working copy generated from the verified image, and that working copy is itself hashed and compared before each analysis session begins. This “original never touched again” discipline is what allows an examiner to testify, without qualification, that nothing about the source evidence was altered by the examination process — because it demonstrably wasn’t. It is also what allows a case to survive a defense motion challenging the integrity of the evidence: the original sits in a sealed, logged evidence locker while the analysis happens on a mathematically identical, independently verifiable stand-in.

How Do Encrypted Drives, RAID Arrays, SSDs, and Cloud Sources Change the Methodology?

Not every source behaves like a simple spinning disk, and the imaging methodology adapts without abandoning its core guarantees.

Full-disk encryption

A drive encrypted at rest can still be imaged bit-for-bit at the ciphertext level — the image simply captures encrypted sectors, which are themselves hashed and verified like any other acquisition. Decryption, where lawfully authorized keys or passphrases are available, happens afterward against a working copy, never against the source, and the decrypted output is separately hashed as its own evidentiary artifact.

RAID arrays

Each physical member disk is imaged individually and hash-verified before the array’s logical structure — striping, parity, controller configuration — is reconstructed in software against the collected images. Imaging the array “live” through its controller risks capturing an inconsistent or controller-dependent view; imaging each member disk independently preserves the raw data regardless of controller failure or replacement.

Solid-state drives

SSD controllers perform background garbage collection and TRIM operations that can alter unallocated data even with a write-blocker in place, simply because the drive’s own firmware reclaims space independent of host commands. This is disclosed as a documented limitation specific to flash media, and where the case turns on recovering recently deleted data from an SSD, the acquisition is prioritized and time-stamped accordingly, with the limitation stated plainly rather than implied.

Cloud and SaaS sources

There is no physical disk to write-block. Acquisition instead relies on provider-native export and eDiscovery APIs, each pull is logged with the exact query, timestamp, and account scope used, and the resulting export is hashed on receipt the same as any local image. The custody chain for cloud evidence documents the platform, the authenticated method of access, and the export’s completeness relative to what the provider’s own audit logs report was retained — because the defensibility question in a cloud case is less about media integrity and more about scope and completeness.

What Does a Complete Chain of Custody Actually Contain, From Seizure to Testimony?

Chain of custody is not a single form signed once — it is a running ledger updated at every point the evidence changes hands, location, or state. The protocol Honeybadger Solutions applies on every intake follows the same sequence regardless of case size:

  1. Document the scene and device state at seizure — photograph the device in place, note power state, connected peripherals, and visible physical condition before anything is touched.
  2. Assign a unique evidence identifier to every item, recorded on an intake log with date, time, location, and the name and signature of the receiving examiner.
  3. Photograph serial numbers, model information, and any damage or tamper indicators before the device is packaged.
  4. Package the original in tamper-evident materials and apply a numbered seal, logged against the evidence identifier.
  5. Transport under continuous physical control or through a documented, signed courier chain — no unlogged gaps in custody.
  6. Attach the device to a validated write-blocker before any connection to an acquisition system, and log the blocker’s make, model, and validation status.
  7. Acquire the forensic image, computing dual cryptographic hashes (e.g., MD5 and SHA-256) at the moment of capture.
  8. Seal the original into evidence storage; it is not reopened absent a documented, case-justified reason.
  9. Transfer the verified image to the analysis environment and re-hash on ingest, logging a pass/fail result before any analysis begins.
  10. Perform all examination on a working copy only, with every access, tool run, and finding logged with a timestamp and examiner identity.
  11. Produce a report documenting acquisition method, hash values, tools and versions used, and findings, with the full custody log attached as an exhibit ready for direct and cross-examination.

This sequence exists because Federal Rule of Evidence 901 requires that evidence be authenticated — proven to be what it purports to be — before it is admitted, and a documented custody chain paired with hash-verified imaging is how that authentication burden gets met without relying on an examiner’s unsupported word. The Scientific Working Group on Digital Evidence (SWGDE) publishes the community-vetted best practices this protocol is built from, and it is the standard we hold ourselves to on every matter, whether the outcome is a civil deposition or a criminal referral.

What Happens When This Methodology Isn’t Followed?

The consequences of a broken hash, an unlogged transfer, or an unblocked acquisition are not abstract — they are the difference between evidence a court relies on and evidence a court excludes. We’ve written in detail about how that failure plays out in why cases get thrown out over chain-of-custody defects, and about what a client can do before an examiner is even retained in how to preserve digital evidence before hiring an examiner. This article is the other half of that picture: the methodology an examiner follows once evidence is in hand, engineered from the first write-blocked connection to the final testified hash value so that the chain never has a link worth challenging.

The same rigor applies whether the source is a live workstation, a wiped drive requiring deeper recovery techniques — see forensic data recovery after wiping — or a device tied to a broader investigation spanning physical and digital evidence together.

Frequently Asked Questions

Is a forensic image legally the same as the original device?

Not literally the same object, but courts treat a properly hash-verified forensic image as functionally identical to the original for evidentiary purposes, provided the acquisition method, write-blocking, and hash verification are documented and testified to under Federal Rule of Evidence 901’s authentication standard. The image stands in for the original precisely because its integrity is mathematically demonstrable rather than merely asserted.

Can an examiner image a device that is still powered on and in active use?

Yes, through a live acquisition, and it is sometimes necessary to capture volatile evidence — encryption keys in memory, active connections, running processes — that would be lost the moment the device powers down. Live acquisition follows a strict order-of-volatility sequence and every action taken on the live system is logged, because unlike dead-box imaging it necessarily involves some interaction with a running environment.

What happens if the hash values don’t match after imaging?

A hash mismatch halts the process immediately. The examiner documents the discrepancy, investigates the likely cause (media error, connection fault, or a compromised blocker), and re-acquires the image under corrected conditions before any analysis proceeds. A mismatch is never resolved by simply accepting the second result without explaining the first — the discrepancy itself becomes part of the documented record.

Does chain of custody matter as much in civil cases as in criminal cases?

Yes. Authentication under Federal Rule of Evidence 901 and its state-law equivalents applies in civil litigation, employment disputes, and regulatory matters just as it does in criminal proceedings. A custody defect that would get evidence excluded in a criminal trial can just as easily get a business record excluded — or an opposing expert’s report struck — in a civil case, which is why the same protocol runs on every engagement regardless of forum.

About Honeybadger Solutions

Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering in-house digital forensics, nationwide and internationally, from an Arizona home command. Our certified examiners perform hash-verified acquisitions and maintain continuous, documented chain of custody on every device — from a single laptop to a multi-terabyte enterprise environment — producing court-ready reports built to withstand cross-examination. We are headquartered in Casa Grande, with offices in Phoenix and Oro Valley, and we deploy remotely by design wherever a matter requires us.

If your matter depends on evidence that has to hold up — in a deposition, a hearing, or a courtroom — call 602-725-2818 to speak with our digital forensics team about acquisition, chain-of-custody documentation, and expert testimony support, anywhere in the United States or abroad.