The Evolution of Evidence Capture
In the not too distant past everything of any importance was recorded on paper. Copies were laboriously written out by a myriad of clerks, and alterations were relatively easy to spot when compared with the original. Next came the typewriter and then the photocopier, great labour-saving devices, but spotting false documents became more difficult. A whole branch of Forensic Science arose from this to deal with the matter of ‘Questioned Documents’.
The arrival of mass storage devices created even more problems as far as copies were concerned. Information was no longer stored in easily readable words but as a series of magnetic impulses recorded on tape and disk. How then was this to be copied or produced in readable form? There were two simple answers:
- The answer to creating a copy was to take a ‘bit’ image of the drive which recorded all of the data on a disk. This proved a fairly reliable but cumbersome method, as the image had to be restored to the original or an identical disk, and it only really existed in the world of the mainframe and mini-computer.
- The most obvious way to produce data in a readable form was the printout. Simple? – Yes; but how then to check the information in its original form? The answer was to call upon the services of a multitude of ‘experts’ to recreate the original system and reproduce the printouts (at what cost?). Luckily for the investigator, access to computers in the early days was limited to large companies and the incidence of computer data during investigations was sparse.
The advent of the IBM PC and its many variants introduced new problems into the world of investigation: the volume of data, the ability to change data without trace and the ability to hide or delete data. Computing was made available to the masses, which naturally included the criminal fraternity. It was apparent that specialist knowledge was needed to investigate this new technology, and thus was born the art of ‘Forensic Computer Examination’.
Initially, the only method available to the investigator was to obtain a backup of the files on a disk, restore those files to another disk and go through them one at a time.
Many early backup packages used the ‘imaging’ method, but by the mid to late 1980s they were being replaced by software which allowed the user to back up and restore selected files. This was a leap forward as far as the user was concerned, but not much use for investigators. Selective backup operates at the file system level and consequently does not copy free and slack space (residual data): not very satisfactory when you are looking for that elusive deleted file.
The next step was to examine the original media with a disk editor.
Many a long hour has been spent with a disk editor going through each sector of the original disk, only to be met at the end of the day with the allegation that the investigator has somehow tampered with the original media. A principle that emerged from these allegations (and which is now being widely adopted by law enforcement agencies) is:

"No action taken by anybody performing an investigation on a computer should change data held on that computer or other media which may subsequently be used as evidence."

Whilst it seems to be common sense, it is surprising how many people do not realise the consequences of just ‘booting’ a PC under its own operating system. Date and time stamps (which may be crucial) will change and allegations of tampering will be made.
This is where taking an ‘image’, and working solely on that image, preserves the data in its original form. The adaptation of imaging to the investigation of magnetic media, together with the appropriate software, now gives the ‘Forensic Computer Examiner’ free rein over all of the data on a disk without fear of corrupting the original. The untrained or inexperienced user will fall into traps and cause problems – perhaps even invalidating any evidential data found. Today there are accepted guidelines for good practice.
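The difference between a selective backup and a bit image, and the value of working only on the image, can be made concrete with a small simulation. The Python script below is an added example and not code from the article: it builds a constructed toy disk of eight 16-byte sectors with a directory that, like early PC file systems, only drops the directory entry when a file is deleted. A file-level backup sees live files and live bytes only, whereas the sector-by-sector image also carries the free space and the slack at the tail of a live file's last sector; a hash taken at acquisition lets the examiner show later that the image still matches the untouched original. Sector sizes, file names and file contents are all constructed for the illustration.

```python
import hashlib

SECTOR_SIZE = 16    # constructed toy sector size (real disks use 512 or 4096)
SECTOR_COUNT = 8


class ToyDisk:
    """Constructed stand-in for a physical disk: a flat byte array plus a
    directory mapping filename -> (first_sector, byte_length). Deleting a
    file only removes the directory entry; the bytes stay until overwritten."""

    def __init__(self):
        self.raw = bytearray(SECTOR_SIZE * SECTOR_COUNT)
        self.directory = {}       # name -> (first_sector, byte_length)
        self.allocated = set()    # sector numbers used by live files

    @staticmethod
    def sectors_needed(n):
        return max(1, -(-n // SECTOR_SIZE))   # ceiling division

    def write_file(self, name, data):
        need = self.sectors_needed(len(data))
        start = 0
        while start + need <= SECTOR_COUNT:   # first-fit contiguous run
            run = range(start, start + need)
            if not any(s in self.allocated for s in run):
                break
            start += 1
        else:
            raise OSError("disk full")
        offset = start * SECTOR_SIZE
        # Only len(data) bytes are written: the tail of the last sector
        # (slack space) keeps whatever it held before.
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (start, len(data))
        self.allocated.update(run)

    def delete_file(self, name):
        start, length = self.directory.pop(name)
        self.allocated.difference_update(
            range(start, start + self.sectors_needed(length)))
        # No bytes are touched: the content is now free-space residue.


def file_level_backup(disk):
    """What a selective backup package sees: live files, live bytes only."""
    out = {}
    for name, (start, length) in disk.directory.items():
        off = start * SECTOR_SIZE
        out[name] = bytes(disk.raw[off:off + length])
    return out


def bit_image(disk):
    """Sector-by-sector copy of the whole device plus a digest of the source
    taken at acquisition, so the copy can be shown to be faithful later."""
    image = bytes(disk.raw)
    return image, hashlib.sha256(image).hexdigest()


def image_matches(disk, digest):
    """Re-hash the original; any change after acquisition breaks the match."""
    return hashlib.sha256(bytes(disk.raw)).hexdigest() == digest


def slack_of(disk, name):
    """Bytes between the end of a live file's data and the end of its last sector."""
    start, length = disk.directory[name]
    end_of_data = start * SECTOR_SIZE + length
    end_of_sector = (start + disk.sectors_needed(length)) * SECTOR_SIZE
    return bytes(disk.raw[end_of_data:end_of_sector])


def find_residue(blob, needle):
    """Offsets at which `needle` occurs anywhere in the image, allocated or not."""
    hits, i = [], blob.find(needle)
    while i != -1:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits


def scenario():
    """Write a sensitive file, delete it, partly overwrite it, then capture the
    disk both ways. Returns (backup, image, digest, disk)."""
    disk = ToyDisk()
    disk.write_file("memo.txt", b"CONFIDENTIAL-PLAN-2024")  # 22 bytes, sectors 0-1
    disk.delete_file("memo.txt")                             # entry gone, bytes remain
    disk.write_file("note.txt", b"hello")                    # 5 bytes into sector 0
    backup = file_level_backup(disk)
    image, digest = bit_image(disk)
    return backup, image, digest, disk


if __name__ == "__main__":
    backup, image, digest, disk = scenario()
    print("file-level backup :", backup)
    print("slack of note.txt :", slack_of(disk, "note.txt"))
    print("residue offsets   :", find_residue(image, b"PLAN-2024"))
    print("image still valid :", image_matches(disk, digest))
```

After the scenario runs, the backup holds nothing but `note.txt`, while the image still carries `DENTIAL-PLA` in the slack of the live file and `N-2024` in free space, exactly the residual data the text says a selective backup cannot deliver. Flipping a single bit on the original (as booting it and updating a timestamp would) makes `image_matches` return False, which is the check that lets an examiner answer an allegation of tampering with evidence rather than assertion.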