Full forensic image meaning

A full forensic image is a bit‑for‑bit copy of a data source (for example a hard drive, server, mobile phone or cloud account) that captures all electronically stored information (esi), including system and file metadata, deleted items and unallocated/slack space. It is performed using forensic tools and write‑blockers, with cryptographic hash values recorded and a documented chain of custody, so the integrity and authenticity of the evidence can be verified. The term is not defined in legislation or case law; it is a technical expression used across civil disclosure/eDisclosure, criminal proceedings, and regulatory or internal investigations. Practitioners commission a full forensic image to preserve electronic evidence in a defensible manner, enable repeatable analysis without altering the original, and support disclosure and investigatory duties. In England and Wales it commonly underpins disclosure exercises under the CPR (including PD 57AD and PD 31B). Comparable practices are followed in Scotland, Northern Ireland and Ireland, and while procedural rules vary, the core approach to forensically sound preservation is broadly consistent. By contrast, a logical or targeted collection captures only selected files. Because a full forensic image is broader, issues of proportionality, privacy and legal authority should be assessed.