Alternate Data Storage Forensics

Factors Limiting the Wholesale Seizure of Hardware

Earlier we contrasted the historic seizure context with the current context and discussed how the historic context placed a focus on the on-scene seizure of data objects, as compared to the current situation, where the focus of the on-scene activities is to seize all the physical containers. The question I pose to you is this: Are we heading in the right direction by focusing on the seizure of the physical hardware (the container items) rather than focusing on the seizure of the relevant information (data objects)?

Earlier seizures of digital evidence focused on data objects because it was impractical to attempt to image an entire server, based on the high costs of storage media. I suggest we are heading toward a similar impracticality, although this time our inability to seize all the information is based on a number of different factors, including massively large storage arrays, whole-disk encryption, the abundance of non-evidentiary information on media and related privacy concerns, and the time involved in laboratory forensic analysis. At some point in the future, the process by which we image entire pieces of media for forensic analysis will become obsolete (Hosmer, 2006).

I suggest we make the distinction that there are other options beyond wholesale seizure available to our responders. We need to train our responders to have the ability to perform on-scene data preview, full data-image, and imaging of only the relevant data objects. Further, we need to begin to change the wholesale...
