A forensic image is an exact copy of the whole of a hard drive, USB memory stick, or other digital media or, dependent upon the circumstances, individual files or folders. Forensic imaging is the core start point of computer forensic investigations in that the original media is preserved in its current state and all further work is carried out on the forensic copy, which itself has been run through a process to check and verify that it is a true copy of the original item.

In certain circumstances, it may be necessary to access the original data held on a computer or on storage media, but the person doing so must be competent and be able to give evidence explaining the relevance and the implications of their actions.

Whilst most forensic imaging proceeds smoothly, using industry standard tools, software and procedures, this outcome can never be relied upon and the personnel undertaking this process should be well trained.

Similarly, when beginning a forensic imaging process, one can never know exactly where any subsequent investigation will end up. It is not uncommon for an analyst processing a case which is purely for email recovery, for example, to stumble across material which results in the dismissal of an employee, or a prosecution in a criminal court. The forensic personnel and the processes used should always be capable of withstanding rigorous examination by a court or tribunal.