A bitstream is a sequence of bits that is transferred from one device to another. Remember that all types of data are made up of bits, the most basic unit of information. As such, a bitstream applies to all data, be it an audio, image, or any other type of file. For example, every time you listen to your favorite song, you hear a bitstream audio or a sequence of bits that make it up.

In digital forensics, the term “bitstream” means having an exact bit-by-bit copy of a picture, file, folder, or any data point that serves as digital evidence. It can even refer to any kind of electronic media and all its contents. Even the available space in a copied disk is also reflected in a bitstream.

Other interesting terms…

Read More about “Bitstream”

In criminal investigations, a bitstream is used to create an exact image of evidence. It is commonly referred to as a “bitstream image,” although it is also known by different names, including “mirror image,” “exact-copy image,” “disk duplicate,” and “forensic image.” Regardless of what they are called, bitstream images are essentially duplicate copies of an original electronic media, such as cellular phones, laptops, computers, and hard drives.

What Does a Bitstream Image Include?

Since bitstream images or copies are bit-by-bit duplications of any electronic medium, they capture every detail, including relevant spaces, such as:

  • Used space where the files are stored
  • Unallocated space, which is the free space where new files are stored
  • Slack space or the unused portion of the space allocated to a file or program

Everything within these spaces is copied, including deleted files, hidden data, and other information indicating past activities performed on the hard drive.

Why Are Bitstream Images Important?

Accuracy is critical when working with any evidence, whether physical or digital. For instance, investigators take as many pictures of every corner and detail as possible when analyzing a crime scene. That way, they can still see how the area looks and where critical items are placed, even after processing and cleaning the crime scene.

A bitstream image uses a similar method to preserve computer evidence, protecting it from getting contaminated and allowing it to retain its original state. This preservation ensures the evidence would be admissible in court.

What’s the Difference between a Bitstream Image and a Forensics Clone?

Knowing what a bitstream is may lead to confusion when you hear of other terms, such as “forensic clone.” Are the two the same? If not, how do they differ?

The main difference between a bitstream or forensics image and a forensics clone lies in their purpose. A bitstream image is meant for evidence preservation while a forensics clone is created for evidence analysis.

Since bitstream images are designed for evidence preservation, they can only be read using specialized digital forensic tools. If you need to analyze the data on bitstream images, a more appropriate duplication method is forensic cloning.

Like a bitstream image, a forensic clone is a bit-by-bit copy of an electronic medium. However, it is designed for evidence analysis instead of preservation. Crime investigators and analysts can open the file without worrying about their operating system (OS) writing to the copy.

How Do You Verify the Accuracy of a Bitstream Image?

Now that you know what a bitstream is, you may be wondering how accurate it is. You aren’t alone. Forensic examiners and lawyers also want to make sure that a bitstream image used in a case is faultless and hasn’t been tampered with.

Verification is performed by forensic examiners using a unique identifier called a “hash value.” A hash value is a numerical code unique to every bit of data.

Before creating a bitstream image of a device, crime investigators create a hash value first. Once the hash value is created, the investigator proceeds with creating the bitstream image, along with the copy’s hash value. The hash values of the original device and the bitstream image are then compared. Any discrepancy would invalidate the accuracy of the bitstream image.

Evidence preservation is one of the most critical aspects of crime investigations. Without it, crimes may not be adequately solved, and law enforcers may not catch the right culprits. In fact, evidence preservation has helped exonerate hundreds of people, including those on death row.

For this reason, it’s essential to create bitstream images of electronic media involved in any case. That prevents anyone from tampering with evidence, whether intentionally or by mistake.