With all of the advancements in technology and the expanding use of cloud computing, most organizations still allow, and even encourage, users to store information on their hard drives. That means that information contained on hard drives must be preserved for e-discovery purposes once custodians and types of ESI have been identified. Removal of that information must be done forensically — keeping both the deleted information and the active information on the drive intact as well as the metadata for that information. There are two types of images that can be made: an active image, that copies only the active information on the drive, i.e. what has not been deleted, and a forensic image that copies both the active and the deleted information. In e-discovery, unless you have an agreement with the other side to only image active information, failure to preserve the deleted information (sometimes called unallocated space) may be spoliation.
So know your requirements and communicate with IT. Make sure IT knows that legal needs a forensic image and not just an active one. If you are using an outside vendor, make sure the tool that’s being used copies the unallocated space and the active information and preserves the metadata. The cost difference is minor considering the risk.