Contingency Planning for Image Acquisition

Posted: September 18, 2013 in Uncategorized
Tags: , ,

Dealing with digital evidence falls under the Murhpy’s Law: “If anything can go wrong, it will go wrong!” Therefore, investigators need to take precautions to protect the evidence. Investigators should make a duplicate of the disk-to-image file and keep the original image intact for emergencies in case if something go wrong. It is the most common and time-consuming technique for preserving an evidence.

So, the standard practice is to make at least 2 images of the collected evidence. It is also advised to create each image with a different imaging tool, if possible, such as ProDiscover, FTK, or X-Ways Forensics. If there’s only one imaging tool, it is suggested to create an image with compression and another with no compressions with tools like EnCase or ProDiscover.

Keep in mind, there are many acquisition tools that don’t copy data in the Host Protected Area (HPA) unless using a hardware acquisition tool that can access the drive at the BIOS level like ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica. 

 

Source: GCFI, 4th ed, Ch4

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s