Dealing with digital evidence falls under the Murhpy’s Law: “If anything can go wrong, it will go wrong!” Therefore, investigators need to take precautions to protect the evidence. Investigators should make a duplicate of the disk-to-image file and keep the original image intact for emergencies in case if something go wrong. It is the most common and time-consuming technique for preserving an evidence.
So, the standard practice is to make at least 2 images of the collected evidence. It is also advised to create each image with a different imaging tool, if possible, such as ProDiscover, FTK, or X-Ways Forensics. If there’s only one imaging tool, it is suggested to create an image with compression and another with no compressions with tools like EnCase or ProDiscover.
Keep in mind, there are many acquisition tools that don’t copy data in the Host Protected Area (HPA) unless using a hardware acquisition tool that can access the drive at the BIOS level like ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica.
Source: GCFI, 4th ed, Ch4