Computer Systems Forensic Analysis

Storing Acquired Data

There are 2 main approaches to acquiring data.

Cloning

  • it is recommended to use drives of the same size.

  • If the clone driver is bigger, where does the cloned data end?

  • It is highly recommended to zero out first the drive before cloning.

  • The drive geometry of the clone might be different.

  • Some OS, namely Windows, by default auto mount drives, so you need to write blockers to analyze the clones.

Imaging

Imaging the drive is the most common approach.

  • it is not vulnerable to auto-mount by the OS.

  • An image will always be mounted as read-only, with no need for a write blocker.

  • It is possible to simulate read/write operations.

  • The changes will be stored in a cache file, leaving the original intact.

  • This way one drive can store image files from several different media.

  • The image file can be split into smaller files to fit in a DVD.

PreviousWrite Protection of Evidence MediaNextImage File Acquisition

Last updated