The Imaging Process

Part of your role as an investigator is to ensure that a nearly perfect snapshot of the system can be taken. The challenge is that nearly anything you do to a system can change it. For example, unplugging the network cable will change the system—but leaving the network plugged in will change it, too. Even if you decide to do nothing, the system will change because its clock will continue keeping time. It’s easy to see the dilemma that a computer forensic investigator faces!

It’s important to capture as accurate a representation of the system as possible and to document each step that you take along the way. Remember, any information gathered may end up in court, so you need to be ready (and able) to defend your processes. At ...
