7. Data Acquisition

A key rule of digital forensic investigation is that one never works with the original data. In some cases, as with live memory, working on the original isn’t feasible anyway. The primary reason for the rule, however, is that working on a copy offers several advantages:

• The hash values of the original can be compared to those of the copy to assure authenticity.

• If one makes a mistake, it is easy enough to start over on a fresh copy.

• The approach used for one type of data may not work well with another type, and a fresh copy, complete with matching hash values, assures integrity of the data.

• Loss, theft, or corruption of the copy image does not end the investigation.

• The courts insist that investigators work that way unless demonstrably impossible.
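
The hash comparison described in the list above, as an added example that is not from the book: the source is hashed while it is copied, the image is re-read and hashed, and a single altered byte in a working copy is shown to break the match. The file names, chunk size and sample data are constructed for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read once."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire(source, image):
    """Copy source to image block by block, hashing the source as it is read."""
    src_digests = {name: hashlib.new(name) for name in ("md5", "sha256")}
    with open(source, "rb") as src, open(image, "wb") as dst:  # source is read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            for d in src_digests.values():
                d.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hashes = {n: d.hexdigest() for n, d in src_digests.items()}
    # Re-read the image from disk so the check covers what was actually written.
    image_hashes = hash_file(image)
    return source_hashes, image_hashes, source_hashes == image_hashes


def demo():
    """Acquire a constructed 'evidence' file, then alter one byte of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence.bin")  # constructed sample data
        image = os.path.join(tmp, "evidence.img")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample sector\n" * 100_000)
        src_hashes, _, verified = acquire(source, image)
        with open(image, "r+b") as fh:              # simulate a corrupted copy
            fh.seek(4096)
            fh.write(b"\x00")
        still_matches = hash_file(image) == src_hashes
        return verified, still_matches
```

Recording two independent digests means a match does not rest on a single algorithm, and the recorded source hashes let any later working copy be checked without touching the original again.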

Get Digital Archaeology: The Art and Science of Digital Forensics now with the O’Reilly learning platform.
