Computer Forensics Investigating Data & Image File [C|EH]

[EC Council / [C|EH] – Full Disclousure

Introduction to Data Acquisition and Duplication

This chapter focuses on data acquisition and data duplication. Data acquisition is the act of taking possession of or obtaining control of data and adding it to a collection of evidence. Data duplication is the act of making a copy of data already acquired to preserve the original evidence in pristine condition. The chapter starts by discussing how to determine the best data acquisition methods for a certain situation. It then discusses how to make sure crucial data is not lost during the acquisition process. The chapter then covers the importance of data duplication before moving on to descriptions of the tools investigators use for data acquisition and duplication.

Data Recovery Contingencies

Investigators must make contingency plans when data acquisition failure occurs. To preserve digital evidence, investigators must create a duplicate copy of the evidence files. In case the original data recovered is corrupted, investigators can make use of the second copy. Investigators can use forensic tools such as EnCase and SafeBack to obtain multiple copies. Typically, computer forensic investigators make at least bit-stream image copies of the digital evidence that is collected. Investigators have at their disposal more than one bit-streaming tool. They should use at least two of these tools to make copies of the digital evidence in case one tool doesn’t properly acquire the data. During the data recovery process, an investigator must remember not to make any changes to the digital evidence. Forensic activities must be performed only on the bit-stream copies of digital evidence to ensure that the original evidence is not altered or corrupted.

Read More & Download In Here [PDF Format]

Some content on this page was disabled on March 8, 2017 as a result of a DMCA takedown notice from Cengage Learning. You can learn more about the DMCA here: