Guide to Computer Forensics and Investigations Fifth Edition
Chapter 3 Data Acquisition

– Explain ways to determine the best acquisition method.
– Describe contingency planning for data acquisitions.
– Explain how to validate data acquisitions.
– Explain how to use remote network acquisition tools.

Understanding Storage Formats for Digital Evidence

Data in a forensics acquisition tool is stored as an image file.

Three formats
– Raw format
– Proprietary formats
– Advanced Forensics Format (AFF)

Makes it possible to write bit-stream data to files.

Advantages
– Fast data transfers
– Ignores minor data read errors on source drive
– Most computer forensics tools can read raw format

Disadvantages
– Requires as much storage as original disk or data
– Tools might not collect marginal (bad) sectors

Most forensics tools have their own formats.

Features offered
– Option to compress or not compress image files
– Can split an image into smaller segmented files
– Can integrate metadata into the image file

Disadvantages
– Inability to share an image between different tools
– File size limitation for each segmented volume

The Expert Witness format is unofficial standard

Garfinkel as an open-source acquisition format

Design goals
– Provide compressed or uncompressed image files
– No size restriction for disk-to-image files
– Provide space in the image file or segmented files for metadata
– Simple design with extensibility
– Open source for multiple platforms and OSs

Design goals (cont’d)
– Internal consistency checks for self-authentication

Types of acquisitions
– Static acquisitions and live acquisitions

Four methods of data collection
– Creating a disk-to-image file
– Creating a disk-to-disk
– Creating a logical disk-to-disk or disk-to-data file
– Creating a sparse data copy of a file or folder

Determining the best method depends on the circumstances of the investigation

– Most common method and offers most flexibility
– Can make more than one copy
– Copies are bit-for-bit replications of the original drive
– ProDiscover, EnCase, FTK, SMART, Sleuth Kit, XWays, iLookIX