Understanding full volume images
Understanding partial volume images
Understanding the pros and cons of imaging full and partial volumes
Exploring disk and memory imaging and capture tools
Now that you have a background in what constitutes computer evidence, and you are familiar with the various computer components and some of the common tasks a computer forensics investigator performs, it's time to look at what happens when an investigation begins. Just like any other item of evidence, computer system components and other electronic devices must be handled correctly. An examiner must follow defined procedures for documenting their receipt and handling. Each computer examination is unique, and the investigator must consider the total effect of the circumstances as the investigation proceeds.
A forensic investigator must also be familiar with the types of evidence that may be encountered on a machine and how to properly preserve each type. Properly processing computer evidence starts with capturing the data in proper order. When you encounter a particular situation, should you immediately turn the machine off or should you leave it running and examine it quickly? What happens to the evidence when the machine is shut down? This chapter will answer these questions and more as we look at how to extract the evidence once an investigation is needed.