Chapter 5: Capturing the Data Image


In This Chapter

  • Understanding full volume images

  • Understanding partial volume images

  • Understanding the pros and cons of imaging full and partial volumes

  • Exploring disk and memory imaging and capture tools

Now that you have a background in what constitutes computer evidence, and you are familiar with the various computer components and some of the common tasks a computer forensics investigator performs, it's time to look at what happens when an investigation begins. Just like any other items of evidence, computer system components and other electronic devices must be handled correctly. An examiner must follow certain procedures for documenting their receipt and handling. Each computer examination is unique, and the investigator must consider the total effects of the circumstances as the investigation proceeds.

A forensic investigator must also be familiar with the types of evidence that may be encountered on a machine and how to properly preserve each type. Properly processing computer evidence starts with capturing the data in proper order. When you encounter a particular situation, should you immediately turn the machine off or should you leave it running and examine it quickly? What happens to the evidence when the machine is shut down? This chapter will answer these questions and more as we look at how to extract the evidence once an investigation is needed.




Computer Forensics JumpStart
ISBN: 0470931663
EAN: 2147483647
Year: 2004
Pages: 153
