Why do you need to be careful about the utilities you choose to use for disk imaging?
What is an HPA?
How does a mirror image differ from a forensic duplicate?
How can you verify that in imaging the source media, the original media is unchanged?
Name a tool that can be used to image the data in the memory of a PDA.
What does the Netstat utility do?
When collecting evidence, which do you want to extract first: the information in memory or on the hard drive?
Why can choosing the method used to shut down a suspect computer be a difficult decision to make?
If you need to boot a suspect computer to make an image copy, how should you do it?
Name three programs or utilities that can be used to collect forensic images.