± Forensic Focus Partners

± Your Account



Site Members:

New Today: 1 Overall: 33061
New Yesterday: 3 Visitors: 180

± Follow Forensic Focus

Forensic Focus Facebook Page Forensic Focus on Twitter Forensic Focus LinkedIn Group Forensic Focus YouTube Channel

RSS feeds: News Forums Articles

± Latest Articles

± Latest Webinars

Windows Drive Acquisition

Thursday, October 19, 2017 (12:00:10)

Windows Drive Acquisition

by Oleg Skulkin & Scar de Courcier

Before you can begin analysing evidence from a source, it first of all needs to be imaged. This describes a forensic process in which an exact copy of a drive is made. This is an important step, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence in any way.

The term forensic image can refer to either a physical or a logical image. Physical images are precise replicas of the drives they reference, whereas a logical image is a copy of a certain volume within that drive. In general, logical images show what the machine’s user will have seen and dealt with, whereas physical images give a more comprehensive overview of how the device works at a higher level.

Read More

0 comments

Log in to post a comment. The comments are owned by the poster. Forensic Focus is not responsible for their content.
Threshold


Build a Mobile Site
View Site in Mobile | Classic
Share by: