In the field or in the lab, forensics investigators normally collect one or more bit-stream images of the original evidence media. This image collection allows for subsequent analysis and reporting, leaving the original media (or another image) safely locked away. The method and number of image collection vary greatly by investigator preference and by mitigating factors presented by the case.
When collecting an image, the investigator can use the following high-level approaches:
Collect a bit-stream image from original media to an evidence file, referred to by NIST as a bit-for-bit copy (unaligned clone) of the original disk media.
Collect a bit-stream image from original media to an evidence disk, referred to by NIST as a bit-stream ...
No credit card required