Chapter 3. The Basics of Hard Drives and Storage Media
We hear a lot of questions about hard drives and what to do with them. The answer is simple: Make an image copy and then restore the image to a freshly wiped hard drive for analysis (as we describe in Chapter 7). After you’ve restored the image, you have to mount it so that it can be recognized during your analysis—this step is different depending upon the filesystem used on the original drive. At this point, you have two different forms of evidence—the original drive and one or more exact copies of it. Remember, we are talking about evidence that may eventually wind up in either criminal or civil court, so you have to take proper precautions to ensure that the evidence is not damaged or ...
Get Computer Forensics: Incident Response Essentials now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
