August 2013
Intermediate to advanced
600 pages
16h 8m
English
A key rule of digital forensic investigation is that one never works with the original data. In some cases, as with live memory, that isn’t feasible in any case. The primary reason, however, is that working on a copy offers several advantages:
• The hash codes of the original can be compared to the copy to assure authenticity.
• If one makes a mistake, it is easy enough to start over on a fresh copy.
• The approach used for one type of data may not work well with another type, and a fresh copy, complete with matching hash values, assures integrity of the data.
• Loss, theft, or corruption of the copy image does not end the investigation.
• The courts insist that investigators work that way unless demonstrably impossible.