Restoration

Restoring the evidence file to another drive produces a cloned drive that can be used for many purposes. Often, this technique is used to boot the suspect’s machine with the cloned drive to conduct a myriad of special examinations, ranging from restore point analysis to using applications on the system. Also, using this method, you can see the system very much as the suspect did, which can provide valuable information that is difficult to obtain any other way.

EnCase provides the option to restore either the logical or the physical drive. If your original evidence is a physical device, restoring only the logical device does not allow the result to be verified as an exact copy. Usually, restoring the physical drive is the best method, especially ...
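The verification point above can be shown with a hash comparison. The following is an added example, not code from the book or from EnCase: it assumes 512-byte sectors and an MD5 acquisition hash, the function names are hypothetical, and the disk layout is constructed in memory. It hashes only the source's sector count on the target, so a larger target drive still verifies, and it shows a logical-only restore failing against the physical acquisition hash.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size in bytes

def hash_sectors(stream, sector_count, algo="md5", chunk_sectors=2048):
    """Hash exactly sector_count sectors from stream; raise if the stream is short."""
    h = hashlib.new(algo)
    remaining = sector_count * SECTOR
    while remaining:
        block = stream.read(min(remaining, chunk_sectors * SECTOR))
        if not block:
            raise ValueError("target ended before the source sector count was reached")
        h.update(block)
        remaining -= len(block)
    return h.hexdigest()

def verify_restore(target, source_sectors, acquisition_hash, algo="md5"):
    """True when the first source_sectors sectors of target match the acquisition hash."""
    try:
        return hash_sectors(target, source_sectors, algo) == acquisition_hash.lower()
    except ValueError:
        return False

def build_constructed_disk():
    """Constructed sample: 63 sectors before the volume, a 200-sector volume, 37 after."""
    pre = b"\x01" * (63 * SECTOR)
    volume = bytes(range(256)) * (200 * SECTOR // 256)
    post = b"\x02" * (37 * SECTOR)
    return pre, volume, post

def demo():
    pre, volume, post = build_constructed_disk()
    physical = pre + volume + post
    sectors = len(physical) // SECTOR
    acquisition_hash = hashlib.md5(physical).hexdigest()
    # Physical restore onto a larger target: sectors past the source size are ignored.
    physical_restore = io.BytesIO(physical + b"\x00" * (50 * SECTOR))
    # Logical restore: only the volume's sectors reach the target.
    logical_restore = io.BytesIO(volume + b"\x00" * (150 * SECTOR))
    return {
        "sectors": sectors,
        "physical": verify_restore(physical_restore, sectors, acquisition_hash),
        "logical": verify_restore(logical_restore, sectors, acquisition_hash),
    }

if __name__ == "__main__":
    print(demo())
```

For a real drive, pass the target opened read-only in binary mode together with the sector count and hash recorded at acquisition.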

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.
