CHAPTER 7
Forensic Duplication
 
In the previous chapters, we’ve explained how to obtain volatile data from Windows and Unix systems. In many cases, the data collection process is a prelude to performing a forensic duplication, which is the subject of this chapter. The decision of when to perform a forensic duplication should be based on the response strategy that you’ve already formulated (see Chapter 2).
Before we explain the actual procedures for forensic duplication, we will address how forensic duplication data can be used as legal evidence and define related terms. Then, we will look at some generally accepted tools and techniques used to obtain a forensically sound duplicate image.
FORENSIC DUPLICATES AS ADMISSIBLE EVIDENCE
What requirements ...

Get Incident Response & Computer Forensics, 2nd Ed., 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.