In the previous chapters, we’ve explained how to obtain volatile data from Windows and Unix systems. In many cases, the data collection process is a prelude to performing a forensic duplication, which is the subject of this chapter. The decision of when to perform a forensic duplication should be based on the response strategy that you’ve already formulated (see Chapter 2).
Before we explain the actual procedures for forensic duplication, we will address how forensic duplication data can be used as legal evidence and define related terms. Then, we will look at some generally accepted tools and techniques used to obtain a forensically sound duplicate image.
FORENSIC DUPLICATES AS ADMISSIBLE EVIDENCE
What requirements ...