CHAPTER 7
Forensic Duplication
 
In the previous chapters, we’ve explained how to obtain volatile data from Windows and Unix systems. In many cases, the data collection process is a prelude to performing a forensic duplication, which is the subject of this chapter. The decision of when to perform a forensic duplication should be based on the response strategy that you’ve already formulated (see Chapter 2).
Before we explain the actual procedures for forensic duplication, we will address how forensic duplication data can be used as legal evidence and define related terms. Then, we will look at some generally accepted tools and techniques used to obtain a forensically sound duplicate image.
FORENSIC DUPLICATES AS ADMISSIBLE EVIDENCE
What requirements ...

Excerpt from Incident Response & Computer Forensics, 2nd Edition, on the O’Reilly learning platform.
