Altered disk image

Any form of investigation on digital evidence can result in the contamination of or damage to the original data. With Ext4, for example, simply opening a file will change its accessed timestamp. Creating a logical copy of a file in NTFS will give the copy a new create timestamp, even though the last modified date will not change. After any of these changes the evidence would no longer be in its original form, and therefore could not be called best evidence.

In the following screenshot, the router compares the checksum of the compressed image with the expected value and detects that changes have been made. This checksum is much shorter than an MD5 hash (it is a CRC-32, so 32 bits rather than the 128 bits of MD5), so collisions are far more likely. That is adequate for a basic identity check, and Cisco IOS combines it with other methods for verifying the image's integrity. The operating system image is rejected on this basis:

Attempting to load a modified image onto a Cisco 2811 Router.
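To make the size argument concrete, here is an added example (not from the book and not Cisco's own verification code) that records CRC-32, MD5 and SHA-256 digests of a constructed sample image, checks a copy with one altered byte against them, and computes the birthday bound for each digest size, showing how much smaller the CRC-32 collision space is.

```python
import hashlib
import math
import zlib


def crc32_hex(data: bytes) -> str:
    """CRC-32 as 8 hex digits: a 32-bit check value, like the one in the screenshot."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def md5_hex(data: bytes) -> str:
    """MD5: 128-bit digest, 32 hex digits."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256: 256-bit digest, the usual choice for evidence hashing today."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(data: bytes) -> dict:
    """Record all three digests of an image at acquisition time."""
    return {"crc32": crc32_hex(data), "md5": md5_hex(data), "sha256": sha256_hex(data)}


def verify(data: bytes, recorded: dict) -> dict:
    """Per algorithm, does the image still match the value recorded earlier?"""
    current = fingerprint(data)
    return {alg: current[alg] == recorded[alg] for alg in recorded}


def birthday_bound(bits: int) -> float:
    """Approximate number of random inputs before a collision is more likely than not."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


# Constructed sample "image": a fake header plus filler, not a real IOS image.
ORIGINAL = b"CISCO-IMAGE-HEADER" + bytes(range(256)) * 16
# Flip one bit deep in the body, as a tampered copy would differ.
_tmp = bytearray(ORIGINAL)
_tmp[1000] ^= 0x01
ALTERED = bytes(_tmp)

if __name__ == "__main__":
    recorded = fingerprint(ORIGINAL)
    print("original:", verify(ORIGINAL, recorded))
    print("altered :", verify(ALTERED, recorded))
    for bits in (32, 128, 256):
        print(f"{bits:3d}-bit digest: ~{birthday_bound(bits):.3g} inputs for a 50% collision chance")
```

CRC-32 is guaranteed to catch any single-bit change, so all three checks fail on the altered copy; the birthday figures (roughly 77 thousand inputs for 32 bits against about 2 x 10^19 for 128 bits) are what make a 32-bit check unsuitable on its own.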

Despite not being best evidence, an altered disk image is not of zero value. An investigator may have to alter the information on an image as part of the process. Examples include opening a file in a hex editor to review its contents, or intentionally running a piece of malware in a sandbox to observe its behaviour. These actions would change the data on the disk, but the image would still be an important piece of evidence.
