Chapter 5

Capturing the Data Image

  • Understanding full volume images
  • Understanding partial volume images
  • Understanding the pros and cons of imaging full and partial volumes
  • Exploring disk and memory imaging and capture tools

It’s time to look at what happens as an investigation begins. As with any other items of evidence, computer system components and other electronic devices must be handled correctly. An examiner must follow certain procedures to document their receipt and handling. Each computer examination is unique, and the investigator must consider the total effects of the circumstances as the investigation proceeds.

A forensic investigator must also be familiar with the types of evidence that may be encountered on a machine and how to properly preserve each type. Properly processing computer evidence is extremely important because information gathered may end up as evidence in a legal proceeding. Forensic investigators must start by capturing the data in the proper order. When you encounter a situation, should you immediately turn the machine off or should you leave it running and examine it quickly? What happens to the evidence when the machine is shut down? This chapter answers these questions and more as we explain how to extract the evidence once an investigation gets underway.
