Acquiring Forensic Data

• Image entire drives

  • dd can preserve block for block images
  • Ghost is not generally acceptable
  • Stand alone drive copiers / imagers

• Partition images may be used for analysis

• Logical images generally insufficient

  • Misses Free / Slack Space

• Logs (on other systems) should be preserved

• Network flows and captures should be preserved

• Other media?

  • Flash RAM
  • CD's
  • PDA's

Notes: