The first phase of a digital investigation is the preservation of the digital crime scene.
The general procedure for acquiring a storage device is to copy one byte from the original storage device to a destination storage device and repeat the process.
The chunks of data that are transferred each time are typically a multiple of 512 bytes.
If an error is encountered while reading from the suspect drive, most programs will write a zero to the destination drive.
The National Institute of Standards and Technology (NIST) has conducted tests on common acquisition tools:
The acquisition process is a two-step process:
First, the data is read from a source, and
Second, the data is written to the destination.
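The read-then-write loop described above, with 512-byte-multiple chunks and zero-filling on read errors, as an added example that is not code from the original page or from any acquisition tool. `FlakySource`, `acquire`, and the per-sector retry of a failed chunk are assumptions made for illustration; the source "drive" is a constructed in-memory buffer.

```python
import hashlib

SECTOR = 512  # transfer sizes are multiples of this, as the text describes


class FlakySource:
    """Constructed stand-in for a suspect drive: reads touching a bad sector fail."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, pos):
        self.pos = pos

    def read(self, size):
        first, last = self.pos // SECTOR, (self.pos + size - 1) // SECTOR
        if self.bad.intersection(range(first, last + 1)):
            raise OSError(5, "Input/output error")
        out = self.data[self.pos:self.pos + size]
        self.pos += len(out)
        return out


def acquire(src, dst, total_bytes, chunk_sectors=8):
    """Copy src to dst chunk by chunk, zero-filling unreadable sectors.

    Returns (sha256 of the written image, list of zero-filled sector numbers).
    """
    digest, zeroed, offset = hashlib.sha256(), [], 0
    while offset < total_bytes:
        want = min(chunk_sectors * SECTOR, total_bytes - offset)
        try:
            src.seek(offset)
            block = src.read(want)          # step one: read from the source
        except OSError:
            # Assumption: retry the failed chunk one sector at a time so only
            # the sectors that cannot be read are replaced with zeros.
            block = b""
            for pos in range(offset, offset + want, SECTOR):
                n = min(SECTOR, offset + want - pos)
                try:
                    src.seek(pos)
                    block += src.read(n)
                except OSError:
                    block += b"\x00" * n    # keep offsets aligned in the image
                    zeroed.append(pos // SECTOR)
        dst.write(block)                    # step two: write to the destination
        digest.update(block)
        offset += want
    return digest.hexdigest(), zeroed
```

Recording the zero-filled sector numbers alongside the image hash lets an examiner later distinguish sectors that held zeros on the original from sectors that could not be read.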