Embedded Files
Cloning a hard drive or making a Forensic Copy
https://www.cse.scu.edu/~tschwarz/coen152_05/Lectures/HDDuplication.html
https://atola.com/products/insight/disk-duplication.html
https://acumendisc.com/products/forensic-3hdd
The newly introduced Forensic Hard Drive Duplicator offer a convenient way to quickly clone your hard drive with the flexibility of disk-to-disk and disk-to-file duplication for SATA hard drive.
It is a quick and easy 3 target(s) hard drive copier, which you can duplicate your original drive to 3 different SATA Hard Drives or Solid State Drives.
The Forensic Kit comes with a durable case to protect the Hard Drive Duplicator as it features as a stand alone machine. So you do not have to connect the duplicator to a computer. Simply plug in the source drive and the target drive(s) into their respect slot and with a press of a button, your hard drive(s) will be duplicated.
Key Features of the Forensic duplicator includes blocking any modification to the source HDD. No data will be changed when the computer access the source HDD through USB connection.
What is a Forensic Image? What is a Clone? How is a Forensic Image different than a Clone?
A Forensic Image is a comprehensive duplicate of electronic media such as a hard-disk drive. Artifacts (Information or data created as a result of the use of an electronic devices that show past activity) such as deleted files, deleted file fragments, and hidden data may be found in slack (Unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file is stored and unallocated space (The unused portion of a hard drive). This exact duplicate of the data is referred to as a bit-by-bit copy of the source media and is called an Image. Images are petrified snapshots, that are used for analysis and evidence preservation. Images cannot be used as working copies.
A Forensic Clone is also a comprehensive duplicate of electronic media such as a hard-disk drive. Artifacts such as deleted files, deleted file fragments, and hidden data may be found in its slack and unallocated space. This exact duplicate of the data is referred to as a bit-by-bit copy of the source media and is called a Clone. Clones are working snapshots, that are modifiable and not necessarily preserved. Clone are used as working copies to replace original evidence for analysis as well as data preservation purposes.
A hash (An error detection scheme which performs calculation on the binary value of the packet/frame and then which is appended to the packet/frame as a fixed-length field. Once the packet/frame is received a similar calculation is performed. If the result does not match the first calculation then a data change occurred during transmission. The calculation can be a sum (Checksum), a remainder of a division or the resulting of a hashing function) of an original device can validate if media is an exact duplicate (forensically sound copy). Any variation in the hash value of an original to its Clone or Image will confirm that they are not exact copies. This is of importance to know when dealing with legal matters.
Why does it matter at your law firm for a legal case?
While a Clone can be used for digital forensic analysis, it is typically used to create working copies or exact replacement drive.
Images are primarily used to forensically analyze and to preserve original data. They are petrified and in their Image format cannot be modified.
An attorney was led to believe an Image and Clone were the same. The attorney asked for an Image so they could review files from a computer. Capsicum is a good company and their experts explained that without forensic tools the Image was not readable. They explained that while a Clone could be reviewed and searched, original data would be modified. In the end, after collaborating with the attorney, they produced both Clone and Image.
Page updated
Google Sites
Report abuse