Digital forensic process: Difference between revisions

m clean up; http->https (see this RfC) using AWB
Disambiguated: FTK → Forensic Toolkit
Line 53:
[[File:Tableau TD3 Forensic Imager 2014-06-26 07-05.jpg|thumb|Example of a portable disk imaging device]]
 
Once exhibits have been seized an exact [[Disk sector|sector]] level duplicate (or "forensic duplicate") of the media is created, usually via a [[Forensic disk controller|write blocking]] device, a process referred to as ''[[Disk imaging#Hard drive imaging|Imaging]]'' or ''Acquisition''.<ref name="horenbeeck"/> The duplicate is created using a hard-drive duplicator or software imaging tools such as [[DCFLdd]], [[IXimager]], [[Guymager]], TrueBack, [[EnCase]], [[Forensic Toolkit|FTK]] Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
 
The acquired image is verified by using the [[SHA-1]] or [[MD5]] [[cryptographic hash function|hash function]]s. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state.
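
Review bot: In the tool list on the changed line, the new link [[Forensic Toolkit|FTK]] Imager covers only the letters "FTK" and leaves "Imager" as plain text, so the link points at the Forensic Toolkit article while the sentence is naming an imaging tool, FTK Imager. Please confirm that the target article actually covers FTK Imager, and if it does, pipe the whole name as [[Forensic Toolkit|FTK Imager]] so the link text matches the tool being cited. If it does not, leaving the name unlinked would be more accurate than linking part of it.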