Content deleted Content added
Fixed some of the grammar problems. |
|||
Line 42:
Once exhibits have been seized, an exact [[Disk sector|sector]] level duplicate (or "forensic duplicate") of the media is created, usually via a [[Forensic disk controller|write blocking]] device. The duplication process is referred to as ''[[Disk imaging#Hard drive imaging|Imaging]]'' or ''Acquisition''.<ref name="horenbeeck"/> The duplicate is created using a hard-drive duplicator or software imaging tools such as [[DCFLdd]], [[IXimager]], [[Guymager]], TrueBack, [[EnCase]], [[Forensic Toolkit|FTK]] Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
The acquired image is verified by using the [[SHA-1]] or [[MD5]] [[cryptographic hash function|hash function]]s. At critical points throughout the analysis, the media is verified again, a process known as "hashing", to ensure that the evidence is still in its original state.
==Analysis==
| |||