Digital forensic process: Difference between revisions

m Reverted edits by Parzival_Tron_Neo (talk): not providing a reliable source (WP:CITE, WP:RS) (HG) (3.4.4)
Line 40:
[[File:Tableau TD3 Forensic Imager 2014-06-26 07-05.jpg|thumb|Example of a portable disk imaging device]]
 
Once exhibits have been seized, an exact [[Disk sector|sector]] level duplicate (or "forensic duplicate") of the media is created, usually via a [[Forensic disk controller|write blocking]] device. The duplication process is referred to as ''[[Disk imaging#Hard drive imaging|Imaging]]'' or ''Acquisition''.<ref name="horenbeeck"/> The duplicate is created using a hard-drive duplicator or software imaging tools such as [[DCFLdd]], Ditto Forensic FieldStation, [[IXimager]], [[Guymager]], TrueBack, [[EnCase]], [[Forensic Toolkit|FTK]] Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
 
The acquired image is verified by using the [[SHA-1]] or [[MD5]] [[cryptographic hash function|hash function]]s. At critical points throughout the analysis, the media is verified again to ensure that the evidence is still in its original state. The process of verifying the image with a hash function is called "hashing."
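Review bot: The closing paragraph of this hunk ("The acquired image is verified by using the [[SHA-1]] or [[MD5]] ... hash functions") carries no <ref>, while the imaging paragraph above it cites <ref name="horenbeeck"/>. Since the edit summary gives missing sourcing (WP:CITE, WP:RS) as the reason for the revert, the retained verification text should get a citation too. The sentence listing imaging tools (DCFLdd through FDAS) likewise has no reference of its own. As a style point, "hashing." puts the full stop inside the quotation marks, and the term could be italicised like ''Imaging'' and ''Acquisition'' in the preceding paragraph for consistency.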