Forensic disk controller: Difference between revisions

Poppenhe (talk | contribs)
m Added reference
Poppenhe (talk | contribs)
m Added reference
Line 22:
Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.
 
Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation. <ref>www.jstor.org/stable/j.ctt5hh5mg.8</ref> Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.
 
==References==
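Review bot: the reference in the second paragraph, `<ref>www.jstor.org/stable/j.ctt5hh5mg.8</ref>`, is a bare address with no scheme, title, author or date, so it will not render as a clickable link and a reader cannot tell which work supports the claim about refuting tampering allegations. Suggest giving the full URL inside a citation template with at least title, author and publisher, and placing the tag directly after the period, without the space that now precedes `<ref>`. The following sentence ("Of course, this can be alleged anyway, ...") is still unsourced and reads as editorial comment; either confirm the cited source covers it and move the tag to the end of the paragraph, or reword it neutrally.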