Content deleted Content added
add another photo |
Citation bot (talk | contribs) Alter: template type. Add: isbn, publisher, pages, year, title, chapter, jstor, chapter-url, author pars. 1-1. Removed or converted URL. Converted bare reference to cite template. Some additions/deletions were actually parameter name changes. Correct ISBN10 to ISBN13. | You can use this bot yourself. Report bugs here. | Suggested by Josve05a | via #UCB_toolbar |
||
Line 21:
Using hardware to protect the hard drive from writes is very important for several reasons. First, many [[operating system]]s, including [[Microsoft Windows|Windows]], may write to any hard disk that is connected to the system. At the very least, Windows will update the [[access time]] for any file accessed, and may write things to the disk unexpectedly - such as creating hidden folders for the [[recycle bin]] or saved hardware configuration. [[Computer virus|Virus]] infections or [[malware]] on the system used for analysis may attempt to infect the disk being inspected. Additionally, the [[NTFS]] file system may attempt to commit or rollback unfinished transactions, and/or change flags on the volume to mark it as "in use". At the worst, undesired files may allocate and overwrite deleted space on the hard disk which may potentially destroy evidence in the form of previously deleted files.
Protecting an evidence drive from writes during investigation is also important to counter potential allegations that the contents of the drive were altered during the investigation.<ref>{{Cite book|chapter-url=https://www.jstor.org/stable/j.ctt5hh5mg.8|jstor=j.ctt5hh5mg.8|chapter=Forensic Acquisition of Data|last1=Clarke|first1=Nathan|title=Computer Forensics|year=2010|pages=26–33|publisher=IT Governance|isbn=9781849280396}}</ref> Of course, this can be alleged anyway, but in the absence of technology to protect a drive from writes, there is no way for such an allegation to be refuted.
==References==
| |||