A forensic image is
|“||an exact, sector-by-sector copy of a hard disk. Software capable of creating such copies of hard drives preserve deleted files, slack space, system files, and executable files and can be critical for later analysis of an incident.||”|
A forensic image "will preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at trial. This may require the assistance of law enforcement or professional incident response experts. In addition, the victim organization should locate any previously generated backups, which may assist in identifying any changes an intruder made to the network. New or sanitized media should be used to store copies of any data that is retrieved and stored. Once the victim organization makes such copies, it should write-protect the media to safeguard it from alteration. The victim organization should also restrict access to this media to maintain the integrity of the copy's authenticity, safeguard it from unidentified malicious insiders, and establish a chain of custody."
- ↑ Best Practices for Victim Response and Reporting of Cyber Incidents, at 8 n.8.
- ↑ Id. at 8.