Definition Edit

A forensic image is

an exact, sector-by-sector copy of a hard disk. Software capable of creating such copies of hard drives preserve deleted files, slack space, system files, and executable files and can be critical for later analysis of an incident.[1]

Overview Edit

A forensic image "will preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at trial. This may require the assistance of law enforcement or professional incident response experts. In addition, the victim organization should locate any previously generated backups, which may assist in identifying any changes an intruder made to the network. New or sanitized media should be used to store copies of any data that is retrieved and stored. Once the victim organization makes such copies, it should write-protect the media to safeguard it from alteration. The victim organization should also restrict access to this media to maintain the integrity of the copy's authenticity, safeguard it from unidentified malicious insiders, and establish a chain of custody."[2]

References Edit

  1. Best Practices for Victim Response and Reporting of Cyber Incidents, at 8 n.8.
  2. Id. at 8.

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.