ABSTRACT

Many evidence collection and analysis tools are commercially available. A description of several reliable ones is provided in this chapter.

New Technologies, Inc. https://www.Forensics-Intl.com

Upon your initial arrival at a client site, obtain a bitstream backup of the compromised systems. A bitstream backup is different from a regular copy operation. During a copy operation, you are merely copying files from one medium (the hard drive, for instance) to another (e.g., a tape drive, Jaz drive, etc.). When performing a bitstream backup of a hard drive, you are obtaining a bit-by-bit copy of the hard drive, not just its files. Every bit on the hard drive is transferred to your backup medium (another hard drive, Zip drive, Jaz drive, tape). If it comes as a surprise to you that hidden data exists on your hard drive (i.e., more is present on the hard drive than just the file names you see), then you are about to enter a new world, the world of the CyberForensic Investigator (CFI).
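As an added illustration, not taken from the chapter or from any vendor tool, the following Python model contrasts the two operations on a constructed eight-sector "disk" with a made-up allocation table, one live file and the leftover bytes of a deleted file: a file-level copy recovers only the named file, while the bitstream image carries every byte and can be verified against the source by hash.

```python
import hashlib

SECTOR = 512

def build_sample_disk() -> bytes:
    """Constructed sample, not a real filesystem: sector 0 holds a toy
    allocation table, sectors 1-2 a live file, sector 3 the bytes of a
    file whose table entry was removed, and sectors 4-7 are unused."""
    disk = bytearray(8 * SECTOR)
    table = b"notes.txt:1:2;"          # name:start_sector:sector_count;
    disk[0:len(table)] = table
    live = b"meeting notes, nothing unusual here".ljust(2 * SECTOR, b"\0")
    disk[1 * SECTOR:3 * SECTOR] = live
    # Remnant of a deleted file: no table entry, but the bytes remain.
    remnant = b"DELETED: draft of the message under investigation".ljust(SECTOR, b"\0")
    disk[3 * SECTOR:4 * SECTOR] = remnant
    return bytes(disk)

def parse_table(disk: bytes) -> dict:
    """Read the toy allocation table: {name: (start_sector, count)}."""
    text = disk[:SECTOR].split(b"\0", 1)[0].decode()
    files = {}
    for entry in filter(None, text.split(";")):
        name, start, count = entry.split(":")
        files[name] = (int(start), int(count))
    return files

def file_copy(disk: bytes) -> dict:
    """Ordinary copy: only the files the allocation table names."""
    return {name: disk[s * SECTOR:(s + c) * SECTOR].rstrip(b"\0")
            for name, (s, c) in parse_table(disk).items()}

def bitstream_copy(disk: bytes) -> bytes:
    """Bit-by-bit image: every byte, allocated or not."""
    return bytes(disk)

def sha256(data: bytes) -> str:
    """Hash used to confirm the image matches the source medium."""
    return hashlib.sha256(data).hexdigest()

def contains(copy, needle: bytes) -> bool:
    """True if the needle survives in a file-level copy (dict) or an image."""
    if isinstance(copy, dict):
        return any(needle in content for content in copy.values())
    return needle in copy
```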