SANS Digital Forensics and Incident Response Blog: Tag - evidence

Robocopy - a Computer Forensics tool?

The usual practice for obtaining potential evidence would be to acquire a bit-for-bit forensic image of the drive and to lock the image up in an evidence safe. Depending upon the legal team's request, one may also replace the original hard drive and keep the original in the safe instead of just an image. Another option I like is having a third party acquire the drive on our behalf and keep it in their secure area for us. Sometimes, however, for various reasons, a forensic image may not be feasible. So, then, what is another option?

In a recent e-mail exchange with Rob Lee, I asked him what he thought about using