System and file forensics

- [Instructor] Digital evidence often comes from computers,…mobile devices, and digital media…that store the information required by investigators.…That's where forensic investigators use…system and file forensics techniques…to collect and preserve digital evidence.…Remember that the first rule of evidence collection…is that investigators must never…take any action that alters the evidence itself…and may lead to the misinterpretation of that evidence.…When it comes to systems and files,…forensic investigators preserve this principle…by never working with the actual physical evidence…unless absolutely necessary.…

Investigators do this by creating copies…or images of the physical evidence,…and then using those images for forensic analysis.…When a forensic analyst creates an image…of a hard drive or other media,…the analyst must connect a device to the drive…and use that device to copy off the data…stored on the media.…Whenever media is connected to a system,…there is always the risk that the analysis process…will inadvertently write data to the media.…