In the course of examining a computer system for forensic evidence, data on the suspect media
were inadvertently altered. Which of the following should have been the FIRST course of action in
the investigative process?
A. Perform a backup of the suspect media to new media.
B. Perform a bit-by-bit image of the original media source onto new media.
C. Make a copy of all files that are relevant to the investigation.
D. Run an error-checking program on all logical drives to ensure that there are no disk errors.
Explanation:
The original hard drive or suspect media should never be used as the source for analysis. The source or original media should be physically secured and used only as the master from which a bit-by-bit image is created, with the original attached read-only (in practice through a hardware write blocker). The original should then be stored using the procedures appropriate to its location, and all analysis should be performed on the image. Hashing the original and the image and confirming that the two values match is how the image is shown to be a faithful copy; the same hash, recomputed later, shows that neither has changed since acquisition. A backup does not preserve 100 percent of the data: erased or deleted files and data in slack space, which may be critical to the investigative process, are not captured, whereas a bit-by-bit image copies every sector whether allocated or not. Once data on the source are altered, they may no longer be admissible in court. Continuing the investigation after documenting the date, time and data altered does not repair the damage; the resulting evidence may still be inadmissible in legal proceedings. The organization needs to know the requirements for collecting and preserving forensic evidence in its jurisdiction.
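The following is an added example, not part of the original question or its explanation, showing the acquisition step the explanation describes: read the suspect media read-only, copy every byte to an image file in fixed-size chunks, record an acquisition hash while reading, and then recompute hashes of both the image and the original as a verification step. The source here is a constructed temporary file of random bytes standing in for a block device; on a real case the source path would be the device node (for example /dev/sdb on Linux) behind a hardware write blocker, and the hash values would go into the chain-of-custody record. All file names below are assumptions made for the example.

```python
"""Bit-for-bit acquisition of suspect media with acquisition and verification
hashes.  Added example; not code from the original page.  The source is a
constructed temp file; a real acquisition would point at a block device
attached through a write blocker."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on very large media


def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy every byte of source_path to image_path, hashing the source as
    it is read.  Returns (bytes_copied, acquisition_sha256)."""
    h = hashlib.sha256()
    copied = 0
    # Read-only open: the original is only ever a source, never analysed.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Independent re-read of a file, used for the verification hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path, image_path, acquisition_hash):
    """The image is fit for analysis only if its hash equals the acquisition
    hash, and the original is shown unaltered only if it still hashes to the
    same value."""
    image_hash = sha256_file(image_path)
    source_hash = sha256_file(source_path)
    return {
        "image_ok": image_hash == acquisition_hash,
        "source_unchanged": source_hash == acquisition_hash,
        "image_sha256": image_hash,
        "source_sha256": source_hash,
    }


def _constructed_media(directory):
    """Constructed stand-in for suspect media: random bytes whose length is
    deliberately not a multiple of CHUNK, so the final short read is exercised."""
    path = os.path.join(directory, "suspect_media.raw")
    with open(path, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    return path


def demo():
    """Acquire and verify a clean image.  Returns the verification result."""
    with tempfile.TemporaryDirectory() as d:
        source = _constructed_media(d)
        image = os.path.join(d, "suspect_media.img")
        copied, acq = acquire_image(source, image)
        result = verify_image(source, image, acq)
        result["bytes_copied"] = copied
        return result


def demo_tampered():
    """Same flow, but one byte of the image is flipped after acquisition, as a
    careless analyst working on the wrong file might do.  Verification must
    catch it while the original still matches."""
    with tempfile.TemporaryDirectory() as d:
        source = _constructed_media(d)
        image = os.path.join(d, "suspect_media.img")
        _, acq = acquire_image(source, image)
        with open(image, "r+b") as f:
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0xFF]))
        return verify_image(source, image, acq)


if __name__ == "__main__":
    print(demo())
    print(demo_tampered())
```

The acquisition hash is computed from the bytes as they leave the source, and the verification hash from an independent re-read of the image, so a write error or a later modification of the image shows up as a mismatch rather than passing silently; `demo_tampered()` exercises exactly that case.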