Gathering Evidence

Any evidence on RAM is under threat of destruction

Interacting with a running computer in any way causes changes to the system

Sudden loss of power could damage the data

System may be unencrypted when powered on but return to an encrypted stage when powered off

Any evidence on RAM is under threat of destruction

Interacting with a running computer in any way causes changes to the system

Sudden loss of power could damage the data

Change to a system may invalidate evidence

Data on hard disk

Routing table

CPU

Temporary file system/swap space

Access data via find my phone

Turn it off

Put it in a Faraday bag

Put it in an empty paint can

Member of the republic's army

bit-for-bit copy of a hard drive

A program for file carving

Copy-and-pasted copy of a hard drive

Clone gets data in unallocated space such as deleted or partially overwritten files

Clone also gets file system data

Clones allow for a "do over" if investigation alters the system

Clones only get active data

If they do not have the proper warrants to take the drive to a lab

If the device is a personal computer

If the device is a server generating revenue for a business

If the investigation is a missing persons case

They can be used to verify that a system is identical to the original

Any change to a system will change the hash value

They are used to create and edit files

They are used to help clone a device