Forensics acquisition tools will store data as an image file.

3 image file formats

- Copies bit-stream data directly into files, as in a bit-stream image file.
- Data transfers will be fast: no additional operations are needed, just copy 1-to-1.
- But it requires as much storage as the original disk/data.

- E.g.: E01 (EnCase), Ex01 (Expert Witness), cmp (ProDiscover non-compressed / compressed).
- The Expert Witness format is the unofficial standard. (Expert Witness is the originating company of SMART and EnCase tools.)
- Can split images into smaller segmented files.
- But proprietary formats will not have cross-tool compatibility.

- No size restrictions for disk-to-image files.
- Provide space in image file or segmented files for metadata.
- Cross platform & OS.

Types of acquisitions:

- Image files can be copied multiple times.
- Copies are bit-for-bit replications (i.e.
- When disk-to-image copy is not possible.
- Logical disk-to-disk / disk-to-data file.
- Captures only specific files of interest.
- Can take a long time to find and selectively choose files.
- Same as logical acquisition, but only collecting data from allocated files.
- Files in free or slack space won't get acquired.
- Both logical & sparse acquisition are used for very large disks, where acquiring a complete copy of the whole thing would make no sense (e.g.: PST or OST mail files, RAID servers).

Determining the best acquisition method

- Duration the source disk can be kept in custody, or whether it can be retained at all.
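The bit-stream copy into raw image files described in these notes, combined with splitting the image into segments, as an added example that is not part of the original notes. The function names, the `.001`-style segment suffixes, the use of SHA-256 and the sample source file are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read size per I/O call (assumed value)


def acquire_raw(source, out_dir, stem, segment_size):
    """Copy `source` bit-for-bit into raw segments stem.001, stem.002, ...

    Returns (segment paths, SHA-256 of the source stream as it was read).
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    digest, segments = hashlib.sha256(), []
    with open(source, "rb") as src:  # the source is only ever opened read-only
        while True:
            remaining = segment_size
            block = src.read(min(CHUNK, remaining))
            if not block:
                break  # end of source: do not create an empty segment
            path = out_dir / f"{stem}.{len(segments) + 1:03d}"
            with open(path, "xb") as seg:  # "x" refuses to overwrite an image
                while block:
                    seg.write(block)
                    digest.update(block)
                    remaining -= len(block)
                    block = src.read(min(CHUNK, remaining)) if remaining else b""
            segments.append(path)
    return segments, digest.hexdigest()


def verify_image(segments, expected_sha256):
    """Re-read the segments in order; True if they hash to the acquisition value."""
    digest = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as seg:
            for block in iter(lambda: seg.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest() == expected_sha256


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source.bin"  # constructed stand-in for a source disk
        src.write_bytes(b"allocated data" + b"\x00" * 4000 + b"slack remnant")
        segs, sha = acquire_raw(src, Path(tmp) / "image", "evidence", 1500)
        total = sum(p.stat().st_size for p in segs)
        print(len(segs), "segments,", total, "bytes, verified:", verify_image(segs, sha))
```

The segment sizes always add up to the size of the source, which is the storage cost the notes attribute to this format, and any later change to a segment makes `verify_image` return `False`.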