November 12, 2021
• Prepared for trial testimony
• Forensic examination: captures data (imaging: bit-for-bit copy), puts it through software to categorize information; huge amounts of data on a computer; software helps organize it to assist with review
• Information stored on a hard drive in a computer; hard drive stores non-volatile data (anything saved on the drive will still be on the drive if you unplug it); digital device to store data
• Typically knows nothing about a case when analyzing digital evidence
• Was shown GX 54 (has initials, case number, unique identifier on it, date)
• Every piece of evidence examined gets unique bar code numbers and gets another sticker with case number, date, initials, and reference to the unique number on the other sticker
• Received GX 54 in a box with a photocopy of a different drive on the front; led to believe it was a copy of the drive on the front of it; had to determine how best to capture information on the drive, had to see if it held image files or was a clone
• Was shown GX 55: first marked it; after marking it, connected hard drive to a write blocker and connected that to a computer to view data on the drive without altering it; looked to figure out if image files or clone
• Clone: bit-for-bit copy of one piece of media to another (e.g., from one hard drive to another)
• As digital forensics progressed, moved away from clones and towards images; image is a bit-for-bit copy, but saved onto another hard drive as image files; advantage is that it containerizes the data, more difficult to change data on an image file than on a clone
• After determining the drive was a clone, imaged it; made a bit-for-bit copy of the clone; copied it to storage area network for processing
• To make an image, have several tools available; FTK made by AccessData; also have FBI-created product; also have physical devices that are duplicators (TX1 made by Tableau) to create image files
• Hard drive is electromechanical device, has platters spinning around, several