Pat I've heard success stories from members of this community that have done their time in court on the admittance of logical files and/or printed versions of such files, usually emails. But, in the development of standards we have gotten away from logical file approaches in favor of processes that allow for repeatability. A full image increases court confidence and can help if opposing counsel challenges your handling methods. I am confident that a large percentage of the members on this list will agree that chain of evidence handling and a full image of digital media are key in a national and international standard. Thanks, Matthew Brown, CISSP pat.beardmoreat_private 07/03/2001 01:42 AM To: forensicsat_private cc: Subject: Preview in Encase (or other package) rather than image Before I give my own opinions, has anyone come across the practice of previewing a drive and then taking off the relevant files rather than doing a full image. Does anyone want to comment on the advantages and disadvantages of this methodology? thanks, Patrick Beardmore ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 14:12:25 PDT