You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
Evidence acquisition is the process of creating an exact, verifiable copy of digital evidence while ensuring the original data remains unaltered. This is arguably the most critical phase of any forensic investigation — if evidence is improperly acquired, everything that follows may be challenged or excluded.
A forensic image (also called a forensic copy or bit-stream image) is a sector-by-sector copy of a storage device, capturing every bit of data including:
| Type | Description | Use Case |
|---|---|---|
| Physical image | Bit-for-bit copy of the entire device (all sectors) | Full forensic analysis; captures everything |
| Logical image | Copy of the file system (files and directories only) | When only specific files or partitions are in scope |
| Targeted collection | Copies only specific files or folders | eDiscovery, triage, or when full imaging is impractical |
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.