Information Technology Reference
In-Depth Information
When.it.is.time.to.gather.that.data.for.whatever.reason,.
you.now.have.the.information.readily.available.to.know.who.
owns.it.and.how.to.gain.access.to.it..The.next.important.step.
is.to.acquire.that.data.in.a.forensically.sound.manner..To.do.
that,.start.with.some.type.of.tool.that.allows.you.to.make.one.
of.those.ingerprints.we.spoke.of.earlier.called.a.
hash
..Run.
that. application. and. create. a. hash. value. for. every. piece. of.
information.that.you.will.be.preserving.
Many. computer. forensics. applications. have. this. capacity.
built.into.them..If.you.or.your.computer.forensics.specialist.are.
using.those.tools.to.create.an.exact.copy.(sometimes.called.an.
image
.or.a.
snapshot
).of.a.set.of.data,.those.applications.will.
automatically.verify.the.integrity.of.the.data.by.creating.a.hash.
value.before.and.after.the.data.are.copied..In.many.cases,.they.
will.use.two.or.more.types.of.hash.algorithms.to.add.even.more.
surety.to.the.integrity.of.the.copied.data..They.will.sometimes.
store.those.hash.values.in.a.text.ile.that.you.can.save.with.the.
copied. data,. or. sometimes. these. applications. actually. attach.
those.hash.values.as.metadata.to.the.copied.data.
However,.you.do.not.have.to.have.these.specialized.tools..
Some.operating.systems.will.do.what.is.known.as.a.
veriied.
copy
..This.is.usually.done.from.the.command.line.with.spe-
cial.switches.in.the.command.that.you.type.
An.example.of.this.in.a.Windows.operating.system.would.
be.to.open.up.the.command.window.by.selecting.Start,.Run,.
and.typing.
cmd
.to.get.the.command.window.(a.window.will.
pop.up.with.a.black.screen.and.usually.a.DOS.prompt,.C:\)..
Then.you.can.type.in.“Copy.[source—path.and.name.of.the.
ile.you.want.to.copy].[destination—where.you.want.to.copy.
it].and./V”.(without.the.quotes)..An.example.of.this.type.of.
command.line.might.look.like.“C:\.Copy.c:\myiles\sample.
doc.d:\evidence\sample.doc./V”.(again.without.the.quotes).
The./V.option.at.the.end.tells.Windows.to.verify.that.the.
copied. ile. is. the. same. and. was. copied. successfully.. To. do.
this,.Windows.hashes.the.ile.in.the.background.using.a.rela-
tively. simple. hash. algorithm. called. a.
checksum
. before. and.
after.and.checks.to.ensure.the.hashes.are.the.same.
