Chapter 5 — Key Takeaways
The big idea
The forensic process is the scientific method applied to a storage device, and it is the reason your findings are worth anything. Anyone can "find a file." Only a disciplined method lets you answer the question that decides whether the work counts: how do you know you didn't change it, and how do you know it was there before you arrived? Four phases — identification, preservation, analysis, reporting — carry a single unbroken thread beneath them: document everything. Preservation is the heart. Because even reading a drive on a live system alters it, you write-block; because a backup misses the deleted files and slack where answers hide, you make a bit-for-bit image of every sector; because you must prove the copy is faithful, you hash the source and the image and show they match; and because admissibility depends on accounting for the evidence's whole life, you keep an unbroken, signed chain of custody. None of it counts without lawful authority. The method is the product — in forensics for admissibility, in recovery for irreplaceability.
The four phases (and their other names)
| This book | NIST SP 800-86 | What it accomplishes |
|---|---|---|
| Identification | Collection | Find every source — including the volatile and the hidden (HPA/DCO) |
| Preservation | (Collection) | Protect the original: write-block, image, hash, chain of custody |
| Analysis | Examination → Analysis | Examine the verified copy; test hypotheses both ways |
| Reporting | Reporting | Explain the findings to a non-technical reader, precisely |
ACPO compresses the whole chapter into four principles: change nothing; if you must touch the original, be competent and explain it; keep an audit trail an independent party can reproduce; the person in charge is responsible.
Preservation is the heart
- The original is sacred. Never analyze the original — for admissibility (the court must trust it) and for irreplaceability (the client's data may exist nowhere else, and one bad write destroys it).
- Even looking is dangerous. An OS writes to a disk just by mounting it — journal, timestamps, indexing. The defense is not carefulness; it is a write-blocker that makes writing physically impossible. Hardware blockers (Tableau, WiebeTech/CRU), CFTT-tested, beat software backstops.
- A forensic image is not a backup. It copies every sector — unallocated space, slack, partition gaps, HPA/DCO — not just the files the file system admits to. That is why deleted data is recoverable from an image and invisible to a backup.
Hashing and chain of custody
- Hash to prove the copy equals the source. SHA-256 (256-bit) is the standard; compute MD5 (128-bit) alongside it. The avalanche effect means one flipped bit changes ~half the digest. Dual-hashing defeats the collision cross-examination.
- A matching hash proves integrity only — not authorship, origin, ownership, or guilt. Confusing "the hash matches" with "the suspect did it" is a category error.
- The chain of custody proves the handling: who had it, when, what they did, with two signatures per transfer and no gaps. The hash proves the bits; the chain proves the people. If it isn't documented, it didn't happen.
Recovery vs. forensics — same foundation, different consequences
| 💾 Recovery | 🔍 Forensics | |
|---|---|---|
| Image the source? | When valuable/failing | Always, first |
| Write-block / chain of custody | Best practice / usually none | Mandatory / unbroken, signed |
| Authorization | Client owns/authorizes | Warrant / consent / corporate |
| Deliverable | Recovered files | A court-admissible report |
Ask on every job: could this become a case? The instant the answer is yes, upgrade to the forensic workflow and start the chain from now.
You can now…
- ☐ Name the four phases and map them to the NIST and ACPO frameworks an examiner is expected to know.
- ☐ Justify why the original is never touched, and use write-blocking and bit-for-bit imaging to protect it — distinguishing a forensic image from a backup.
- ☐ Compute and verify MD5/SHA-256, and answer the collision question well enough to survive cross-examination.
- ☐ Maintain a gap-free chain of custody and identify the lawful bases — warrant, consent, corporate authority — and the scope discipline each imposes.
- ☐ Recognize the moment a routine recovery must be upgraded to a forensic process, and act on it.
Looking ahead
Chapter 6 — Logical Recovery. You now know how to make a verified image. Next you go hunting inside it: recovering deleted files from the MFT and inode remnants that still point at "deleted" data, rebuilding formatted and corrupted partitions, and proving at the byte level that deleted does not mean destroyed.
One sentence to carry forward: Find it, protect it, examine the copy, and explain what you found — and write down every step, because if it isn't documented, it didn't happen.