by ksaj 1592 days ago
In forensics, this would only be done on an image, and not on the live file system. This avoids both triggers like the ones you mention and claims that the forensic person has altered the evidence in some way.

Forensic agents have to prove before and after that no changes were made to the file system(s) and any data that may reside on them.

Source: I have prior certification, and have acted as a court designated technical expert. I don't do this anymore, but those elements have not changed over time.
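
Added example, not part of the original comment: a minimal sketch of the before-and-after check described above, which hashes an image, runs a read-only analysis step, then hashes again and compares. The function names, the SHA-256 choice and the sample image are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large images do not need to fit in RAM


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) of the image at `path`."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:  # read-only handle
        while chunk := fh.read(CHUNK):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def examine(path, analysis):
    """Run `analysis` against the image and report whether it stayed intact."""
    before = fingerprint(path)
    with open(path, "rb") as fh:  # the analysis step only gets a read-only handle
        findings = analysis(fh)
    after = fingerprint(path)
    return {"before": before, "after": after,
            "unchanged": before == after, "findings": findings}


def make_sample_image():
    """Constructed stand-in for a disk image: 4 KiB of zeros plus a marker."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"CONSTRUCTED-SAMPLE")
    return path


def count_marker(fh):
    """Hypothetical analysis step: only reads from the handle it is given."""
    return fh.read().count(b"CONSTRUCTED-SAMPLE")


if __name__ == "__main__":
    image = make_sample_image()
    try:
        report = examine(image, count_marker)
        print(report["before"][1], "unchanged:", report["unchanged"])
    finally:
        os.remove(image)
```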