Can I ask a pretty novice forensics question?
If, say, you have an internal forensics investigator with a dedicated offline machine – and he has encrypted drives, so he images the suspect drive using his write blocker or whatever – once it is imaged, where does he typically save the imaged copy? Locally on the forensics analysis machine – on an encrypted drive?
For example, best practices seem to be not to network the machine – so it can’t be saved on any networked drive – so I assume it just gets saved locally? What about backups, though? What if the drive you just imaged then failed, and the drive you imaged it to also fails? Then you’ve lost the evidence, haven’t you? What do forensics investigators do in this case?
My second question is – if big boss says thanks for imaging it and doing your analysis on the image – I now want to take the findings in the EnCase case file away with me and view it on my laptop? How? Can you give him like a light version of your findings in EnCase format – or does he need a copy of the actual imaged drive (is this the E01?) AND the case file on his laptop to review? Or can you just give a copy of the findings as opposed to the whole imaged device and case file?
For info: these are just for internal disciplinarians and nothing legal.