Part of the Dalhousie Libraries Documentation Wiki
Step three - Acquire data from digital storage devices
Introduction
- This page describes the general procedures for acquiring data from digital storage devices.
- The preferred procedure is to acquire raw (dd) images of each device, but alternative methods are sometimes necessary.
Data acquisition workflows
There are three basic workflows for acquiring data:
Workflow | Description | Rationale |
---|---|---|
Workflow #1 – Create forensic image, transfer to digital backlog, and delete image from local RAID storage after transfer is validated. | Select this workflow in cases where forensic processing is unscheduled | A secondary copy is not necessary if forensic processing is unscheduled. The primary image can backed up in digital backlog and a copy can be transferred back to the Forensics Lab when processing is scheduled. |
Workflow #2 – Create two copies of forensic image, transfer copy to digital backlog before processing primary image | Select this workflow in cases where forensic processing is scheduled and total storage requirements for primary forensic images does not exceed 1 TB | A secondary copy is necessary anytime forensic processing takes place but, with cases that involve more than 500 GB of data, the secondary copy will occupy too much space on local RAID storage. |
Workflow #3 – Create two copies of forensic image and keep both copies on forensic tower while processing one version of the image | Select this workflow in cases where forensic processing is scheduled and the total storage requirements for primary and secondary copies of forensic images does not exceed 1 TB | A secondary copy is necessary anytime forensic processing takes place but, with cases that involve less than 500 GB of data, the secondary copy can be stored on local RAID storage until processing is complete. This protects the primary copy and reduces unnecessary data transfer. |