Before you have a chance to begin the imaging process, your supervisor calls to tell you that the organization's legal team has been asking questions about types, sources, and collection of digital information. They have also asked about file formats. Your supervisor asks you to prepare a brief explanatory memo. You use the department's technical manual to compose your memo on locations of valuable forensic information and formats in which digital evidence can be stored. You also review imaging and verification procedures.
For the first step in this project, prepare a memo (1-2 pages in length) that summarizes possible locations of valuable digital forensic information, as well as collection and storage options in laymen's language. For each location described, include a short description of the following:
- Area
- Types of data that can be found there
- Reasons why the data has potential value to an investigation in general, and for this case in particular
The locations to be addressed are: USB sticks, RAM and swap space, and operating system hard disks.
Also describe possible digital evidence storage formats (raw, E01 (ewf), and AFF), the advantages and disadvantages of each, and how digital forensic images are collected (local and remote, memory and disk) and verified.