When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the:
When examining a hard disk without a write-blocker, you should not start Windows because Windows will write data to the Recycle Bin. This could alter the state of the disk and potentially compromise the integrity of the forensic examination. It's crucial to avoid any kind of manipulation of the data on the drive, and opening Windows can inadvertently cause unwanted changes.
Can anyone elaborate on this? There's a ton of evidence and reasons to use a write-blocker, but very little I could find on specific files changed when mounting a drive to Windows.
From EC Council materials: Consider using a hardware acquisition tool (such as UFED Ultimate or IM SOLO-4 G3 IT RUGGEDIZED) that can access the drive at the BIOS level to copy data in the Host Protected Area (HPA).
C > BIOS