Authoritative Guide on Collecting Data from a Hard Drive with EnCase
For a good guide on how to collect data from a hard drive in a manner that is defensible under Minnesota state law, see Novacheck, Mary T.; Thornton, Molly B.; Beard, Jeffrey J.; and Burns, Mark (2014) "IT Technologies and How to Preserve ESI Cost Effectively," William Mitchell Law Review: Vol. 40: Iss. 2, Article 6, available at: http://open.mitchellhamline.edu/wmlr/vol40/iss2/6. See Appendix A, 'Sample Technologies for Preservation and Collection - Hard Drives'. The guide shows how data can be collected with EnCase. The authors are a partner at Bowman and Brooke LLP, a partner at Dorsey & Whitney LLP, an information governance consultant for IBM, an e-discovery manager for Boston Scientific, and a manager with KPMG's Forensic Technology Services practices.
Follow these basic steps:
1. First document each step in the process with a checklist.
2. The hard drive of the source computer is extracted, connected to a write blocker, which is then in turn connected to the forensic expert's PC.
3. EnCase allows for individual directories to be collected. When you're ready to proceed, click 'Acquire'.
4. The paper recommends the following settings for the output. A file output from from EnCase will have a .E01 file extension. EnCase outputs data in 640 MB image files by default.