SecPlusTrainer / Glossary / What is a forensic copy (image)?
D4 · Operations

What is a forensic copy (image)?

A forensic copy is a bit-for-bit duplicate of storage media — including deleted files and unallocated space. Hash values verify the copy matches the original exactly.
Always work on forensic copies — never on original evidence. Tool: dd (Linux), FTK Imager. Hash before and after copying (MD5 + SHA-256). The original must remain untouched for legal admissibility.

Related Terms

What is Advanced Malware Protection (AMP)? What is agent-based vs agentless monitoring? What is application allowlisting? What is anomaly detection in security?
← Back to Glossary Practice Questions →