F-Response, Logical Evidence Files, Linux

Aug 18, 2009

Anyone who has taken part in a few E-Discovery collections recognizes the need for "logical evidence acquisition". In fact, many of the established Windows Forensics analysis tools offer the capability to collect logical files (and metadata) into forensic acquisition containers for ease of transport and integrity.

Interestingly enough, Andy Joyce (and Andy Rosen) have come up with a simple process for creating logical evidence containers under Linux.

Personally I think it's a simple but very smart design.

Take a few minutes and check it out here.

Enjoy!

M. Shannon, Principal

F-Response

June 10, 2009