A couple of people pinged and asked if I could have done a StorageCraft backup instead of the EnCase one I did for the examination of the laptop. Honestly it would have been easier. EnCase is sometimes a bear to get it to make a true boot image of the acquired drive. The issue is not really whether Storagecraft could have done a better job (it could), an easier job (way easier), but rather more of a standard in the Industry. If I know that an examination will not be used for court reasons, StorageCraft is actually my preferred imaging tool (remember of course that the ITPro version is the one that works with a bootable iso and thus doesn’t touch the drive/make any inpact to the date stamps). EnCase along with Paraben are two of the heavy hitters in litigation. If you go into court you merely say “I acquired it using EnCase” and there’s not a lengthly voir dire (that’s Attorney speak for “we question the heck out of it to see if we can poke holes”) of the tools used in the process.
EnCase takes a hash of the drive, has “EnCase scripts” to examine for certain information (emails, sensitive data, queries, etc). It’s more of a situation that if I’m doing a ‘casual’ investigation, I’ll do StorageCraft to a vmware/vpc. If a courtcase, it’s the full blown EnCase.
The key is the right tool for the right situation. You must have a block image/doesn’t touch the data imaging program that ensures that the original data is not written to during the acquisition process.
And that’s the key, select the right tool for the job.