Scanning a mounted Windows forensic image: won't this miss files in use by Windows like NTUSER.DAT, SAM, etc.? Will it be better to scan the mounted image in Linux so all files can be scanned?
When you mount an acquired image as a volume, the OS in the volume isn't active…your host system is still the one that is active. You may be subject to permissions issues, depending upon how you mount the image, but that's an easy fix.
Although I still think there is no reason not to scan evidence every time, I now need to temper my comment regarding size ballooning over 8TB.
Unfortunately, I have had a few cases now where data topped this number.
I primarily blame myself for lack of fortitude to press for relevancy, and my legal cohorts' lack of care in this area.
If it is not the report length (as others have noted, it would be a very short paragraph at best), it is not the technology, as it is readily available, and it is not time, since in my experience, albeit anecdotal, few cases balloon to 8TB - what is the reason not to do it?