This is actually good to see. For years I’ve been telling people who are dealing with full disk forensic images that step one in their process is going to be identifying all the junk they don’t actually need. 😉
Now, occasionally, do you need to check for deleted files, etc. where a full disk image would be handy? Sure, but it’s not so common that the default process should be to image everything.
Section 8c of the newly revised Commentary is dedicated to forensic imaging, stating that: “Forensic data collection requires intrusive access to desktop, server, laptop, or other hard drives or media storage devices.” While noting the practice is acceptable in some limited circumstances, “making a forensic copy of computers is only the first step of an expensive, complex, and difficult process of data analysis . . . it should not be required unless circumstances specifically warrant the additional cost and burden and there is no less burdensome option available.”
Image by matsuyuki