DefensibleDataCollectionTechniquesintheEnterprise·Chapter6 153 capture all sectors of a hard drive the user must change the default operation of the program. You must use a third-party application to determine the hash value of the Ghost image files created. A variety of handheld hardware devices can also create forensic hard-drive images. From an e-discovery perspective, the end result is the same: the production of a forensic image. Although handheld devices may offer slight advantages in speed and portability, their use is a matter of preference because their functionality is limited. Logical file captures of PC data may also be appropriate based on the circumstances of the collection. We will discuss logical file collection tools in the next section, as you can use the tools for both forms of ESI. File Servers: Group Network Shares and Personal Network Shares You can use any of the forensic imaging tools discussed previously to capture file server data, including handheld hardware devices. But some of these methodologies may prove problematic when dealing with servers that use Redundant Array of Independent Disk (RAID) technology. This means multiple hard drives are configured in a way to increase a system's speed and/or redundancy. It is critical to inquire at the outset how the RAID is implemented so that it can be reconfigured later for data extraction. It is also possible to image the RAID in the volume configuration in which it presents itself via the operating system as opposed to imaging each individual hard drive in the RAID configuration. But this method is time-consuming due to the large amount of space on servers, and large amounts of