Forensic Analysis · Chapter 9

a time-consuming process and one the defense attorney might challenge. The defense attorney would not have to prove that the integrity of the clone was lost, only that it could have been lost.

This chapter will illustrate the process of turning a copy of a drive into something that an investigator can use with confidence, knowing that he can get back to the original state with the push of a button. By using a virtual machine, the contents of the machine can be viewed in the same ways that the suspect viewed them. The chapter will also discuss the concept of "best evidence," the acceptability of evidence obtained from virtual instances of a suspect's computer, and will describe a method proposed by Derek Bem and Ewa Huebner of the University of Western Sydney, Australia, that combines traditional methods with virtual technology to gain the benefits of virtualization and still meet the rigors expected by the courts.

Preparing Your Forensic Environment

Before capturing the suspect's machine and creating images, you should prepare a computer for use as your forensic system. The computer should be the fastest