Cyber Forensics

There are two goals when making an image:

Completeness (imaging all of the information)
Accuracy (copying it all correctly)

The imaging process is verified with the SHA-1 message digest algorithm (using a program such as sha1sum) or another algorithm that is still considered sound. To make a forensically sound image, you need two reads of the source that produce the same message digest. Generally, a drive should be hashed with at least two algorithms so that its authenticity can still be demonstrated if one of the algorithms is broken. This can be accomplished by first imaging to one tape labeled Master and then making a second image labeled Working. If onsite and time is critical, the second read can be made to null, that is, read and hashed without being written anywhere.
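The verification described above, as an added example (not part of the original text): two full reads of the source are hashed with two algorithms, SHA-1 as on the page and SHA-256 as an assumed second choice, and the Master and Working digests are compared. The "disk" contents are constructed in memory; in practice the streams are the raw device or the two image files.

```python
import hashlib
import io

# Two algorithms, so that a break of one does not undermine the verification.
# SHA-256 is an assumed second algorithm; any pair still considered sound will do.
ALGORITHMS = ("sha1", "sha256")
CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never sits in memory


def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash one complete read of a device or image file with every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(master, working):
    """Compare the Master and Working reads; return a per-algorithm match flag."""
    master_digests = hash_stream(master)
    working_digests = hash_stream(working)
    return {name: master_digests[name] == working_digests[name]
            for name in master_digests}


def verify_bytes(master_bytes, working_bytes):
    """Convenience wrapper for in-memory data (e.g. the constructed sample)."""
    return verify_image(io.BytesIO(master_bytes), io.BytesIO(working_bytes))


def all_match(result):
    """The image is sound only if every algorithm agrees across both reads."""
    return all(result.values())


# Constructed sample "disk": 1 MiB of repeating bytes, plus a copy that differs
# in its final byte, standing in for a second read that did not come out identical.
SAMPLE_DISK = bytes(range(256)) * 4096
TAMPERED_DISK = SAMPLE_DISK[:-1] + b"\x00"

if __name__ == "__main__":
    print("master vs working :", verify_bytes(SAMPLE_DISK, SAMPLE_DISK))
    print("master vs altered :", verify_bytes(SAMPLE_DISK, TAMPERED_DISK))
```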

Note: Ultimately the methodology used by computer forensic investigators in capturing potential evidence on a system (such as imaging hard drives) will be dictated by the proportionality of the likely importance of that evidence in the matter for which these services are engaged. Additional influences such as claims of privilege and potential damages sought for business interruption create potential headaches for corporate investigations, where forensic soundness is often sacrificed for practicality. Law enforcement personnel moving into the corporate environment tend to be overly strict in their application of computer forensic principles in litigation where the burden of proof does not require it. There is an increasing need to capture servers live and to capture less than whole disks' worth of data in an effort to work within a time and cost framework. Even an unsolved murder investigation must be wound up at some point where there are diminishing gains to be had in progressing it; so too with computer forensic investigations in both the corporate and criminal arenas, where the sheer quantity of digital evidence can become overwhelming and threaten to overburden investigators. Also, it must be remembered that any computer evidence is potentially admissible regardless of the methodology by which it came to the attention of the court. If an examiner fails to create a SHA or MD5 hash of the original hard drive, the data is not necessarily worthless or non-admissible. Traditional discovery has been happening for at least a decade (often without hashes). Application of proper forensic principles will, however, improve its overall credibility and diminish admissibility challenges. Reasonable attempts should therefore be made to ensure that the most complete and accurate image possible is obtained.

E-mail review
E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. Because users may access email in a variety of ways, it's important to look for different kinds of emails. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write email. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for email data. Be aware that many email clients will save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.

E-mail headers
All email programs generate headers that attach to the messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances, headers are created by the mail user agent and then prepended to by each mail server the message passes through, so the bottom-up method should work. But a malicious mail server or a forger may make this difficult.

The headers added by an MUA are different from those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows.

Message-ID: <41b5f981.5040504@example.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: recipient@example.com
Subject: Testing
Content-Transfer-Encoding: 7bit

Extensions such as Enigmail may add extra headers.

The Message-ID field has three parts:

The time the message was sent, in seconds past the Unix epoch, written as a 32-bit big-endian hexadecimal value
A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509".
The fully qualified domain name of the sender.
Message-ID: [time].[salt]@[domain-name]
Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in function msg_generate_message_id() and therefore applies only to mail sent by this application. Generally the format of the Message-ID is arbitrary, and you should refer to the applicable RFCs.
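Decoding the Thunderbird 1.0 Message-ID layout above, as an added example that is not part of the original text: the hex time is converted to a UTC timestamp, the salt is checked against the #0#0#0# shape after restoring stripped leading zeros, and the embedded time is cross-checked against the message's Date header. The tolerance of 60 seconds is an assumption; the regular expressions and function names are mine.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Thunderbird 1.0 layout described on the page: [time].[salt]@[domain-name]
THUNDERBIRD_MID = re.compile(r"^<?([0-9a-fA-F]{1,8})\.(\d{1,7})@([^>\s]+)>?$")
# Full 7-digit salt is #0#0#0#; Thunderbird drops leading zeros, so pad before matching.
SALT_SHAPE = re.compile(r"^\d0\d0\d0\d$")


def parse_thunderbird_message_id(message_id):
    """Split a Message-ID into time, salt and domain.

    Returns None when the value does not have the Thunderbird 1.0 shape at all
    (other clients and servers use arbitrary formats, as the page notes)."""
    m = THUNDERBIRD_MID.match(message_id.strip())
    if not m:
        return None
    hex_time, salt, domain = m.groups()
    epoch = int(hex_time, 16)
    return {
        "epoch": epoch,
        "sent_utc": datetime.fromtimestamp(epoch, tz=timezone.utc),
        "salt": salt,
        # 7 digits, or 5/3/1 digits once leading "#0" pairs of zeros are stripped
        "salt_plausible": bool(SALT_SHAPE.match(salt.zfill(7))),
        "domain": domain,
    }


def message_id_agrees_with_date(message_id, date_header, tolerance_seconds=60):
    """Cross-check the time embedded in the Message-ID against the Date header.

    Both are written by the MUA, so a large gap points to a rewritten or forged
    header (or a badly wrong clock). Returns None if the ID is not Thunderbird-shaped."""
    parsed = parse_thunderbird_message_id(message_id)
    if parsed is None:
        return None
    date_epoch = int(parsedate_to_datetime(date_header).timestamp())
    return abs(parsed["epoch"] - date_epoch) <= tolerance_seconds


if __name__ == "__main__":
    # The header pair from the page's Thunderbird example.
    mid = "<41b5f981.5040504@example.net>"
    print(parse_thunderbird_message_id(mid))
    print(message_id_agrees_with_date(mid, "Tue, 07 Dec 2004 13:42:09 -0500"))
```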

Sorting through the masses
While it is theoretically possible to review all e-mails, the sheer volume subject to review makes this a daunting task; large-scale e-mail reviews cannot look at each and every e-mail because of the impracticality and cost. Forensics experts use review tools to make copies of e-mails and their attachments and to search through them for incriminating evidence using keyword searches. Some programs have advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology, vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.

Also, emails may contain In-Reply-To: headers that allow threads to be reconstructed. Good email clients can do this.
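Thread reconstruction from In-Reply-To headers, as an added example that is not part of the original text: a constructed set of message headers is parsed with the standard library, each message is attached under the message it replies to, and a reply whose parent was never collected (a common gap in a seized mailbox) is kept as a root rather than dropped. The sample Message-IDs are invented.

```python
from email.parser import HeaderParser

# Constructed sample mailbox: only the headers that matter for threading.
SAMPLE_HEADERS = [
    "Message-ID: <a1@example.net>\nSubject: Quarterly numbers\n",
    "Message-ID: <b2@example.com>\nIn-Reply-To: <a1@example.net>\nSubject: Re: Quarterly numbers\n",
    "Message-ID: <c3@example.net>\nIn-Reply-To: <b2@example.com>\nSubject: Re: Quarterly numbers\n",
    "Message-ID: <d4@example.org>\nIn-Reply-To: <a1@example.net>\nSubject: Re: Quarterly numbers\n",
    # Reply to a message that was never collected: must survive as its own root.
    "Message-ID: <e5@example.org>\nIn-Reply-To: <missing@example.org>\nSubject: Re: Old thread\n",
]


def build_threads(raw_headers):
    """Return (children, roots).

    children maps each Message-ID to the IDs that reply to it, in mailbox order;
    roots are messages with no In-Reply-To, or whose parent is not in the set."""
    parser = HeaderParser()
    msgs = [parser.parsestr(h) for h in raw_headers]
    by_id = {m["Message-ID"].strip(): m for m in msgs if m["Message-ID"]}
    children = {mid: [] for mid in by_id}
    roots = []
    for mid, msg in by_id.items():
        # In-Reply-To may list several IDs; the first is taken as the parent here.
        tokens = (msg["In-Reply-To"] or "").split()
        parent = tokens[0] if tokens else ""
        if parent in by_id:
            children[parent].append(mid)
        else:
            roots.append(mid)
    return children, roots


def render_thread(children, roots):
    """Flatten the tree into indented lines; a visited set guards against
    cycles that forged or duplicated headers could introduce."""
    lines, visited = [], set()

    def walk(mid, depth):
        if mid in visited:
            return
        visited.add(mid)
        lines.append("  " * depth + mid)
        for child in children[mid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_thread(*build_threads(SAMPLE_HEADERS))))
```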

Computer forensic examples
Forensics can be defined as the use of technology and science for investigation and fact recovery when dealing with criminal matters. Computer forensics is the technological aspect of retrieving evidence to use within criminal or civil courts of law. Computer forensic examiners are able to recover damaged and deleted files. Some cases in particular used computer forensics as their leading source of evidence to indict a criminal offender or to find the location of a missing person.

Example
Chandra Levy, who went missing on April 30, 2001, was a Washington, D.C. intern whose disappearance was widely publicized. While her location was unknown, she had used the Internet as well as e-mail to make travel arrangements and to communicate with her parents. The use of this technology helped a computer criminalist trace her whereabouts. The information found on her computer led police to her location, even though she had been missing for one year.

Example two
There have been a number of cases at private schools where authority figures have been charged with possession of child pornography. These discoveries were made using computer forensics. By tracking the buying and selling of pornography online, computer forensic investigators have been able to locate people involved in these crimes. They are able to use information found on the computers as circumstantial evidence in court, allowing prosecution to occur.

Example three
A final example of how computer forensics is affecting the current workplace concerns security. Employees' work computers are now being monitored to ensure no illegal actions are taking place in the office. Companies have also heightened security so that outsiders cannot access confidential files. If this security is broken, a company is then able to use computer forensics to trace back which computer was tampered with and what information was extracted from it, possibly leading to the guilty parties and other potential parties involved.

Comparison to Physical Forensics
There are many core differences between computer forensics and "physical forensics." [3] At the highest level, the physical forensic sciences focus on identification and individualization. Both of these processes compare an item from a crime scene with other substances to identify the class of the item (e.g. is the red liquid fruit juice or blood?) or the source of the item (e.g. did this blood come from person X?). Computer forensics, on the other hand, focuses on finding the evidence and analyzing it. Therefore, it is more analogous to a physical crime scene investigation [4] than to the physical forensic processes.
