Hi: I need to do forensics on a Hard Drive, that is, I need to replicate a hard drive, including any deleted files, onto CDROM disc(s) for examination viz. a possible legal proceeding. I have not seen the computer equipment or talked to the client but essentially this is the situation: Boss fears an employee is stealing client information in order to start up his own business. A desktop PC and a laptop computer needs to be examined to determine if there's any digital evidence of this conduct. He's a good employee so Boss does not wish to offend the employee with this suspicion. I plan to do a sector by sector copy of the hard drives. I intend to remove the hard drives in question (don't want to start up the systems themselves and lose the swap file, caches, etc.), hook them up to a basic DOS system and run GHOST 5.2 to create the image. Later, I will burn the CDROM disc(s). The process needs to be documented to preserve a chain of evidence and avoid any questionable handling which might undermine the evidence gathering. First, does anyone on this list do such forensic work? If so, what are your recommendations? Additionally, does anyone see a flaw in this course of action or can suggest a better method? Ultimately, what is the custom and trade practice of expert witnesses on this subject? Suggestions for books are appreciated. My background: I've been an attorney for over 20 years and an engineering professor for 6 years but I haven't done expert witness work in this area. Thanks, in advance, for your help. John Chin Visit our website regularly for FAQs, articles, how-to's, tech tips and much more http://freepctech.com