Acquisition and evidence preservation methods may vary depending on the nature of the investigation. If the investigation is criminal, the integrity of the evidence must be preserved. This is achieved through a Chain of Custody, which begins when law enforcement identifies the computer or hard drive as potential evidence, and by creating a hash value when the hard drive is forensically imaged. Depending on the size of the hard drive, a full forensic image can take days to create. In some cases, in both criminal and non-criminal investigations, it may be necessary to access the data on the drive immediately. In those instances, it may be necessary to create a custom image before the full image, or to create a memory image that captures what was in active memory prior to the seizure of the device. As part of the Chain of Custody, the transfer of evidence must be documented.
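The hash-at-imaging and transfer-documentation steps described above can be tied together in one record. The following is an added example, not part of the original page; the record field names, the evidence ID and the examiner names are assumptions made for illustration, and SHA-256 is chosen here as the hash.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a very large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def open_custody_record(evidence_id, image_path, examiner):
    """Start the record at acquisition: who imaged what, when, and its hash."""
    return {
        "evidence_id": evidence_id,
        "acquired_by": examiner,
        "acquired_at": utc_now(),
        "acquisition_sha256": sha256_file(image_path),
        "transfers": [],
    }

def record_transfer(record, image_path, released_by, received_by, reason):
    """Re-hash at hand-over and log the transfer, flagging any mismatch."""
    current = sha256_file(image_path)
    entry = {
        "at": utc_now(),
        "released_by": released_by,
        "received_by": received_by,
        "reason": reason,
        "sha256": current,
        # False means the image no longer matches what was acquired.
        "matches_acquisition": current == record["acquisition_sha256"],
    }
    record["transfers"].append(entry)
    return entry

if __name__ == "__main__":
    # Constructed stand-in for a forensic image; all names below are made up.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"constructed sample image bytes" * 1000)
    rec = open_custody_record("CASE-0001-HDD1", tmp.name, "Examiner A")
    record_transfer(rec, tmp.name, "Examiner A", "Custodian B", "storage")
    print(json.dumps(rec, indent=2))
    os.unlink(tmp.name)
```
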

