You never want to work on the original media. So, how do you go about an investigation if you cannot use the evidence itself? You create an image of the drive(s). When you image a drive you take the contents of the entire drive and write them into a file on another hard drive, and that file is what you work with later. In this course we will keep it simple and use small USB drives to learn this technique, but keep in mind that in practice you could be running this process on extremely large drives.
There are various methods you can use to create your forensic image, both open source and proprietary. In this course we will focus on the open source formats: RAW and Advanced Forensic Format (AFF).
RAW: This was the standard way of imaging in the past. You simply create a bit-by-bit copy from one disk to another disk of equal or larger size.
AFF: This is an enhanced format: it stores additional metadata, can compress the image using zlib or LZMA, and supports encryption of the image.
Proprietary: Each vendor has its own methodology and feature set for storing the disk image.
Once you have created your forensic image, it is always a good idea to make a copy of it. This is a safety net in case the original becomes corrupted.
When you image a drive you do not want it to become visible or writable to the operating system. Depending on the OS, mounting it could alter data and possibly make the evidence invalid. This is why you will want to use a write blocker when imaging a drive: it prevents anything from being written to the evidence drive. You can do this with a piece of hardware, by configuring your system to disable automounting, or by using a software tool.
During this course, do not worry about this, as I do not expect you to reconfigure your system, purchase expensive hardware or remember to use a utility. Just make sure you remember that this is critical when doing this in the future!
Being able to partition a USB drive in Kali Linux is essential, as it will allow you to practice the commands covered in this module and future modules. Make sure you are comfortable partitioning a drive, as you will need to possess this skill for this course.
I have provided demonstrations with explanations on how to image a drive in Linux and Windows. In Kali Linux, I will show you several different options that can be used.
The dd command in Linux can be used to copy data. It does work in a forensic environment, but it is probably not the best tool to use, since it lacks the hashing and verification features of the tools below.
The dcfldd command is an enhanced version of the dd command. It provides additional features such as hashing, encryption and a progress report while it is copying data.
The dc3dd command is a specialized tool developed for digital forensics. It has advanced features such as hashing and data verification during the imaging process.
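The acquisition, hashing and verified-copy steps described above, written out as an added shell example (this is not part of the course materials). It uses plain dd plus sha256sum, since those are on every Linux system; the dcfldd and dc3dd options named in the comments are the equivalents with built-in hashing. A regular file stands in for the evidence drive so the script runs without root or a real device; the paths and the 32 KiB sample content are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: RAW acquisition with hashing, verification and a verified working copy.
# A regular file stands in for the evidence device so this runs without root.
# With a real drive, the source would be a block device behind a write blocker.
set -u

# Print the SHA-256 digest of a file or device (first field of sha256sum output).
hash_file() {
  sha256sum -- "$1" | awk '{print $1}'
}

# Bit-for-bit RAW copy of the source into an image file.
# conv=noerror,sync keeps going past unreadable sectors and pads them with zeros,
# the usual forensic setting; bs=512 matches the sector size, so the padding never
# changes the length of a device-sized source.
acquire_raw() {
  local src="$1" img="$2"
  dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
  # Record the digests of source and image next to the image, the way
  # dcfldd's hash=sha256 hashlog=... and dc3dd's hash=sha256 log=... do.
  {
    printf 'source %s %s\n' "$src" "$(hash_file "$src")"
    printf 'image  %s %s\n' "$img" "$(hash_file "$img")"
  } > "$img.sha256.log"
}

# Succeed only if the two paths hash identically.
verify_image() {
  [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Make the safety-net copy of an image and verify it before trusting it.
duplicate_image() {
  cp -- "$1" "$2" && verify_image "$1" "$2"
}

# Build a constructed 32 KiB "evidence device": zeros with a little text in it.
make_sample_evidence() {
  dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
  printf 'constructed sample data, not a real file system' |
    dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Demonstration run in a throw-away directory.
demo_dir=$(mktemp -d)
make_sample_evidence "$demo_dir/evidence.bin"
acquire_raw "$demo_dir/evidence.bin" "$demo_dir/case001.dd"
verify_image "$demo_dir/evidence.bin" "$demo_dir/case001.dd" && echo "image verified"
duplicate_image "$demo_dir/case001.dd" "$demo_dir/case001-copy.dd" && echo "working copy verified"
cat "$demo_dir/case001.dd.sha256.log"
rm -rf "$demo_dir"
```

The hash log is the piece that matters later: it is what lets you show that the image you analysed is identical to the media you acquired, and that the working copy you actually opened is identical to the image.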
Guymager is a graphical user interface (GUI) tool that can be used for imaging. It has some advanced features, but supports only a limited range of hashing algorithms.
FTK Imager is the Windows acquisition software we will use. It is an easy-to-use tool for creating forensic images.