Imaging Basics

Incident response analysts often need to image digital evidence to find files, user data, and other details related to incidents like fraud or data leakage. Forensic imaging involves acquiring a complete and court-admissible copy of a suspect drive using appropriate tools and documentation. There are two main types of imaging - live imaging captures logical volumes from a running system, while dead imaging removes and copies an entire disk, including all volumes and metadata. Common image file types include raw images, which only contain drive data without extra information, and logical images, which include file system and partition details.

5 Understanding Forensic Imaging
One critical task that incident response analysts will often have to perform is imaging digital evidence. As discussed in prior chapters, a great deal of evidence related to an incident can be found within log files, memory, and other areas that can be acquired relatively quickly. Some incidents, such as internal malicious activity involving fraud, industrial espionage, or data leakage, may require a more detailed search for evidence. This evidence includes the Master File Table entries, files, and specific user data contained on the hard drive of a suspect system. When incident response analysts encounter such circumstances, they will be required to obtain an image of the suspect drive. As with any aspect of digital forensics, obtaining a usable and court-defensible image relies on the appropriate tools, techniques, and documentation. This chapter explores the fundamental concepts of digital imaging and the preparation and use of tools to acquire a forensically sound image of a physical drive or other logical volume.

Overview of forensic imaging


Having a solid understanding of the facets of forensic imaging is important for incident response analysts. Understanding the tools, techniques, and procedures ensures that evidence is handled properly and that the analyst has confidence in the evidence acquired. In addition, understanding the terminology allows analysts to accurately prepare reports and testify to their findings if the need arises.

The type of incident being investigated largely dictates the type of imaging that is conducted. For example, if an analyst is able to identify a potentially malicious file being executed from the D: drive and intends to capture only that data, it might be faster to image only that volume. In other cases, where activity such as employee misconduct is suspected, the analyst needs to trace as much activity as possible and time is less of a factor, so a full image of the physical volume is conducted.

In Chapter 3, Network Evidence Collection, there was an extensive discussion of the acquisition of evidence such as log files and running memory from a live or powered-up system. In much the same way, incident response analysts have the capability to obtain a logical volume from a running system. This technique is referred to as live imaging. Live imaging may be the best option if the potentially compromised system cannot be taken offline, say a high-availability production server, and the potential evidence is located within a logical volume.

Dead imaging is performed on a system that is powered down and whose hard drive has been removed. In this type of imaging, the analyst is able to capture the entire disk, including all volumes and the Master Boot Record. This may become necessary in incidents where analysts want to be sure to capture the entirety of the source evidence so that there is no location that goes unexamined.

A final aspect of forensic imaging that an analyst should have knowledge of is the type of image files that can be created and leveraged during an investigation. There are a number of image file formats, some very specialized, but for the purposes of this book, the focus will be on the two most common types of evidence files that analysts would most likely create and work with during an incident:

Raw image: A raw image file contains only the data from the imaged volume. No additional data is provided in this type of image, although some imaging tools, such as FTK Imager, include a separate file with imaging information. Raw image outputs use the extensions .raw, .img, or .dd.
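As an added illustration, not code from the book or from any imaging tool it mentions, the routine below copies a source block-for-block into a raw .dd image, hashes both the source stream and the finished image, and, because the raw format holds no metadata, records the acquisition details in a separate info file alongside the image. The sidecar layout, its field names, and the examiner and case values are assumptions; the sample source is a constructed random file standing in for a suspect volume.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read blocks, hashed as they stream through

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_raw(source_path, image_path, examiner, case_id):
    """Copy the source block-for-block into a raw (.dd) image and record the
    acquisition details in a sidecar file, since a raw image carries no metadata."""
    src_hash, size = hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
            size += len(chunk)
    info = {"case_id": case_id, "examiner": examiner, "source": source_path,
            "image": image_path, "bytes": size,
            "source_sha256": src_hash.hexdigest(),
            "image_sha256": sha256_file(image_path),  # re-read what landed on disk
            "acquired_utc": datetime.now(timezone.utc).isoformat()}
    with open(image_path + ".info.json", "w") as f:  # assumed sidecar layout
        json.dump(info, f, indent=2)
    return info

def verify_image(image_path):
    """True only if the image on disk still matches both hashes recorded at acquisition."""
    with open(image_path + ".info.json") as f:
        info = json.load(f)
    return sha256_file(image_path) == info["image_sha256"] == info["source_sha256"]

def demo():
    """Constructed sample: a small random file stands in for the suspect volume."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "suspect_volume.bin"), os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a CHUNK multiple
    info = acquire_raw(src, img, examiner="A. Analyst", case_id="CASE-0001")
    ok_before = verify_image(img)
    with open(img, "r+b") as f:  # flip one bit in the image to show detection
        f.seek(10); byte = f.read(1); f.seek(10); f.write(bytes([byte[0] ^ 1]))
    return info["bytes"], ok_before, verify_image(img)
```

Re-running verify_image before analysis and again before reporting is the check that ties the image back to the hashes documented at acquisition time.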
