Disk Imaging and Analysis
A Disk Image is a copy of the storage device that not only includes only the data visible to the user but also includes hidden directories, boot records, partitioned tables, deleted files, unallocated sectors, etc. In short, we can say that a Forensic Disk Image is an exact sector by sector cloned copy of any computer system that is used for investigation purposes to prevent data alteration on the actual system. It is the process in which, we use tools that make an exact copy of the hard disk that can be examined using some special forensic investigation tools covered in the later sections.
Types of Forensic Disk Image
In this section, we will be discussing the types of Forensic Disk Images which can be broadly classified into two types:
- Disk to File Image: In this type of copy, the data located on the drive under investigation is transferred to a file on another disk. In these processes, a sector by sector cloning is done. The usually found extensions of these kinds of disks are in DD(.raw) , and E01 (Encase formats).
- Disk to Disk Image: In this type the goal is simple, we just simply copy all the data to another disk with a condition that the Destination Disk Should be greater than that of the disk under investigation.
Disk Imaging and Analysis
Creating a proper forensic disk image is a very easy task that can be efficiently performed with the help of the tools in the forensic toolkit.
The basic thing that we need to keep in mind, that no data should be altered or removed in any way from the disk. So , whenever the disk is used in a Windows Environment, the windows creates several log files and some other files on the system, and can even manipulate USB records etc.
So , to prevent this and run the disk safely in a windows environment, we use a special Device called a WRITE BLOCKER. Its Simple motive is to prevent any data alteration on the media under investigation.
