Forensic imaging is the process of making an exact copy of a hard drive or other storage media. During the process, every 0 and 1 on the original disk or media is copied to the target disk or media. Before imaging begins, the destination drive must be zeroed or blanked (whereismydata.wordpress.com, 2009).
The raw image format is a bit-by-bit copy of the raw data on the source media, with nothing added or removed. Images produced in raw format do not contain any metadata; that metadata may instead be stored in additional files. Tools such as dd and its derivatives (dc3dd, dcfldd, etc.) typically write images in the raw format (forensicswiki.org, n.d.).
The tool output below shows a successful acquisition of the contents of the drive /dev/sdb1. The input MD5 and SHA1 values of /dev/sdb1 match the output values of the created image “forensicImage.raw”:
f44189506b2d888d810105af6ddbe760 forensicImage.raw
0aec1c7155dac2616adc0c577f4414c94b41590f forensicImage.raw
0aec1c7155dac2616adc0c577f4414c94b41590f forensicImage.raw
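As an added example (not code from the post, and not dd or dcfldd itself), the same acquire-and-verify step in Python: a constructed 4 KiB file stands in for /dev/sdb1, the destination is blanked first, the source is copied block by block into a raw image while its MD5 and SHA1 are computed on the input stream, and the finished image is re-hashed and size-checked against those digests. The file names, block size and the optional tamper check are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized blocks, dd's default bs

def acquire_raw(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of the source into a raw image, hashing the input stream
    as it is read (what dcfldd's hash=md5,sha1 reports). Returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
    return md5.hexdigest(), sha1.hexdigest()

def hash_file(path, block_size=BLOCK_SIZE):
    """Re-hash a finished image so output digests can be compared with input digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def image_and_verify(source_path, image_path):
    """Acquire, then confirm the written image matches the source in digests and size."""
    in_md5, in_sha1 = acquire_raw(source_path, image_path)
    out_md5, out_sha1 = hash_file(image_path)
    size_ok = os.path.getsize(source_path) == os.path.getsize(image_path)
    return {"md5": in_md5, "sha1": in_sha1,
            "verified": in_md5 == out_md5 and in_sha1 == out_sha1 and size_ok}

def demo(tamper=False):
    """Constructed sample: 4 KiB of random bytes stands in for /dev/sdb1 (assumed names)."""
    tmp = tempfile.mkdtemp()
    src, img = os.path.join(tmp, "sdb1.bin"), os.path.join(tmp, "forensicImage.raw")
    with open(src, "wb") as f:
        f.write(os.urandom(4096))
    with open(img, "wb") as f:  # blank the destination first, as the post advises
        f.write(b"\x00" * 4096)
    result = image_and_verify(src, img)
    if tamper:  # flip one byte of the image; the recorded input digests must no longer match
        with open(img, "r+b") as f:
            f.seek(100); b = f.read(1); f.seek(100); f.write(bytes([b[0] ^ 0xFF]))
        result["verified"] = hash_file(img) == (result["md5"], result["sha1"])
    return result
```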
References:
https://whereismydata.wordpress.com/2009/06/27/forensics-what-is-imaging/
http://forensicswiki.org/wiki/Raw_Image_Format