Friday, June 5, 2015

Forensic Imaging and their Formats - DD (raw)

Forensics imaging is the process of making an exact copy of a hard drive and or some other type of media. During the process, every 0 and 1 on the original disk/media is copied to the target disk/media. Prior to performing imaging, the destination drive must be zeroed or blanked (whereismydata.wordpress.com, 2009). 


The raw image format is a bit-by-bit copy of the raw data on the source media without any additions and or deletions. Images produced in raw format does not contain any metadata. However, this metadata may be stored in additional files. Tools such as dd and it’s derivatives (dc3dd, dcfldd, etc) typically writes images in the raw format (forensicswiki.org, n.d.).


The image below shows a successful acquisition of the contents of the drive /dev/sdb1. The input md5 and sha1 values of /dev/sdb1 matches the output value of the created image “forensicsImage.raw”

f44189506b2d888d810105af6ddbe760  forensicImage.raw
0aec1c7155dac2616adc0c577f4414c94b41590f  forensicImage.raw
 



Reference:
https://whereismydata.wordpress.com/2009/06/27/forensics-what-is-imaging/
http://forensicswiki.org/wiki/Raw_Image_Format


In this series

Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)
Forensic Imaging and their Formats - DD (raw)

No comments:

Post a Comment