Brain Dump

Digital Image

Tags
security

Creating a digital clone or reference copy of a data-storage medium such as a hard disk or a computer's RAM. This is a key part of preservation & collection for digital forensics.

The image includes not only files visible to the OS but every bit of data: every sector, partition, file, folder, master boot record, deleted file and unallocated space.

Variants (see page 3):

  • Disk to image: Copy disk to a binary image file which can be loaded as a virtual disk.
  • Disk to disk: Copy disk data to another disk.

Formats of a disk image can be (see page 4):

  • DD: direct bit-by-bit copy of the original image
  • E01: extension of DD which stores extra info (example: hash of disk)
  • AFF (Advanced Forensics File): stores more info than the other 2

An image can be created with FTK Imager or the dd (Disk Dump) command.

Verifying Image Integrity

How do we guarantee the contents of a copy are the same as the original? (see page 8)

We produce an MD5 hash (see page 9) of both the original and the copy's disk data and then compare the hashes to assert whether they're the same or not.

This process can also be repeated at any point in the forensics process to ensure the integrity of the disk data.
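
The disk-to-image copy and the hash comparison described above, as an added example that is not part of the original notes. It assumes GNU coreutils (dd, md5sum); the function names, the .md5 sidecar file and the 1 MiB file standing in for a disk are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: disk-to-image copy with dd, then MD5 comparison.
# A constructed 1 MiB file stands in for the source disk so this runs offline.

md5_of() {                        # print only the digest of a file or device
    local out
    out=$(md5sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# acquire SRC IMG: bit-by-bit copy, compare hashes, record the hash in IMG.md5
acquire() {
    local src="$1" img="$2" h_src h_img
    h_src=$(md5_of "$src") || return 1
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 1
    h_img=$(md5_of "$img") || return 1
    [ "$h_src" = "$h_img" ] || return 1    # copy differs from the original
    printf '%s\n' "$h_src" > "$img.md5"    # sidecar file (hypothetical name)
}

# verify_image IMG: re-hash at any later point and compare with the record
verify_image() {
    local img="$1"
    [ -s "$img.md5" ] || return 1          # no recorded hash to compare with
    [ "$(md5_of "$img")" = "$(cat "$img.md5")" ]
}

demo() {
    local work
    work=$(mktemp -d) || return 1
    head -c 1048576 /dev/zero > "$work/disk.raw"       # constructed "disk"
    acquire "$work/disk.raw" "$work/disk.dd" \
        && echo "acquired, MD5 $(cat "$work/disk.dd.md5")"
    verify_image "$work/disk.dd" && echo "image intact"
    # Overwrite a single byte of the image in place (no truncation)
    printf 'X' | dd of="$work/disk.dd" bs=1 seek=4096 conv=notrunc 2>/dev/null
    verify_image "$work/disk.dd" || echo "image modified: hash mismatch"
    rm -rf "$work"
}

demo
```

On a real acquisition SRC would be the device node of the source disk rather than a file, and the recorded hash would be kept with the case notes so the check can be rerun later.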