Part 2 of 5

Disk Imaging Techniques

🕑 150-180 minutes 📖 Intermediate Level 📋 Module 4

Introduction

Forensic disk imaging is the foundation of digital forensics. Creating an exact bit-for-bit copy of storage media ensures that the original evidence remains pristine while allowing thorough analysis on the duplicate. This part covers the standards, tools, and techniques essential for forensically sound imaging.

📚 Learning Objectives

By the end of this part, you will understand forensic imaging standards and best practices, properly use write blockers to prevent evidence contamination, create forensic images using dd and FTK Imager, and verify image integrity using cryptographic hash functions.

Forensic Imaging Standards

Forensic imaging must meet strict standards to ensure evidence is admissible in court. The primary goal is to create an exact duplicate that can be verified as identical to the original.

Key Principles

  • Bit-for-bit copy: Every sector must be copied, including unused space and slack
  • No modification: The original evidence must not be altered in any way
  • Verification: Hash values must confirm the copy is identical to the original
  • Documentation: Every step must be thoroughly documented

Image Types

Image Type      Description                                    Use Case
Physical Image  Complete bit-for-bit copy of the entire drive  Full forensic analysis, recovery
Logical Image   Copy of specific files/folders only            Targeted collection, limited time
Sparse Image    Only non-zero sectors copied                   Large drives, mostly empty

Always Prefer Physical Imaging

When time and storage permit, always create a physical image. Logical images miss deleted files, slack space, and other potentially crucial evidence. A physical image captures everything, including what the file system cannot see.

Forensic Imaging Workflow

A standardized workflow ensures consistency and thoroughness in every imaging operation.

Standard Forensic Imaging Process: 1. Document Evidence → 2. Connect Write Blocker → 3. Calculate Source Hash → 4. Create Image → 5. Verify Image Hash → 6. Document Results

Step 1: Document Evidence

Before touching the drive, document everything:

  • Photograph the drive and any labels
  • Record make, model, and serial number
  • Note interface type and physical condition
  • Document date, time, and examiner name

Step 2: Connect Through Write Blocker

Never connect evidence directly to a forensic workstation. Always use a verified write blocker.

Step 3: Calculate Source Hash

Before imaging, calculate hash values of the source drive. This establishes the baseline for verification.

Step 4: Create Image

Use appropriate forensic imaging software to create a bit-for-bit copy.

Step 5: Verify Image Hash

Calculate hash of the created image and compare to source hash. They must match exactly.

Step 6: Document Results

Record all hash values, image file details, any errors encountered, and total time taken.

Write Blocking

Write blockers prevent any data from being written to the evidence drive. This is essential for maintaining evidence integrity and is a fundamental requirement for forensic acquisition.

Types of Write Blockers

Hardware Write Blockers

Physical devices that intercept write commands at the hardware level:

  • Most reliable and court-accepted method
  • Available for SATA, SAS, USB, IDE, NVMe interfaces
  • No software dependencies
  • Examples: Tableau, WiebeTech, CRU

Software Write Blockers

Operating system utilities that prevent write operations:

  • Lower cost alternative
  • Depends on OS functioning correctly
  • May not block all write paths
  • Examples: Linux mount options, Windows Registry modifications

🔍 Hardware vs Software Blockers

For court-admissible evidence, hardware write blockers are strongly preferred. They operate independently of the operating system and cannot be circumvented by software bugs or malware. Software blockers may be acceptable for internal investigations or preliminary analysis but document which method was used.

Write Blocker Verification

Before each use, verify the write blocker is functioning correctly:

  1. Connect a test drive through the blocker
  2. Attempt to write data to the drive
  3. Verify the write operation failed or was blocked
  4. Document the test results
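The four-step check above, written out as an added shell function (not part of the original module and not any vendor's test tool): it tries to write a single sector to the device sitting behind the blocker and reports whether the write was refused. The function name, the log wording and the use of `blockdev --getro` to display Linux's software read-only flag are assumptions of this example; point it only at a scratch drive, since a successful write overwrites that drive's first sector.

```shell
# check_write_blocked DEV
#   Attempts to write one 512-byte sector of zeros at the start of DEV without
#   truncating it. Returns 0 when the write was refused (the blocker works) and
#   1 when the write went through (the path is NOT blocked). Only ever run it
#   against a scratch drive connected through the blocker under test.
check_write_blocked() {
    dev=$1
    # On Linux a block device also carries a software read-only flag; print it
    # when the tool is present so the test record shows both flag and outcome.
    # (Skipped for regular files and character devices.)
    if [ -b "$dev" ] && command -v blockdev >/dev/null 2>&1; then
        printf 'ro flag for %s: %s\n' "$dev" "$(blockdev --getro "$dev" 2>/dev/null)"
    fi
    # conv=notrunc keeps dd from truncating a regular file; on a device it is a no-op.
    if dd if=/dev/zero of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null; then
        printf 'write to %s SUCCEEDED: not blocked\n' "$dev"
        return 1
    fi
    printf 'write to %s refused: blocked\n' "$dev"
    return 0
}
```

Record the printed line together with the date and the blocker's serial number as the test result for step 4. On Linux, `blockdev --setro /dev/sdX` is the kernel-level software block the module refers to; this check is how you confirm that the flag (or a hardware blocker) actually refuses writes rather than trusting the setting.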

SSD and Write Blockers

Standard write blockers may not block all SSD operations. TRIM commands, for example, can erase data even when the drive appears read-only. Use write blockers specifically designed for SSDs or disable TRIM at the OS level before connecting evidence SSDs.

Hash Verification

Cryptographic hash functions create a fixed-length fingerprint of data that changes if even a single bit of the input changes. In forensics, matching hashes prove that evidence has not been modified.

Common Hash Algorithms

Algorithm  Length              Forensic Use
MD5        128-bit (32 hex)    Legacy support, fast, but cryptographically broken
SHA-1      160-bit (40 hex)    Legacy, also broken; avoid for new work
SHA-256    256-bit (64 hex)    Current standard, recommended
SHA-512    512-bit (128 hex)   Highest security, slower

💡 Best Practice: Use Multiple Hashes

Calculate both MD5 and SHA-256 hashes for each acquisition. MD5 provides backward compatibility with older systems and databases, while SHA-256 provides cryptographic security. If both match, you have strong verification.

When to Hash

  • Before imaging: Establish original state of evidence
  • During imaging: Some tools calculate as they copy
  • After imaging: Verify image matches source
  • Before analysis: Confirm image hasn't changed
  • After analysis: Prove image wasn't modified

Imaging with dd

The dd command is a powerful Unix/Linux utility for low-level data copying. It's commonly used in forensics for creating raw disk images.

Basic dd Syntax

Bash
# Basic forensic imaging command
dd if=/dev/sdb of=/evidence/case001/disk.raw bs=4M conv=noerror,sync status=progress

Key Parameters

  • if= (input file): The source device to image
  • of= (output file): The destination image file
  • bs= (block size): Size of each read/write operation (4M is efficient)
  • conv=noerror: Continue on read errors instead of stopping
  • conv=sync: Pad error blocks with zeros to maintain alignment
  • status=progress: Show progress during copying

dd with Hash Verification

Bash
# Calculate the source hash first. sha256sum prints "<digest>  <name>", so keep
# only the digest: otherwise the name ("/dev/sdb" here, "-" for the stdin hash
# below) would make the two files differ even when the digests are identical.
sha256sum /dev/sdb | awk '{print $1}' > source_hash.txt

# Create the image and hash the same byte stream as it is written.
# Caveat: conv=sync pads every input block to bs, so with bs=4M a drive whose
# size is not a multiple of 4 MiB receives trailing zero padding and the image
# hash will not match the source hash. Use bs=512 together with conv=sync when
# the hashes must agree. A drive with unreadable sectors will not hash cleanly
# with sha256sum at all; record the error and rely on the imaging tool's log.
dd if=/dev/sdb bs=4M conv=noerror,sync status=progress | tee disk.raw | sha256sum | awk '{print $1}' > image_hash.txt

# Verify the digests match (diff prints nothing when they are identical)
diff source_hash.txt image_hash.txt && echo "Hashes match"
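The following POSIX shell functions are an added, runnable example (not code from the original module and not any forensic tool's own code) that carry out steps 3 to 5 of the workflow with dd and also cover the "before analysis" and "after analysis" checks from the Hash Verification section: hash the source, image it while hashing the copied stream, re-hash the written file, compare all three digests and append a log record. The function names, the log line format and the choice of `bs=512` are this example's assumptions; SRC, IMAGE and LOG are whatever paths the caller passes. Try it on a scratch file first; in an acquisition SRC would be the write-blocked evidence device.

```shell
# acquire_and_verify SRC IMAGE LOG
#   Images SRC into IMAGE with dd, hashing the source beforehand and the copied
#   byte stream during the copy, then re-hashes the written file.
#   Returns 0 when all three SHA-256 digests agree, 1 otherwise.
acquire_and_verify() {
    src=$1; img=$2; log=$3

    # Baseline: hash the source before imaging. sha256sum prints "<digest>  <name>",
    # so keep only the first field (the name would be the device path here and "-"
    # for the stream below, which would spoil a textual comparison). An empty result
    # means sha256sum could not read the whole source (e.g. bad sectors): stop here.
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    [ -n "$src_hash" ] || return 1

    # Copy with dd. conv=noerror,sync continues past unreadable blocks and pads
    # them with zeros. bs=512 (one sector) is deliberate when conv=sync is used:
    # a larger bs would zero a whole block around each bad sector and, because
    # conv=sync also pads the final short read, would append padding to any drive
    # whose size is not a multiple of bs, changing the image hash. tee writes the
    # image while sha256sum hashes the same bytes, so the source is read only once
    # here. dd's own record counts and any errors go into the log.
    stream_hash=$(dd if="$src" bs=512 conv=noerror,sync 2>>"$log" | tee "$img" | sha256sum | awk '{print $1}')

    # Re-hash the file that actually landed on disk: this catches write errors
    # that hashing the stream cannot see.
    file_hash=$(sha256sum "$img" | awk '{print $1}')

    # Append a log record (timestamp and digests; examiner name and drive details
    # are recorded separately by the caller).
    printf '%s src=%s image=%s source_sha256=%s stream_sha256=%s file_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$src_hash" "$stream_hash" "$file_hash" >> "$log"

    [ "$src_hash" = "$stream_hash" ] && [ "$stream_hash" = "$file_hash" ]
}

# verify_image IMAGE EXPECTED_SHA256
#   Re-hashes an existing image (before and after analysis) and compares it to
#   the digest recorded at acquisition. Returns 0 on match, 1 on mismatch.
verify_image() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}
```

Usage: `acquire_and_verify /dev/sdb /evidence/case001/disk.raw /evidence/case001/acq.log` at acquisition time, then `verify_image /evidence/case001/disk.raw <recorded digest>` before and after every analysis session. The exit status is what a wrapper script or case-management tool should check; the digests themselves belong in the case documentation.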

dc3dd: Forensic dd Alternative

dc3dd is a patched version of dd with forensic features built-in:

Bash
# dc3dd with automatic hashing and logging (hash= may be given more than once).
# Using hof= instead of of= makes dc3dd re-hash the written image and report
# whether it matches the input hash.
dc3dd if=/dev/sdb of=disk.raw hash=md5 hash=sha256 log=imaging.log

Critical Warning: if and of

Double-check your input (if=) and output (of=) parameters! Reversing them writes over the evidence drive, destroying it completely. Always verify device names with 'lsblk' or 'fdisk -l' before running dd.

FTK Imager

FTK Imager is a free forensic imaging tool from Exterro (formerly AccessData). It provides a graphical interface and supports multiple image formats.

Supported Image Formats

Format         Extension    Features
Raw (dd)       .raw, .001   Universal compatibility, no compression
E01 (EnCase)   .E01         Compression, built-in hashing, metadata
AFF            .aff         Open format, compression, extensible
SMART          .s01         ASR Data format, compression

FTK Imager Features

  • Create physical, logical, and memory images
  • Mount images for preview without modification
  • Export individual files from images
  • Verify existing images
  • Create file hashes
  • Split large images into segments

Creating an Image with FTK Imager

  1. Connect evidence through write blocker
  2. Launch FTK Imager
  3. File → Create Disk Image
  4. Select source type (Physical Drive)
  5. Select the evidence drive
  6. Add image destination (choose format, e.g., E01)
  7. Enter case information and evidence details
  8. Select verification options (MD5, SHA1, SHA256)
  9. Click Start to begin imaging
  10. Review verification results upon completion

💡 E01 Format Benefits

E01 (Expert Witness Format) is often preferred because it includes compression (saving storage space), embeds hash values and case metadata, supports file segmentation, and is widely supported by forensic tools. The compression is lossless - every bit is preserved.

Other Imaging Tools

Various other tools are available for forensic imaging, each with specific strengths.

Guymager (Free / Open Source)

Fast, GUI-based Linux imaging tool. Supports E01, AFF, and raw formats. Popular in forensic distributions like CAINE.

EnCase Forensic (Commercial)

Industry-standard commercial tool. Comprehensive imaging and analysis. Creates E01 format natively.

Autopsy/Sleuth Kit (Free / Open Source)

Open source forensic platform. Can create and analyze images. Good for Linux-based workflows.

X-Ways Forensics (Commercial)

German commercial tool known for speed and efficiency. Supports various image formats.

Image Format Considerations

Choosing the right image format depends on your workflow, tools, and storage constraints.

Raw vs Forensic Formats

Aspect          Raw (.raw/.dd)     E01
Compression     None               Lossless compression
Storage Size    Same as source     Often 30-50% smaller
Metadata        None embedded      Case info, hashes included
Compatibility   Universal          Most forensic tools
Speed           Fastest creation   Slower (compression)

📚 Key Takeaways
  • Always use write blockers - hardware preferred for court-admissible evidence
  • Calculate hashes before, during, and after imaging to verify integrity
  • Use both MD5 and SHA-256 for compatibility and security
  • Document everything: drive details, hash values, time, examiner, any errors
  • dd is powerful but dangerous - always verify if/of parameters
  • FTK Imager provides user-friendly interface and E01 format support
  • E01 format offers compression and embedded metadata - often the best choice
  • Test write blockers before each use to ensure proper function