Forensic Drive Imaging

What is a Forensic Drive Image?

A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It is a bit-for-bit, or bit-stream, file that is an exact, unaltered copy of the media being duplicated. Forensic imaging allows the investigator to create and restore drive image files, which are bit-by-bit copies of a partition, physical disk or volume.

To prevent write access to the disk, we use various write blockers and forensic methodologies. In addition, we calculate a cryptographic hash of the entire disk before imaging the device. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256. The hash establishes the integrity of the image: it makes it possible to determine whether the data in the image has been changed or altered.
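The hash-then-image-then-verify sequence described above, as an added example that is not part of the original page. It assumes a regular file standing in for the drive (write blocking is not modelled); the function names, file names and sample data are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the hashes named in the text
CHUNK = 1024 * 1024                     # read 1 MiB at a time, never the whole disk

def hash_stream(path, algorithms=ALGORITHMS, chunk=CHUNK):
    """Return {algorithm: hexdigest} for a file or device node, read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire(source, image, chunk=CHUNK):
    """Hash the source first, then copy it bit for bit into the image file."""
    recorded = hash_stream(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
    return recorded

def verify(image, recorded):
    """Return the algorithms whose digest no longer matches the recorded value."""
    current = hash_stream(image, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name]]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")  # constructed stand-in for a drive
        image = os.path.join(tmp, "image.dd")
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * 12289)   # constructed data, not a multiple of CHUNK
        recorded = acquire(source, image)
        clean = verify(image, recorded)           # untouched image: no mismatches
        with open(image, "r+b") as fh:            # alter a single bit of the image
            fh.seek(CHUNK + 10)
            byte = fh.read(1)[0]
            fh.seek(CHUNK + 10)
            fh.write(bytes([byte ^ 0x01]))
        altered = verify(image, recorded)         # every digest now differs
        return clean, altered

if __name__ == "__main__":
    print(demo())
```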

Why image a disk? A forensic image prevents tampering with the original data or evidence and allows you to analyze the copy without worrying about destroying the original data.

Once a forensic image sample is collected correctly, it is far more useful as evidence and stands a much greater chance of being admissible in the event of prosecution. Using the latest forensic tools and techniques for drive imaging, our team is able to conduct a comprehensive examination of the provided data or image and give a detailed report of the findings.

Further reading

Disk Image?

What is a cryptographic hash function?

Forensic Toolkit