Forensic Acquisition & Imaging

Creating Forensically Sound Evidence Copies

Section 2 of 12

Understanding Storage Media

Hard Disk Drives (HDD)

  • Magnetic storage with spinning platters
  • Deleted data persists until the sectors are overwritten
  • Deleted files are usually recoverable with standard carving tools
  • Standard imaging techniques apply

Solid State Drives (SSD)

  • Flash memory with no moving parts
  • TRIM lets the controller erase deleted blocks in the background, so deleted data is often unrecoverable
  • Wear leveling means the logical address the OS sees is not where the data physically sits
  • Image as soon as possible: garbage collection runs whenever the drive is powered, even behind a write-blocker

USB Flash Drives

  • Portable flash storage devices
  • Often contain critical evidence
  • Image through a USB write-blocker
  • Typically formatted FAT32 or exFAT rather than the host's native file system

Memory Cards

  • SD cards, microSD, CompactFlash
  • Common in phones and cameras
  • Small form factor storage
  • Use a forensic (write-blocking) card reader; the SD lock switch is only advisory to the host

Write-Blocking Technologies

Why Write-Blockers?

Write-blockers prevent any modifications to the original evidence during acquisition. This is critical for maintaining evidence integrity and legal admissibility.

⚠️ Warning:

Without write-blocking, even connecting a drive can alter timestamps, create log files, or trigger file system updates!

Types of Write-Blockers

Hardware Write-Blockers

Physical devices between drive and computer

  • Most reliable and trusted method
  • Supports multiple interfaces (SATA, IDE, USB)
  • Examples: Tableau, CRU WiebeTech

Software Write-Blockers

OS-level write protection

  • Less expensive than hardware
  • May not block all write operations: a read-only mount can still replay a file system journal, so also set the block device read-only (blockdev --setro) and mount ext file systems with ro,noload
  • Examples: Linux blockdev --setro and mount -o ro; the Windows StorageDevicePolicies WriteProtect registry value for USB storage

Forensic Image Formats

Raw Format (DD)

.dd, .raw, .img

Bit-by-bit copy of the entire drive. Simple, universal format supported by all forensic tools.

Advantages:

  • Universal compatibility
  • Simple structure
  • Fast acquisition

Disadvantages:

  • No compression
  • No embedded metadata (hashes and case notes must be kept in separate files)
  • Large file sizes (always the full size of the source device)

Expert Witness Format (E01)

.E01

Industry-standard format created by Guidance Software (EnCase, now OpenText). Includes compression and metadata.

Advantages:

  • Built-in compression
  • Stores case metadata
  • Per-chunk CRC checks plus a hash of the whole image (error detection, not correction)
  • Can split into segments

Disadvantages:

  • Proprietary format (the open-source libewf implementation documents it)
  • Slower than raw because of compression
  • More complex

Advanced Forensic Format (AFF)

.aff, .afd

Open-source forensic format designed to overcome limitations of proprietary formats; AFF4 is the current revision.

Advantages:

  • Open source
  • Compression support
  • Extensive metadata
  • Encryption capable

Disadvantages:

  • Less widely adopted
  • Limited tool support

Creating Forensic Images with DD

```bash
# Basic dd command for disk imaging (source attached through a write-blocker).
# conv=noerror,sync keeps going after a read error and zero-fills the failed
# block; dd only reports the error on stderr, so keep a record of them.
sudo dd if=/dev/sdb of=/evidence/case001/suspect_drive.dd bs=4096 conv=noerror,sync status=progress

# Using dcfldd (enhanced dd): hashes the data as it streams through, in 1 GiB
# windows plus a total, and writes the digests to a log file
sudo dcfldd if=/dev/sdb of=/evidence/case001/suspect_drive.dd \
  hash=md5,sha256 \
  hashwindow=1G \
  hashlog=/evidence/case001/hash.log \
  bs=4096 \
  conv=noerror,sync \
  status=on

# Verify the image: hash the image file and compare against the totals in
# hash.log, or re-hash the source device through the write-blocker. The
# hashes match unless unreadable blocks had to be zero-filled.
md5sum /evidence/case001/suspect_drive.dd
sha256sum /evidence/case001/suspect_drive.dd
sudo sha256sum /dev/sdb
```

Command Explanation

  • if= Input file (source drive)
  • of= Output file (image destination)
  • bs= Block size (4096 matches the physical sector of modern drives; with sync it is also how many bytes one read error costs)
  • conv=noerror,sync noerror keeps going after a read error; sync pads a failed or short read to bs with zeros so image offsets stay aligned with the source
  • status=progress Show progress during imaging (dcfldd uses status=on)
  • hashwindow= / hashlog= (dcfldd) Hash each window of input separately and write all digests to a log
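The acquisition loop and the hash verification described above, as an added illustration that is not code from the page, from dd or from dcfldd. It reproduces the conv=noerror,sync behaviour (continue past a read error, zero-fill the block so offsets stay aligned) and dcfldd's hashwindow= log, then verifies the image against the recorded totals. FlakyDevice, the 64 KiB sample data and the unreadable block at offset 8192 are constructed stand-ins for a real /dev/sdX with a bad sector.

```python
"""dd-style acquisition with conv=noerror,sync semantics and windowed hashing.
Added example; FlakyDevice and the sample data are constructed stand-ins."""
import hashlib
import io

BLOCK = 4096  # bs=4096 as on the page; a failed read costs this many bytes


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device with unreadable sectors:
    any read that touches an offset in `bad_offsets` raises EIO."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad = set(bad_offsets)

    def read(self, n=-1):
        start = self.tell()
        end = start + n if n >= 0 else len(self.getvalue())
        if any(start <= b < end for b in self.bad):
            raise OSError(5, "Input/output error")
        return super().read(n)


def acquire(src, dst, bs=BLOCK, hashwindow=None, algos=("md5", "sha256")):
    """Bit-for-bit copy of src into dst.
    noerror: a read error is logged and imaging continues.
    sync:    the failed block (and a short final read) is zero-padded to bs,
             so every image offset still equals the source offset.
    hashwindow: as in dcfldd, emit digests per window plus a total."""
    total = {a: hashlib.new(a) for a in algos}
    window = {a: hashlib.new(a) for a in algos}
    windows, bad_blocks, offset = [], [], 0

    def close_window(start, end):
        windows.append((start, end, {a: h.hexdigest() for a, h in window.items()}))
        for a in algos:
            window[a] = hashlib.new(a)

    while True:
        src.seek(offset)  # resynchronise after a failed read
        try:
            chunk = src.read(bs)
        except OSError:
            bad_blocks.append(offset)
            chunk = b"\0" * bs  # noerror,sync: zero-fill the unreadable block
        else:
            if not chunk:
                break  # end of device
            chunk = chunk.ljust(bs, b"\0")  # sync pads a short final read
        dst.write(chunk)
        for a in algos:
            total[a].update(chunk)
            window[a].update(chunk)
        offset += bs
        if hashwindow and offset % hashwindow == 0:
            close_window(offset - hashwindow, offset)
    if hashwindow and offset % hashwindow:
        close_window(offset - offset % hashwindow, offset)
    return {"bytes": offset, "bad_blocks": bad_blocks,
            "hashes": {a: h.hexdigest() for a, h in total.items()},
            "windows": windows}


def hash_file(fileobj, algos=("md5", "sha256"), bs=BLOCK):
    """Stream hashes of an image file (or of the source device, for comparison)."""
    hs = {a: hashlib.new(a) for a in algos}
    fileobj.seek(0)
    for chunk in iter(lambda: fileobj.read(bs), b""):
        for h in hs.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def verify(report, image):
    """Re-hash the image and compare with the acquisition totals; every
    algorithm must match, and one flipped byte changes all of them."""
    return hash_file(image, tuple(report["hashes"])) == report["hashes"]


def hash_log(report):
    """Render a dcfldd-style hash log: windows, totals, then unreadable blocks."""
    lines = [f"{s} - {e}: {a} {d}" for s, e, ds in report["windows"]
             for a, d in ds.items()]
    lines += [f"Total ({a}): {d}" for a, d in report["hashes"].items()]
    lines += [f"unreadable block at offset {off}: zero-filled ({BLOCK} bytes)"
              for off in report["bad_blocks"]]
    return "\n".join(lines)


def demo():
    """Image a constructed 64 KiB drive with one bad block, verify, then
    tamper with one image byte and verify again."""
    data = bytes(range(256)) * 256                    # constructed sample drive
    device = FlakyDevice(data, bad_offsets={8192})    # constructed bad sector
    image = io.BytesIO()
    report = acquire(device, image, hashwindow=16384)
    intact = verify(report, image)
    image.getbuffer()[100] ^= 0xFF                    # tamper with the copy
    return report, intact, verify(report, image)


if __name__ == "__main__":
    report, before, after = demo()
    print(hash_log(report))
    print("verify:", before, "| verify after tampering:", after)
```

On a real acquisition the comparison in verify() is made against the hash of the source device taken through the write-blocker; when bad_blocks is non-empty the two will differ by design, and the log of zero-filled offsets is what documents that difference.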

Best Practices

  • Always use write-blockers
  • Hash the source and the image, and record both hashes with the case notes
  • Use sufficient destination storage (a raw image is the full size of the source)
  • Document the entire process
  • Never work on original evidence

FTK Imager - GUI Tool

What is FTK Imager?

Free forensic imaging tool from AccessData (now Exterro). Provides a graphical interface for creating forensic images in multiple formats including E01, DD, and AFF.

FTK Imager Workflow

1. Add Evidence Source: select a physical drive, logical drive, or existing image file

2. Create Disk Image: choose the format (E01, DD, AFF), compression, and segment size

3. Add Case Information: enter case number, examiner name, notes, and evidence details

4. Verify Image: FTK Imager calculates and verifies MD5 and SHA-1 hashes once the image is written

Features

  • Multiple format support
  • Automatic hash verification
  • Preview files before imaging
  • Mount images as drives

Use Cases

  • Windows-based investigations
  • Quick triage imaging
  • Evidence preview
  • Image conversion

Hash Functions & Verification

Why Hash Verification?

Cryptographic hash functions create effectively unique "fingerprints" of data. By comparing the hash of the source media with the hash of the image, and re-hashing the image whenever it is used, we can show that the copy matches the original and has not been altered since.

Properties of Hash Functions

  • Deterministic: Same input = same hash
  • One-way: Cannot reverse hash to get data
  • Collision-resistant: Hard to find two inputs with same hash
  • Avalanche effect: Small change = completely different hash

Common Hash Algorithms

MD5

128-bit hash (32 hex characters)

d41d8cd98f00b204e9800998ecf8427e (digest of an empty input)

⚠️ Cryptographically broken: collisions are practical. Many tools still record it alongside a stronger hash for compatibility with older records, but never rely on it alone

SHA-1

160-bit hash (40 hex characters)

da39a3ee5e6b4b0d3255bfef95601890afd80709 (digest of an empty input)

⚠️ Deprecated: a practical collision attack was demonstrated in 2017 (SHAttered)

SHA-256

256-bit hash (64 hex characters)

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (digest of an empty input)

✓ Current standard: no practical attacks known; use it for new acquisitions, alone or alongside MD5 for legacy tooling
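The hash properties listed above, measured rather than stated, as an added example that is not part of the page: digest widths for the three algorithms, the empty-input digests quoted above, determinism over repeated runs, and the avalanche effect measured as the number of digest bits that change when a single bit of a constructed 1 MiB image is flipped. The sample image and the dual-digest record format are assumptions of this example.

```python
"""Hash-function properties as used for evidence verification.
Added example; the 1 MiB sample image is constructed."""
import hashlib

DIGEST_HEX_CHARS = {"md5": 32, "sha1": 40, "sha256": 64}


def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()


def bits_changed(hex_a, hex_b):
    """Hamming distance between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(algo, data, byte_index=0, bit=0):
    """Flip one bit of the input and report how many digest bits change.
    A sound hash changes about half of them, whatever the input size."""
    mutated = bytearray(data)
    mutated[byte_index] ^= 1 << bit
    before, after = digest(algo, data), digest(algo, bytes(mutated))
    return before, after, bits_changed(before, after)


def deterministic(algo, data, runs=3):
    """The same input hashed repeatedly yields the same digest every time."""
    return len({digest(algo, data) for _ in range(runs)}) == 1


def evidence_record(data):
    """Record two independent digests, as acquisition tools do (assumed
    format): if one algorithm is later broken, the other still anchors
    the evidence."""
    return {"md5": digest("md5", data), "sha256": digest("sha256", data)}


if __name__ == "__main__":
    sample = bytes(range(256)) * 4096  # constructed 1 MiB "image"
    for algo, width in DIGEST_HEX_CHARS.items():
        _, _, changed = avalanche(algo, sample, byte_index=524288)
        print(f"{algo}: {width} hex chars, {changed}/{width * 4} bits changed after a 1-bit edit")
    print("empty input:", {a: digest(a, b"") for a in DIGEST_HEX_CHARS})
    print("record:", evidence_record(sample))
```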