Computer Forensic Imaging


At its core, a forensic image preserves data. This data can reside on any media, such as a hard drive, a mobile device, a thumb drive, a network share, a GPS unit, a drone, or many others. The tools and techniques depend on the specific type of device, the storage media, the collection's circumstances, and the investigation's needs. When discussing forensic copies, it's essential to recognize that this term encompasses more than file duplication. 


Computer users are familiar with making a copy of data; this is generally understood to be a logical data copy. The Windows 'Copy' and 'Paste' commands transfer data from one location to another. Users are often surprised to discover that on most operating systems, the file name does not reside inside the file itself, and changing the file name does not alter any data within it. For example, on Windows 10 the file name is stored within a particular system file called $MFT, which stands for Master File Table. This table holds a file's metadata, which includes the file name, file created date, file modified date, file size, and many other items; changing these does not change the file's data. However, the loss of metadata can severely hamper an investigation or inquiry. A logical data copy is therefore insufficient for data forensics purposes.


In the forensics community, terms can be commingled when discussing imaging or images, including data extraction, forensic images, file copies, mirror images, and so on. The nuances of these terms are often debated among recognized experts. For this article, let's break them down to help provide you with a perspective.


Data extraction

In mobile forensics, data extraction refers to retrieving digital data from a mobile device such as a cell phone. This process is crucial for investigations and involves using specialized tools and techniques to access stored information while minimizing alteration of, or damage to, the original data. The same concerns apply to other devices, such as a GPS unit or drone.


There are three main types of data extraction in mobile forensics:

  1. Manual Extraction: This involves physically accessing and navigating through the device's user interface to record visible data, such as messages, call logs, or photos, much like a user would. It is limited to what can be viewed and accessed manually. Often, the process involves photographing the screen and manually logging the information.
  2. Logical Extraction: This method retrieves a device's data through its operating system, using software tools to extract information like contacts, messages, call logs, and app data. However, it may not access deleted files or data stored in encrypted areas.
  3. Physical Extraction: The most comprehensive method involves accessing the phone's raw storage to capture all data, including deleted or hidden information. This method provides a complete image of the device's memory, often requiring more advanced tools and techniques, but it allows for the recovery of files that logical extraction might miss.

The exact specifics depend on the particular software and techniques used. When preparing any report or official documentation, the examiner should rely on the specific terminology used by the software's manufacturer and on their training relative to the particular type of device or model.


A full physical forensic image is an exact bit-for-bit copy of the media into a specialized container file. An example is the Expert Witness Format, which was popularized by the EnCase program. A forensic logical image also exists but is beyond the scope of this article.


A forensic file copy refers to copying specific files from a location with their date/time stamps and other metadata preserved. An example is Microsoft's robocopy program: with the appropriate options, it copies specific file(s) or folder(s) to another location along with the associated metadata. A forensic file copy places a copy of the data from one location onto another, such as external media. For example, on a large file server holding hundreds of users' data, an investigation might need only a single user's data within a specific location. A forensic file copy could place that data onto an external hard drive or thumb drive, while the other information on the file share, which might not be relevant to the investigation, is left behind.


A mirror image or mirror copy is the cloning of all data from one specific media to another media of the same or larger size. In the 1990s, this was the primary means of preserving data. The forensic examiner would create a mirror image and examine the clone while leaving the original data unaltered. For example, an examiner may run recovery tools on the clone to recover deleted data.


Now that we've covered the broader range of terms and techniques, let's explore a full physical forensic image more closely. This image has some specific hallmarks. 


The first trait is data integrity, which protects data from alteration to the extent technically possible. A write blocker is a device or software tool that prevents any data from being written to a storage device (such as a hard drive, SSD, or USB drive) while still allowing data to be read. A write blocker ensures the forensic investigator can access and copy data from the storage device without accidentally modifying it. Write blockers can be hardware-based (physical devices) or software-based (programs that achieve the same result through the operating system). Digital Intelligence sells a range of industry-accepted write blockers.


Auditing is another trait. Many computer forensic imaging software packages create a digital fingerprint of the data, called a hash value. Examples include MD5 (Message Digest 5) and the Secure Hash Algorithm (SHA) family. Because the hashing algorithm is applied to the data itself, any change to the data results in a different hash value. A log file can store these values. A digital fingerprint provides high assurance that the data is unadulterated. As computer technology advances, so does the complexity of the algorithms.


The final trait is completeness. A forensic image captures all the data, including the logical data, metadata, file slack, folder structure, and less obvious information, such as the unused data area. A computer forensics image is a true and accurate copy of the data. A forensic image represents a single point in time.


File Slack

File slack is the leftover space at the end of a cluster that is not fully used by a file. It can contain data fragments from previously stored files, which might hold evidentiary value. When new data is written to a location, old data may still reside there: if the older data was larger than the new data, part of the old data remains on the media after the new data has partly overwritten it. This remaining older data can be very revealing to a computer forensic examiner.
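As an added illustration that is not part of the original article, the following Python simulates a cluster-based store to show how a smaller file written over a deleted larger one leaves the old file's tail in slack, which a logical copy never sees but a physical image preserves. ClusterStore, its 4 KiB cluster size, and the sample file contents are constructed for this example and are not a real file system.

```python
CLUSTER = 4096  # bytes per cluster (constructed value for this example)

class ClusterStore:
    """Toy storage for this example: a bytearray carved into fixed-size clusters
    plus a file table of name -> (first cluster, byte length). Not a real file system."""

    def __init__(self, clusters):
        self.media = bytearray(CLUSTER * clusters)
        self.table = {}

    def write_file(self, name, data, first_cluster):
        # Only the file's own bytes are written; the rest of its last cluster is
        # left exactly as it was, which is how file slack comes to exist.
        start = first_cluster * CLUSTER
        self.media[start:start + len(data)] = data
        self.table[name] = (first_cluster, len(data))

    def delete_file(self, name):
        # Deletion drops the table entry; the clusters themselves are not wiped.
        del self.table[name]

    def logical_copy(self, name):
        # What a Copy/Paste style copy sees: exactly the file's recorded length.
        first, length = self.table[name]
        return bytes(self.media[first * CLUSTER:first * CLUSTER + length])

    def slack(self, name):
        # Bytes between the logical end of the file and the end of its last cluster.
        first, length = self.table[name]
        end = first * CLUSTER + length
        clusters_used = -(-length // CLUSTER)  # ceiling division
        return bytes(self.media[end:first * CLUSTER + clusters_used * CLUSTER])

def slack_length(file_size, cluster_size=CLUSTER):
    """Size of the slack region for a file of file_size bytes (0 if it fills its clusters)."""
    return (-file_size) % cluster_size

def demo():
    disk = ClusterStore(clusters=8)
    # Constructed sample: an older 10,000-byte file occupies clusters 2-4 ...
    old = (b"OLD EVIDENCE LINE " * 600)[:10000]
    disk.write_file("report_v1.txt", old, first_cluster=2)
    disk.delete_file("report_v1.txt")
    # ... then a smaller 5,000-byte file is allocated at the same starting cluster.
    disk.write_file("notes.txt", b"N" * 5000, first_cluster=2)
    logical = disk.logical_copy("notes.txt")   # 5,000 bytes of "N", nothing else
    slack = disk.slack("notes.txt")            # 3,192 bytes, all from report_v1.txt
    return logical, slack, old
```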


Metadata

Refers to data about data, which provides information about a file's structure, context, and characteristics, such as how, when, and by whom it was created, accessed, or modified. Some examples include:

    • Creation date and time: When a file is saved into a specific path.
    • Modification date and time: When a file was last altered.
    • Access date and time: When a file was last opened or accessed.
    • File size and location: Size of the file in bytes and its directory on the system.
    • File permissions: Who can read, write, or execute the file.

Partition Slack

Refers to the unused space at the end of disk partitions, which may hold critical traces of past activities.


Unused Space

Unused space might sound trivial, but it can contain remnants of previously deleted files or other data that has yet to be overwritten. Identifying and copying this space can reveal crucial information.


Several computer programs create a computer forensics image. For example:

  • OpenText's software, called EnCase.
  • AccessData's software, called FTK Imager.
  • The Linux command dd.


EnCase is one of the community's most widely known data forensics programs. It creates a forensic image in a specific format called the Expert Witness Format. This format has error checking, logging, and many other features. It allows segmentation of a large image into logically organized and consistent smaller files. When segmented, the first file's extension is E01; if the image exceeds a specified size, a second file is created with the extension E02, and so on.


AccessData created FTK Imager, which is well known within the forensic community.


dd works for many cases on Linux, Apple, and Unix systems. While the raw image file it produces contains all the data, it has no inherent error checking.
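To tie together the auditing trait (hash values recorded in a log), the segmentation described for EnCase, and the error checking a raw dd image lacks, here is an added Python example that is not part of the original article and not the code of any of these tools: it images a source file into fixed-size raw segments, records MD5 and SHA-256 in a JSON log, and then re-verifies the segments against that log. The segment size, the .001/.002 naming, the log layout, and the sample "drive" contents are all constructed for this example.

```python
import hashlib, itertools, json, os, tempfile

SEGMENT_SIZE = 1 << 20  # 1 MiB per segment (constructed; real tools default to far larger)

def image_source(src_path, dest_base, segment_size=SEGMENT_SIZE):
    """Read the source once, write raw segments dest_base.001, .002, ... and return
    an audit record with per-segment and whole-image hashes (source opened read-only)."""
    hashes = [hashlib.md5(), hashlib.sha256()]
    segments = []
    with open(src_path, "rb") as src:
        for index in itertools.count(1):
            data = src.read(segment_size)
            if not data:
                break
            for h in hashes:
                h.update(data)
            name = f"{dest_base}.{index:03d}"
            with open(name, "wb") as out:
                out.write(data)
            segments.append({"file": os.path.basename(name), "bytes": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    # MD5 is logged only because legacy reports quote it (it is collision-broken);
    # verification below relies on SHA-256.
    log = {"source": os.path.basename(src_path), "segments": segments,
           "md5": hashes[0].hexdigest(), "sha256": hashes[1].hexdigest()}
    with open(dest_base + ".log.json", "w") as f:
        json.dump(log, f, indent=2)
    return log

def verify_image(dest_base, log):
    """Re-hash the segments in order; True only if the whole-image SHA-256 matches."""
    h = hashlib.sha256()
    folder = os.path.dirname(dest_base) or "."
    for seg in log["segments"]:
        with open(os.path.join(folder, seg["file"]), "rb") as f:
            h.update(f.read())
    return h.hexdigest() == log["sha256"]

def demo():
    # Constructed sample "drive": 2.5 MiB of deterministic bytes, so three segments.
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample_drive.bin")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * (10 * 1024))
    base = os.path.join(work, "sample_drive")
    log = image_source(src, base)
    intact = verify_image(base, log)
    with open(base + ".002", "r+b") as f:  # flip one byte in the second segment
        f.seek(10)
        f.write(b"\x00")
    return log, intact, verify_image(base, log)
```

A single altered byte in any segment changes the recomputed whole-image hash, which is the check the log exists to support.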

If you would like to walk through creating a step-by-step forensic image, refer to the following forensic imaging training course.





CONTACT US


The American Society of Digital Forensics & eDiscovery, Inc®
For Digital Evidence Experts™
2451 Cumberland Parkway, Suite 3382
Atlanta, GA 30339-6157
(404) 919-1143



Copyright 2024

All Rights Reserved
