Computer Forensics Imaging

A computer forensics image preserves data. This data can reside on various media, such as a hard drive, a thumb drive, a network share, or many others. The tools and techniques used depend on the specific type of media and the circumstances of the collection. 

A computer forensics image has two hallmark traits. The first trait is preserving data integrity to the extent technically possible. Ultimately, this protects the data from alteration. The second trait is completeness. It captures all of the data, including the logical data and less obvious information such as the ‘file slack’ (see below) and the metadata.

A computer forensics image is a true and accurate copy of the data, unaltered to the greatest extent possible, and it represents all of the targeted data. A bit-by-bit (physical) image contains every bit on the media, including unallocated space and file slack, not only the files the operating system shows. Because merely mounting a drive can change it (journal replay, access timestamps), the source is normally attached through a hardware write blocker or mounted read-only while the image is taken.

Computer users are familiar with making a copy of data. What they copy is logical data: the standard Windows ‘Copy’ command (or cp on Unix) reproduces only the bytes the file system reports as belonging to each file, and nothing else on the media.

File systems allocate space in fixed-size clusters (4 KB on most NTFS volumes), so a file rarely ends exactly on a cluster boundary. The unused tail of the file’s last cluster is called ‘file slack.’ The file system does not wipe a cluster when it is reused, so when a smaller file is written over space that previously held a larger one, the end of the old data survives in the new file’s slack. A logical copy never reads this region; a bit-by-bit image captures it, and it can be very revealing to an investigator. (Old data in clusters that no current file uses at all is ‘unallocated space,’ which a physical image also captures.)
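The following is an added example, not code from the original page or from ASDFED. It builds a constructed toy volume in Python (4 KB clusters are an assumption, chosen to match the NTFS default) and shows how the tail of a deleted, larger file survives in the slack of a smaller file that later reuses the same cluster, and why a logical copy of the new file never sees it.

```python
import math

# Assumption for this constructed example: 4 KiB clusters, the default on most NTFS volumes.
CLUSTER_SIZE = 4096


def clusters_needed(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Whole clusters the file system allocates for a file of `size` bytes."""
    return max(1, math.ceil(size / cluster_size))


def file_slack(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the logical end of the file and the end of its last cluster."""
    return clusters_needed(size, cluster_size) * cluster_size - size


class ToyVolume:
    """A constructed volume: a bytearray of clusters plus a minimal allocation table.

    Writing a file only touches its logical bytes; whatever was in the rest of the
    last cluster stays there. That leftover region is the file slack.
    """

    def __init__(self, n_clusters: int, cluster_size: int = CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.raw = bytearray(n_clusters * cluster_size)
        self.files = {}  # name -> (first cluster, logical size)

    def write(self, name: str, first_cluster: int, data: bytes) -> None:
        start = first_cluster * self.cluster_size
        self.raw[start:start + len(data)] = data
        self.files[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        # Like a real file system: drop the entry, leave the clusters' contents alone.
        del self.files[name]

    def logical(self, name: str) -> bytes:
        """What a normal 'Copy' command reads: the logical bytes only."""
        first, size = self.files[name]
        start = first * self.cluster_size
        return bytes(self.raw[start:start + size])

    def slack(self, name: str) -> bytes:
        """What only a bit-by-bit image captures: the unused tail of the last cluster."""
        first, size = self.files[name]
        start = first * self.cluster_size + size
        end = (first + clusters_needed(size, self.cluster_size)) * self.cluster_size
        return bytes(self.raw[start:end])


def demo() -> ToyVolume:
    vol = ToyVolume(n_clusters=4)
    # Constructed content: a 5,600-byte memo that spans clusters 0 and 1.
    old_memo = b"Draft memo: the old figure was 50,000 units, not 5,000. " * 100
    vol.write("memo_old.txt", 0, old_memo)
    vol.delete("memo_old.txt")
    # A 20-byte file later reuses cluster 0. Its slack is bytes 20..4095 of that cluster,
    # still holding the old memo; cluster 1 is now unallocated space, also still holding it.
    vol.write("notes.txt", 0, b"Nothing to see here.")
    return vol


if __name__ == "__main__":
    v = demo()
    print("logical copy of notes.txt:", v.logical("notes.txt"))
    print("slack bytes:", len(v.slack("notes.txt")))
    print("old memo visible in slack:", b"50,000 units" in v.slack("notes.txt"))
```

`file_slack()` is the general formula: for any file size and cluster size it gives the number of slack bytes, which is zero only when the file ends exactly on a cluster boundary.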

Computer users are often shocked to discover that on most operating systems, the file name does not reside inside the file itself, so changing the file name generally doesn’t alter any data within the file. For example, on Windows 10, whose volumes use the NTFS file system, the file name is stored in a particular system file called $MFT, the Master File Table. Each MFT record holds a file’s metadata: the file name, the created, modified and accessed timestamps, the file size, and many other items. Because a rename only updates that record, the file’s content hash is unchanged by it, while the metadata (including the record’s own modification time) is not.

Most computer forensic imaging packages compute a digital fingerprint of the data, called a hash value, as the image is acquired. Common choices are MD5 (Message Digest 5) and the SHA family (Secure Hash Algorithm, such as SHA-1 or SHA-256). Recomputing the hash later and comparing it with the acquisition hash is a quick and easy way to verify that the image is unchanged. MD5 and SHA-1 are no longer collision-resistant, so current practice is to record SHA-256 alongside (or instead of) MD5.

Several programs, offered by a variety of software manufacturers, will create a computer forensics image. For example:

  • OpenText’s EnCase.
  • AccessData’s FTK Imager (AccessData is now part of Exterro).
  • The Linux/Unix command dd.

EnCase Forensic is one of the most widely known forensics programs in the community. EnCase writes the image in a specific format called Expert Witness Format (EWF). This format stores a checksum (CRC) for every block of data and a hash of the whole image, so it has built-in error checking, and it can compress the data. The first file’s extension is E01; if the image exceeds the chosen segment size, a second file is created with the extension E02, and so on.

FTK Imager was created by AccessData and is common in the forensic community. It can write raw (dd), E01, SMART and AFF images, computes MD5 and SHA-1 hashes during acquisition, and verifies the finished image against them.

dd works for many cases on Linux, Apple (macOS) and Unix systems. It produces a raw image: a byte-for-byte copy with no container, no embedded metadata and no inherent error checking. The hash therefore has to be computed separately (for example with md5sum or sha256sum) and recorded with the image, and the options conv=noerror,sync are needed so that unreadable sectors are padded rather than silently dropped, which would shift every later byte. Forensic variants such as dc3dd and dcfldd hash the data as it is copied.

Whatever format and tool are used, the image must have integrity and be complete. Both the Expert Witness and raw dd formats can meet that bar; however, Expert Witness also contains a series of built-in checks (per-block CRCs and a stored hash) that allow easy verification, whereas a raw image depends on a hash recorded separately.
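The following is an added example, not code from the original page or from any of the tools named above. It illustrates the hashing and verification described in the preceding paragraphs in Python: a dd-style raw copy of a constructed “device” file, with MD5 and SHA-256 computed on the stream as it is acquired, plus a CRC32 per chunk to show the idea behind Expert Witness’s per-block checks (this is a simplification, not the EWF layout). The verification step then detects a single flipped byte and reports which chunk it lies in. The file names, the 64 KiB chunk size and the sample data are assumptions for the example.

```python
import binascii
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # assumed read size; imaging tools typically use larger blocks


def image(source_path: str, image_path: str, chunk: int = CHUNK):
    """Copy every byte of `source_path` to `image_path` (a raw/dd-style image) while
    hashing the stream. Returns ({'md5': ..., 'sha256': ...}, [crc32 per chunk])."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    crcs = []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            dst.write(block)
            md5.update(block)
            sha256.update(block)
            crcs.append(binascii.crc32(block))  # one checksum per chunk, as EWF does per block
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}, crcs


def verify(image_path: str, expected: dict, crcs: list, chunk: int = CHUNK):
    """Re-hash the image and recompute the per-chunk CRCs.
    Returns (hashes_match, index_of_first_bad_chunk_or_None)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    first_bad = None
    i = 0
    with open(image_path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            if i >= len(crcs) or binascii.crc32(block) != crcs[i]:
                if first_bad is None:
                    first_bad = i
            i += 1
    if i != len(crcs) and first_bad is None:  # image truncated relative to the record
        first_bad = min(i, len(crcs))
    ok = md5.hexdigest() == expected["md5"] and sha256.hexdigest() == expected["sha256"]
    return ok, first_bad


def demo():
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")   # constructed stand-in for a block device
    img = os.path.join(tmp, "evidence.dd")
    # Constructed data: 3.5 chunks, so the last chunk is partial, as a real device's often is.
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * ((3 * CHUNK + CHUNK // 2) // 256))

    hashes, crcs = image(src, img)
    clean = verify(img, hashes, crcs)          # expected (True, None)

    # Simulate corruption or tampering: flip one byte inside chunk 2 of the image.
    with open(img, "r+b") as f:
        f.seek(2 * CHUNK + 17)
        original = f.read(1)
        f.seek(2 * CHUNK + 17)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify(img, hashes, crcs)       # expected (False, 2)
    return hashes, crcs, clean, tampered


if __name__ == "__main__":
    h, c, clean, tampered = demo()
    print("acquisition hashes:", h)
    print("chunks recorded:", len(c))
    print("clean image verifies:", clean)
    print("after flipping one byte:", tampered)
```

The whole-image hash answers only “is it identical?”; the per-chunk checksums add “where does it differ?”, which is what makes a segmented Expert Witness image easier to diagnose than a bare raw image whose only record is a separately stored hash.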

If you want more information about computer forensics images, please refer to other articles on the American Society of Digital Forensics and eDiscovery’s website at www.asdfed.com.

The American Society of Digital Forensics & eDiscovery, Inc®
For Digital Evidence Experts™
2451 Cumberland Parkway, Suite 3382
Atlanta, GA 30339-6157
(404) 919-1143

Copyright 2024

All Rights Reserved