Forensic Image Research - sullivaneg/TechJournal-SYS140 GitHub Wiki

Question-1: What is a digital forensic image?

A digital forensic image is a bit-for-bit copy of an entire device such as a hard drive, SSD, or other storage device. Digital forensic images are made to capture a snapshot of the current state of the device and the evidence on it. Investigators analyze the image rather than the original device. This could be done on the device of someone who committed a cybercrime to find evidence against them, or on the device of the victim of a cybercrime to gather data about the crime committed. A digital forensic image also ensures the integrity of the data: because the original state of the drive is preserved, the evidence is not altered during analysis.

Question-2: What is "proprietary forensic image format" and what is "raw forensic image format"?

A RAW image format is a bit-for-bit copy of the raw data of whatever device you are trying to gather data from. RAW images carry no embedded metadata; any metadata (such as hashes and acquisition notes) is saved in a separate text file alongside the image. Images in the RAW format contain only the source data, nothing else. They also aren’t compressed at all, so the image is the same size as the source. The RAW format is compatible with almost every tool precisely because it is just the source data.

A proprietary forensic image format is a format that is specific to a particular tool or piece of software. Different digital forensic tools may each have their own proprietary format. Unlike RAW, these formats often embed metadata. Some proprietary formats include EnCase (E01) and SMART (S01). These formats are capable of compressing the image and encrypting its contents.

Question-3: What is a write-blocker and how is it used during imaging a hard disk?

A write-blocker is a hardware device or software tool used to prevent any changes to the original data during the imaging process. The write-blocker does this by making sure the source drive is accessed read-only while the image is being made. This protects the integrity of the data, meaning that none of the original data is changed or compromised in any way.
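To tie the three answers together, here is a small example (added here, not code from the original journal) of the RAW-image workflow: read the source read-only, copy it bit-for-bit, record the acquisition hash in the sidecar text file that a RAW image relies on for metadata, and later verify that the image is still intact. The file names, the JSON layout of the sidecar file and the sample "device" contents are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks

def sha256_of(path):
    """Stream a file through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_raw(source, image, log):
    """Copy `source` bit-for-bit into `image`, hashing as we go.
    The source is opened read-only (the software side of what a
    write-blocker enforces). Because a RAW image holds no metadata,
    the size and acquisition hash go into the sidecar text file `log`.
    Returns the acquisition hash."""
    h = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
    acq_hash = h.hexdigest()
    Path(log).write_text(json.dumps(
        {"source": str(source), "image": str(image),
         "bytes": total, "sha256": acq_hash}, indent=2))
    return acq_hash

def verify_raw(image, log):
    """Re-hash the image and compare with the sidecar file.
    True only if the image is byte-identical to what was acquired."""
    recorded = json.loads(Path(log).read_text())
    return (Path(image).stat().st_size == recorded["bytes"]
            and sha256_of(image) == recorded["sha256"])

def demo():
    """Constructed data: a 3 MiB file standing in for a block device."""
    d = Path(tempfile.mkdtemp())
    src, img, log = d / "device.bin", d / "device.dd", d / "device.dd.txt"
    src.write_bytes(bytes(range(256)) * (3 * 1024 * 4))
    acq = acquire_raw(src, img, log)
    ok_before = verify_raw(img, log)
    with open(img, "r+b") as f:  # simulate one byte of the copy being altered
        f.seek(4096)
        f.write(b"\x01")  # constructed data has 0x00 at this offset
    return acq == sha256_of(src), ok_before, verify_raw(img, log)
```

Running `demo()` returns `(True, True, False)`: the image hash matches the source, verification passes on the untouched copy, and a single altered byte is enough to make verification fail.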
