Norton Ghost, Acronis Trueimage).Īn other great “feature” of a physical image is the possibility to write the image back to a disk. This means you will be able to perform data recovery on this copy, something that is not possible with a normal copy or clone made by “normal” disk cloning software (e.g. Because a bit stream copy is a bit-by-bit copy of the original storage device it will also include the unallocated areas of a storage device. Physical imageĪ physical image is a complete image of all the contents of a storage device, a so called bitstream copy. A Bitstream copy involves the copy of all areas of a storage device. When creating the actual image, there are basically two types of images you can create. Never, in any case, should you be able to actually write to the evidence. Some write-blockers have a build in cache that enables you to “write” to the device, all changes made are temporary however and only exist in the write-blocker. This usually involves using a write-blocker, a device that enables the investigator to read the drive, but not write to it. There are several ways of creating a forensic copy, but they all have one thing in common. It’s important however that you follow a strict set of procedures to ensure a proper forensically sound copy of the evidence is made. We are able to create a 100% identical copy of the evidence. And in digital forensics, we are able to something special. When you want to investigate a system you need to document everything you can about the system.
The gold rule of forensic also applies to digital forensics.
“Never touch, change, or alter anything until it has been documented, identified, measured, and photographed.” I would highly recommend hiring an expert to perform any kind of forensic data acquisition. While it is possible to create a forensic image yourself. But I believe this subject deserves a more comprehensive explanation. A simple answer would be that a forensic image contains all data stored on a device. A question I get asked a lot is “what is a forensic image?” and what is the difference between an image made with tools like FTK Imager and Acronis true Image.
0 kommentar(er)
