Disk Imaging and Acquisition

Creating a forensic image preserves the state of the source media so that all analysis is done on a copy while the original evidence stays untouched:

Imaging Methods:

Physical Imaging: Bit-for-bit (sector-level) copy of the entire device

  • Captures unallocated space, deleted files and slack space
  • Includes every partition, including hidden or unmounted ones (areas hidden at the drive level, such as an HPA or DCO, still need to be checked for separately)
  • Requires storage at least as large as the source unless a compressed evidence format such as E01 is used
  • Tools: dd, dcfldd, dc3dd, FTK Imager, EnCase

Logical Imaging: Copies the active files and directories through the file system

  • Faster than physical imaging
  • Smaller storage requirements
  • Misses deleted files, slack space and unallocated space
  • Suitable for targeted collection (specific directories, or media that can only be reached as a mounted volume, such as a decrypted container or a network share)

Write Blocking: Hardware or software write blockers prevent the acquisition host from modifying the source media (an auto-mount, journal replay or access-time update is enough to change its hash):

  • Hardware blockers: Tableau, WiebeTech (a bridge placed between the drive and the host; the preferred method, since it does not depend on the host's drivers behaving)
  • Software blockers: the Windows StorageDevicePolicies\WriteProtect registry value (covers USB mass storage only), Linux read-only mounts (mount -o ro, with noload for ext3/ext4 so a dirty journal is not replayed) or marking the block device read-only with blockdev --setro; treat these as a second layer, not a substitute for a hardware blocker

Imaging Process:

  1. Document source media (make, model, serial number, capacity, interface, reported sector count) before touching it
  2. Connect through a write blocker and confirm the host sees the device as read-only
  3. Calculate the source hash (or let a tool such as dcfldd or dc3dd hash the source in the same pass as imaging, so a failing drive is not read twice)
  4. Create the forensic image, logging any unreadable sectors; these are normally zero-filled so the image stays sector-aligned
  5. Verify that the image hash matches the source hash and record both hashes, the tool and its version in the acquisition log. A mismatch is only acceptable when read errors were logged in step 4; otherwise re-image
  6. Create a working copy from the verified image and hash it as well; the original media and the master image are never analysed directly
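The six steps above as one shell routine, added here as an illustration rather than taken from any forensic tool: it marks a block device read-only (belt and braces alongside a hardware blocker), hashes the source, images it with dd, hashes the image, records everything in an acquisition log, and can later re-verify an image against that log. Only dd, sha256sum (or shasum) and blockdev are used. The function names, the log format and the source file used in the test are all my own choices; the source in the test is a constructed file standing in for a real drive.

```bash
#!/usr/bin/env bash
# Added example: minimal acquire-and-verify routine following the imaging process
# above. Function and log names are this example's own, not a tool's.
set -u

# sha256 of a file or block device; falls back to shasum on systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# Step 2 (software layer only): ask the kernel to refuse writes to the device.
# Needs root and a real block device; a regular file (as in the test) is skipped.
# This does not replace a hardware write blocker.
set_readonly() {
    local src="$1"
    if [ -b "$src" ]; then
        blockdev --setro "$src"
    fi
}

# Steps 3-5: hash the source, image it, hash the image, compare, log everything.
# Returns 0 for a verified image, 1 on a dd failure or a hash mismatch.
# ibs=512 with conv=noerror,sync means an unreadable sector is replaced by 512 zero
# bytes rather than skipped, so the image stays sector-aligned; a larger ibs would
# pad the last block and change the image size. Read errors are the one case in
# which a mismatch is expected, so dd's stderr is kept in the log for review.
acquire_image() {
    local src="$1" img="$2" log="$3"
    local src_hash img_hash
    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image: $img"
    } > "$log"

    src_hash=$(hash_file "$src")
    echo "source sha256: $src_hash" >> "$log"

    if ! dd if="$src" of="$img" ibs=512 obs=1048576 conv=noerror,sync 2>> "$log"; then
        echo "result: dd failed" >> "$log"
        return 1
    fi

    img_hash=$(hash_file "$img")
    echo "image sha256: $img_hash" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "result: VERIFIED" >> "$log"
        return 0
    fi
    echo "result: HASH MISMATCH (check dd output above for read errors)" >> "$log"
    return 1
}

# Step 6: make the working copy from the verified image and confirm its hash.
make_working_copy() {
    local img="$1" copy="$2"
    cp "$img" "$copy" && [ "$(hash_file "$img")" = "$(hash_file "$copy")" ]
}

# Later re-verification: compare an image's current hash with the one in its log.
verify_image() {
    local img="$1" log="$2"
    local recorded current
    recorded=$(sed -n 's/^image sha256: *//p' "$log")
    current=$(hash_file "$img")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage on a real device (run as root, drive already behind a hardware blocker):
#   set_readonly /dev/sdb
#   acquire_image /dev/sdb /evidence/case001.dd /evidence/case001.log
#   make_working_copy /evidence/case001.dd /work/case001.dd
```

For production work prefer dcfldd or dc3dd, which hash the source in the same pass as the copy and report bad sectors by address; the shell above reads the source twice, which is fine for a healthy drive but not for one that is failing.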