A question I get asked a lot is “what is a forensic image?” and what the difference is between an image made with tools like FTK Imager and one made with Acronis True Image. A simple answer would be that a forensic image contains all data stored on a device, but I believe this subject deserves a more comprehensive explanation.
While it is possible to create a forensic image yourself, I would highly recommend hiring an expert to perform any kind of forensic data acquisition.
What is a forensic image?
The golden rule of forensics:
“Never touch, change, or alter anything until it has been documented, identified, measured, and photographed.”
The golden rule of forensics also applies to digital forensics. When you want to investigate a system, you need to document everything you can about it. And in digital forensics we are able to do something special: we are able to create a 100% identical copy of the evidence. It is important, however, that you follow a strict set of procedures to ensure a forensically sound copy of the evidence is made.
There are several ways of creating a forensic copy, but they all have one thing in common: the source must be write protected. This usually involves using a write-blocker, a device that enables the investigator to read the drive but not write to it. Some write-blockers have a built-in cache that lets you “write” to the device; all such changes are temporary, however, and only exist in the write-blocker. Never, in any case, should you be able to actually write to the evidence.
When creating the actual image, there are basically two types of image you can create: a physical image or a logical image.
A physical image is a complete image of all the contents of a storage device, a so-called bitstream copy. A bitstream copy involves copying all areas of a storage device. Because a bitstream copy is a bit-by-bit copy of the original storage device, it also includes the unallocated areas of the device. This means you will be able to perform data recovery on this copy, something that is not possible with a normal copy or clone made by “normal” disk cloning software (e.g. Norton Ghost, Acronis True Image).
Another great “feature” of a physical image is the possibility to write the image back to a disk. Since a physical image is a bitstream copy of a storage device, you can write this image to another storage device and create an identical copy of the original. This can be extremely useful if you want to boot up the original system (e.g. for live examination of the system). The system will behave exactly as if the original drive had been inserted.
A logical image is a file-system-level image. These images are usually created when you are unable to create a physical image (e.g. due to device limitations) or when you only want to image a certain folder (e.g. a user's mailbox, or a user directory on a server). It is also possible that, due to legal constraints, you are not allowed to capture anything more than the files located in a certain folder. Creating a logical image is the best way to capture only the data in that folder, and nothing more.
One major drawback of a logical image is that you do not capture any unallocated data. If the suspect deleted important files prior to the creation of the logical image, there is no way to recover them from a logical image. You should always try to create a physical image when it is suspected that the user might have deleted important data.
When creating the image, you also have several options regarding the format you store your image in. There really isn't a good or bad format; it mainly depends on your personal preferences and the software you are going to use. The most common options offered by tools are:
The RAW image format is basically a bit-for-bit copy of the raw data of either the disk or the volume, stored in a single file or in multiple segment files.
No metadata is stored in the image files. Most tools create a separate text file containing all the details regarding the image file, including the hardware and software used, source and destination details and hash values.
The main advantage of the RAW image format is that the files contain only unmodified source data and nothing else. This means almost every tool supports raw images, even non-forensic tools.
The main disadvantage of the RAW image format is the lack of any metadata: without the text file there is no way to determine the source of the image. It also lacks any form of compression, making the image as large as the source drive, even if only a few GB have been used.
Raw images are also sometimes called dd images since the raw image format has its origins in the dd tool.
The EnCase Evidence File (E01) is, next to the RAW image format, the most commonly used imaging format.
It contains a physical bitstream copy stored in a single file or multiple segment files, enriched with metadata. This metadata includes case information, examiner name, notes, checksums and an MD5 hash. It also offers compression and password protection.
The main advantages of this file format are the compression, password protection and per-file checksums.
The main disadvantage of this file format is that it is an undocumented, closed format. While most forensic tools support it, it is not supported by other (non-forensic) tools.
The SMART image format is mainly used by the SMART tool for Linux. The image is stored in a single file or multiple segment files, each with metadata.
This image format isn’t commonly used anymore.
At the moment of writing this article, the original websites are down and I was unable to determine if the format is still actively “supported”.
The Advanced Forensics Format is an open format for the storage of forensic images. Its goal is to offer a disk imaging format that is not tied to proprietary software.
This image format isn’t commonly used anymore.
In a perfect world, you would simply remove the storage device from the system and attach it to a write-blocker or forensic duplicator. In reality, you will find that most devices will pose a challenge in some way.
It’s possible that the device you want to image has embedded storage that is impossible to remove. If this is the case, your only option is to use a live boot disk to image the device. Some devices might not allow you to boot from external storage; these devices are a real forensic challenge and might require live imaging. You should never attempt to live image a system after booting it if you are not a forensic examiner.
Another challenge you might face is a proprietary connector on the drive. Some manufacturers choose to use their own connectors. Sometimes you have the luxury of ordering the right cables or adapters online, but in most cases time is limited and you will have to improvise. This is why you should try to collect all the strange cables and adapter cables you come across over the years. I have a drawer full of strange cables and adapters in my lab, just in case I come across that one drive that needs one of them.
You might also encounter a dying drive; drives that make strange sounds like clicking or buzzing, or that keep spinning up again every few minutes, are telltale signs of dying disks. In these cases, I highly recommend using a specialized cloning device like the Tableau Forensic Duplicator, since such devices detect bad disks and simply keep imaging, documenting and skipping the damaged areas they are unable to read. When imaging with software, I have experienced imaging failures with damaged drives. This is mainly caused by Microsoft Windows disconnecting the drive or locking up if the drive stops responding.
Encrypted disks are a whole other story. If an encrypted disk is offline and in an encrypted state you should simply create an offline physical image. If the disk is live and in a decrypted state, you should proceed with creating a live physical image and a RAM image before you pull the plug (read: Should you pull the plug?).
As you might imagine there are a lot more challenges I haven’t mentioned, but this is what makes digital forensics challenging.
One of the most important steps in making a forensic image forensically sound is documentation. As stated before, it is the golden rule of forensics that you never touch, change or alter anything until it has been documented.
How extensive the documentation is going to be depends on where you work and what kind of investigations you do. But there are some basics that should always be documented:
- Used hardware (Make, Model, Firmware, Serial Number)
- Used software (Distributor, Version)
- Case name/number
- Investigator name/number
- Evidence identification
- Short description of the case
- Serial Number
- Short description of the evidence
- MD5 / SHA1 hash values
For the destination, document the same details as for the source, although this depends on the way you acquire the image. Most of the time you will create the image on a dedicated hard drive that will be used throughout the investigation. However, it is also possible to use a centralized storage solution (like a NAS) to store your images during the investigation. In these cases, you will want to document the specifics of this storage solution.
- Used software/hardware
- Source Name/ID
- Destination Name/ID
- Start timestamp
- End timestamp
- Hash values
The above is the bare minimum of what needs to be documented. Luckily, most imaging tools already create a log file containing this information, making documentation a lot easier.
The most important part of the documentation is the hash value. Hash values can be thought of as fingerprints for digital evidence. The contents of a drive are processed through a cryptographic hash algorithm, and a unique numerical value (the hash value) is produced. If your copy has been modified in the slightest way, the hash value of your forensic copy will not match that of the evidence.
Without a hash value, a suspect could argue that someone tampered with the evidence and the incriminating evidence was planted. The hash value also provides the investigator with an easy way to verify the copy is 100% identical to the original. This is why hash values are so important to document and verify (read: Always use multiple hash algorithms).
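To make the RAW image, its sidecar log and the hash verification described above concrete, here is an added example that is not from the article or from any of the tools it names: it bitstream-copies a constructed source file, hashes the source stream with both MD5 and SHA-1 while it is read, writes the log fields listed above, and then re-hashes the image against the log (once intact, once after a single byte is changed). The functions `acquire_raw`, `verify_image` and `demo`, the placeholder case and examiner values, and the sample drive contents are all this example's own assumptions.

```python
import hashlib, tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB read/write blocks, comparable to a dd block size

def read_blocks(path):
    with open(path, "rb") as f:
        yield from iter(lambda: f.read(CHUNK), b"")

def hash_stream(blocks):
    md5, sha1 = hashlib.md5(), hashlib.sha1()  # two algorithms over one pass
    for block in blocks:
        md5.update(block)
        sha1.update(block)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}

def acquire_raw(source, image, log, case="CASE-placeholder", examiner="EXAMINER-placeholder"):
    # Bitstream-copy source to image while hashing what is read, then write the sidecar log.
    start = datetime.now(timezone.utc).isoformat()
    with open(image, "wb") as dst:
        def copying():
            for block in read_blocks(source):
                dst.write(block)  # every byte reaches the image unchanged
                yield block
        hashes = hash_stream(copying())
    fields = {"Case": case, "Examiner": examiner, "Software": "acquire_raw (example)", "Source": source,
              "Destination": image, "Start": start, "End": datetime.now(timezone.utc).isoformat(), **hashes}
    with open(log, "w") as f:
        f.writelines(f"{k}: {v}\n" for k, v in fields.items())
    return hashes

def verify_image(image, log):
    # Recompute both hashes of the image and compare them with the logged source hashes.
    with open(log) as f:
        logged = dict(l.rstrip("\n").split(": ", 1) for l in f if l.split(":")[0] in ("MD5", "SHA1"))
    return hash_stream(read_blocks(image)) == logged

def demo():
    # Constructed run: image and verify a fake drive, then change one image byte and verify again.
    src, img, log = map(Path(tempfile.mkdtemp()).joinpath, ("drive.bin", "drive.dd", "drive.log"))
    src.write_bytes(bytes(range(256)) * (3 * CHUNK // 256) + b"PARTIAL LAST BLOCK")
    hashes = acquire_raw(src, img, log)
    verified = verify_image(img, log)
    with open(img, "r+b") as f:
        f.seek(CHUNK + 5)  # this byte is 0x05 in the pattern; overwrite it
        f.write(b"\xff")
    return {"hashes": hashes, "source": src, "verified": verified,
            "verified_after_tamper": verify_image(img, log)}
```

The constructed drive is deliberately not a multiple of the block size, so the final partial block is hashed and copied like a real trailing sector run would be.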
There are several tools on the market to create a forensic image. I will name a few popular ones here. Make sure to check my list of free forensic acquisition tools.
- FTK Imager (AccessData)
- EnCase Forensic Imager (Guidance)
- Magnet ACQUIRE (Magnet)
- X-Ways Imager (X-Ways)
When using a software tool to image hard drives it’s necessary to use a write blocker. Personally, I’m not a huge fan of software write blockers as I have seen them fail in the past.
According to the Hardware Write Blocker (HWB) Assertions and Test Plan Version 1.0 and the Hardware Write Blocker Device (HWB) Specification, Version 2.0, available at the CFTT web site (http://www.cftt.nist.gov/hardware_write_block.htm), a write-blocker must comply with the following requirements:
- A hardware write block (HWB) device shall not transmit a command to a protected storage device that modifies the data on the storage device.
- An HWB device shall return the data requested by a read operation.
- An HWB device shall return without modification any access-significant information requested from the drive.
- Any error condition reported by the storage device to the HWB device shall be reported to the host.
There are quite a few write-blockers on the market, I have personally used the Tableau and Wiebetech products and can highly recommend both devices.
Imagers / Duplicators
Hardware duplicators are the easiest and most reliable way to create a forensic image. Forensic duplicators feature an easy-to-use interface, and you are able to create a forensic image with the required log files with the press of a few buttons. This can all be used in the field without a computer system. In general, most (modern) duplicators are also much faster than imaging using software and a write blocker. Most devices are foolproof, making it possible for almost anyone to create a forensic image.
Whenever possible you should always try to use a write blocker or a duplicator with a built-in write blocker. However, there might be situations where this isn’t possible. In these cases, you might want to use a forensic live-cd.
Some situations where a live-cd might be used:
- The storage device might be embedded on the mainboard.
- The device might be damaged in a way that extracting the storage device isn’t possible.
- The storage device is part of a RAID array.
- The storage device is encrypted and the key is stored in the TPM chip.
Special forensic boot disks enable the investigator to collect evidence in a forensically sound manner. These disks have a built-in software write blocker or mount the internal drives as read-only.
I will discuss live-boot CDs in detail in an upcoming article.
While this article isn’t meant as a guide on how to create a forensic image, I hope it gives a general idea of what a forensic image is. It isn’t just the contents that make it a forensic image, but also the way it is created and documented. A forensic image that isn’t created properly might have disastrous consequences in court. This is why these images should be created by experts.