What is Disk Imaging?
As we have seen in a few earlier posts, we never do a forensic investigation on a live system's disk (it can be done in some special cases, to be discussed later). This is so that the original disk is protected from any alteration or modification that could occur during forensic analysis. So the question remains: how do we examine the hard disks or other storage media? The solution is disk imaging. It is the process in which we use tools that make an exact copy of the hard disk; that copy can then be examined with the special forensic investigation tools covered in the later sections.

What is a Disk Image?

A disk image is a copy of the storage device that includes not only the data visible to the user but also hidden directories, boot records, partition tables, deleted files, unallocated sectors, etc. In short, a forensic disk image is an exact sector-by-sector clone of a computer system's storage, used for investigation purposes so that no data on the actual system is altered.

Types of Forensic Disk Image

In this section we will discuss the types of forensic disk images, which can be broadly classified into two types:
How to make a Forensic Disk Image?

Creating a proper forensic disk image is a very easy task that can be performed efficiently with the tools in the forensic toolkit. The basic thing to keep in mind is that no data should be altered or removed from the disk in any way. Whenever the disk is used in a Windows environment, Windows creates several log files and other files on it, and can even modify USB records, etc. To prevent this and handle the disk safely in a Windows environment, we use a special device called a WRITE BLOCKER. Its sole purpose is to prevent any data alteration on the media under investigation. Write blockers can also take the form of a software blocker instead of a hardware one. Now we will cover the steps to make a forensic disk image for investigation. To do this, we have several tools like
How to make a Forensic Disk Image using Encase

Having read about how to create a disk image, we will now talk about how to read the created image using different tools like Autopsy, Encase, etc.

1. Download Encase Imager.
2. Select the local device option to display all the components of the hard disk under investigation that need to be present on the cloned disk.
3. Whatever information investigators are likely to require will be present on the physical drives or logical partitions, so all drives should be carefully selected to make sure everything is covered.
4. Encase then lists the selected drives to be cross-checked by the investigator.
5. Click the 'ACQUIRE' button to initialize the imaging.
6. After filling in details such as case number, examiner name, etc., the 'OK' command starts the image acquisition.
7. Within a few minutes the image will be created; the time varies with the size of the source disk being copied.
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independently of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF), an open and extensible format for storing disk images and associated metadata, and to the Expert Witness Compression Format (EWF). An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard disk. Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives. OSFClone can be booted from CD/DVD drives or from USB flash drives.

OSFClone can create disk images in the dc3dd format. The dc3dd format is ideal for computer forensics due to its increased level of reporting for progress and errors, and its ability to hash files on the fly. Verify that a disk clone is identical to the source drive by using OSFClone to compare the MD5 or SHA1 hash of the clone against that of the source drive. After image creation, you can choose from a range of compression options to reduce the size of the newly created image, increasing portability and saving disk space. Use OSFClone to save forensic metadata (such as case number, evidence number, examiner name, description and checksum) for cloned or created images.

The current version of OSFClone is v1.4.1000.

OSFClone does its best not to leave artifacts or alter the source evidence drive. However, due to different hardware, driver variations and disk states, there is a small chance of contamination, especially when the source drive is from a Linux / Unix machine.
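The imaging workflow described above (a sector-by-sector copy, hashing the stream on the fly as dc3dd does, comparing the clone's hash against the source, and saving case metadata with the checksum) as an added Python example. It is not code from Encase, OSFClone or dc3dd. The "source drive" is a constructed 1000-byte file in a temporary directory; on a real acquisition it would be a block device opened read-only behind a write blocker. The function names, the 512-byte chunk size and the JSON layout of the evidence record are assumptions of this example.

```python
"""Sector-by-sector imaging with on-the-fly hashing and post-copy verification.

Added example; not code from Encase, OSFClone or dc3dd.  The "source drive" is a
constructed file in a temporary directory.  On a real acquisition it would be a
block device opened read-only, behind a write blocker.
"""
import hashlib
import json
import os
import tempfile

SECTOR = 512  # copy in whole-sector chunks (assumed classic 512-byte sectors)


def image_device(src_path, dst_path, algorithms=("md5", "sha1")):
    """Copy src to dst chunk by chunk, hashing the stream as it is read.

    Returns ({algorithm: hexdigest}, number_of_reads).  The digests cover the
    bytes exactly as they came off the source, which is what on-the-fly
    hashing (as in dc3dd) gives you.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    reads = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(SECTOR)
            if not chunk:            # EOF: a short final chunk is still copied
                break
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
            reads += 1
    return {name: h.hexdigest() for name, h in hashers.items()}, reads


def hash_file(path, algorithm):
    """Independent re-read of a whole file, used to verify clone against source."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_path, dst_path, metadata):
    """Image, verify, and write an evidence record (JSON) next to the image.

    The record carries the kind of metadata OSFClone saves (case number,
    evidence number, examiner, description, checksum); this JSON layout is an
    assumption of the example, not OSFClone's own format.
    """
    digests, reads = image_device(src_path, dst_path)
    # Re-hash the clone: it must match what was read from the source.
    image_ok = all(hash_file(dst_path, a) == d for a, d in digests.items())
    # Re-hash the source: a mismatch means the source changed during the run,
    # the very thing a write blocker exists to prevent.
    source_ok = all(hash_file(src_path, a) == d for a, d in digests.items())
    record = dict(metadata, source=src_path, image=dst_path, reads=reads,
                  checksums=digests, image_verified=image_ok,
                  source_unchanged=source_ok)
    with open(dst_path + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo():
    """Run the acquisition on a constructed 1000-byte 'drive' (last chunk is partial)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.raw")
    dst = os.path.join(workdir, "evidence.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 3 + b"\x00" * 232)   # 768 + 232 = 1000 bytes
    meta = {"case_number": "CASE-0001", "evidence_number": "E-01",
            "examiner": "example examiner", "description": "constructed test drive"}
    return acquire(src, dst, meta)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The source is hashed a second time after the copy on purpose: the on-the-fly digest proves what was read, the re-read of the clone proves what was written, and the re-read of the source is the check that nothing touched the evidence while it was attached.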
When integrity is of the utmost importance, we recommend using a write blocker in conjunction with OSFClone.

CD or DVD (OSFClone V1.2 or older)

To install OSFClone to a CD or DVD, you will need a CD/DVD writer and CD/DVD image writing software of your choosing. To run OSFClone, download and burn the osfclone.iso image to a CD or DVD, and choose to boot from the CD/DVD drive during system start-up. Users with Windows 7 and a CD/DVD writer can natively transfer *.iso images to CDs or DVDs. To install OSFClone using this method, right-click on the osfclone.iso image in Windows Explorer and select the "Burn disc image" menu item. This will launch Windows Disc Image Burner. From this window, you can click "Burn" to transfer osfclone.iso to a CD or DVD.

USB Flash Drives (UFD)

Warning: The process of installing OSFClone to a UFD will overwrite all existing data on the drive. The installation of OSFClone requires a UFD which is at least 2 GB in size.
Issue: OSFClone may be unable to boot on some UEFI-enabled computer systems.
Solution: The user may need to go into their BIOS and switch the Boot Mode from Unified Extensible Firmware Interface (UEFI) to Compatibility Support Mode (CSM) on their system.

Issue: OSFClone may not be forensically sound when imaging drives with ext2/3/4 filesystems. During internal testing it was found that if the evidence drive is connected during system start-up, the first superblock (typically at offset 1024 within the partition) of the ext2/3/4 filesystem on the drive may be altered. Values that were changed include the last mount time, last write time, mount count and a byte at location 0x0178 within the superblock.
Solution(s):
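Whatever fix is applied, an examiner wants a way to confirm that the superblock was not touched. The following is an added Python example for that check, not OSFClone's code and not one of its listed solutions: it compares the primary superblock of two images of the same partition, one taken before and one after the drive was attached during boot, and reports which bytes and which named fields differ. The field offsets used (s_mtime at 0x2C, s_wtime at 0x30, s_mnt_count at 0x34, s_magic at 0x38) are the documented ext2/3/4 on-disk layout; the two images are constructed byte strings rather than real filesystems, and the constructed change at 0x178 is placed there only because the issue above names that offset.

```python
"""Detect changes to the primary ext2/3/4 superblock between two images.

Added example, not OSFClone's code.  Reads the 1024-byte superblock that sits
at offset 1024 within the partition from a 'before' and an 'after' image and
reports the differing bytes and the well-known fields among them.
"""
import struct

SUPERBLOCK_OFFSET = 1024
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53

# Offsets within the ext2/3/4 superblock (on-disk layout), little-endian.
FIELDS = {
    "s_mtime (last mount time)": (0x2C, "<I"),
    "s_wtime (last write time)": (0x30, "<I"),
    "s_mnt_count (mount count)": (0x34, "<H"),
    "s_magic": (0x38, "<H"),
}


def read_superblock(image):
    """Slice the primary superblock out of a partition image and sanity-check it."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too short to contain a primary superblock")
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic 0x%04x)" % magic)
    return sb


def decode_fields(sb):
    """Decode the named fields from a raw superblock."""
    return {name: struct.unpack_from(fmt, sb, off)[0]
            for name, (off, fmt) in FIELDS.items()}


def diff_superblocks(before, after):
    """Return (changed_fields, changed_offsets).

    changed_fields maps a field name to (before, after) for every named field
    whose value differs; changed_offsets lists every byte offset within the
    superblock that differs, so changes outside the named fields (such as the
    byte at 0x178 mentioned in the issue) are still reported.
    """
    sb_a, sb_b = read_superblock(before), read_superblock(after)
    fa, fb = decode_fields(sb_a), decode_fields(sb_b)
    changed_fields = {k: (fa[k], fb[k]) for k in FIELDS if fa[k] != fb[k]}
    changed_offsets = [i for i, (x, y) in enumerate(zip(sb_a, sb_b)) if x != y]
    return changed_fields, changed_offsets


def make_image(mtime, wtime, mnt_count, extra=None):
    """Constructed partition image: 1024 bytes of boot area followed by a
    superblock in which only the fields this example looks at are filled in."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<I", sb, 0x2C, mtime)
    struct.pack_into("<I", sb, 0x30, wtime)
    struct.pack_into("<H", sb, 0x34, mnt_count)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    for off, val in (extra or {}).items():
        sb[off] = val
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


def demo():
    """Before/after pair showing the kind of change the issue describes:
    the volume was mounted once, bumping the times, the mount count and 0x178."""
    before = make_image(mtime=1_600_000_000, wtime=1_600_000_000, mnt_count=7)
    after = make_image(mtime=1_600_003_600, wtime=1_600_003_600, mnt_count=8,
                       extra={0x178: 1})
    return diff_superblocks(before, after)


if __name__ == "__main__":
    fields, offsets = demo()
    for name, (old, new) in fields.items():
        print("%-28s %d -> %d" % (name, old, new))
    print("differing byte offsets:", [hex(o) for o in offsets])
```

On a real case the two inputs would be the superblock region read from the drive (through a write blocker) before the boot and the same region from the OSFClone image; a non-empty result means the acquisition is not a faithful copy of the drive as it was received.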
Issue: OSFClone fails to write an image to an NTFS location on the drive that contains the Windows OS installation.
Solution: The user will need to disable "Turn on fast startup" in Control Panel within Windows (Power Options --> Choose what the power buttons do) and then perform a shutdown (not a reboot). Once done, you'll be able to access the NTFS partitions normally with read/write permissions in OSFClone.

OSFClone contains the following components:
Porteus Linux
Perl, which is licensed under GPL.
AFF and AFFLIB, Copyright (c) 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.
libewf, which is licensed under GPL v3.0.
OSFClone software, which is licensed under GPL v3.0.

v1.4.1000, 14 Sep 2022
v1.3.1001, 11 Apr 2022
v1.3.1000, 5 Apr 2018
v1.2.1000, 24 Jul 2017
v1.1.1001, 4 May 2016
v1.1.1000, 6 Apr 2016
v1.0.1009 - INTERNAL, 2 May 2014
v1.0.1008b, 27 May 2011
v1.0.1008, 24 May 2011
v1.0.1007, 18 Apr 2011
v1.0.1006, 13 Apr 2011
v1.0.1005, 13 Dec 2010
v1.0.1004, 07 Dec 2010
v1.0.1003, 02 Dec 2010
v1.0.1002, 16 Nov 2010
v1.0.1001, 3 Nov 2010
v1.0.1000, 20 Oct 2010