Forensics: What is imaging?

What does “imaging” a hard drive mean?

Imaging is the process of taking an exact copy of a hard drive, and is the very foundation of computer forensics, data recovery and electronic discovery processing. It takes every single 0 and 1 on one hard drive and puts it on another.

The imaging process, for most tools, takes an exact copy of each sector, starting at the first sector, Sector 0, then continues until the last sector.

Once a sector is read by the imaging tool it is then written again onto another piece of media. How the data is stored depends on the tool, its settings, and the user's requirements.

Generally the options are:

Copy one sector to another sector: Cloning. In this process each sector is mirrored onto another sector. Sector 1 of the source is copied to sector 1 of the destination, sector 63 is copied to sector 63, etc. At the end of the process the media being written to will be an exact copy of the original drive. In theory you could put the cloned drive into the computer the original drive came from and it would boot successfully. For example, if the original drive is 100 GB (with one 100 GB partition) and the destination media is 250 GB, all of the 100 GB would be cloned to the 250 GB drive and the rest of the 250 GB would be blank. If the 250 GB drive was connected to a computer it would state that there was one 100 GB partition, and the remaining 150 GB would be “unused”. The drive could be navigated and used as if it were the original drive.

As long as the exact number of sectors that were imaged has been recorded, the exact end of the 100 GB clone on the 250 GB drive can be demonstrated. This is a perfectly legitimate method of imaging drives, and historically was the most popular.

Note that for this reason the destination drive must be zeroed/blank before the process starts.

Copying to a file: Raw/DD. In this process every sector is still copied to the destination drive, but rather than cloning the data (e.g. sector 1 copied to sector 1), the data is put into a file. This is a very important difference. Firstly it means that the destination media HAS to be formatted, i.e. the imaging drive cannot be completely blank. Secondly it means that you cannot boot a physical machine from the image directly (there are options using virtual machines, mounting the image, or creating a clone). It is also important to understand that, as the data in a file does not have to be sequential or contiguous (a file can be fragmented), the data written on the destination drive will not necessarily be sequential.

Example: A 40 GB drive is to be imaged to a 250 GB hard drive. The 250 GB drive is formatted with NTFS. The imaging tool is set to create a raw file, called image1.raw, on the destination (250 GB) drive. Sector 0 of the source drive is read and written to the first sector of image1.raw, sector 1 is then read and written to the second sector of the file… sector 63 is then written to the 64th sector of the file, etc. While the sector numbers appear very similar they are not, because the first sector of the file image1.raw could be physical sector 1,453,642 on the destination, and therefore the second sector would be 1,453,643, and the third 1,453,644. As NTFS has the ability to fragment files, the 4th sector could be 2,743,203, or any other available sector. The actual physical sectors on the destination hard drive do not matter because that is handled by NTFS. This will continue until every sector of the 40 GB source drive has been copied. The end result is a 40 GB file that is an exact duplicate of the original hard drive, which can be moved between media, across networks, backed up, and examined by tools like EnCase, FTK, etc.

The difference between a Raw and a DD format is that the latter will chunk up the data into set sizes, so that a single large file does not have to be created. For example, if a 1 TB drive is to be imaged then the raw image would be one 1 TB file, which could be problematic. However, if DD is used it will create multiple files of a set size (determined by the user), e.g. the maximum file size for the DD segments could be set to 2 GB. This would mean that 500 2 GB image segments would be created, resulting in image files like image1.dd.1, image1.dd.2… image1.dd.500. When the DD image is opened by FTK, EnCase, or the like it is reassembled and the drive is viewed as if it were a raw image or a clone.
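The sector-by-sector loop, the split segments and the reassembly described above, as an added example in Python (not code from the original article or from any of the tools it names). The "drive" is a constructed in-memory byte array, the segments are kept in memory rather than on disk, and the SHA-256 recorded at acquisition is re-checked after reassembly, which is the verification step a practitioner would expect:

```python
import hashlib
import io

SECTOR = 512  # bytes per sector

def image_sectors(source, sink, sector_size=SECTOR):
    """Read the source from sector 0 to the last sector, writing each sector
    to the sink in order. Returns (sectors_read, sha256 of everything read)."""
    digest, count = hashlib.sha256(), 0
    while True:
        sector = source.read(sector_size)
        if not sector:
            break
        sink.write(sector)
        digest.update(sector)
        count += 1
    return count, digest.hexdigest()

class SplitSink:
    """Write side of a split (dd-style) image: bytes go into segments named
    name.1, name.2, ..., each at most segment_bytes long. Kept in memory here."""

    def __init__(self, name, segment_bytes):
        self.name, self.limit, self.segments, self.current = name, segment_bytes, {}, None

    def write(self, data):
        while data:
            if self.current is None or self.current.tell() >= self.limit:
                self.current = io.BytesIO()  # open the next segment
                self.segments[f"{self.name}.{len(self.segments) + 1}"] = self.current
            room = self.limit - self.current.tell()
            self.current.write(data[:room])
            data = data[room:]

def reassemble(segments):
    """Concatenate the segments in numeric order, as a forensic tool does on open."""
    ordered = sorted(segments, key=lambda n: int(n.rsplit(".", 1)[1]))
    return b"".join(segments[n].getvalue() for n in ordered)

# Constructed 100-sector "drive": mostly zero, with two marked sectors.
DRIVE = bytearray(100 * SECTOR)
DRIVE[0:4] = b"MBR!"
DRIVE[63 * SECTOR:63 * SECTOR + 4] = b"S063"

def demo():
    raw = io.BytesIO()
    n_raw, h_raw = image_sectors(io.BytesIO(DRIVE), raw)
    split = SplitSink("image1.dd", 16 * SECTOR)  # 16-sector segments -> 7 files
    n_dd, h_dd = image_sectors(io.BytesIO(DRIVE), split)
    rebuilt = reassemble(split.segments)
    # Sector counts, segment count, acquisition hash still matching, raw == reassembled split.
    return n_raw, n_dd, len(split.segments), h_raw == h_dd == hashlib.sha256(rebuilt).hexdigest(), raw.getvalue() == rebuilt
```

Recording the sector count alongside the hash is what lets the examiner later show exactly where the image ends, as the cloning section above notes.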

Copying to an image/proprietary file: e.g. E01.

This is the next stage on from a raw or DD file. In this case when a sector is written down it is not a case of 1 sector to 1 sector, for several reasons. Firstly, programs like EnCase allow for compression, meaning that multiple sectors are compressed into a single sector. This is most effective when imaging hard drives with a lot of blank data, so a very large drive can be compressed significantly; an example of this is the E01 image created for the NTFS quiz on this site. This is a 40 GB drive that has been compressed down to a few hundred MB, using EnCase, because most of the drive is blank. In addition to compression, image formats such as E01 include a variety of checksums and security features to detect if the files have been tampered with. More information on the E01 file is available here.
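The two properties this section attributes to E01, compression of blank space and checksums that detect tampering, as an added, deliberately simplified illustration in Python. This is not the real E01/EnCase layout and not code from the article: the 64-sector chunk size and the CRC-per-chunk plus whole-image SHA-256 layout are assumptions made for the example, and the 2 MiB "drive" is constructed in memory.

```python
import hashlib
import zlib

SECTOR = 512
CHUNK = 64 * SECTOR  # compress 64 sectors at a time (an assumption for this illustration)

def write_compressed(drive, chunk_bytes=CHUNK):
    """Compress the drive chunk by chunk, storing a CRC32 beside each chunk
    and a SHA-256 of the whole uncompressed drive in the header."""
    chunks = []
    for off in range(0, len(drive), chunk_bytes):
        plain = bytes(drive[off:off + chunk_bytes])
        chunks.append((zlib.crc32(plain), zlib.compress(plain, 9)))
    return {"sha256": hashlib.sha256(bytes(drive)).hexdigest(), "chunks": chunks}

def read_compressed(image):
    """Inflate every chunk, checking each CRC and finally the whole-image hash.
    Returns (data, indices of chunks whose CRC failed, overall verification result)."""
    out, bad = bytearray(), []
    for i, (crc, comp) in enumerate(image["chunks"]):
        plain = zlib.decompress(comp)
        if zlib.crc32(plain) != crc:
            bad.append(i)
        out += plain
    ok = not bad and hashlib.sha256(bytes(out)).hexdigest() == image["sha256"]
    return bytes(out), bad, ok

# Constructed 2 MiB "drive" (4096 sectors): blank except for two marked areas.
DRIVE = bytearray(4096 * SECTOR)
DRIVE[0:16] = b"constructed MBR!"
DRIVE[700 * SECTOR:700 * SECTOR + 8] = b"userdata"

def demo():
    image = write_compressed(DRIVE)
    stored = sum(len(comp) for _, comp in image["chunks"])
    data, bad, ok = read_compressed(image)
    # Simulate tampering: replace the chunk holding sector 700 (index 700 // 64 = 10)
    # with compressed zeros while leaving its recorded CRC untouched.
    tampered = {"sha256": image["sha256"], "chunks": list(image["chunks"])}
    crc, _ = tampered["chunks"][10]
    tampered["chunks"][10] = (crc, zlib.compress(bytes(CHUNK), 9))
    _, bad_t, ok_t = read_compressed(tampered)
    # round-trips intact, verifies, compressed to under 1% of the drive, tampered chunk found, tampered image fails
    return data == bytes(DRIVE), ok, stored < len(DRIVE) // 100, bad_t, ok_t
```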

Imaging Tools

There are many imaging tools and systems on the market, from the bootable BackTrack distribution, which has a DD imaging tool installed and ready, to EnCase, the most famous/popular/expensive of forensic tools, which can only create E01 files, to FTK Imager, a lightweight free imaging tool that can produce E01, RAW, or DD images.

Despite claims of perfect imaging etc., no imaging tool is really perfect and each deals with errors in different ways; this article shows the effectiveness of different imaging tools.


3 Responses to “Forensics: What is imaging?”

  1. Forensics: Computer Forensics – Police or Civil? « Data – Where is it? Says:

    […] 5,000 pieces of media, a couple of hundred, for one case, is certainly not rare.  Some firms have imaged over a petabyte of data, for one […]

  2. Forensic Cloners « Data – Where is it? Says:

    […] replace the original hard drive in the hardware if necessary. Modern cloners can now produce other image formats with a DD or Raw images available. Currently the no hardware cloner produces an E01 image format. […]
