Forensic Imaging

One critical task that incident response analysts often have to perform is imaging digital evidence. As we discussed in prior chapters, a great deal of evidence related to an incident can be found within log files, memory, and other areas that can be acquired relatively quickly. In some incidents, such as internal malicious activity (for example, fraud, industrial espionage, or data leakage), a more detailed search for evidence may be required. This evidence includes master file table entries, files, and specific user data that is contained on the hard drive of a suspect system. In the event that incident response analysts encounter such circumstances, they will be required to obtain an image of a suspect drive. As with any aspect of digital forensics, obtaining a usable and court-defensible image depends on the appropriate tools, techniques, and documentation being used.

This chapter will explore the fundamental concepts of digital imaging and the preparation and tools that are needed to acquire a forensically sound image of a physical drive or other logical volume. More specifically, we will cover the following topics:

  • Understanding digital imaging: Imaging a storage drive is a process where details matter. This section provides a solid foundation on forensic imaging, how it is accomplished, the various types of digital imaging processes, and the various proprietary file formats.
  • Tools for imaging: Like much of the previous material we covered, there are several tools available to the responder for imaging drives. Having an understanding of these tools provides responders with knowledge about which tool to apply to an incident.
  • Preparing a stage drive: Just as important as learning how to handle the evidence drive, having a forensically sound stage drive to which the evidence will be imaged is critical. Responders will be walked through how to prepare this item.
  • Write blockers: Write blockers are critical components and ensure that evidence is not tainted during the imaging process. In this section, responders will be exposed to physical and software write blockers.
  • Imaging techniques: The main part of this chapter will focus on techniques that are available to responders who are called upon to image an evidence drive.

While this chapter presents some very technical and process-driven material, it is important that responders understand imaging. This process is critical to producing images that can be relied on for root-cause analysis and potential courtroom use.
