Overview of forensic imaging

A solid understanding of the facets of forensic imaging is important for incident response analysts. Knowing the tools, techniques, and procedures ensures that evidence is handled properly and that the analyst has confidence in the evidence acquired. Understanding the terminology also allows analysts to prepare accurate reports and to testify to their findings if the need arises.

One of the first concepts to understand is the difference between forensic imaging and copying. Copying files from a suspect hard drive or other medium provides the analyst only with the data associated with those files, and copying through the operating system can itself alter access timestamps on the source. Imaging, on the other hand, captures the entire drive, including slack space and unallocated space, which may allow deleted files to be recovered. Imaging also preserves the metadata on the volume, including file timestamps. This becomes critical when a timeline analysis is conducted to determine when specific files were accessed or deleted.

The terms cloning and imaging are often used interchangeably, but they are not the same thing. Cloning a drive produces a one-to-one, sector-for-sector copy onto another drive; the clone can be inserted into a system and booted, which is why cloning is often used to make a fully functional backup of a critical drive. While a cloned drive contains all of the data, it is cumbersome to work with, especially with forensic tools. For that reason, an image file is taken instead. An image of a drive contains the same data, but in a file format that allows detailed examination with forensic tools.

The second concept that needs to be understood is the types of volumes that can be imaged. Volumes can be separated into physical and logical. A physical volume is the entirety of a hard drive, including the master boot record (or other partition table) and every partition. When imaging a physical volume, the analyst captures all of this data. In contrast, a logical volume is one part of the overall hard drive. For example, on a hard drive divided into a master boot record and two partitions, a logical volume would be the D: drive. When imaging a logical volume, the analyst captures only the data from that D: drive, not the master boot record, the other partition, or any unpartitioned space between them.

The following figure illustrates the data that is captured in imaging either a physical or logical volume:

The type of incident being investigated largely dictates the type of imaging that is conducted. For example, if an analyst has identified a potentially malicious file being executed from the D: drive and intends to capture only that data, it may be faster to image only that volume. In other cases, such as suspected employee misconduct, where the analyst needs to trace as much activity as possible and time is less of a factor, a full image of the physical volume is conducted.
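To make the physical versus logical distinction concrete, the following Python script is an added example, not code from this book. It constructs a tiny MBR-partitioned disk (constructed test data), parses the partition table, and carves each partition out as a logical image. A marker planted in the unpartitioned gap between the MBR and the first partition is present in the physical image but in none of the logical images, which is exactly the data a logical acquisition leaves behind. The MBR layout used (16-byte partition entries at offset 446, boot signature 0x55AA) is real; the disk contents, the `HIDDEN` marker, the SHA-256 acquisition hash and all function names are assumptions made for illustration.

```python
"""Physical vs. logical imaging on a constructed MBR disk (added example)."""
import hashlib
import struct

SECTOR = 512
TOTAL_SECTORS = 16
# Constructed layout: MBR at sector 0, unallocated gap at sector 1, two partitions.
# (start_lba, sector_count, partition type); 0x07 is the NTFS/exFAT type code.
PARTS = [(2, 8, 0x07), (10, 6, 0x07)]
GAP_RESIDUE = b'HIDDEN'      # marker planted outside any partition (assumption)


def build_sample_disk():
    """Return a 16-sector 'physical volume' with an MBR and two partitions.
    Constructed test data, not a real drive image."""
    disk = bytearray(TOTAL_SECTORS * SECTOR)
    mbr = bytearray(SECTOR)                        # 446 bytes of boot code left as zeros
    for i, (start, count, ptype) in enumerate(PARTS):
        # 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
        entry = struct.pack('<B3sB3sII', 0x00, b'\0\0\0', ptype, b'\0\0\0', start, count)
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = entry
        disk[start * SECTOR:(start + count) * SECTOR] = bytes([0x41 + i]) * (count * SECTOR)
    mbr[510:512] = b'\x55\xaa'                     # MBR boot signature
    disk[0:SECTOR] = mbr
    # Residue in the unpartitioned gap: on the device, but inside no logical volume.
    disk[SECTOR:SECTOR + len(GAP_RESIDUE)] = GAP_RESIDUE
    return bytes(disk)


def parse_mbr(physical):
    """Return (index, type, start_lba, sector_count) for each used MBR entry."""
    if physical[510:512] != b'\x55\xaa':
        raise ValueError('no MBR boot signature; not an MBR-partitioned image')
    entries = []
    for i in range(4):
        raw = physical[446 + 16 * i:446 + 16 * (i + 1)]
        _, _, ptype, _, start, count = struct.unpack('<B3sB3sII', raw)
        if ptype != 0:
            entries.append((i, ptype, start, count))
    return entries


def image_logical(physical, index):
    """Carve one partition out of the physical image. This is all a logical image
    of that volume holds: no MBR, no gap sectors, no other partitions."""
    _, _, start, count = parse_mbr(physical)[index]
    return physical[start * SECTOR:(start + count) * SECTOR]


def sha256_hex(data):
    """Acquisition hash recorded with an image so it can be verified later."""
    return hashlib.sha256(data).hexdigest()


def acquisition_report(physical):
    """Summarise what a physical image and each logical image would capture."""
    report = {
        'physical_bytes': len(physical),
        'physical_sha256': sha256_hex(physical),
        'gap_residue_in_physical': GAP_RESIDUE in physical,
        'logical': [],
    }
    for index, ptype, start, count in parse_mbr(physical):
        volume = image_logical(physical, index)
        report['logical'].append({
            'index': index, 'type': ptype, 'start_lba': start,
            'bytes': len(volume), 'sha256': sha256_hex(volume),
            'gap_residue': GAP_RESIDUE in volume,
        })
    return report


if __name__ == '__main__':
    for key, value in acquisition_report(build_sample_disk()).items():
        print(key, value)
```

Running the script prints the physical image hash alongside one hash per carved partition; only the physical entry reports the gap residue. The same carving arithmetic (start LBA times sector size, for the partition's sector count) is what a forensic tool performs when it exports a single volume from a physical image.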

In Chapter 3, Network Evidence Collection, there was an extensive discussion of the acquisition of evidence such as log files and running memory from a live, powered-up system. In much the same way, incident response analysts can obtain a logical volume from a running system. This technique is referred to as live imaging. Live imaging may be the best option if the potentially compromised system cannot be taken offline, for example a high-availability production server, and the potential evidence is located within a logical volume. Because a live image is taken through the running operating system, the volume can change while it is being acquired and the acquisition tools themselves leave traces on the system; the analyst should record which tools were run and when.

Dead imaging is performed on a system that has been powered down, with the hard drive removed and typically connected through a write blocker. In this type of imaging, the analyst is able to capture the entire disk, including all volumes and the master boot record. This becomes necessary in incidents where analysts want to be sure to capture the entirety of the source evidence so that no location goes unexamined.

A final aspect of forensic imaging that an analyst should be familiar with is the types of image files that can be created and leveraged during an investigation. There are a number of image formats, some very specialized, but for the purposes of this book the focus will be on the two most common types of evidence files that analysts are likely to create and work with during an incident:

  • Raw image: A raw image file contains only the data from the imaged volume, byte for byte. No metadata is stored in the image itself, although some imaging tools, such as FTK Imager, write a separate text file with acquisition details and hashes. Because the format carries no built-in integrity check, the analyst records a hash of the source and of the image at acquisition time. Raw image outputs commonly use the extensions .raw, .img, or .dd.
  • EnCase evidence file: The EnCase evidence file, with the E01 extension (EX01 in the newer format), is a proprietary file format developed by Guidance Software for its EnCase forensic tools in 1998. It is based on ASR Data's Expert Witness Compression Format (EWF). Unlike a raw image, an E01 file contains metadata about the acquisition. The metadata stored in the header and footer includes information such as the drive type, the operating system, acquisition details such as the examiner name and case number, and timestamps. Another key feature of the E01 file is the inclusion of a Cyclic Redundancy Check (CRC): after each block of data (by default 64 sectors, or 32 KB) is written to the image file, a CRC of that block is stored, so that corruption anywhere in the image can be detected and localised to the affected block. Finally, the E01 file stores the MD5 hash of the acquired data in its footer, which allows the image as a whole to be verified against the source. The following diagram illustrates what components of the E01 file are created during the imaging process:
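The two integrity mechanisms just described, a CRC after every block and a whole-image hash in the footer, are easy to reason about in code. The following Python script is an added example, not code from this book or from Guidance Software: it writes a deliberately simplified container that borrows only the E01 design (chunks of 64 sectors each followed by a CRC32, an MD5 of the source at the end) and then verifies it, showing that a single corrupted byte is pinpointed to one chunk by its CRC while the footer hash tells the analyst whether the image as a whole still matches what was acquired. The container layout, the `flip_byte` fault injection and the function names are assumptions made for illustration; the script does not read or write real .E01 files, which additionally carry section headers and optional compression.

```python
"""Simplified E01-style container: per-chunk CRC plus whole-image hash (added example).
This mimics the integrity design of the EWF format only; it does not parse real
.E01 files."""
import hashlib
import struct
import zlib

SECTOR = 512
CHUNK_BYTES = 64 * SECTOR      # EWF default: one CRC per 64-sector (32 KB) chunk


def build_container(data, chunk_size=CHUNK_BYTES):
    """Pack source bytes as [chunk_size, count] + (len, chunk, crc32)* + md5 footer."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    out = bytearray(struct.pack('<II', chunk_size, len(chunks)))
    for chunk in chunks:
        out += struct.pack('<I', len(chunk)) + chunk + struct.pack('<I', zlib.crc32(chunk))
    out += hashlib.md5(data).digest()          # acquisition hash of the whole source
    return bytes(out)


def verify_container(container):
    """Check every chunk CRC and the footer MD5.
    Chunk CRCs localise corruption to a chunk index; the MD5 proves the image as a
    whole still matches the source that was acquired."""
    _, count = struct.unpack_from('<II', container, 0)
    pos, bad, pieces = 8, [], []
    for index in range(count):
        (length,) = struct.unpack_from('<I', container, pos)
        chunk = container[pos + 4:pos + 4 + length]
        (stored_crc,) = struct.unpack_from('<I', container, pos + 4 + length)
        if zlib.crc32(chunk) != stored_crc:
            bad.append(index)
        pieces.append(chunk)
        pos += 8 + length
    md5_ok = hashlib.md5(b''.join(pieces)).digest() == container[pos:pos + 16]
    return {'ok': not bad and md5_ok, 'bad_chunks': bad, 'md5_ok': md5_ok}


def flip_byte(container, offset):
    """Simulate a single corrupted byte in the stored image file (constructed fault)."""
    damaged = bytearray(container)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


if __name__ == '__main__':
    source = bytes(range(256)) * 400            # constructed 100 KB "volume"
    image = build_container(source)
    print(verify_container(image))              # clean image: ok, no bad chunks
    print(verify_container(flip_byte(image, 65574)))   # a byte inside chunk 2 flipped
```

Two cases are worth trying: flipping a byte inside a chunk's data fails both that chunk's CRC and the footer MD5, while flipping a byte of a stored CRC fails only that chunk's check and leaves the MD5 valid, which tells the analyst the data itself is intact and only the check value was damaged. A raw image offers neither distinction, which is why a separate hash record matters so much there.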

The information presented here is an overview of some of the core concepts of imaging; there are a great many details concerning forensic imaging that could not be included within this book. A detailed understanding of forensic imaging allows the incident response analyst not only to prepare an accurate report, but also to describe in detail how their actions produced the output that served as the foundation of their analysis.
