SlideShare a Scribd company logo

Introduction to forensic imaging

Marco Alamanni, profile picture
Marco Alamanni

The document provides an overview of the forensic image acquisition process using Kali Linux, detailing methods such as dcfldd and dc3dd, along with gui tools like Guymager. It explains the importance of acquiring a forensically sound image, including hardware and software write-blocking techniques, and covers different forensic image formats and hard disk geometry. Key features such as Device Configuration Overlay (DCO) and Host Protected Area (HPA) are also discussed, highlighting their relevance to digital forensics.

Software
1 of 21
Downloaded 40 times
1
2
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
Most read
18
19
20
21
Digital forensics with Kali Linux Marco Alamanni Section 2 Acquiring forensic images www.packtpub.com
In this Section, we are going to take a look at…  Introduction to the forensic image acquisition process.  Acquiring images with dcfldd and dc3dd.  Acquiring images with a GUI tool: Guymager
Digital forensics with Kali Linux Marco Alamanni Video 2.1 Introduction to forensic imaging
In this Video, we are going to take a look at… • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
Introduction to forensic imaging • Forensic image acquisition is the process of acquiring a forensically sound copy or image of the device or media to analyze. • Forensically sound means that the we shall be able to verify that the image is an exact copy of the original and the procedure used to acquire it shall be documented. • The image file is the basis on which the examiner works to find the evidence.
Introduction to forensic imaging • A forensic image is a bit by bit copy of the media to analyze. • It’s not simply cloning the file system, it’s a copy of all the raw disk (or partition) sectors. • The original media must not be altered in any way! • The integrity of the image file shall be verified and I/O errors logged. (see NIST CFTT: Testing Disk Imaging Tools)
Introduction to forensic imaging • Two scenarios when acquiring a forensic image: the hard drive is removed or not removed from the suspect computer. • In the first case, we use a forensic live cd, like Kali Linux. Forensic live cds shall be booted in forensic mode. • In the second case, we must attach the drive to a forensic workstation using a write blocking mechanism.
Hardware and software write blocking • Write blocking mechanisms can be implemented in hardware or software. • Hardware write blockers are devices that protect the drive from writes and could have different type of connectors. • Are quite expensive but their use is preferable.
Hardware write blocker
Software write blocking • Software write blocking is quite a controversial topic. • Simply mounting a drive as read-only doesn’t fully guarantee that it is not written! • Various techniques have been developed.
Software write blocking • Linux write blocker kernel patch written by M.Suhanov. • It blocks the write commands at the device driver level. • But requires the kernel to be recompiled.
Forensic image formats • A raw image is a duplicate of all the sectors of a disk or partition. • It contains no additional metadata. • Can be obtained by tools like dd (Data Dump). Variants of dd have been developed for forensics.
Forensic image formats • Another open forensic format is the Advanced Forensic Format (AFF) (S. Garfinkel). • It supports compression and encryption of images. • AFFlib package to convert and manage AFF images.
Forensic image formats • Proprietary formats: Expert Witness Format (EWF) and SMART • Both supports compression and encryption of images. • libewf package to convert and manage ewf images.
Hard disk geometry
Hard disk addressing: CHS and LBA • CHS (Cylinder-Head-Sector) is the traditional physical block addressing scheme. • Outdated but still used. • LBA (Logical Block Addressing) is a linear addressing scheme that replaced CHS addressing. • Sectors are located by a 48 bits integer index.
Hard disk addressing: CHS and LBA
Hard disk forensics: DCO and HPA • Two features introduced in the ATA standard that are relevant to digital forensics: DCO (Device configuration overlay) and HPA (Host protected area). • DCO allows to configure reported disk capacity and features. • HPA hides disk areas to the OS and reserves them to store data. • Both features have been abused to hide illicit data.
Hard disk forensics: DCO and HPA • Both DCO and HPA can be revealed and removed with a command line tool: hdparm. • We are going to show its usage next.
Summary • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
Next Video Introduction to dcfldd and dc3dd

More Related Content

PPTX
Autopsy Digital forensics tool
Sreekanth Narendran
 
PPTX
Computer forensic ppt
Priya Manik
 
PDF
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
PPTX
Forensic imaging
DINESH KAMBLE
 
PDF
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
ODT
Operating System Forensics
ArunJS5
 
PPTX
Network Forensics
primeteacher32
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
Autopsy Digital forensics tool
Sreekanth Narendran
 
Computer forensic ppt
Priya Manik
 
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Forensic imaging
DINESH KAMBLE
 
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
Operating System Forensics
ArunJS5
 
Network Forensics
primeteacher32
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 

What's hot (20)

PPTX
Digital Forensic ppt
Suchita Rawat
 
PPTX
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
PPT
Preserving and recovering digital evidence
Online
 
PPTX
Network forensic
Manjushree Mashal
 
PDF
A brief Intro to Digital Forensics
Manik Bhola
 
PPT
Introduction to computer forensic
Online
 
PPTX
Difference between Cyber and digital Forensic.pptx
Applied Forensic Research Sciences
 
PPTX
Module 02 ftk imager
ParminderKaurBScHons
 
PPTX
E-mail Investigation
edwardbel
 
PPTX
Anti forensic
Milap Oza
 
PPTX
Encase Forensic
Megha Sahu
 
PPTX
Digital forensic tools
Parsons Corporation
 
PPTX
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
PPTX
Computer forensics powerpoint presentation
Somya Johri
 
PPTX
Data recovery
Abhinav Parihar
 
PPT
Windows forensic artifacts
n|u - The Open Security Community
 
PPTX
Digital forensics
vishnuv43
 
PPTX
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
PPTX
Data Acquisition
primeteacher32
 
PPT
Data recovery
Mir Majid
 
Digital Forensic ppt
Suchita Rawat
 
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Preserving and recovering digital evidence
Online
 
Network forensic
Manjushree Mashal
 
A brief Intro to Digital Forensics
Manik Bhola
 
Introduction to computer forensic
Online
 
Difference between Cyber and digital Forensic.pptx
Applied Forensic Research Sciences
 
Module 02 ftk imager
ParminderKaurBScHons
 
E-mail Investigation
edwardbel
 
Anti forensic
Milap Oza
 
Encase Forensic
Megha Sahu
 
Digital forensic tools
Parsons Corporation
 
Digital Forensics by William C. Barker (NIST)
AltheimPrivacy
 
Computer forensics powerpoint presentation
Somya Johri
 
Data recovery
Abhinav Parihar
 
Windows forensic artifacts
n|u - The Open Security Community
 
Digital forensics
vishnuv43
 
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
Data Acquisition
primeteacher32
 
Data recovery
Mir Majid
 
Ad

Similar to Introduction to forensic imaging (20)

PPTX
Lecture 4 - Data Acquisition1234_MH.pptx
muhammadosama0121
 
PPTX
Intro to digital forensic imaging
Detectalix
 
PPT
Guide to computer forensics and investigation.ppt
MaluOffice
 
PPT
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
 
PDF
CNIT 152 8. Forensic Duplication
Sam Bowne
 
PPT
data acquisition in computer forensics and
ssuserec53e73
 
PDF
kbrgwillis.pdf
Kblblkb
 
PDF
Accessing Forensic Images
CTIN
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PDF
dataacquisition.pdf
Jayaprasanna4
 
PPTX
Capturing forensics image
Chris Harrington
 
PPTX
First Responder Course - Session 10 - Static Evidence Collection [2004]
Phil Huggins FBCS CITP
 
PPTX
Computer Forensics and investigation module 3
ssuserec53e73
 
PPT
Codebits 2010
Tiago Henriques
 
PDF
Foundation of Digital Forensics
Victor C. Sovichea
 
PPTX
Deft
saddamhusain hadimani
 
PDF
Digital Forensics
Vikas Jain
 
PDF
Workshop 2 revised
peterchanws
 
PPTX
Beauty of open source in cyber forensics
saddamhusain hadimani
 
DOCX
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
 
Lecture 4 - Data Acquisition1234_MH.pptx
muhammadosama0121
 
Intro to digital forensic imaging
Detectalix
 
Guide to computer forensics and investigation.ppt
MaluOffice
 
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
 
CNIT 152 8. Forensic Duplication
Sam Bowne
 
data acquisition in computer forensics and
ssuserec53e73
 
kbrgwillis.pdf
Kblblkb
 
Accessing Forensic Images
CTIN
 
Debian Linux as a Forensic Workstation
Vipin George
 
dataacquisition.pdf
Jayaprasanna4
 
Capturing forensics image
Chris Harrington
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
Phil Huggins FBCS CITP
 
Computer Forensics and investigation module 3
ssuserec53e73
 
Codebits 2010
Tiago Henriques
 
Foundation of Digital Forensics
Victor C. Sovichea
 
Deft
saddamhusain hadimani
 
Digital Forensics
Vikas Jain
 
Workshop 2 revised
peterchanws
 
Beauty of open source in cyber forensics
saddamhusain hadimani
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
maxinesmith73660
 
Ad

More from Marco Alamanni (7)

ODP
Introduction to memory forensics
Marco Alamanni
 
ODP
File carving tools
Marco Alamanni
 
ODP
File carving overview
Marco Alamanni
 
ODP
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
ODP
Brief introduction to digital forensics
Marco Alamanni
 
PPT
Oracle Database Vault
Marco Alamanni
 
PDF
Trust:concetti generali e teoria formale
Marco Alamanni
 
Introduction to memory forensics
Marco Alamanni
 
File carving tools
Marco Alamanni
 
File carving overview
Marco Alamanni
 
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
Brief introduction to digital forensics
Marco Alamanni
 
Oracle Database Vault
Marco Alamanni
 
Trust:concetti generali e teoria formale
Marco Alamanni
 

Recently uploaded (20)

PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PPTX
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
assetexplorer- product-overview - presentation
nonameist3434
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 

Introduction to forensic imaging

  • 1. Digital forensics with Kali Linux Marco Alamanni Section 2 Acquiring forensic images www.packtpub.com
  • 2. In this Section, we are going to take a look at…  Introduction to the forensic image acquisition process.  Acquiring images with dcfldd and dc3dd.  Acquiring images with a GUI tool: Guymager
  • 3. Digital forensics with Kali Linux Marco Alamanni Video 2.1 Introduction to forensic imaging
  • 4. In this Video, we are going to take a look at… • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
  • 5. Introduction to forensic imaging • Forensic image acquisition is the process of acquiring a forensically sound copy or image of the device or media to analyze. • Forensically sound means that the we shall be able to verify that the image is an exact copy of the original and the procedure used to acquire it shall be documented. • The image file is the basis on which the examiner works to find the evidence.
  • 6. Introduction to forensic imaging • A forensic image is a bit by bit copy of the media to analyze. • It’s not simply cloning the file system, it’s a copy of all the raw disk (or partition) sectors. • The original media must not be altered in any way! • The integrity of the image file shall be verified and I/O errors logged. (see NIST CFTT: Testing Disk Imaging Tools)
  • 7. Introduction to forensic imaging • Two scenarios when acquiring a forensic image: the hard drive is removed or not removed from the suspect computer. • In the first case, we use a forensic live cd, like Kali Linux. Forensic live cds shall be booted in forensic mode. • In the second case, we must attach the drive to a forensic workstation using a write blocking mechanism.
  • 8. Hardware and software write blocking • Write blocking mechanisms can be implemented in hardware or software. • Hardware write blockers are devices that protect the drive from writes and could have different type of connectors. • Are quite expensive but their use is preferable.
  • 10. Software write blocking • Software write blocking is quite a controversial topic. • Simply mounting a drive as read-only doesn’t fully guarantee that it is not written! • Various techniques have been developed.
  • 11. Software write blocking • Linux write blocker kernel patch written by M.Suhanov. • It blocks the write commands at the device driver level. • But requires the kernel to be recompiled.
  • 12. Forensic image formats • A raw image is a duplicate of all the sectors of a disk or partition. • It contains no additional metadata. • Can be obtained by tools like dd (Data Dump). Variants of dd have been developed for forensics.
  • 13. Forensic image formats • Another open forensic format is the Advanced Forensic Format (AFF) (S. Garfinkel). • It supports compression and encryption of images. • AFFlib package to convert and manage AFF images.
  • 14. Forensic image formats • Proprietary formats: Expert Witness Format (EWF) and SMART • Both supports compression and encryption of images. • libewf package to convert and manage ewf images.
  • 16. Hard disk addressing: CHS and LBA • CHS (Cylinder-Head-Sector) is the traditional physical block addressing scheme. • Outdated but still used. • LBA (Logical Block Addressing) is a linear addressing scheme that replaced CHS addressing. • Sectors are located by a 48 bits integer index.
  • 17. Hard disk addressing: CHS and LBA
  • 18. Hard disk forensics: DCO and HPA • Two features introduced in the ATA standard that are relevant to digital forensics: DCO (Device configuration overlay) and HPA (Host protected area). • DCO allows to configure reported disk capacity and features. • HPA hides disk areas to the OS and reserves them to store data. • Both features have been abused to hide illicit data.
  • 19. Hard disk forensics: DCO and HPA • Both DCO and HPA can be revealed and removed with a command line tool: hdparm. • We are going to show its usage next.
  • 20. Summary • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
  • 21. Next Video Introduction to dcfldd and dc3dd