Forensic Imaging

Disk forensic imaging is the process of making a bit-by-bit copy of a disk. Imaging can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volume, network streams, etc.

The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time-consuming process especially for disks with a large capacity.

Disk imaging, on the other hand, is NOT a direct disk-to-disk method and requires an intermediary process. One cannot create a copy of a hard drive simply by placing a disk image file on it; the image needs to be opened and installed (restored) on the drive via the same imaging software that was used to create it.

  1. Create a disk image and save to external media
  2. Restore that image from external media to selected drive


In most computer forensic examinations, the next step is to make an exact copy of the data residing on the evidence hard disk (or other electronic digital storage devices). The need to create such a copy is consistent with the essential concern not to change the evidence.

Two types of methodology can be followed for acquiring the image of digital evidence such as follows.

  1. Live Acquisition
  2. Dead/Offline Acquisition

Image Integrity

Often when creating a disk image a cryptographic hash is calculated of the entire disk. Commonly used cryptographic hashes are MD5, SHA1 and/or SHA256.

By recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself does not protect against intentional tampering but can indicate that the data was altered, e.g. due to corruption. The integrity hash does not indicate where in the data the alteration has occurred. Therefore some image tools and/or formats provide for additional integrity checks like:

  • A checksum
  • Parity data
  • Piecewise hashing

There are so many courts approved imaging devices available in the market to image any type of digital media (IDE, SATA, SCSI, SAS, USB, etc.). Few examples are mentioned below:

  1. Ditto Forensic FeildStation
  2. Atola Bandura
  3. Atola Forensic
  4. Forensic Falcon