Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook, which I last posted about on January 10, 2017.
VIII. Forensic Imaging
A. Forensically sound preservation preserves data, metadata, and deleted data in unallocated clusters. Three commandments:
1. Don’t Alter the Evidence
2. Accurately replicate the contents
3. Prove the preceding objectives were met.
B. Distinguishing Between Clones, Collections and Images
1. Targeted collection – copying of active data.
2. Drive Image – all of the data and metadata, stored in a structurally different form from the source, but restorable to a forensically sound duplicate.
C. Don’t Alter the Evidence
1. Write blocking prevents source evidence from being altered.
a. Write blocking hardware.
b. Write blocking software, or
c. Use of operating systems like Linux that can be configured not to write to evidence media.
D. Replicating Contents
1. Drive Image
2. Clone Drive – a fully operational one-to-one copy. Cloning is an outmoded approach that has given way to imaging. Attaching a clone to a PC without using write blocking procedures may destroy the integrity of the evidence.
E. Prove the Image is Forensically Sound
1. Hash values – an alphanumeric code (the output of a message digest algorithm) that can only be generated by one input, so it serves as a fingerprint of the drive’s contents. Matching hash values for the source and the image prove the image is a faithful copy.
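As an added illustration of the hash-verification step (example code written for this outline, not from Ball's workbook or from FTK Imager): it streams an image file through MD5 and SHA-1, the two digests FTK Imager records at acquisition, and shows on a constructed sample image that altering a single byte breaks the match.

```python
import hashlib
import io
import os
import tempfile

# Digest algorithms recorded for the image at acquisition (MD5 and SHA-1).
ALGORITHMS = ("md5", "sha1")


def hash_stream(stream, chunk_size=1024 * 1024):
    """Return {algorithm: hex digest} for a binary stream.

    The stream is read in fixed-size chunks so a multi-gigabyte image is never
    loaded into memory at once; every algorithm is fed the same bytes.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := stream.read(chunk_size):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory byte string (handy for tests and small samples)."""
    return hash_stream(io.BytesIO(data))


def hash_image(path):
    """Hash an image file on disk, e.g. a raw (dd) image."""
    with open(path, "rb") as image:
        return hash_stream(image)


def verify_image(path, expected):
    """Recompute digests and compare them with those recorded at acquisition.

    Returns (ok, mismatches); `mismatches` lists the algorithms that differ.
    """
    actual = hash_image(path)
    mismatches = [name for name in expected if actual[name] != expected[name]]
    return (not mismatches, mismatches)


def demo():
    """Constructed sample 'image': hashed, then altered by one byte, then re-checked."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as image:
            image.write(b"MBR\x00" * 1024 + b"evidence.docx" + b"\x00" * 4096)
        acquisition_hashes = hash_image(path)      # recorded when the image is made
        ok_before, _ = verify_image(path, acquisition_hashes)
        with open(path, "r+b") as image:           # simulate a one-byte alteration
            image.seek(4096)
            image.write(b"E")
        ok_after, changed = verify_image(path, acquisition_hashes)
    finally:
        os.remove(path)
    return ok_before, ok_after, changed
```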
F. FTK Imager
1. Can be downloaded for free
2. Attach thumb drive – Run FTK Imager and click Add Evidence Item.
3. Select Source Evidence Type (Physical Drive; Logical Drive; Image File; or Contents of Folder)
4. File > Create Disk Image
5. Select Image Type (E01; Raw (dd); SMART; AFF)
6. Select Image Destination
7. Hash values are automatically generated to authenticate the image.
8. 7GB+ imaged in about 10 minutes.
9. 7GB+ can be reduced in size to about 400 MB.
10. A CSV file lists the contents of the drive.