SlideShare a Scribd company logo

Introduction to forensic imaging

Marco Alamanni, profile picture
Marco Alamanni

The document provides an overview of the forensic image acquisition process using Kali Linux, detailing methods such as dcfldd and dc3dd, along with gui tools like Guymager. It explains the importance of acquiring a forensically sound image, including hardware and software write-blocking techniques, and covers different forensic image formats and hard disk geometry. Key features such as Device Configuration Overlay (DCO) and Host Protected Area (HPA) are also discussed, highlighting their relevance to digital forensics.

Software
1 of 21
Downloaded 40 times
1
2
3
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
Most read
18
19
20
21
Digital forensics with Kali Linux Marco Alamanni Section 2 Acquiring forensic images www.packtpub.com
In this Section, we are going to take a look at…  Introduction to the forensic image acquisition process.  Acquiring images with dcfldd and dc3dd.  Acquiring images with a GUI tool: Guymager
Digital forensics with Kali Linux Marco Alamanni Video 2.1 Introduction to forensic imaging
In this Video, we are going to take a look at… • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
Introduction to forensic imaging • Forensic image acquisition is the process of acquiring a forensically sound copy or image of the device or media to analyze. • Forensically sound means that the we shall be able to verify that the image is an exact copy of the original and the procedure used to acquire it shall be documented. • The image file is the basis on which the examiner works to find the evidence.
Introduction to forensic imaging • A forensic image is a bit by bit copy of the media to analyze. • It’s not simply cloning the file system, it’s a copy of all the raw disk (or partition) sectors. • The original media must not be altered in any way! • The integrity of the image file shall be verified and I/O errors logged. (see NIST CFTT: Testing Disk Imaging Tools)
Introduction to forensic imaging • Two scenarios when acquiring a forensic image: the hard drive is removed or not removed from the suspect computer. • In the first case, we use a forensic live cd, like Kali Linux. Forensic live cds shall be booted in forensic mode. • In the second case, we must attach the drive to a forensic workstation using a write blocking mechanism.
Hardware and software write blocking • Write blocking mechanisms can be implemented in hardware or software. • Hardware write blockers are devices that protect the drive from writes and could have different type of connectors. • Are quite expensive but their use is preferable.
Hardware write blocker
Software write blocking • Software write blocking is quite a controversial topic. • Simply mounting a drive as read-only doesn’t fully guarantee that it is not written! • Various techniques have been developed.
Software write blocking • Linux write blocker kernel patch written by M.Suhanov. • It blocks the write commands at the device driver level. • But requires the kernel to be recompiled.
Forensic image formats • A raw image is a duplicate of all the sectors of a disk or partition. • It contains no additional metadata. • Can be obtained by tools like dd (Data Dump). Variants of dd have been developed for forensics.
Forensic image formats • Another open forensic format is the Advanced Forensic Format (AFF) (S. Garfinkel). • It supports compression and encryption of images. • AFFlib package to convert and manage AFF images.
Forensic image formats • Proprietary formats: Expert Witness Format (EWF) and SMART • Both supports compression and encryption of images. • libewf package to convert and manage ewf images.
Hard disk geometry
Hard disk addressing: CHS and LBA • CHS (Cylinder-Head-Sector) is the traditional physical block addressing scheme. • Outdated but still used. • LBA (Logical Block Addressing) is a linear addressing scheme that replaced CHS addressing. • Sectors are located by a 48 bits integer index.
Hard disk addressing: CHS and LBA
Hard disk forensics: DCO and HPA • Two features introduced in the ATA standard that are relevant to digital forensics: DCO (Device configuration overlay) and HPA (Host protected area). • DCO allows to configure reported disk capacity and features. • HPA hides disk areas to the OS and reserves them to store data. • Both features have been abused to hide illicit data.
Hard disk forensics: DCO and HPA • Both DCO and HPA can be revealed and removed with a command line tool: hdparm. • We are going to show its usage next.
Summary • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
Next Video Introduction to dcfldd and dc3dd

More Related Content

PPTX
Module 02 ftk imager
ParminderKaurBScHons
 
PPTX
Memory forensics.pptx
9905234521
 
PPTX
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
PPT
Windowsforensics
Santosh Khadsare
 
PPTX
Network Forensics
primeteacher32
 
PPTX
Memory forensics
Sunil Kumar
 
PPT
Linux forensics
Santosh Khadsare
 
PPTX
Mobile Forensics
primeteacher32
 
Module 02 ftk imager
ParminderKaurBScHons
 
Memory forensics.pptx
9905234521
 
Digital Forensics best practices with the use of open source tools and admiss...
Sagar Rahurkar
 
Windowsforensics
Santosh Khadsare
 
Network Forensics
primeteacher32
 
Memory forensics
Sunil Kumar
 
Linux forensics
Santosh Khadsare
 
Mobile Forensics
primeteacher32
 

What's hot (20)

PPTX
Data Acquisition
primeteacher32
 
PDF
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
PPTX
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
PPTX
Digital forensic tools
Parsons Corporation
 
PDF
Memory Forensics
n|u - The Open Security Community
 
PDF
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
PPTX
Cyber Forensics Overview
Yansi Keim
 
PPTX
Digital Forensic ppt
Suchita Rawat
 
PPTX
Windows Forensic 101
Digit Oktavianto
 
PPTX
Computer forensics toolkit
Milap Oza
 
PDF
Email Forensics
Gol D Roger
 
PPTX
Autopsy Digital forensics tool
Sreekanth Narendran
 
PDF
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
Memory Forensics
Anshul Tayal
 
PPT
Windows forensic artifacts
n|u - The Open Security Community
 
PPTX
Computer forensic ppt
Priya Manik
 
PPT
Introduction to computer forensic
Online
 
PDF
Database forensics
Denys A. Flores, PhD
 
PPTX
Incident response process
Bhupeshkumar Nanhe
 
PPTX
Virtual Machine Forensics
primeteacher32
 
Data Acquisition
primeteacher32
 
Digital Forensic: Brief Intro & Research Challenge
Aung Thu Rha Hein
 
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Digital forensic tools
Parsons Corporation
 
Memory Forensics
n|u - The Open Security Community
 
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Cyber Forensics Overview
Yansi Keim
 
Digital Forensic ppt
Suchita Rawat
 
Windows Forensic 101
Digit Oktavianto
 
Computer forensics toolkit
Milap Oza
 
Email Forensics
Gol D Roger
 
Autopsy Digital forensics tool
Sreekanth Narendran
 
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
Memory Forensics
Anshul Tayal
 
Windows forensic artifacts
n|u - The Open Security Community
 
Computer forensic ppt
Priya Manik
 
Introduction to computer forensic
Online
 
Database forensics
Denys A. Flores, PhD
 
Incident response process
Bhupeshkumar Nanhe
 
Virtual Machine Forensics
primeteacher32
 
Ad

Similar to Introduction to forensic imaging (20)

PPTX
Intro to digital forensic imaging
Detectalix
 
PDF
kbrgwillis.pdf
Kblblkb
 
PDF
CNIT 152 8. Forensic Duplication
Sam Bowne
 
PDF
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
PPT
Guide to computer forensics and investigation.ppt
MaluOffice
 
PDF
File000127
Desmond Devendran
 
PPTX
Lecture 4 - Data Acquisition1234_MH.pptx
muhammadosama0121
 
PDF
cyber forensics and digitalforensics.pdf
mcjaya2024
 
PPT
data acquisition in computer forensics and
ssuserec53e73
 
PPT
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
 
PPTX
Computer Forensics and investigation module 3
ssuserec53e73
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
PDF
You suck at Memory Analysis
Francisco Ribeiro
 
PPT
Preserving and recovering digital evidence
Online
 
PPTX
Clape n
Joy Dhar
 
PDF
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Anne Nicolas
 
PPTX
Android forensics an Custom Recovery Image
Mohamed Khaled
 
PDF
LST Toolkit: Exfiltration Over Sound, Light, Touch
Dimitry Snezhkov
 
PPTX
Hard Disk Data Acquisition
Taha İslam YILMAZ
 
DOCX
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Intro to digital forensic imaging
Detectalix
 
kbrgwillis.pdf
Kblblkb
 
CNIT 152 8. Forensic Duplication
Sam Bowne
 
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
Guide to computer forensics and investigation.ppt
MaluOffice
 
File000127
Desmond Devendran
 
Lecture 4 - Data Acquisition1234_MH.pptx
muhammadosama0121
 
cyber forensics and digitalforensics.pdf
mcjaya2024
 
data acquisition in computer forensics and
ssuserec53e73
 
Ch 04 Data Acquisition for Digital Forensics.ppt
whbwi21Basri
 
Computer Forensics and investigation module 3
ssuserec53e73
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
You suck at Memory Analysis
Francisco Ribeiro
 
Preserving and recovering digital evidence
Online
 
Clape n
Joy Dhar
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Anne Nicolas
 
Android forensics an Custom Recovery Image
Mohamed Khaled
 
LST Toolkit: Exfiltration Over Sound, Light, Touch
Dimitry Snezhkov
 
Hard Disk Data Acquisition
Taha İslam YILMAZ
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
Ad

More from Marco Alamanni (7)

ODP
Introduction to memory forensics
Marco Alamanni
 
ODP
File carving tools
Marco Alamanni
 
ODP
File carving overview
Marco Alamanni
 
ODP
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
ODP
Brief introduction to digital forensics
Marco Alamanni
 
PPT
Oracle Database Vault
Marco Alamanni
 
PDF
Trust:concetti generali e teoria formale
Marco Alamanni
 
Introduction to memory forensics
Marco Alamanni
 
File carving tools
Marco Alamanni
 
File carving overview
Marco Alamanni
 
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
Brief introduction to digital forensics
Marco Alamanni
 
Oracle Database Vault
Marco Alamanni
 
Trust:concetti generali e teoria formale
Marco Alamanni
 

Recently uploaded (20)

PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
System and Network Administraation Chapter 3
jaramharo
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Introduction to Artificial Intelligence
lohedi9363
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 

Introduction to forensic imaging

  • 1. Digital forensics with Kali Linux Marco Alamanni Section 2 Acquiring forensic images www.packtpub.com
  • 2. In this Section, we are going to take a look at…  Introduction to the forensic image acquisition process.  Acquiring images with dcfldd and dc3dd.  Acquiring images with a GUI tool: Guymager
  • 3. Digital forensics with Kali Linux Marco Alamanni Video 2.1 Introduction to forensic imaging
  • 4. In this Video, we are going to take a look at… • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
  • 5. Introduction to forensic imaging • Forensic image acquisition is the process of acquiring a forensically sound copy or image of the device or media to analyze. • Forensically sound means that the we shall be able to verify that the image is an exact copy of the original and the procedure used to acquire it shall be documented. • The image file is the basis on which the examiner works to find the evidence.
  • 6. Introduction to forensic imaging • A forensic image is a bit by bit copy of the media to analyze. • It’s not simply cloning the file system, it’s a copy of all the raw disk (or partition) sectors. • The original media must not be altered in any way! • The integrity of the image file shall be verified and I/O errors logged. (see NIST CFTT: Testing Disk Imaging Tools)
  • 7. Introduction to forensic imaging • Two scenarios when acquiring a forensic image: the hard drive is removed or not removed from the suspect computer. • In the first case, we use a forensic live cd, like Kali Linux. Forensic live cds shall be booted in forensic mode. • In the second case, we must attach the drive to a forensic workstation using a write blocking mechanism.
  • 8. Hardware and software write blocking • Write blocking mechanisms can be implemented in hardware or software. • Hardware write blockers are devices that protect the drive from writes and could have different type of connectors. • Are quite expensive but their use is preferable.
  • 10. Software write blocking • Software write blocking is quite a controversial topic. • Simply mounting a drive as read-only doesn’t fully guarantee that it is not written! • Various techniques have been developed.
  • 11. Software write blocking • Linux write blocker kernel patch written by M.Suhanov. • It blocks the write commands at the device driver level. • But requires the kernel to be recompiled.
  • 12. Forensic image formats • A raw image is a duplicate of all the sectors of a disk or partition. • It contains no additional metadata. • Can be obtained by tools like dd (Data Dump). Variants of dd have been developed for forensics.
  • 13. Forensic image formats • Another open forensic format is the Advanced Forensic Format (AFF) (S. Garfinkel). • It supports compression and encryption of images. • AFFlib package to convert and manage AFF images.
  • 14. Forensic image formats • Proprietary formats: Expert Witness Format (EWF) and SMART • Both supports compression and encryption of images. • libewf package to convert and manage ewf images.
  • 16. Hard disk addressing: CHS and LBA • CHS (Cylinder-Head-Sector) is the traditional physical block addressing scheme. • Outdated but still used. • LBA (Logical Block Addressing) is a linear addressing scheme that replaced CHS addressing. • Sectors are located by a 48 bits integer index.
  • 17. Hard disk addressing: CHS and LBA
  • 18. Hard disk forensics: DCO and HPA • Two features introduced in the ATA standard that are relevant to digital forensics: DCO (Device configuration overlay) and HPA (Host protected area). • DCO allows to configure reported disk capacity and features. • HPA hides disk areas to the OS and reserves them to store data. • Both features have been abused to hide illicit data.
  • 19. Hard disk forensics: DCO and HPA • Both DCO and HPA can be revealed and removed with a command line tool: hdparm. • We are going to show its usage next.
  • 20. Summary • Introduction to the basic concepts of forensic imaging. • Hardware and software write-blocking techniques. • Forensic image formats. • Hard disks geometry and ATA features: DCO and HPA
  • 21. Next Video Introduction to dcfldd and dc3dd