Vol. 1 · Ed. 2026
CyberGlossary
Entry № 474

Forensic Imaging

Reviewed by Cybersecurity entrepreneur & security researcher

What is Forensic Imaging?

Forensic Imaging: Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.


Forensic imaging produces an exact replica of source media (disk, partition, removable drive) including unallocated space and slack, written to a forensic container such as EWF/E01, AFF4, or raw DD. The original is normally protected by a hardware or software write blocker, and the resulting image is verified by SHA-256 (or paired MD5/SHA-1 for legacy compatibility) so any modification is detectable. Practitioners follow ISO/IEC 27037 and NIST SP 800-86 guidance, capturing both before- and after-acquisition hashes and documenting tool versions. Common tools include FTK Imager, Guymager, dc3dd, EnCase, and X-Ways. Imaging enables repeatable analysis without altering the source.
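
The acquire-and-verify flow described above, as an added Python example that is not part of the original entry or of any tool it names: it copies a source to a raw image, hashes the stream with SHA-256 and MD5, re-hashes the source after acquisition and reads the image back from storage. The file names, the chunk size and the constructed 3 MiB sample "disk" are assumptions, and a write blocker is assumed to protect the real source.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20            # 1 MiB reads (assumed; real imagers work in sector multiples)
ALGOS = ("sha256", "md5")  # primary hash plus a legacy pairing, as the entry describes

def new_hashers():
    return {a: hashlib.new(a) for a in ALGOS}

def digests(hashers):
    return {a: h.hexdigest() for a, h in hashers.items()}

def hash_path(path):
    """Stream a file or device node and return {algorithm: hex digest}."""
    hs = new_hashers()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for h in hs.values():
                h.update(chunk)
    return digests(hs)

def acquire(source, image):
    """Copy source to a raw image and return an acquisition record."""
    before = hash_path(source)                      # source hash before acquisition
    hs, copied = new_hashers(), 0
    # Mode "xb" refuses to overwrite an existing evidence file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            copied += len(chunk)
            for h in hs.values():
                h.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())                      # make sure the image is on disk
    after = hash_path(source)                       # source hash after acquisition
    stored = hash_path(image)                       # image read back from storage
    return {"bytes": copied, "source_before": before, "source_after": after,
            "image": stored, "verified": before == digests(hs) == after == stored}

def demo():
    """Constructed sample: a 3 MiB stand-in 'disk' with data, empty space and slack."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(b"FILEDATA" * 1000 + b"\x00" * (3 * CHUNK - 8008) + b"slack!!!")
        record = acquire(src, img)
        with open(img, "r+b") as f:                 # simulate later alteration of the image
            f.seek(4096)
            f.write(b"\x01")
        return record, hash_path(img) != record["image"]
```

On real media the source would be the device node behind the write blocker, and the returned record would go into the acquisition notes alongside the tool versions.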

Examples

  1. Acquiring an E01 image of a suspect SSD with FTK Imager behind a Tableau write blocker.

  2. Capturing an AFF4 image of a RAID volume during on-site response.

Frequently asked questions

What is Forensic Imaging?

Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence. It belongs to the Forensics & IR category of cybersecurity.

What does Forensic Imaging mean?

Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.

How do you defend against Forensic Imaging?

Defences for Forensic Imaging typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Forensic Imaging?

Common alternative names include: Bit-stream imaging, Disk imaging.
