Forensics & IR
Forensic Imaging
Also known as: Bit-stream imaging, Disk imaging
Definition
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
Examples
- Acquiring an E01 image of a suspect SSD with FTK Imager behind a Tableau write blocker.
- Capturing an AFF4 image of a RAID volume during on-site response.
Related terms
Evidence Acquisition
Evidence Acquisition — definition coming soon.
Write Blocker
A hardware or software tool that permits read access to a storage device while preventing any write operations that could alter evidence.
Disk Forensics
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Preservation of Evidence
Preservation of Evidence — definition coming soon.
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.