Windows Imaging

What does “imaging” mean?

  • Forensic image = a bit-for-bit copy of a source (disk/partition/USB)

  • Goal: preserve original evidence and work from verified copies.

  • Integrity is proven with cryptographic hashes (e.g., SHA-256 before/after).

In short, an image is a complete copy of the data whose cryptographic hash matches the original exactly.

Image types & formats

  • Physical (full disk) image: entire device including boot records, partitions, unallocated space.

  • Logical image: selected files/folders (faster, but generally misses unallocated artifacts).

  • Image formats:

    • RAW (.dd): simple sector dump; maximum compatibility, but as large as the source.

    • EWF/E01: compressed + metadata + segmented; industry standard.

    • AFF/AD1: alternative forensic formats with metadata/compression.
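The hash verification described above, applied to a segmented raw image, as an added Python example that is not part of these notes: it records the source hash before acquisition, hashes the split segments in order, and shows that a single flipped bit in the image fails verification. The 5 MiB "device" bytes, the 2 MiB segment size and the evidence.dd.NNN file names are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20         # 1 MiB reads: hash huge images without loading them into memory
SEGMENT_SIZE = 2 << 20  # constructed split size for the demo; real acquisitions use GiB-sized segments

def sha256_of_segments(paths):
    """SHA-256 over a split raw image (.001, .002, ...) read segment by segment, in order."""
    h = hashlib.sha256()
    for path in sorted(paths):  # zero-padded suffixes sort correctly by name
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
    return h.hexdigest()

def verify_image(source_hash, segment_paths):
    """Compare the hash taken from the source before imaging with the hash of the acquired image."""
    acquired = sha256_of_segments(segment_paths)
    return {"source": source_hash, "image": acquired, "match": acquired == source_hash}

def write_segments(data, directory, prefix="evidence.dd"):
    """Write data as numbered segment files, mimicking a segmented raw acquisition (constructed)."""
    paths = []
    for i in range(0, len(data), SEGMENT_SIZE):
        path = os.path.join(directory, f"{prefix}.{i // SEGMENT_SIZE + 1:03d}")
        with open(path, "wb") as f:
            f.write(data[i:i + SEGMENT_SIZE])
        paths.append(path)
    return paths

def demo():
    """Constructed 5 MiB 'device'; returns (segment count, clean match, match after a flipped bit)."""
    source = bytes(range(256)) * 4096 * 5             # deterministic stand-in for the source drive
    source_hash = hashlib.sha256(source).hexdigest()  # pre-acquisition hash of the original
    with tempfile.TemporaryDirectory() as tmp:
        segments = write_segments(source, tmp)
        clean = verify_image(source_hash, segments)["match"]
        # Flip one bit in the last segment: a bad sector or tampering must fail verification.
        with open(segments[-1], "r+b") as f:
            f.seek(7)
            byte = f.read(1)[0]
            f.seek(7)
            f.write(bytes([byte ^ 0x01]))
        tampered = verify_image(source_hash, segments)["match"]
    return len(segments), clean, tampered
```

Running demo() yields three segments, a successful verification of the untouched image, and a failed one after the single-bit change.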

Imaging options

  • Dead: power the system off, remove the drive, use a hardware write-blocker, image from a trusted workstation. This is the preferred method of imaging.

  • Live: when you can’t shut down (servers, full-disk encryption, uptime constraints). Capture volatile data first (RAM), then disks.

Key Windows artifacts

  • File system: $MFT, $LogFile, $UsnJrnl, ADS (alternate data streams).

  • Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, UsrClass.dat.

  • Execution & usage: Prefetch, Amcache, Shimcache (AppCompatCache), SRUM, RecentDocs, Jump Lists, LNK files.

  • Logs: Windows Event Logs (.evtx), WMI, Task Scheduler XML.

  • User data: Desktop, Documents, Downloads, cloud-sync folders (OneDrive), Outlook PST/OST.

  • Web: browser histories/cookies/Local Storage (Edge/Chrome/Firefox).

  • Recycle Bin: $I*/$R*.

  • Shadow Copies: previous versions of files.
