Forensic image = a bit-for-bit copy of a source (disk/partition/USB)
Goal: preserve original evidence and work from verified copies.
Integrity is proven with cryptographic hashes (e.g., SHA-256 before/after).
In short, an image is a clone of the data whose hash matches the source exactly.
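The before/after hashing described above, as an added example that is not part of the original notes: a raw (.dd-style) bit-for-bit copy is made from a source, the source bytes are hashed while they are read, the finished image is hashed again from disk, and a later re-verification shows how a modified working copy fails the check. The "device" is a constructed temporary file standing in for a real drive behind a write-blocker; the function and file names are assumptions for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so a large device never sits in memory


def sha256_of(path, chunk=CHUNK):
    """Stream a file (or block device) through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_raw_image(source, image, chunk=CHUNK):
    """Bit-for-bit copy of `source` into a raw image file `image`.

    The source bytes are hashed as they are read (the 'before' hash); the
    finished image is then re-read from disk (the 'after' hash) and compared.
    """
    before = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            before.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # the 'after' hash must read what actually hit the disk
    source_hash = before.hexdigest()
    image_hash = sha256_of(image, chunk)
    return {
        "bytes_copied": copied,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(image, expected_sha256, chunk=CHUNK):
    """Re-verify a working copy against the hash recorded at acquisition time."""
    return sha256_of(image, chunk) == expected_sha256.lower()


def demo():
    """Constructed example: a small fake 'device' file stands in for a real disk."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "fake_device.bin")  # assumed name, constructed input
        image = os.path.join(tmp, "evidence.dd")
        # constructed sample content; a real source would be a device node behind a write-blocker
        payload = b"MBR-ish header\x00" * 1000 + bytes(range(256)) * 64
        with open(device, "wb") as f:
            f.write(payload)
        result = acquire_raw_image(device, image)
        result["reverify_ok"] = verify_image(image, result["source_sha256"])
        # simulate a modified working copy: the recorded hash must no longer match
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        result["tampered_detected"] = not verify_image(image, result["source_sha256"])
        result["expected_sha256"] = hashlib.sha256(payload).hexdigest()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record `source_sha256` in the acquisition log at imaging time; every later examination starts by running `verify_image` against that value on the working copy, never on the original.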
Physical (full disk) image: entire device including boot records, partitions, unallocated space.
Logical image: selected files/folders (faster, but generally misses unallocated artifacts).
Formats of Images:
RAW (.dd): simple sector dump; max compatibility, big size.
EWF/E01: compressed + metadata + segmented; industry standard.
AFF/AD1: alternative forensic formats with metadata/compression.
Acquisition methods:
Dead acquisition: power the system off, remove the drive, use a hardware write-blocker, image from a trusted workstation. This is the preferred method of imaging.
Live acquisition: when you can’t shut down (servers, full-disk encryption, uptime constraints). Capture volatile data first (RAM), then disks.
Key Windows artifacts:
File system: $MFT, $LogFile, $UsnJrnl, ADS (alternate data streams).
Registry hives: SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, UsrClass.dat.
Execution & usage: Prefetch, Amcache, Shimcache (AppCompatCache), SRUM, RecentDocs, Jump Lists, LNK files.
Logs: Windows Event Logs (.evtx), WMI, Task Scheduler XML.
User data: Desktop, Documents, Downloads, cloud-sync folders (OneDrive), Outlook PST/OST.
Web: browser histories/cookies/Local Storage (Edge/Chrome/Firefox).
Recycle Bin: $I*/$R*.
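The Recycle Bin entry above names the $I*/$R* pairs: $R* holds the deleted file's content and the matching $I* holds its metadata (original path, size, deletion time). As an added example that is not part of the original notes, the parser below reads a $I record using the documented version-2 (Windows 10 and later) layout and the fixed-size version-1 (Vista to 8.1) layout, and converts the FILETIME deletion stamp to a UTC datetime. The sample record is constructed in code; the path and size in it are invented for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_recycle_bin_i_record(data):
    """Parse a $I metadata file from $Recycle.Bin.

    Version 2 (Windows 10+): u64 version, u64 original size, u64 deletion
    FILETIME, u32 name length in UTF-16 code units (includes the terminating
    NUL), then the UTF-16LE original path.
    Version 1 (Vista - 8.1): same first three fields, then a fixed 520-byte
    UTF-16LE name area (260 code units) with no length field.
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (name_len,) = struct.unpack_from("<I", data, 24)
        raw_name = data[28:28 + name_len * 2]
    elif version == 1:
        raw_name = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    # stop at the first NUL so trailing padding never leaks into the path
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": name,
    }


def build_sample_i_record():
    """Constructed sample: a version-2 $I record for a deleted spreadsheet."""
    path = r"C:\Users\alice\Documents\budget.xlsx"  # invented path for the example
    encoded = (path + "\x00").encode("utf-16-le")
    deleted_at = datetime(2024, 3, 15, 9, 30, 0, tzinfo=timezone.utc)
    ticks = int((deleted_at - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    return struct.pack("<QQQI", 2, 48213, ticks, len(path) + 1) + encoded


if __name__ == "__main__":
    record = parse_recycle_bin_i_record(build_sample_i_record())
    for key, value in record.items():
        print(f"{key}: {value}")
```

On a real image the $I file is read from the user's SID subfolder under $Recycle.Bin on the working copy, and the deletion time it yields is what places the event on the timeline; the content itself comes from the $R file with the same random suffix.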
Shadow Copies: previous versions of files.