A forensic image is most often needed so that the integrity of the image can be verified after a hard drive has been acquired. This is usually done by law enforcement for court because, once a forensic image has been created, its integrity can be checked to verify that it has not been tampered with. Forensic imaging is defined as the processes and tools used to copy electronic media, such as a hard-disk drive, for conducting investigations and gathering evidence that will be presentable in a court of law. This copy includes not only the files that are visible to the operating system but every bit of data: every sector, partition, file, folder, master boot record, deleted file, and unallocated space. The image is an identical copy of all the drive structures and contents. Further, a forensic image can be backed up and/or tested on without damaging the original copy or evidence. You can also create a forensic image from a running or dead machine. It is a literal snapshot in time that has integrity checking.
Need for a Forensic Image
What Is FTK Imager?
FTK Imager is a tool for creating disk images and is absolutely free to use. It was developed by The Access Data Group. It helps with previewing data and with imaging. With FTK Imager, you can:
There are many ways to create a forensic image; one of them is explained below.
Approach: To create a forensic image with FTK Imager, we will need the following:
Method:
Step 1: Download and install FTK Imager on your machine.
Step 2: Open FTK Imager once it is installed. You should be greeted with the FTK Imager dashboard.
Step 3: In the menu navigation bar, click the File tab, which opens a drop-down menu, and click the first entry, Add Evidence Item.
Step 4: A pop-up window will ask you to Select the Source of the Evidence. If you have connected a physical hard drive to the laptop/computer you are using to make the forensic image, select Physical Drive here and click Next. Now select the physical drive that you would like to use. Make sure that you are selecting the right drive, or you will waste your time exporting a forensic image of your own OS drive.
Step 5: Now, we will export the forensic images.
Lastly, you will need to wait for the forensic image to be created and then verified. The speed of creating the forensic image will vary based on your hardware. Once both have occurred, you have your forensic images ready.
Pros Of FTK Imager
Cons Of FTK Imager
What is forensic analysis of the hard disk?
By performing digital forensic analysis, it is possible to identify the type of crime committed and the criminal behind it. The computer hard disk is a main source of evidence against such crimes, as it maintains the digital information.
What type of evidence is on hard drive?
Evidence is most commonly found on hard drives. Data within the hard drives of computers consist of volatile and nonvolatile data. Volatile data disappear when the computer is powered off, whereas nonvolatile data are stored and preserved in the hard drive when the computer is powered off.
What type of data is considered forensic data?
Data forensics, also known as forensic data analysis (FDA), refers to the study of digital data and the investigation of cybercrime. FDA may focus on mobile devices, computers, servers and other storage devices, and it typically involves the tracking and analysis of data passing through a network.
What types of storage can we perform forensics on?
Forensics & Storage Devices:
Solid State Disks (SSD): Solid State Disks (SSDs) store data with the use of flash-memory chips (called NAND flash memory). ...
Magnetic Media: Magnetic media store data on a magnetized medium. ...
Digital Audio Tapes. ...
Digital Linear Tapes.
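The integrity check that follows image creation in the procedure above can be repeated later, independently of the imaging tool. The Python code below is an added example, not part of the original article and not FTK Imager's own code; it goes slightly beyond the GUI steps by assuming a raw (dd-style) image, possibly split into numbered segments (.001, .002, ...), and MD5/SHA-1 values recorded at acquisition time. All function names, file names and sample data are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def segment_order(path):
    """Sort key: numeric extension (.001, .002, ...) so .010 follows .009."""
    m = re.fullmatch(r"\.(\d+)", Path(path).suffix)
    return (int(m.group(1)) if m else 0, str(path))


def hash_image(segments):
    """Stream every segment, in order, through MD5 and SHA-1 in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in sorted(segments, key=segment_order):
        with open(seg, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(segments, recorded):
    """Compare recomputed digests with the ones recorded at acquisition time."""
    computed = hash_image(segments)
    return {alg: computed[alg] == recorded[alg].strip().lower() for alg in recorded}


def demo():
    """Constructed sample: a 3-byte 'image' (b"abc") split into two segments.
    The recorded values are the well-known digests of b"abc" (assumed log values)."""
    recorded = {"md5": "900150983CD24FB0D6963F7D28E17F72",
                "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d"}
    with tempfile.TemporaryDirectory() as tmp:
        seg1, seg2 = Path(tmp, "evidence.001"), Path(tmp, "evidence.002")
        seg1.write_bytes(b"a")
        seg2.write_bytes(b"bc")
        intact = verify_image([seg2, seg1], recorded)   # order is fixed by the sort
        seg2.write_bytes(b"bd")                         # simulate a one-byte change
        altered = verify_image([seg1, seg2], recorded)
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

The digests are computed over the concatenation of all segments, so a missing or reordered segment shows up as a mismatch in the same way as a modified byte.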