Forensic Imaging of Digital Evidence
In forensics it is almost always advisable to create a bit-stream image of a drive and to analyse that image rather than simply copying the drive's contents: a file-level copy misses slack space, unallocated clusters and deleted data, whereas a bit-stream image reproduces every sector of the device. dd is one of the most commonly used tools for the purpose.
1. dd and dc3dd
dd ships with every Linux distribution; to use it on a Windows system you have to download a separately built dd executable. dc3dd is a forensics-oriented patch of dd maintained by the DoD Cyber Crime Center (DC3). It adds what plain dd lacks for evidence acquisition: on-the-fly hashing of the data as it is read, progress reporting, and a log of the acquisition including any read errors.
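The following script is an added example, not code from the original article, showing the dd workflow the section describes: hash the source, image it sector by sector with unreadable blocks zero-filled, then hash the source again and the image and compare. Because a real block device needs root and a write blocker, it runs against a constructed file that stands in for the evidence drive; the device and output paths mentioned in the comments (/dev/sdb, a collection drive) are assumptions. It also shows a trap worth knowing: with conv=sync, a block size larger than the sector size pads the final partial block, so the image hash will never match the source.

```shell
#!/bin/sh
# Added example (not from the original article): dd bit-stream acquisition
# with before/after hashing, run against a constructed stand-in file. On a
# real case SRC would be a block device such as /dev/sdb attached through a
# hardware write blocker, and DST would live on a separate collection drive;
# those paths are assumptions, not something the article states.
set -eu

# Print only the SHA-256 digest of a file or device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Build a constructed "evidence drive": zero-filled 512-byte sectors with a
# marker string near the start. SECTORS sets the size in sectors.
make_fake_evidence() {
    src=$1; sectors=$2
    dd if=/dev/zero of="$src" bs=512 count="$sectors" 2>/dev/null
    printf 'CONSTRUCTED EVIDENCE DRIVE' | dd of="$src" bs=1 seek=3 conv=notrunc 2>/dev/null
}

# Acquire SRC into DST with block size BS. conv=noerror,sync keeps going past
# unreadable blocks and zero-fills them so every later sector keeps its
# offset. Hash the source before and after, hash the image, append all three
# digests to LOG, and return 0 only if they all agree.
acquire() {
    src=$1; dst=$2; bs=$3; log=$4
    pre=$(hash_of "$src")
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>>"$log"
    post=$(hash_of "$src")      # an unchanged source shows nothing wrote to it
    img=$(hash_of "$dst")
    {
        printf 'bs=%s\n' "$bs"
        printf 'source sha256 before: %s\n' "$pre"
        printf 'source sha256 after:  %s\n' "$post"
        printf 'image  sha256:        %s\n' "$img"
    } >>"$log"
    [ "$pre" = "$post" ] && [ "$pre" = "$img" ]
}

# Demo: a 2049-sector drive (1 MiB + 512 B). Imaging at the sector size
# verifies. Imaging with a 64 KiB block and conv=sync pads the final partial
# block with zeros, so the image is larger than the source and verification
# fails. Pick bs as a divisor of the device size (the sector size always is)
# whenever conv=sync is in play.
demo() {
    work=$(mktemp -d)
    make_fake_evidence "$work/evidence.raw" 2049
    if acquire "$work/evidence.raw" "$work/good.dd" 512 "$work/acq.log"; then
        echo "bs=512:   image verified"
    else
        echo "bs=512:   HASH MISMATCH"
    fi
    if acquire "$work/evidence.raw" "$work/padded.dd" 65536 "$work/acq.log"; then
        echo "bs=65536: image verified"
    else
        echo "bs=65536: HASH MISMATCH (image padded to $(wc -c < "$work/padded.dd" | tr -d ' ') bytes)"
    fi
    rm -rf "$work"
}

demo
```

With dc3dd the hashing and logging are built in, so the same acquisition is a single command of the form `dc3dd if=/dev/sdb of=evidence.dd hash=sha256 log=evidence.log`, which hashes the input as it streams and records the result and any read errors in the log.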
2. FTK Imager
FTK Imager is the imaging component shipped alongside the Forensic Toolkit (FTK). Its main purpose is to create a bit-stream image of a drive, but it also lets you browse the file system of the evidence or image, preview files, and export individual files and folders. It supports integrity verification by computing MD5 and SHA-1 hashes of the source and of the finished image and comparing them, and it can image a running system before it is shut down. FTK Imager is available for download once you register with the vendor.
3. OSForensics
OSForensics is a complete suite for forensic investigation. A free edition is available that includes the basic functions of the suite. OSForensics has a dedicated disk imaging section in which you can create disk images in several formats, and it offers further options such as file searching and the extraction of stored login IDs and passwords.
4. WinHex
WinHex is a universal hex editor that is widely used in computer forensics and data recovery. It is a low-level data editing tool rather than a full forensic suite, but it remains one of the most used applications in the field. It can open and interpret file systems such as FAT12, FAT16, FAT32 and NTFS at the sector level, and it can also capture the contents of physical memory (RAM). Any editing should be done on a verified copy of the image, never on the evidence drive itself.
Choose the imaging tool according to the type and specifications of the evidence (its interface, its capacity, whether it is a live system, and which image format the rest of the workflow expects). Hash the source before imaging and the image afterwards, record both values, and re-verify the image hash at every hand-over and before analysis starts; matching hashes are what let you demonstrate, throughout the investigation and in court, that the image is an exact and unaltered copy of the original. Always attach the evidence drive through a compatible hardware write blocker so that nothing, including the operating system's automount, can modify it.