Forensic Hard Drive Imaging

Forensic Hard Drive Imaging

Ashish Gawai

Independent Cyber Security Researcher


To understand Forensic hard-drive imaging or Digital forensic in general we must first know what is Forensic Science. “Forensic science is the application of science to criminal and civil laws, mainly on the criminal side during criminal investigation, as governed by the legal standards of admissible evidence and criminal procedure”.

Forensic scientists collect, preserve, and analyse scientific evidence during the course of an investigation. While some forensic scientists travel to the scene of the crime to collect the evidence themselves, others occupy a laboratory role, performing analysis on objects brought to them by other individuals.

Forensic hard drive imaging falls under “Collection” part of the Forensic science procedure, While on the crime scene the digital forensic investigator takes the “Forensically Sound Image” of the suspects hard drive, pen drive, flash drives etc., which can then be used in the court of law.

What is Forensic Hard Drive Imaging?

When a computer is identified as possibly containing electronic evidence, it is imperative to follow a strict set of procedures to ensure a proper (i.e. admissible) extraction of any evidence that may exist on the subject computer. The first thing to remember is the “golden rule of electronic evidence” – never, in any way, modify the original media if at all possible. Thus, before any data analysis occurs, it usually makes sense to create an exact, bit stream copy of the original storage media that exists on the subject computer. A forensic image, is sometimes referred to as a mirror image or ghost image. Mirror imaging or ghost imaging does not always generate a true forensic image. The same is true for cloning a hard drive. A forensic image may include a single or multiple hard drives, floppy disk(s), CD(s), Zip drive(s) or DVD(s), plus many other types of storage media that now exist. Imaging the subject media by making a bit-for-bit copy of all sectors on the media is a well-established process that is commonly performed on the hard drive level, hence often referred to as hard drive imaging, bit stream imaging or forensic imaging.

The creation of a true forensic hard drive image is a highly detailed process. If you do not have it performed by a trained professional, you may severely compromise your chances of obtaining admissible evidence as a result of your discovery efforts. Also, to avoid accusations of evidence tampering or spoliation, it is a recommended best practice that imaging be performed by an objective third party. Suggested protocols for hard drive imaging can be found within guidelines standardized by institutions and organizations based on the country where the investigation is being done.

A computer forensics expert may use large number of software and hardware to obtain a forensic image. What is important is that you qualify the expert’s experience and that you ensure a rigid process by asking the right questions. A good start is to always make sure that the integrity of all evidence is maintained, chain of custody is established, and all relevant hash values are documented.

Once imaging is completed, any good tool should generate a digital fingerprint of the acquired media, otherwise known as a hash. A hash generation process involves examining all of the 0’s and 1’s that exist across the sectors examined. Altering a single 0 to a 1 will cause the resulting hash value to be different. Both the original and copy of the evidence are analysed to generate a source and target hash. Assuming they both match, we can be confident of the authenticity of the copied hard drive or other media.

The industry standard for imaging currently recommends the use of the MD5 algorithm. The creator of the MD5, Ronald L. Rivest of MIT, describes the algorithm as follows:

[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit “fingerprint” or “message digest” of the input . . . The MD5 algorithm is intended for digital signature applications, where a large file must be “compressed” in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

The above statement simply says that the MD5 is an excellent method of verifying the integrity of data. An MD5 value obtained from the image of the hard drive should match the value of the original hard drive. Even the smallest modification on a hard drive, for example, adding a comma to a MS Word document, would vastly change the resulting MD5 hash value.

Types of Forensic Imaging:

Physical Image:

A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive. If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.

Logical Image:

A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture. Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.

Note :

  • Physical image is preferred over the Logical Image if the investigation will go to Court, Thus it is strongly advised that while investigating you should always take a forensic image in Physical form i.e. Bit-Stream Copy.

  • In the event of Incidence Response carried out in a corporate environment Physical Imaging should be advised, In case you have to use the live system make a not of all the actions taken by you while using the live system. Making a video of the activities is advised hear.

Write Blocker :

Up until this point we haven’t mentioned anything about “Write-Blockers”, because understanding the concept of imaging must be the first priority while learning about Forensic Imaging.

Now we know how imaging works we also discussed the necessity of “hashing” before and after performing a forensic image, a digital evidence will loose its value in the court of law if the data is being tampered during or after taking an image of suspects hard drive. To minimise the tamping of data a “hardware” or a “software” write blocker is used by the forensic investigator.

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands at the time of acquisition.

A write blocker, when used properly, can guarantee the protection of the data chain of custody. NIST‘s (National Institute of Standards and Technology) general write blocking requirements hold that:

  • The tool shall not allow a protected drive to be changed.

  • The tool shall not prevent obtaining any information from or about any drive.

  • The tool shall not prevent any operations to a drive that is not protected.


Forensic Write-Blocker by Tapsystem

Software write-blocker Vs Hardware write-blocker:

Software and hardware write blockers do the same job. They prevent writes to storage devices. The main difference between the two types is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write blocking software installed on a controller chip inside a portable physical device.

As determined by NIST’s Software Write Block specifications, a software write block tool operates by monitoring and filtering drive I/O commands sent from an application or OS through a given access interface.

Programs running in the DOS environment can, in addition to direct access via the drive controller, use two other interfaces: DOS service interface (interrupt 0x21) or BIOS service interface (interrupt 0x13).

The primary purpose of a hardware write blocker is to intercept and prevent (or ‘block’) any modifying command operation from ever reaching the storage device. Some of its functions include monitoring and filtering any activity that is transmitted or received between its interface connections to the computer and the storage device.

Hardware write blockers provide built in interfaces to a number of storage devices, and can connect to other types of storage with adapters. Hardware devices that write block also provide visual indication of function through LEDs and switches. This makes them easy to use and makes functionality clear to users.

The Proof of Concept of this topic is divided in three parts :

  1. Command line Forensic Imaging in Linux.

  2. GUI Forensic Imaging in Linux.

  3. GUI Imaging in Windows.

The respective Proof of Concepts will be added in my blog accordingly.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s