Skip to main content

Digital Forensics: Imaging

Hello! Sorry for being inactive so much time but summer lasted a little bit longer than usual..!

Regarding my digging in digital forensics, i decided to create a series of posts beginning with imaging. So today i will show you the three most prevalent formats of "post-mortem" imaging and how to obtain them (on a *nix system) from a test disk.

The discussed formats are the following:
(1) Raw Format
(2) Expert Witness Compression Format (or ewf)
(3) Advanced Forensic Format (or aff)
Suppose that a test disk is connected to the computer (Not Mounted!). In the first place, we should determine what's the device identifier of the test disk. There are many ways we can use to solve this problem.

One of them is the command fdisk which can be used (e.g. sudo fdisk -l) to retrieve the partition tables of the connected devices. Usually, in linux systems device identifiers are /dev/sda, /dev/sdb, /dev/sdc etc. The first disk in which you may have installed your OS is /dev/sda, so the connected disk should have the device identifier /dev/sdb (if nothing else is connected). BSD systems use a different name convention, best described here. For convenience reasons we suppose that test disk's device identifier is /dev/sdb.

Raw Format
The raw file format acquisition process of /dev/sdb is described in the following lines.

Open a terminal and type:
sudo sha256sum /dev/sdb
First of all, we should calculate the hash value of the contents of the device, in order to verify the generated image later (you can also use md5sum, sha1sum, sha512sum etc). 
sudo dd if=/dev/sdb of=/destination/of/image/file/image.dd
Using dd command we can obtain an exact copy of the /dev/sdb device. This command saves the desired image file in the selected directory. Be careful, the size of image.dd is the same with the storage capacity of /dev/sdb device and independent of device's currently occupied storage space.
sudo sha256sum /destination/of/image/file/image.dd
This command will verify that the generated image is exactly the same with the /dev/sdb device, comparing the hash value with the hash value of "sudo sha256sum /dev/sdb" command.

Finally, after following this process you are ready to apply your forensics analysis to generated image instead of playing (and modifying) with the original one.

Expert Witness Compression Format
In order to use this file format you should install ewf-tools package. The key feature of ewf format is compression. There are four options for compression (none, best, fast and empty-block)
After installing ewf-tools calculate the md5sum value of /dev/sdb.
sudo md5sum /dev/sdb
Now, use ewfacquire command to obtain the image of the disk
sudo ewfacquire /dev/sdb
In this step, ewfacquire demands some options (name, compression, path, type etc) from the user. So complete this fields as you wish. It will take some time to finish (less than raw format) and in the end, the md5 hash value of the image will be displayed by default in order to verify the successful completion.

Advanced Forensics Format
The last one is the AFF format which supports both compression and encryption. Currently, AFF is on version 3 and version 4 is under development. You can take an aff image of a device using aimage (withdrawn from support) or guymager. Although, it comes with both of the desired features, version 3 is deprecated while the community waits for version 4. So, it is pointless to show you how to obtain an aff image when it's creator (Simson Garfinkel) suggests not to use it any more! Presented only for encyclopedic reasons.

Waiting for you feedback!


  1. Well written article Anastasios. I will add dc3dd (Special patched version of GNU dd for computer forensics) as a better option due to its increased level of reporting for progress, errors and other features.


    regards ;)


Post a Comment

Popular posts from this blog

Hi folks!

Eventually, after some brainstorming conversations with Kostas we decided to create this blog in order to post our work.

As you may guess my name is Anastasios. My interests are comprised of computer security, linux, operating systems and many more low level programming concepts :P.

Finally and before my first post, I would like to thank Kostas for taking care of because i wasn't involved in the creation process. May the source be with you Kostas :) .

So regarding my first post, last days i encountered a very interesting way to execute ptrace. What is ptrace system call ?

ptrace is a system call found in several Unix and Unix-like operating systems. By using ptrace (the name is an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development. (

As you can see i…

Revisiting "Stick Soldiers"

Update 16 Sep 2016: The project mentioned in this post has its own page on Gamejolt and now: Visit "Stick Veterans" on Gamejolt or for more info.
Some of you may have played the classic games Stick Soldiers 1 and 2 by WhiteSpaceUnlimited. Stick Soldiers belongs to the list of small, humble games that manage to captivate our interest and have made many of us spend a lot of our free time and have a lot of fun. (you can download them here: SS1, SS2)

Stick Soldiers has remained discontinued for the past years after the hiatus of the development team and the cancellation of the long-awaited sequel Stick Soldiers 3 by Andrew Russell Studios.

For a long time, I have aspired to revive the Stick Soldiers series by making a fan sequel to the game. Since school's start, I spent about a whole year working on a Game Maker / Ultimate3D project, aiming to evolve it to a complete and worthy sequel, which I called "Stick Soldiers: Encore". Second year of school …