Digital Forensics: Imaging

Hello! Sorry for being inactive so much time but summer lasted a little bit longer than usual..!

Regarding my digging in digital forensics, i decided to create a series of posts beginning with imaging. So today i will show you the three most prevalent formats of "post-mortem" imaging and how to obtain them (on a *nix system) from a test disk.

The discussed formats are the following:
(1) Raw Format
(2) Expert Witness Compression Format (or ewf)
(3) Advanced Forensic Format (or aff)
Suppose that a test disk is connected to the computer (Not Mounted!). In the first place, we should determine what's the device identifier of the test disk. There are many ways we can use to solve this problem.

One of them is the command fdisk which can be used (e.g. sudo fdisk -l) to retrieve the partition tables of the connected devices. Usually, in linux systems device identifiers are /dev/sda, /dev/sdb, /dev/sdc etc. The first disk in which you may have installed your OS is /dev/sda, so the connected disk should have the device identifier /dev/sdb (if nothing else is connected). BSD systems use a different name convention, best described here. For convenience reasons we suppose that test disk's device identifier is /dev/sdb.


Raw Format
The raw file format acquisition process of /dev/sdb is described in the following lines.

Open a terminal and type:

sudo sha256sum /dev/sdb

First of all, we should calculate the hash value of the contents of the device, in order to verify the generated image later (you can also use md5sum, sha1sum, sha512sum etc). 

sudo dd if=/dev/sdb of=/destination/of/image/file/image.dd

Using dd command we can obtain an exact copy of the /dev/sdb device. This command saves the desired image file in the selected directory. Be careful, the size of image.dd is the same with the storage capacity of /dev/sdb device and independent of device's currently occupied storage space.

sudo sha256sum /destination/of/image/file/image.dd

This command will verify that the generated image is exactly the same with the /dev/sdb device, comparing the hash value with the hash value of "sudo sha256sum /dev/sdb" command.

Finally, after following this process you are ready to apply your forensics analysis to generated image instead of playing (and modifying) with the original one.

Expert Witness Compression Format

In order to use this file format you should install ewf-tools package. The key feature of ewf format is compression. There are four options for compression (none, best, fast and empty-block)

After installing ewf-tools calculate the md5sum value of /dev/sdb.

sudo md5sum /dev/sdb

Now, use ewfacquire command to obtain the image of the disk

sudo ewfacquire /dev/sdb

In this step, ewfacquire demands some options (name, compression, path, type etc) from the user. So complete this fields as you wish. It will take some time to finish (less than raw format) and in the end, the md5 hash value of the image will be displayed by default in order to verify the successful completion.

Advanced Forensics Format

The last one is the AFF format which supports both compression and encryption. Currently, AFF is on version 3 and version 4 is under development. You can take an aff image of a device using aimage (withdrawn from support) or guymager. Although, it comes with both of the desired features, version 3 is deprecated while the community waits for version 4. So, it is pointless to show you how to obtain an aff image when it's creator (Simson Garfinkel) suggests not to use it any more! Presented only for encyclopedic reasons.

Waiting for you feedback!