
Digital Forensics: Imaging

Hello! Sorry for being inactive for so long, but summer lasted a little bit longer than usual!

As part of my digging into digital forensics, I decided to create a series of posts, beginning with imaging. So today I will show you the three most prevalent formats for "post-mortem" imaging and how to obtain them (on a *nix system) from a test disk.

The discussed formats are the following:
(1) Raw Format
(2) Expert Witness Compression Format (or EWF)
(3) Advanced Forensic Format (or AFF)

Suppose that a test disk is connected to the computer (not mounted!). First, we should determine the device identifier of the test disk. There are many ways to do this.

One of them is the fdisk command, which can be used (e.g. sudo fdisk -l) to list the partition tables of the connected devices. Usually, on Linux systems device identifiers are /dev/sda, /dev/sdb, /dev/sdc etc. The first disk, on which you probably installed your OS, is /dev/sda, so the connected test disk should have the device identifier /dev/sdb (if nothing else is connected). BSD systems use a different naming convention, best described here. For convenience, we suppose that the test disk's device identifier is /dev/sdb.

Raw Format
The raw format acquisition of /dev/sdb is described in the following lines.

Open a terminal and type:
sudo sha256sum /dev/sdb
First of all, we calculate the hash value of the contents of the device, in order to verify the generated image later (you can also use md5sum, sha1sum, sha512sum etc.).
sudo dd if=/dev/sdb of=/destination/of/image/file/image.dd
Using the dd command we obtain an exact copy of the /dev/sdb device. This command saves the image file in the selected directory. Be careful: the size of image.dd is the same as the storage capacity of the /dev/sdb device, independent of how much of that space is currently occupied.
sudo sha256sum /destination/of/image/file/image.dd
This command verifies that the generated image is exactly the same as the /dev/sdb device: compare the hash value printed here with the hash value from the "sudo sha256sum /dev/sdb" command. If they match, the image is a bit-for-bit copy.

Finally, after following this process you are ready to apply your forensic analysis to the generated image instead of playing with (and modifying) the original one.
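The raw acquisition steps above (hash the device, dd it, hash the image, compare) as one script. This is an added example, not code from the original post; it assumes GNU coreutils (dd, sha256sum) and takes the source path as an argument so that a constructed file can stand in for /dev/sdb when trying it out.

```shell
#!/bin/sh
# Added example: raw acquisition with before/after hash verification.
# On the real system SRC would be /dev/sdb (run with sudo); here SRC is
# simply a path, so an ordinary file can stand in for the device.

# hash_of FILE -> prints only the SHA-256 hex digest of FILE
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_raw SRC DST
#   1. hash the source before imaging
#   2. dd the source into DST, keeping dd's record counts in DST.log
#   3. hash the image and record both hashes in DST.sha256
# Returns 0 when the two hashes match, 1 otherwise (image not trustworthy).
acquire_raw() {
    src=$1
    dst=$2
    src_hash=$(hash_of "$src") || return 1
    # Plain dd as in the post; bs=1M only speeds up the copy and does not
    # change the data (no conv=sync padding, which would alter the hash).
    dd if="$src" of="$dst" bs=1M 2>"$dst.log" || return 1
    img_hash=$(hash_of "$dst") || return 1
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST re-hashes an existing image and checks it against the
# source hash recorded by acquire_raw (worth doing before every analysis).
verify_image() {
    dst=$1
    recorded=$(sed -n 's/^source //p' "$dst.sha256")
    [ "$(hash_of "$dst")" = "$recorded" ]
}
```

The DST.log and DST.sha256 files are kept next to the image so the record counts and the acquisition hash can be re-checked later.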

Expert Witness Compression Format
In order to use this format you should install the ewf-tools package. The key feature of the EWF format is compression; there are four compression options (none, best, fast and empty-block).
After installing ewf-tools, calculate the md5sum value of /dev/sdb.
sudo md5sum /dev/sdb
Now, use the ewfacquire command to obtain the image of the disk:
sudo ewfacquire /dev/sdb
In this step, ewfacquire asks the user for some options (name, compression, path, type etc.), so complete these fields as you wish. It will take some time to finish (less than the raw format) and in the end the MD5 hash value of the image is displayed by default, so that you can verify the successful completion against the value computed above.

Advanced Forensic Format
The last one is the AFF format, which supports both compression and encryption. Currently, AFF is on version 3 and version 4 is under development. You can take an AFF image of a device using aimage (no longer supported) or guymager. Although it comes with both of the desired features, version 3 is deprecated while the community waits for version 4. So it is pointless to show you how to obtain an AFF image when its creator (Simson Garfinkel) suggests not using it any more! It is presented here only for encyclopedic reasons.

Waiting for your feedback!


  1. Well-written article, Anastasios. I will add dc3dd (a specially patched version of GNU dd for computer forensics) as a better option due to its increased level of reporting for progress, errors and other features.

    regards ;)

