Difference between revisions of "Imager NG Ideas"

From ForensicsWiki
Jump to: navigation, search
(Features)
 
(14 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats.
 
The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats.
  
Please, do not delete text (ideas) here. Use something like this:
+
Please, do not delete text (ideas) here, use the discussion page if you want to discuss the usefulness of a feature.
 
+
<pre>
+
<s>bad idea</s>
+
good idea
+
</pre>
+
 
+
This will look like:
+
 
+
<s>bad idea</s>
+
 
+
good idea
+
  
 
= License =
 
= License =
Line 21: Line 10:
 
= Features =
 
= Features =
 
* Compression
 
* Compression
* Integrity hash calculations
+
* Integrity checks
 
* Encryption
 
* Encryption
 
* Error correction (parity)
 
* Error correction (parity)
 
* Pre-processing during imaging
 
* Pre-processing during imaging
 +
* User suspend/resume, resume after failure
 +
* Remote imaging
 +
* Error resistance in reading storage media, e.d. disks
 +
** maybe have different techniques, e.g. to use for heavily damaged storage media
 +
* Support different types of storage media
 +
** disk
 +
** volume
 +
** optical discs
 +
** memory
 +
** files and directories
 +
* Store relevant data about the storage media and the imaging process
 +
** read errors
 +
* Support multiple image format
 +
** not all image formats have support for all the features
 +
* Built-in write blocking (software write blocker)
  
 
== Compression ==
 
== Compression ==
 
* Reduces the amount of data that needs to be written; improved the overall imaging speed.
 
* Reduces the amount of data that needs to be written; improved the overall imaging speed.
** Hash-based imaging
+
** hash-based imaging
 
** detection of easy (emtpy-block) and hard (encrypted block) to compress data
 
** detection of easy (emtpy-block) and hard (encrypted block) to compress data
 
** multi-threaded compression
 
** multi-threaded compression
 
** sparse ranges
 
** sparse ranges
 
** de-duplication
 
** de-duplication
 +
 +
=== de-duplication ===
 +
* hash-based imaging
 +
* sparse or repeated ranges
 +
* pattern-fill
 +
 +
== Integrity checks ==
 +
* Integrity hash (MD5, SHA1, SHA256)
 +
* piecewise hashing
 +
 +
= Supportive tooling =
 +
== Image conversion ==
 +
 +
== Image verification ==
 +
* modes:
 +
** full verification and print a report at the end
 +
** stop on error (useful for automation?)
 +
 +
= Image format =
 +
Implied features for an image format
 +
* High-speed imaging
 +
* Compact storage
 +
* Error-resistant storage (over a longer time)
 +
* Minimal overhead on read
 +
* Evidence bag
 +
** multiple images in one image format
 +
** support for additional information e.g. case data
 +
 +
= See Also =
 +
* [[Disk Imaging]]
 +
* [[Memory Imaging]]
 +
* [[Piecewise hashing]]
 +
* [[:Category:Forensics_File_Formats|Forensics File Formats]]
 +
 +
= External Links =
 +
 +
[[Category:Research]]

Latest revision as of 14:22, 6 September 2012

This page is for discussing ideas regarding next-generation (NG) imaging tools.

Note that some of the ideas mentioned can be already used by imaging tools, but the idea of this page is to determine how useful these features could be for next-generation of imaging tools. The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats.

Please, do not delete text (ideas) here, use the discussion page if you want to discuss the usefulness of a feature.

License

Features

  • Compression
  • Integrity checks
  • Encryption
  • Error correction (parity)
  • Pre-processing during imaging
  • User suspend/resume, resume after failure
  • Remote imaging
  • Error resistance in reading storage media, e.d. disks
    • maybe have different techniques, e.g. to use for heavily damaged storage media
  • Support different types of storage media
    • disk
    • volume
    • optical discs
    • memory
    • files and directories
  • Store relevant data about the storage media and the imaging process
    • read errors
  • Support multiple image format
    • not all image formats have support for all the features
  • Built-in write blocking (software write blocker)

Compression

  • Reduces the amount of data that needs to be written; improved the overall imaging speed.
    • hash-based imaging
    • detection of easy (emtpy-block) and hard (encrypted block) to compress data
    • multi-threaded compression
    • sparse ranges
    • de-duplication

de-duplication

  • hash-based imaging
  • sparse or repeated ranges
  • pattern-fill

Integrity checks

  • Integrity hash (MD5, SHA1, SHA256)
  • piecewise hashing

Supportive tooling

Image conversion

Image verification

  • modes:
    • full verification and print a report at the end
    • stop on error (useful for automation?)

Image format

Implied features for an image format

  • High-speed imaging
  • Compact storage
  • Error-resistant storage (over a longer time)
  • Minimal overhead on read
  • Evidence bag
    • multiple images in one image format
    • support for additional information e.g. case data

See Also

External Links