
Difference between revisions of "Raw Image Format"

From ForensicsWiki
m (moved Raw image file to Raw Image Format: The name image file implies the format using a single file approach, which dis-accounts split RAW images.)

Revision as of 12:13, 27 September 2011

The RAW Image Format is used to store a disk or volume image.

File types

There are two variants of the RAW Image Format: a split and a non-split variant.

There are various naming schemes for RAW Image Format files; some of the more common are:

  • PREFIX.dd
  • PREFIX.raw
  • PREFIX.0 - PREFIX.#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX.000
  • PREFIX0 - PREFIX#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX000
  • PREFIXaa - PREFIXzz; variations: consisting of more letters e.g. PREFIX.aaa
  • PREFIX.1of5 - PREFIX.5of5; variations: consisting of multiple segment files
  • PREFIX001.asb - PREFIX###.asb
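Because a raw image carries no internal segment numbering, the file names are the only record of read order for a split set. The following added example (not part of the original wiki page) classifies a directory listing against the schemes above, returns the segments in read order and reports gaps in the sequence. The function names, the caller-supplied prefix and the sample file names are assumptions made for illustration.

```python
import re

# Suffix patterns for the naming schemes listed above, tried in this order.
SUFFIXES = [
    ("single", re.compile(r"\.(?:dd|raw)")),
    ("NofM",   re.compile(r"\.(?P<idx>\d+)of(?P<total>\d+)")),
    ("asb",    re.compile(r"(?P<idx>\d+)\.asb")),
    ("number", re.compile(r"\.?(?P<idx>\d+)")),
    ("letter", re.compile(r"\.?(?P<idx>[a-z]{2,})")),
]
# Constructed sample listing (not from the page); segment .002 is absent.
SAMPLE = ["case7.003", "case7.001", "case7.004", "notes.txt"]

def letters_to_int(s):
    """Map aa, ab, ac, ... to 0, 1, 2, ... (letters as base-26 digits)."""
    n = 0
    for ch in s:
        n = n * 26 + (ord(ch) - ord("a"))
    return n

def classify(prefix, name):
    """Return (scheme, index, total or None), or None if name is not a segment."""
    if not name.startswith(prefix):
        return None
    suffix = name[len(prefix):]
    for scheme, pattern in SUFFIXES:
        m = pattern.fullmatch(suffix)
        if m:
            g = m.groupdict()
            idx = g.get("idx", "0")
            index = letters_to_int(idx) if scheme == "letter" else int(idx)
            return scheme, index, (int(g["total"]) if "total" in g else None)
    return None

def order_segments(prefix, names):
    """Return (scheme, names in read order, missing indices); numbering starts at 0 or 1."""
    found = {}
    for name in names:
        hit = classify(prefix, name)
        if hit:
            found.setdefault(hit[0], {})[hit[1]] = (name, hit[2])
    if len(found) != 1:
        raise ValueError(f"expected exactly one naming scheme, got {sorted(found)}")
    scheme, segs = next(iter(found.items()))
    start = 0 if (0 in segs or scheme in ("letter", "single")) else 1
    total = next(iter(segs.values()))[1]
    end = total if total else max(segs)
    missing = [i for i in range(start, end + 1) if i not in segs]
    return scheme, [segs[i][0] for i in sorted(segs)], missing
```

For the numbered and lettered schemes a missing final segment cannot be detected from names alone; compare the reassembled size or hash against the value recorded at acquisition.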

Contents

The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.

There is no metadata stored in RAW Image Format files. However, sometimes the metadata is stored in secondary files.

The RAW Image Format was originally used by dd, but is supported by most computer forensics applications.