Difference between revisions of "Disk image"

From ForensicsWiki
Jump to: navigation, search
(New page: Creating a disk image is important in forensics prior to analyzing anything in order to ensure that disk information is not inadvertantly changed during analysis. By performing an origina...)
 
Line 1: Line 1:
Creating a disk image is important in forensics prior to analyzing anything in order to ensure that disk information is not inadvertantly changed during analysis.  By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods.
+
A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.
 +
 
 +
A disk image should be made prior to performing any forensic analysis of the disk.  Creating a disk image is important in forensics for several reasons:
 +
 
 +
1. Ensure that disk information is not inadvertantly changed during analysis.   
 +
2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.
 +
3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.
 +
 
 +
Software
 +
Popular software used to create disk images includes Norton Ghost

Revision as of 09:44, 16 July 2008

A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.

A disk image should be made prior to performing any forensic analysis of the disk. Creating a disk image is important in forensics for several reasons:

1. Ensure that disk information is not inadvertantly changed during analysis. 2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence. 3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.

Software Popular software used to create disk images includes Norton Ghost