Difference between revisions of "Imager NG Ideas"
From Forensics Wiki
Joachim Metz (Talk | contribs) |
Joachim Metz (Talk | contribs) (→Features) |
| (8 intermediate revisions by one user not shown) | |||
| Line 4: | Line 4: | ||
The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats. | The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats. | ||
| − | Please, do not delete text (ideas) here. | + | Please, do not delete text (ideas) here, use the discussion page if you want to discuss the usefulness of a feature. |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
= License = | = License = | ||
| Line 39: | Line 28: | ||
* Support multiple image format | * Support multiple image format | ||
** not all image formats have support for all the features | ** not all image formats have support for all the features | ||
| + | * Built-in write blocking (software write blocker) | ||
== Compression == | == Compression == | ||
| Line 47: | Line 37: | ||
** sparse ranges | ** sparse ranges | ||
** de-duplication | ** de-duplication | ||
| + | |||
| + | === de-duplication === | ||
| + | * hash-based imaging | ||
| + | * sparse or repeated ranges | ||
| + | * pattern-fill | ||
== Integrity checks == | == Integrity checks == | ||
* Integrity hash (MD5, SHA1, SHA256) | * Integrity hash (MD5, SHA1, SHA256) | ||
* piecewise hashing | * piecewise hashing | ||
| + | |||
| + | = Supportive tooling = | ||
| + | == Image conversion == | ||
| + | |||
| + | == Image verification == | ||
| + | * modes: | ||
| + | ** full verification and print a report at the end | ||
| + | ** stop on error (useful for automation?) | ||
= Image format = | = Image format = | ||
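Review bot: the added "== Image conversion ==" heading has nothing under it before "== Image verification ==" begins, so the page gains an empty section; add at least one idea bullet or leave the heading out until there is one. In the same hunk, "stop on error (useful for automation?)" asks a usefulness question inside the idea list, which the intro line changed in this revision sends to the discussion page; state the mode plainly here and raise the question there.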
| Line 61: | Line 64: | ||
** multiple images in one image format | ** multiple images in one image format | ||
** support for additional information e.g. case data | ** support for additional information e.g. case data | ||
| + | |||
| + | = See Also = | ||
| + | * [[Disk Imaging]] | ||
| + | * [[Memory Imaging]] | ||
| + | * [[Piecewise hashing]] | ||
| + | * [[:Category:Forensics_File_Formats|Forensics File Formats]] | ||
| + | |||
| + | = External Links = | ||
[[Category:Research]] | [[Category:Research]] | ||
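Review bot: "= External Links =" is added as the final heading with no entries before "[[Category:Research]]", which leaves an empty section on the rendered page; list at least one link under it or drop the heading until there is one to add.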
Latest revision as of 13:22, 6 September 2012
This page is for discussing ideas regarding next-generation (NG) imaging tools.
Note that some of the ideas mentioned may already be used by imaging tools, but the idea of this page is to determine how useful these features could be for the next generation of imaging tools. The scope is mainly software-based imaging tools, but is not limited to them. Some features might not be doable because of limitations of certain image file formats.
Please do not delete text (ideas) here; use the discussion page if you want to discuss the usefulness of a feature.
= License =
= Features =
- Compression
- Integrity checks
- Encryption
- Error correction (parity)
- Pre-processing during imaging
- User suspend/resume, resume after failure
- Remote imaging
- Error resistance in reading storage media, e.g. disks
  - maybe have different techniques, e.g. to use for heavily damaged storage media
- Support different types of storage media
  - disk
  - volume
  - optical discs
  - memory
  - files and directories
- Store relevant data about the storage media and the imaging process
  - read errors
- Support multiple image formats
  - not all image formats have support for all the features
- Built-in write blocking (software write blocker)
== Compression ==
- Reduces the amount of data that needs to be written; improves the overall imaging speed.
- hash-based imaging
- detection of easy-to-compress (empty-block) and hard-to-compress (encrypted-block) data
- multi-threaded compression
- sparse ranges
- de-duplication
=== de-duplication ===
- hash-based imaging
- sparse or repeated ranges
- pattern-fill
== Integrity checks ==
- Integrity hash (MD5, SHA1, SHA256)
- piecewise hashing
= Supportive tooling =
== Image conversion ==
== Image verification ==
- modes:
  - full verification and print a report at the end
  - stop on error (useful for automation?)
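A sketch of how piecewise hashing supports the two verification modes listed above, added here as an illustration and not taken from the wiki or from any imaging tool. The function names, the 512-byte piece size and the sample bytes are assumptions constructed for the example; it also assumes `read()` returns full pieces except at the end, as regular files do.

```python
import hashlib
import io

def piecewise_hashes(stream, piece_size):
    """Return (list of per-piece SHA-256 digests, whole-image SHA-256 digest)."""
    whole, pieces = hashlib.sha256(), []
    while piece := stream.read(piece_size):
        whole.update(piece)
        pieces.append(hashlib.sha256(piece).hexdigest())
    return pieces, whole.hexdigest()

def verify_image(stream, piece_size, recorded_pieces, recorded_whole,
                 stop_on_error=False):
    """Re-hash an image and compare it with the hashes recorded at acquisition.

    stop_on_error=False: check everything, report all bad pieces at the end.
    stop_on_error=True:  return at the first bad piece (suits automation).
    """
    whole, bad, index = hashlib.sha256(), [], 0
    while piece := stream.read(piece_size):
        whole.update(piece)
        recorded = recorded_pieces[index] if index < len(recorded_pieces) else None
        if hashlib.sha256(piece).hexdigest() != recorded:
            bad.append((index, index * piece_size))  # (piece number, byte offset)
            if stop_on_error:
                return {"ok": False, "complete": False, "bad_pieces": bad}
        index += 1
    # Pieces that were recorded but never read mean the image is truncated.
    bad += [(i, i * piece_size) for i in range(index, len(recorded_pieces))]
    ok = not bad and whole.hexdigest() == recorded_whole
    return {"ok": ok, "complete": True, "bad_pieces": bad}

# Constructed sample data: 2304 bytes = four 512-byte pieces plus a short one.
PIECE = 512
ORIGINAL = bytes(range(256)) * 9
RECORDED_PIECES, RECORDED_WHOLE = piecewise_hashes(io.BytesIO(ORIGINAL), PIECE)
_damaged = bytearray(ORIGINAL)
_damaged[600] ^= 0xFF    # flips a byte in piece 1
_damaged[2100] ^= 0xFF   # flips a byte in piece 4
DAMAGED = bytes(_damaged)

if __name__ == "__main__":
    for label, stop in (("full report", False), ("stop on error", True)):
        result = verify_image(io.BytesIO(DAMAGED), PIECE, RECORDED_PIECES,
                              RECORDED_WHOLE, stop_on_error=stop)
        print(label, result)
```

The per-piece result localises damage to a byte range, which a single whole-image hash cannot do; the whole-image hash is still checked so that a reordered or substituted piece list does not pass unnoticed.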
= Image format =
Implied features for an image format
- High-speed imaging
- Compact storage
- Error-resistant storage (over a longer time)
- Minimal overhead on read
- Evidence bag
  - multiple images in one image format
  - support for additional information e.g. case data