Difference between pages "Disk Imaging" and "Virtual Hard Disk (VHD)"

From ForensicsWiki
(Difference between pages)
(Selective imaging)
 
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
  
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.
+
Used by:
 +
* Microsoft Virtual PC
 +
* Microsoft Virtual Server
 +
* Microsoft Hyper-V Server
  
The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
+
== Image types ==
This can be a time consuming process especially for disks with a large capacity.
+
There are multiple types of Virtual Hard Disk (VHD) images:
 +
* Fixed-size hard disk image; the image contains all data
 +
* Dynamic-size (or sparse) hard disk image; the image contains used data only
 +
* Differencing (or delta) hard disk image; the image contains changes relative to its parent image
  
== Hardware solutions ==
+
== Snapshots ==
 +
Snapshot Differencing Disk file (AVHD)
  
== Software solutions ==
+
== See Also ==
 +
* [[Disk Images]]
  
== Compressed storage ==
+
== External Links ==
  
A common technique to reduce the size of an image file is to compress the data.
+
* [http://en.wikipedia.org/wiki/VHD_(file_format) VHD (file format)], by Wikipedia
On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process.
+
* [http://technet.microsoft.com/en-us/library/bb676673.aspx Virtual Hard Disk Image Format Specification], by Microsoft, October 2006
Since the write speed of the target disk can be a bottleneck in imaging process parallel compression can reduce the total time of the imaging process.
+
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression for the [[Encase image file format]]. This technique is now used by various imaging tools including [http://www.tableau.com/index.php?pageid=products&model=TSW-TIM Tableau Imager (TIM)]
+
 
+
Other techniques like storing the data sparse or '''empty-block compression''' can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.
+
 
+
== Error tolerance and recovery ==
+
 
+
== Smart imaging ==
+
Smart imaging is a combination of techniques to make the imaging process more intelligent.
+
* Deduplication
+
* Selective imaging
+
* Decryption while imaging
+
 
+
=== Deduplication ===
+
Deduplication is the process of determining and storing data that occurs more than once on-disk, only once in the image.
+
It is even possible to store the data once for a corpus of images using techniques like hash based imaging.
+
 
+
=== Selective imaging ===
+
Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an [[NTFS]] volume with the necessary contextual information.
+
 
+
[[EnCase]] Logical Evidence Format (LEF) is an example of a selective image; although the format can only handle a limited set of contextual information.
+
 
+
=== Decryption while imaging ===
+
Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.
+
 
+
== Also see ==
+
[[:Category:Forensics_File_Formats|Forensics File Formats]]
+
 
+
== External Links ==
+
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]
+
  
=== Hash based imaging ===
+
[[Category:File Formats]]
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]
+
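Review bot: Three headings in the Disk Imaging text, `== Hardware solutions ==`, `== Software solutions ==` and `== Error tolerance and recovery ==`, have no body text of their own before the next heading. Either add at least one sentence under each or leave the headings out until there is content. The `=== Hash based imaging ===` subsection also sits under `== External Links ==` and holds only a link, so it would read more clearly as a plain list item beside the Tableau benchmark link.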

Revision as of 11:41, 14 September 2012


Used by:

  • Microsoft Virtual PC
  • Microsoft Virtual Server
  • Microsoft Hyper-V Server

Image types

There are multiple types of Virtual Hard Disk (VHD) images:

  • Fixed-size hard disk image; the image contains all data
  • Dynamic-size (or sparse) hard disk image; the image contains used data only
  • Differencing (or delta) hard disk image; the image contains changes relative to its parent image
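
As an added example (not part of the wiki page), the sketch below reads which of the three image types a file is from the 512-byte big-endian footer defined in Microsoft's Virtual Hard Disk Image Format Specification, and checks the footer checksum first. The function names and the sample footers are constructed for illustration.

```python
import struct

# Footer layout from the VHD Image Format Specification: 512 bytes, big-endian.
FOOTER = struct.Struct(">8sIIQI4sIIQQIII16sB427x")
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def footer_checksum(raw: bytes) -> int:
    """One's complement of the byte sum, skipping the checksum field (bytes 64..67)."""
    return ~(sum(raw[:64]) + sum(raw[68:])) & 0xFFFFFFFF

def parse_footer(raw: bytes) -> dict:
    """Validate a 512-byte footer and return the fields an examiner needs first."""
    if len(raw) != FOOTER.size:
        raise ValueError("footer must be exactly 512 bytes")
    (cookie, _feat, _ver, data_offset, _ts, creator, _cver, _os,
     _orig, current_size, _geom, disk_type, checksum, _uuid, _saved) = FOOTER.unpack(raw)
    if cookie != b"conectix":
        raise ValueError("not a VHD footer (cookie mismatch)")
    if checksum != footer_checksum(raw):
        raise ValueError("footer checksum mismatch (corrupt or altered)")
    return {"type": DISK_TYPES.get(disk_type, f"reserved/unknown ({disk_type})"),
            "current_size": current_size,
            "creator": creator.decode("ascii", "replace"),
            "data_offset": data_offset}

def read_footer(path: str) -> dict:
    """The footer is the last 512 bytes of the image file."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER.size, 2)
        return parse_footer(fh.read(FOOTER.size))

def make_sample_footer(disk_type: int, size: int) -> bytes:
    """Constructed test input, not taken from a real image."""
    # Fixed images have no dynamic disk header, so the data offset is all ones.
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512
    raw = bytearray(FOOTER.pack(b"conectix", 2, 0x00010000, data_offset, 0,
                                b"smpl", 0, 0, size, size, 0, disk_type, 0,
                                bytes(16), 0))
    raw[64:68] = struct.pack(">I", footer_checksum(bytes(raw)))
    return bytes(raw)

if __name__ == "__main__":
    for t in (2, 3, 4):
        print(parse_footer(make_sample_footer(t, 64 * 1024 * 1024)))
```

A differencing image is only interpretable together with its parent, so a result of `differencing` means the parent image has to be acquired as well.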

Snapshots

Snapshot Differencing Disk file (AVHD)

See Also

External Links