ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Imager NG Ideas

From ForensicsWiki
Revision as of 05:49, 6 September 2012 by Joachim Metz (Talk | contribs) (Image format)

Jump to: navigation, search

This page is for discussing ideas regarding next-generation (NG) imaging tools.

Note that some of the ideas mentioned can be already used by imaging tools, but the idea of this page is to determine how useful these features could be for next-generation of imaging tools. The scope is mainly a software-based imaging tools, but not limited to. Some features might not be doable, because of limitations of certain image file formats.

Please, do not delete text (ideas) here. Use something like this:

<s>bad idea</s>
good idea

This will look like:

bad idea

good idea



  • Compression
  • Integrity checks
  • Encryption
  • Error correction (parity)
  • Pre-processing during imaging
  • User suspend/resume, resume after failure
  • Remote imaging


  • Reduces the amount of data that needs to be written; improved the overall imaging speed.
    • hash-based imaging
    • detection of easy (emtpy-block) and hard (encrypted block) to compress data
    • multi-threaded compression
    • sparse ranges
    • de-duplication

Integrity checks

  • Integrity hash (MD5, SHA1, SHA256)
  • piecewise hashing

Image format

Implied features for an image format

  • High-speed imaging
  • Compact storage
  • Error-resistant storage (over a longer time)
  • Minimal overhead on read
  • Evidence bag
    • multiple images in one image format
    • support for additional information e.g. case data