Difference between pages "User:Pbrogdon" and "Disk Imaging"

From Forensics Wiki
m (Creating user page with biography of new user.)
 
 
Line 1: Line 1:
Career Summary
+
{{expand}}
  
Patty Brogdon has 20 years experience in the high-tech industry in various technical and customer-facing roles. As a Technical Writer for FTP Software, Inc., Patty learned about networking protocols by working under the direction of James Van Bokkelen, Founder and President of FTP Software, Inc., and by using the LANWatch network analyzer product to dissect packets and determine their function and purpose. She wrote the first vendor’s manual on SNMP and her graphical depictions of the MIB (Management Information Base) were later used in text books on the subject.
+
Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream, e.g. a physical or logical volumes, network streams, etc.
  
After FTP Software, Patty went on to Bay Networks (formerly Wellfleet and then Nortel Networks) where she worked as a Technical Instructor, teaching customers how to install and configure Backbone routers and bridges. Following Bay Networks, Patty spent 7 years at Shiva Corporation in various roles including Technical Instructor, where she trained customers in the US and Europe on the set up and configuration of their VPNs and remote access security appliances;  Engineering Project Manager for VPN hardware and software releases; and Senior Technical Writer creating technical and user manuals for Shiva’s products.
+
The most straight-forward disk imaging method is reading a disk from start to end and writing the data to a [[:Category:Forensics_File_Formats|Forensics image format]].
 +
This can be a time consuming process especially for disks with a large capacity.
  
  After Shiva Corporation, Patty spent several years at Teloquent, a call-routing software company as a Technical Writer before switching to the healthcare IT field working at McKesson and Picis, Inc. in management roles including Manager of Training and Documentation and Manager of Sales Training and Education. At Sandstorm Enterprises, Patty was hired by James Van Bokkelen to provide market  innovation and gain targeted visibility for the company and its network forensics products.  
+
== Compressed storage ==
 +
A common technique to reduce the size of an image file is to compress the data.
 +
On modern computers, with multiple cores, the compression can be done in parallel reducing the output without prolonging the imaging process.
 +
Since the write speed of the target disk can be a bottleneck in imaging process parallel compression can reduce the total time of the imaging process.
 +
[[Guymager]] was one of the first imaging tools to implement the concept of multi-process compression.
  
In addition to Patty’s full-time job responsibilities, she has served as  a Networking Protocols Instructor at Northeastern University and a Technical Writing Instructor at Middlesex Community College for Raytheon employees. Patty also developed and taught an Energy Medicine course for Middlesex Community College. Patty holds an MBA from Northeastern University, a BS in Communications from Fitchburg State College, and a Technical Writing program certificate from MIT.
+
Other techniques like storing the data sparse or '''empty-block compression''' can reduce the total time of the imaging process and the resulting size of new non-encrypted (0-byte filled) disks.
 +
 
 +
== Error tolerance and recovery ==
 +
 
 +
== Smart imaging ==
 +
Smart imaging is a combination of techniques to make the imaging process more intelligent.
 +
* Selective imaging
 +
* Decryption while imaging
 +
 
 +
=== Selective imaging ===
 +
Selective imaging is a technique to only make a copy of certain information on a disk like the $MFT on an [[NTFS]] volume with the necessary contextual information.
 +
 
 +
=== Decryption while imaging ===
 +
Encrypted data is worst-case scenario for compression. Because the encryption process should be deterministic a solution to reduce the size of an encrypted image is to store it non-encrypted and compressed and encrypt it on-the-fly if required. Although this should be rare since the non-encrypted data is what undergoes analysis.
 +
 
 +
== Logical image ==
 +
 
 +
== Also see ==
 +
[[:Category:Forensics_File_Formats|Forensics File Formats]]
 +
 
 +
== External Links ==
 +
* [http://www.tableau.com/pdf/en/Tableau_Forensic_Disk_Perf.pdf Benchmarking Hard Disk Duplication Performance in Forensic Applications], by [[Robert Botchek]]
 +
 
 +
=== Hash based imaging ===
 +
* [http://www.dfrws.org/2010/proceedings/2010-314.pdf Hash based disk imaging using AFF4], by [[Michael Cohen]], [[Bradley Schatz]]
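Review bot: The headings "== Error tolerance and recovery ==" and "== Logical image ==" are added with no body text, so the article gains two empty sections; give each at least a one-sentence definition or leave the heading out until there is content, since {{expand}} already marks the page as incomplete. In "=== Decryption while imaging ===", the last sentence ("Although this should be rare since ...") is a fragment and should be joined to the sentence before it, and "Encrypted data is worst-case scenario" is missing "the". "=== Hash based imaging ===" sits under "== External Links ==" and holds only a link, so a plain list item would read better than a subsection heading there.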

Revision as of 07:11, 21 July 2012

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered a bit-stream, e.g. physical or logical volumes, network streams, etc.

The most straightforward disk imaging method is reading a disk from start to end and writing the data to a Forensics image format. This can be a time-consuming process, especially for disks with a large capacity.

Compressed storage

A common technique to reduce the size of an image file is to compress the data. On modern multi-core computers, the compression can be done in parallel, reducing the output size without prolonging the imaging process. Since the write speed of the target disk can be a bottleneck in the imaging process, parallel compression can reduce the total time of the imaging process. Guymager was one of the first imaging tools to implement the concept of multi-process compression.

Other techniques, like storing the data sparse or empty-block compression, can reduce the total time of the imaging process and the resulting image size for new non-encrypted (0-byte filled) disks.
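
The two techniques in this section, parallel compression and empty-block compression, combined in Python. This is an added example, not code from Guymager or from the wiki; the 64 KiB chunk size, the `("Z", length)` / `("C", data)` record layout and the function names are assumptions made for illustration.

```python
import hashlib
import io
import zlib
from concurrent.futures import ThreadPoolExecutor

CHUNK = 64 * 1024  # assumed chunk size; real image formats choose their own


def pack(chunk):
    # Empty-block compression: an all-zero chunk is stored as its length only.
    if chunk.count(0) == len(chunk):
        return ("Z", len(chunk))
    # zlib releases the GIL while compressing, so worker threads run in parallel.
    return ("C", zlib.compress(chunk, 6))


def acquire(src, workers=4):
    """Read src from start to end; return (records, SHA-256 of the raw stream)."""
    digest = hashlib.sha256()

    def chunks():
        while chunk := src.read(CHUNK):
            digest.update(chunk)  # hash covers the uncompressed source data
            yield chunk

    # Executor.map keeps chunk order but queues every chunk up front; a real
    # imager would bound the queue so reads cannot outrun the compressors.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        records = list(pool.map(pack, chunks()))
    return records, digest.hexdigest()


def restore_hash(records):
    """Expand the records again and return the SHA-256 of the rebuilt stream."""
    digest = hashlib.sha256()
    for kind, payload in records:
        digest.update(bytes(payload) if kind == "Z" else zlib.decompress(payload))
    return digest.hexdigest()


def stored_size(records):
    # Assume 8 bytes of bookkeeping per empty block (hypothetical record format).
    return sum(8 if kind == "Z" else len(payload) for kind, payload in records)


if __name__ == "__main__":
    # Constructed sample "disk": 1 MiB of patterned data, then 15 MiB of zeros.
    disk = bytes(range(256)) * 4096 + bytes(15 * 1024 * 1024)
    records, source_hash = acquire(io.BytesIO(disk))
    print(len(disk), stored_size(records), source_hash == restore_hash(records))
```

Because the hash is computed over the raw stream before packing, the stored image can be verified against the source regardless of how each chunk was encoded.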

Error tolerance and recovery

Smart imaging

Smart imaging is a combination of techniques to make the imaging process more intelligent.

  • Selective imaging
  • Decryption while imaging

Selective imaging

Selective imaging is a technique that copies only certain information from a disk, such as the $MFT on an NTFS volume, together with the necessary contextual information.

Decryption while imaging

Encrypted data is the worst-case scenario for compression. Because the encryption process should be deterministic, one way to reduce the size of an encrypted image is to store it non-encrypted and compressed, and to encrypt it on the fly if required, although this should be rare since the non-encrypted data is what undergoes analysis.

Logical image

Also see

Forensics File Formats

External Links

Hash based imaging