Difference between pages "Disk image" and "Forensic Linux Live CD issues"
From Forensics Wiki
| Line 1: |
Line 1: |
| − | A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.
| + | #REDIRECT [[Forensic Live CD issues]] |
| − | | + | |
| − | A disk image should be made prior to performing any forensic analysis of the disk. Creating a disk image is important in forensics for several reasons:
| + | |
| − | | + | |
| − | 1. Ensure that disk information is not inadvertantly changed during analysis.
| + | |
| − | | + | |
| − | 2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.
| + | |
| − | | + | |
| − | 3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.
| + | |
| − | | + | |
| − | | + | |
| − | == Software ==
| + | |
| − | | + | |
| − | Popular software used to create disk images includes Norton Ghost. A raw image (bit-by-bit) copy of the original media should be done using the software, which may not be the default settings on the software.
| + | |
| − | | + | |
| − | Other possible software, programs include dd, dcfldd, EnCase, and FTK
| + | |
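Review bot: the "Disk image" side of this comparison has wording defects in its list and Software section. Item 1 spells "inadvertently" as "inadvertantly", item 3 has a stray "*" before "E.g.", and the last Software line reads "Other possible software, programs include" and has no closing period. Item 2 says test results can be reproduced from the image, but nothing in the text says how the image is shown to match the original disk. A sentence on verifying the image against the source, for example by comparing hashes of both, would support that claim. The other side is only a redirect to "Forensic Live CD issues", so none of this text appears there.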
Latest revision as of 08:37, 28 July 2012
- REDIRECT Forensic Live CD issues