Difference between pages "Disk image" and "Forensic Linux Live CD issues"

From ForensicsWiki
(Difference between pages)
Redirect page
 
(moved Forensic Linux Live CD issues to Forensic Live CD issues: No need for this article to be Linux specific.)
 
Line 1: Line 1:
A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.
+
#REDIRECT [[Forensic Live CD issues]]
 
+
A disk image should be made prior to performing any forensic analysis of the disk.  Creating a disk image is important in forensics for several reasons:
+
 
+
1. Ensure that disk information is not inadvertantly changed during analysis. 
+
 
+
2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.
+
 
+
3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.
+
 
+
 
+
== Software ==
+
 
+
Popular software used to create disk images includes Norton Ghost.  A raw image (bit-by-bit) copy of the original media should be done using the software, which may not be the default settings on the software. 
+
 
+
Other possible software, programs include dd, dcfldd, EnCase, and FTK
+
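Review bot: in the Software section, "A raw image (bit-by-bit) copy of the original media should be done using the software, which may not be the default settings on the software" tells the reader a non-default setting is needed but not which one, so the instruction cannot be followed from this text alone. Name the setting for Norton Ghost or link to the tool's own page. Smaller points in the same text: "inadvertantly" in item 1 should be "inadvertently"; item 3 runs its example into the sentence as "*E.g." and would read better as "(e.g. hidden partitions, ext3 partitions on a Windows machine)"; and "Other possible software, programs include dd, dcfldd, EnCase, and FTK" has a stray ", programs" and no closing period.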

Latest revision as of 09:37, 28 July 2012