Difference between revisions of "Raw Image Format"

From Forensics Wiki
m (moved Raw image file to Raw Image Format: The name image file implies the format using a single file approach, which dis-accounts split RAW images.)

Revision as of 07:13, 27 September 2011

The RAW Image Format is used to store a disk or volume image.

File types

There are two variants of the RAW Image Format: a split and a non-split variant.

There are various naming schemes for RAW Image Format files. Some of the more common are:

  • PREFIX.dd
  • PREFIX.raw
  • PREFIX.0 - PREFIX.#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX.000
  • PREFIX0 - PREFIX#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX000
  • PREFIXaa - PREFIXzz; variations: consisting of more letters e.g. PREFIX.aaa
  • PREFIX.1of5 - PREFIX.5of5; variations: consisting of multiple segment files
  • PREFIX001.asb - PREFIX###.asb
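The split schemes above do not all sort correctly as plain strings (PREFIX.10 sorts before PREFIX.2), so segments should be ordered by their parsed index and checked for gaps before they are concatenated or hashed. The following is an added example, not part of the original wiki page; the function names `parse_segment` and `order_segments` and the sample file names are hypothetical, and the caller is assumed to know PREFIX.

```python
import re

# Suffix patterns (the part after PREFIX) for the split naming schemes listed above.
SUFFIXES = [
    ("NofM",    re.compile(r"\.(?P<n>\d+)of(?P<m>\d+)")),
    ("asb",     re.compile(r"(?P<n>\d+)\.asb")),
    ("numeric", re.compile(r"\.?(?P<n>\d+)")),
    ("alpha",   re.compile(r"\.?(?P<a>[a-z]{2,})")),
]

def parse_segment(prefix, name):
    """Return (scheme, index, total_or_None) for one segment file name."""
    if not name.startswith(prefix):
        raise ValueError(f"{name!r} does not start with {prefix!r}")
    suffix = name[len(prefix):]
    if suffix in (".dd", ".raw"):
        raise ValueError(f"{name!r} is a non-split image")
    for scheme, pattern in SUFFIXES:
        m = pattern.fullmatch(suffix)
        if not m:
            continue
        if scheme == "alpha":
            index = 0
            for ch in m["a"]:  # aa=0, ab=1, ..., ba=26 (base 26)
                index = index * 26 + ord(ch) - ord("a")
            return scheme, index, None
        total = int(m["m"]) if scheme == "NofM" else None
        return scheme, int(m["n"]), total
    raise ValueError(f"{name!r}: unrecognised segment suffix {suffix!r}")

def order_segments(prefix, names):
    """Sort segment names into read order; raise if the set is inconsistent."""
    parsed = sorted((parse_segment(prefix, n) + (n,) for n in names),
                    key=lambda p: p[1])
    if not parsed or len({p[0] for p in parsed}) != 1:
        raise ValueError("empty segment set or mixed naming schemes")
    indexes = [p[1] for p in parsed]
    first = indexes[0]
    if first not in (0, 1) or indexes != list(range(first, first + len(indexes))):
        raise ValueError(f"missing or duplicate segment, indexes seen: {indexes}")
    total = parsed[0][2]
    if total is not None and (any(p[2] != total for p in parsed) or len(parsed) != total):
        raise ValueError(f"expected {total} segments, found {len(parsed)}")
    return [p[3] for p in parsed]

if __name__ == "__main__":
    # Constructed sample: ten segments named PREFIX.1 - PREFIX.10, listed out of order.
    print(order_segments("case", [f"case.{i}" for i in (10, 2, 1, 3, 4, 5, 6, 7, 8, 9)]))
```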

Contents

The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.

There is no metadata stored in RAW Image Format files. However, sometimes the metadata is stored in secondary files.

The RAW Image Format was originally used by dd, but is supported by most computer forensics applications.