Raw Image Format

From ForensicsWiki
Revision as of 08:17, 27 September 2011 by Joachim Metz (Talk | contribs)

Jump to: navigation, search

The RAW Image Format is used to store a disk or volume image.

File types

There are two variants of the RAW Image Format a split and a non-split variant.

There are various naming schemes for RAW Image Format files, some of the more common used for disk or volume images are:

  • PREFIX.dd
  • PREFIX.raw
  • PREFIX.0 - PREFIX.#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX.000
  • PREFIX0 - PREFIX#; variations: starting with either 0 or 1, consisting of multiple digits e.g. PREFIX000
  • PREFIXaa - PREFIXzz; variations: consisting of more letters e.g. PREFIX.aaa
  • PREFIX.1of5 - PREFIX.5of5; variations: consisting of multiple segment files
  • PREFIX001.asb - PREFIX###.asb


Note that there are also RAW Image Formats specific to the storage media, e.g. RAW optical disc image.

These often are accompanied by a table of contents file often in the CUE Sheet format, e.g.

  • BIN/CUE
  • ISO/CUE

Contents

The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.

There is no metadata stored in RAW Image Format files. However sometimes the metadata is stored in secondary files.

The RAW Image Format was original used by dd, but is support by most of the computer forensics applications.