Disk Imaging & Acquisition

What a Forensic Image Actually Is

A forensic image is not a backup. It is not a file copy. It is a bit-for-bit, sector-by-sector duplicate of a storage device — every allocated file, every deleted file fragment, every byte of slack space, every sector of unallocated space, every partition table entry.

When you copy files using cp, robocopy, or drag-and-drop, you get the logical contents — the files the operating system knows about. You miss:

A forensic image captures all of this. That is why it is the gold standard for evidence preservation — and why Lesson 9.1 spent so much time on handling it properly.

Image Formats: E01 vs DD

Two formats dominate forensic imaging. Each has trade-offs.

E01 (Expert Witness Format / EnCase Format)

E01 is a proprietary format created by Guidance Software (now OpenText) for EnCase. Despite its proprietary origin, it has become an industry standard supported by virtually every forensic tool.

DD (Raw Format)

DD is the simplest possible image — a byte-for-byte copy of the device with no wrapper, no metadata, and no compression. It is named after the Unix dd command.

When to Use Which

Click to enlarge

FTK Imager: GUI-Based Forensic Imaging

FTK Imager (by Exterro, formerly AccessData) is the most widely used free forensic imaging tool on Windows. It provides a GUI workflow for creating verified forensic images.

The FTK Imager Workflow

Step 1: Connect the evidence drive through a write blocker. FTK Imager cannot replace a write blocker — it reads whatever the OS presents, and the OS will write to unprotected drives.

Step 2: Select "Create Disk Image" from the File menu. Choose the source type:

• Physical Drive — images the entire disk (recommended)
• Logical Drive — images a single partition (C:, D:, etc.)
• Image File — converts between formats (E01 → DD or vice versa)

Step 3: Choose the output format. E01 is the default and recommended choice. Fill in the evidence metadata fields: case number, evidence number, examiner name, description, and notes.

Step 4: Set the destination path and filename. FTK Imager will create segmented E01 files (filename.E01, filename.E02, etc.). Ensure the destination has enough free space — at minimum, 70% of the source drive size for E01 (with compression) or 100% for DD.

Step 5: Click "Start" and wait. FTK Imager reads every sector from the source drive, compresses it (for E01), and writes it to the destination. A progress bar shows estimated time remaining.

Step 6: Verify. FTK Imager automatically computes MD5 and SHA1 hashes during imaging and verifies them against a second pass. The verification result appears in the summary — "Verify Result: Match" is what you need.

dd and dcfldd: Command-Line Imaging on Linux

The dd command creates raw forensic images on Linux and macOS. It is pre-installed on every Unix-like system, requires no additional software, and produces universally readable output.

Basic dd Imaging

dd if=/dev/sdb of=/evidence/case-2026-0142/disk.dd bs=4M status=progress

Hashing with dd

dd does not compute hashes internally. You must hash separately:

md5sum /dev/sdb > /evidence/case-2026-0142/source.md5
dd if=/dev/sdb of=/evidence/case-2026-0142/disk.dd bs=4M status=progress
md5sum /evidence/case-2026-0142/disk.dd > /evidence/case-2026-0142/image.md5
diff /evidence/case-2026-0142/source.md5 /evidence/case-2026-0142/image.md5

dcfldd: The Forensic dd

dcfldd (DoD Computer Forensics Lab version of dd) adds forensic features that dd lacks:

dcfldd if=/dev/sdb of=/evidence/case-2026-0142/disk.dd bs=4M   hash=md5,sha256 hashwindow=1G hashlog=/evidence/case-2026-0142/hash.log   statusinterval=32

KAPE: Triage Imaging at Speed

KAPE (Kroll Artifact Parser and Extractor) does not create full disk images. Instead, it collects specific forensic artifacts — the files and registry keys that contain the most investigative value — in a fraction of the time.

Click to enlarge

KAPE uses two types of configuration files:

Example KAPE Collection

kape.exe --tsource C: --tdest D:\Evidence\Case-0142 --target KapeTriage

The KapeTriage compound target collects:

• Windows Event Logs (*.evtx)
• Registry hives (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat)
• Prefetch files (C:\Windows\Prefetch\*.pf)
• MFT ($MFT)
• Amcache.hve
• SRUM database
• Scheduled tasks
• Browser artifacts (Chrome, Firefox, Edge)
• Recent files and Jump Lists
• PowerShell console history and transcription logs

A full KapeTriage collection from a 500GB drive typically completes in 5–15 minutes and produces 1–5 GB of output — compared to hours for a full image.

Remote Acquisition with Velociraptor

In a cloud-first, distributed environment, you often cannot physically access the endpoint. The server might be in AWS. The laptop might be in another country. Velociraptor solves this with remote forensic acquisition — collecting artifacts over the network using its pre-installed endpoint agent.

What Velociraptor Can Collect Remotely

Remote Acquisition Workflow

1. Velociraptor Server → selects target endpoint from client list
2. Server creates a "Collection Flow" — specifies which artifacts to collect
3. Agent on target receives the collection request
4. Agent collects artifacts locally, compresses them, and uploads to server
5. Server stores collected data + generates hash of the upload
6. Examiner downloads the collection for analysis

The key advantage: the Velociraptor agent is already running on the endpoint. It does not require a new login session, does not install new software, and its forensic footprint is minimal compared to RDP/SSH access.

Hash Verification: The Math of Trust

Every imaging method — FTK Imager, dd, dcfldd, KAPE, Velociraptor — must end with hash verification. The hash proves the image is an exact copy of the source.

Best practice: compute both MD5 and SHA256. MD5 for backward compatibility with older case management systems, SHA256 for actual integrity assurance.

md5sum disk.dd
sha256sum disk.dd

If the source hash and image hash match, the image is forensically sound. If they do not match, the image must be discarded and recreation attempted — after investigating what went wrong (bad sectors, failing drive, interrupted write).

Imaging Best Practices and Common Pitfalls

Key Takeaways

• A forensic image is a bit-for-bit sector copy that preserves deleted files, slack space, and unallocated data — unlike a file-level copy
• E01 format embeds metadata, compression, and hashing; DD format is raw, universal, and simple — choose based on case requirements
• FTK Imager provides GUI-based imaging with automatic hash verification; dd/dcfldd provides CLI-based imaging with full scripting control
• KAPE collects specific high-value artifacts in minutes — use it alongside full imaging for a triage-first workflow
• Velociraptor enables remote forensic acquisition without physical access — critical for cloud and distributed environments
• Hash verification (MD5 + SHA256) at the end of every imaging session is mandatory — a mismatch means the image cannot be trusted
• The triage-first workflow (KAPE/Velociraptor for quick artifacts + full image in background) gives you speed without sacrificing completeness

What's Next

With evidence properly collected and imaged, Lesson 9.3 dives into Windows Forensic Artifacts — the specific files, registry keys, and system databases that reveal what happened on a Windows endpoint. You will learn to read Prefetch, Amcache, ShimCache, UserAssist, Shellbags, Jump Lists, LNK files, browser artifacts, USB history, and Recycle Bin contents — the breadcrumbs attackers leave behind.