INTRODUCTION TO FORENSIC IMAGING
FORENSIC ACQUISITION
• Forensic acquisition is the process of acquiring a
forensically sound copy or image of the device or media
to analyze.
• “Forensically sound” means that we must be able to
verify that the image is an exact copy of the original, and
the procedure used to acquire it must be documented.
FORENSIC IMAGE
• A forensic image is a bit-by-bit copy of the media to acquire
and the basis on which the examiner works to extract the
evidence.
• It’s not simply cloning the file system, it’s a copy of all the raw
disk (or partition) sectors.
• The original media must not be altered in any way!
• The integrity of the image file shall be verified and any I/O
errors logged.
ACQUISITION SCENARIOS
• There are two scenarios when acquiring a forensic image: either
the hard drive can be removed from the suspect computer, or it cannot.
• In the first case, the drive should be attached to a
forensic workstation through a write blocking mechanism.
• In the second case, we can use a forensic live CD, booted
in forensic mode.
WRITE BLOCKING METHODS
• Write blocking mechanisms can be implemented in
hardware or software.
• Hardware write blockers are devices that protect the
drive from writes and can have different types of
connectors (SATA, IDE, USB, FireWire...).
• They are quite expensive, but their use is preferable.
SOFTWARE WRITE BLOCKING
• Software write blocking is quite a controversial topic.
• Simply mounting a drive as read-only doesn’t fully
guarantee that it is not written!
• Various techniques have been developed.
SOFTWARE WRITE BLOCKING
• An example is the Linux write blocker kernel patch written
by M. Suhanov (https://github.com/msuhanov/Linux-write-blocker).
• It blocks the write commands at the device driver level.
• But it requires the kernel to be recompiled.
FORENSIC IMAGE FORMATS
• A raw image is a duplicate of all the sectors of a disk or
partition.
• It contains no additional metadata.
• It can be obtained with tools like dd (Data Dump). Variants of
dd have been developed for forensics.
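The two requirements above, a raw sector-by-sector copy with I/O errors logged and an independent integrity check of the resulting image, in one added example (not code from the slides). It mimics what dd does with conv=noerror,sync; the FlakyMedia class, the 512-byte sector size and the sample disk are constructed assumptions so it runs without real media.

```python
import hashlib
import io
import logging

SECTOR_SIZE = 512  # assumed logical sector size; many modern drives use 4096
log = logging.getLogger("acquire")

class FlakyMedia(io.BytesIO):
    """Constructed stand-in for a drive whose listed sectors fail to read."""

    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = bad_sectors

    def read(self, n=-1):
        if self.tell() // SECTOR_SIZE in self.bad_sectors:
            raise OSError(5, "Input/output error")
        return super().read(n)

def acquire_raw_image(src, dst, size):
    """Copy `size` bytes from src to dst one sector at a time.

    Like `dd conv=noerror,sync`: an unreadable sector is logged and written as
    zeros so every later sector keeps its original offset. The SHA-256 of the
    image is computed while writing, so hash and error list are recorded together.
    """
    digest, bad, offset = hashlib.sha256(), [], 0
    while offset < size:
        want = min(SECTOR_SIZE, size - offset)
        src.seek(offset)  # explicit seek: a failed read must not desync offsets
        try:
            chunk = src.read(want)
        except OSError as err:
            log.error("sector %d unreadable: %s", offset // SECTOR_SIZE, err)
            bad.append(offset // SECTOR_SIZE)
            chunk = b""
        chunk = chunk.ljust(want, b"\x00")  # pad failed or short reads with zeros
        dst.write(chunk)
        digest.update(chunk)
        offset += want
    return {"bytes": offset, "bad_sectors": bad, "sha256": digest.hexdigest()}

def verify_image(image, expected_sha256, expected_size):
    """Independently re-hash the stored image and check both size and digest."""
    digest, total = hashlib.sha256(), 0
    image.seek(0)
    for block in iter(lambda: image.read(1 << 20), b""):
        digest.update(block)
        total += len(block)
    return total == expected_size and digest.hexdigest() == expected_sha256

# Constructed 8-sector "disk" (4096 bytes); sector 3 is marked unreadable.
SAMPLE_DISK = bytes(range(256)) * 16

def demo():
    image = io.BytesIO()
    report = acquire_raw_image(FlakyMedia(SAMPLE_DISK, {3}), image, len(SAMPLE_DISK))
    return report, verify_image(image, report["sha256"], report["bytes"]), image.getvalue()
```

On a real acquisition the size comes from the device (for example blockdev --getsize64) and the report, with its hash and bad-sector list, becomes part of the documented procedure.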
FORENSIC IMAGE FORMATS
• Another open forensic format is the Advanced Forensic
Format (AFF).
• It supports compression and encryption of images.
• The AFFlib package is used to convert and manage AFF images.
FORENSIC IMAGE FORMATS
• Proprietary formats: Expert Witness Format (EWF) and
SMART.
• Both support compression and encryption of images.
• The libewf package is used to convert and manage EWF images.