Why this module exists. “We made a copy of the disk” is not the same as “we forensically imaged the disk.” The difference matters for evidence admissibility, chain of custody, and for the analyst three weeks later trying to reproduce a finding. This module is the practitioner-level disk imaging guide.
What forensically sound actually means
Four properties:
- Bit-for-bit copy. Every sector of the source, including unallocated space, slack space, and the host-protected area (HPA). A file copy via cp -a is not a forensic image.
- Read-only source. The source disk is not written to during imaging — usually enforced by a hardware write-blocker.
- Integrity verified. A hash (typically SHA-256, ideally also MD5 for historical compatibility) is computed before and after. They must match.
- Documented chain of custody. Who took the image, when, from what serial number, using what tool, with what hash.
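The four properties above map directly onto what an imaging tool has to do: read the source once without writing to it, hash it while the bytes flow past, hash the finished image a second time, and write down who did it, when, from which serial number, with which tool and which hashes. The script below is an added example, not code from the original module or from any named imaging product; it stands in for the acquisition step with a constructed file in place of a block device (a real acquisition reads the device node behind a write-blocker, and HPA handling is left to the hardware and tool), and the examiner name, serial number and tool string are placeholders.

```python
"""Hash-while-copy imaging with post-copy verification and a custody record (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512                      # disk sector size; reads are done in sector multiples
CHUNK = SECTOR * 2048             # 1 MiB per read, so the hashes never need the whole image in RAM


def hash_stream(fh, chunk_size=CHUNK):
    """Return (sha256, md5) hex digests of a readable stream in a single streamed pass."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        sha.update(chunk)
        md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def image_disk(source_path, image_path, examiner, device_serial, tool="example-imager (placeholder)"):
    """Copy every byte of the source to the image, hashing the source as it is read,
    then rehash the written image. Returns a custody record; raises if the hashes differ.
    The source is opened read-only; on a real acquisition it is a device node behind a write-blocker."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            sha.update(chunk)          # hash of the source, taken from the same bytes being written
            md5.update(chunk)
            dst.write(chunk)
    source_hashes = (sha.hexdigest(), md5.hexdigest())
    with open(image_path, "rb") as img:  # second, independent pass over what actually landed on disk
        image_hashes = hash_stream(img)
    record = {
        "examiner": examiner,
        "device_serial": device_serial,
        "tool": tool,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": os.path.getsize(image_path),
        "source_sha256": source_hashes[0],
        "source_md5": source_hashes[1],
        "image_sha256": image_hashes[0],
        "image_md5": image_hashes[1],
        "verified": source_hashes == image_hashes,
    }
    if not record["verified"]:
        raise RuntimeError("hash mismatch: the image is not a faithful copy of the source")
    return record


def verify_image(image_path, expected_sha256):
    """Re-verify a stored image against the SHA-256 recorded at acquisition time."""
    with open(image_path, "rb") as img:
        sha, _ = hash_stream(img)
    return sha == expected_sha256


def tamper_check(image_path, expected_sha256, offset):
    """Invert one byte at `offset` and re-verify; shows that the recorded hash catches any change."""
    with open(image_path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))
    return verify_image(image_path, expected_sha256)


def demo():
    """Build a constructed 'disk': one allocated sector, unallocated space, and a deleted remnant."""
    tmp = tempfile.mkdtemp()
    disk = os.path.join(tmp, "evidence.raw")
    with open(disk, "wb") as fh:
        fh.write(b"LIVEFILE".ljust(SECTOR, b"\x00"))            # allocated sector
        fh.write(b"\x00" * SECTOR * 3)                          # unallocated space
        fh.write(b"deleted remnant".ljust(SECTOR, b"\x00"))     # data a file copy would never see
    image = os.path.join(tmp, "evidence.dd")
    record = image_disk(disk, image, examiner="J. Doe (placeholder)", device_serial="SN-PLACEHOLDER")
    return record, image


if __name__ == "__main__":
    rec, img_path = demo()
    for key, value in rec.items():
        print(f"{key}: {value}")
```

The custody record is what goes into the case file; the two-pass design (hash the source while reading, then rehash the written image) is what makes the "integrity verified" property a measurement rather than an assumption, and verify_image is the check the analyst runs three weeks later before trusting the image.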