Browse Definitions :
Definition

forensic image

What is a forensic image?

A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space. Forensic images include all the files visible to the operating system (OS), as well as deleted files and pieces of files left in the slack and free space.

Forensic imaging is one element of computer forensics, which is the application of computer investigation and analysis techniques forensic examiners use to gather digital evidence for presentation in a court of law.

Not all imaging and backup software creates forensic images. For example, Windows backup creates image backups that aren't complete copies of the physical device. Forensic images can be created through specialized forensic tools, such as forensic software. Some disk imaging utilities not marketed for forensic use also make complete disk images.

Forensic imaging in cybersecurity

In the case of cybercrime, additional evidence might be discovered other than what is available through an OS. This type of original evidence includes incriminating data that has been deleted to prevent electronic discovery. Unless the data is deleted securely and overwritten, it is often recoverable with forensic or data recovery software.

Creating forensic images and backing them up prevents data loss from drive failures. The loss of data as evidence can be detrimental to legal cases. Forensic digital image files can also prevent the loss of critical files in general.

The three types of forensic images

When capturing the contents of a storage device, three types of forensic images can be created. Which approach is used depends on the technology available and business requirements. The three types of images include the following:

  • Physical image. This image captures the entire contents of a storage device, including active data, unused or unallocated space, and deleted data that might still reside on the storage unit.
  • Logical image. A storage device is scanned to obtain this data, which is, in most cases, active data.
  • Targeted image. Specific data, such as that required for a legal examination, is identified and imaged.

Capturing and creating a forensic image

Generating a digital forensic image of a storage device requires tools and software to scan the device, capture the desired content and provide an exact copy of it to another storage device. Almost any device that has a storage function or capability can create a forensic image. For example, hard drives, CD-ROMs, flash drives, mobile phones, computers, smartphones and even web pages can all do this.

As an example, OpenText EnCase Forensic is software that creates an image format for storage and future forensic analysis. A successful forensic image has the following characteristics:

  • The device being scanned and the scanning technology are successfully connected.
  • The source device and its data haven't been modified.
  • The scanning technology generates a true copy of the data to be scanned.

Write blocking is a technology that prevents any changes to the source device before and during the scanning process. Write blockers typically sit between the source and the scanning system and are available for different storage devices.

Diagram of forensic imaging process
When data is scanned as part of a forensic imaging process, a write blocker is put in place so the data and the drive it's on can't be altered. The data is then scanned and formatted for storage and analysis.

Why is forensic imaging important?

Forensic imaging prevents the loss of original data. These imaging tools and techniques are the only way to ensure that electronic data can be successfully admitted as evidence in a court or legal proceeding.

A detailed image of a memory system or primary storage device provides accurate information on the contents of the device, enabling forensic experts to diagnose existing and potential problems. However, for a legal or compliance audit as part of a forensic investigation, law enforcement needs accurate and verifiable data.

Learn more about the tools and techniques required in a cloud computing forensics investigation.

This was last updated in March 2023

Continue Reading About forensic image

Networking
  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

Security
  • virus (computer virus)

    A computer virus is a type of malware that attaches itself to a program or file. A virus can replicate and spread across an ...

  • Certified Information Security Manager (CISM)

    Certified Information Security Manager (CISM) is an advanced certification that indicates that an individual possesses the ...

  • cryptography

    Cryptography is a method of protecting information and communications using codes, so that only those for whom the information is...

CIO
  • B2B (business to business)

    B2B (business-to-business) is a type of commerce involving the exchange of products, services or information between businesses, ...

  • return on investment (ROI)

    Return on investment (ROI) is a crucial financial metric investors and businesses use to evaluate an investment's efficiency or ...

  • big data as a service (BDaaS)

    Big data as a service (BDaS) is the delivery of data platforms and tools by a cloud provider to help organizations process, ...

HRSoftware
  • talent acquisition

    Talent acquisition is the strategic process an organization uses to identify, recruit and hire the people it needs to achieve its...

  • human capital management (HCM)

    Human capital management (HCM) is a comprehensive set of practices and tools used for recruiting, managing and developing ...

  • Betterworks

    Betterworks is performance management software that helps workforces and organizations to improve manager effectiveness and ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close