CH3: Creating Forensic Images and Evidence Acquisition
Chapter Overview
In the previous chapters, we established the legal frameworks and the internal architecture of the Windows file system. Now, we move into the practical application of digital forensics: the acquisition phase. This is arguably the most high-stakes stage of any investigation because it involves the initial interaction with the evidence. A mistake here—such as altering a timestamp or failing to capture a hidden partition—cannot be undone. The integrity of the entire case rests on the examiner’s ability to create a verifiable, unaltered copy of the suspect device.
This chapter guides you through the technical and procedural requirements of creating forensic images. We will move beyond simple file copying to understand "bit-stream" imaging, which captures not just the files you see, but the deleted data and slack space you don't. We will also explore the critical role of cryptographic hashing in validating evidence, the use of hardware write blockers to prevent contamination, and the industry-standard tools used to preserve digital evidence for court.
Learning Objectives
By the end of this chapter, students should be able to:
- Differentiate between standard disk cloning and the creation of a forensic bitstream image.
- Compare and contrast Logical vs. Physical acquisition methods, specifically regarding their ability to capture deleted data and slack space.
- Apply cryptographic hashing algorithms (MD5, SHA-1, SHA-256) to validate the integrity of digital evidence.
- Analyze the NIST standards for forensic tool reliability and the importance of hardware write-blocking.
- Demonstrate the workflow for creating forensic images using industry-standard tools like FTK Imager, OSForensics, and Autopsy.
- Evaluate the contents of a forensic image by mounting it as a read-only drive to uncover user activity and recover deleted files.
3.1 The Key Concept: Disk Images vs. Forensic Images
In the world of IT support, "imaging" a computer usually means creating a backup or a clone to deploy to other machines. If an IT professional copies a hard drive, they care about the active data—the operating system, the installed programs, and the user's visible documents. If a few bytes of empty space are ignored, or if a corrupt file is skipped, the process is still considered a success.
In Digital Forensics, this approach is catastrophic.
A Forensic Image is a bit-for-bit, sector-by-sector copy of a storage medium. It captures everything: the active data, the empty space (unallocated clusters), the hidden partitions, and even the "slack space" where fragments of old data reside.
The "Dead Box" Paradigm
When we acquire evidence from a powered-off system (Dead Box), we never work on the original evidence drive if we can avoid it. The "Golden Rule" of forensics is: Preserve the Original.
- Risk of Alteration: Simply booting up a suspect's computer changes thousands of files (logs, timestamps, registry keys).
- Risk of Hardware Failure: A hard drive seized from a crime scene might be damaged. Running it extensively to analyze it risks a total head crash.
Therefore, the first step in any lab analysis is to create a forensic image. Once verified, the original drive is locked in an evidence safe, and all analysis is conducted on the image file.
3.2 NTFS Storage Fundamentals
To understand how data is recovered in a forensic investigation, one must first understand how the NTFS file system arranges that data on the physical disk. We visualize this using a hierarchy: the Physical Sector and the Logical Cluster.

The Physical Layer: Sectors
The Sector is the smallest unit of physical storage on a hard disk drive (HDD) or solid-state drive (SSD).
- Legacy Standard: Historically, sectors were fixed at 512 bytes.
- Modern Standard: Advanced Format drives often use 4096 bytes (4KB) per sector.
- Forensic Note: Regardless of the file size, a drive cannot write "half a sector." It is an atomic unit of storage.
The Logical Layer: Clusters
The Operating System does not address individual sectors for file storage; doing so would be inefficient due to the sheer number of addresses required. Instead, the file system groups sectors into Clusters (also known as allocation units).
- The Cluster: This is the smallest amount of disk space that can be allocated to hold a file.
- Default Size: For most Windows NTFS volumes under 16TB, the default cluster size is 4096 bytes (4KB).
- The Math: If your sector size is 512 bytes and your cluster size is 4096 bytes, each cluster contains exactly 8 contiguous sectors.
Practical Analysis: The fsutil Command
As a forensic analyst or administrator, you can verify the geometry of a live volume using the Windows command line tool fsutil.
Command:
C:\> fsutil fsinfo ntfsinfo C:
Key Output Fields:
- Bytes Per Sector: (e.g., 512) – Defines the physical granularity.
- Bytes Per Cluster: (e.g., 4096) – Defines the logical granularity.
- Bytes/Clusters Per FileRecord Segment: Defines the size of MFT (Master File Table) entries, typically 1024 bytes.

The Forensic Artifact: Slack Space
The relationship between file size and cluster size creates a critical area for forensic evidence called Slack Space.
Because a cluster is the minimum allocation unit, a file that does not perfectly fill a cluster will leave unused space at the end.
- Example: A 2KB file saved to a 4KB cluster.
- Used Space: The first 2KB is the actual file data.
- Slack Space: The remaining 2KB is "slack."
Why this matters: The operating system marks the entire cluster as "allocated" to that file, meaning the OS will not overwrite the slack space until the file is deleted or resized. However, this slack area may contain residual data from previous files that occupied that physical space—data that the user believes is gone. This is often where forensic investigators find fragments of deleted emails, logs, or hidden metadata.
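As an added example (not part of the chapter), the Python below parses the fsutil geometry fields from the section above, works out the cluster arithmetic and the slack for a given file size, and models what the slack of a cluster holds after a smaller file is written over a deleted one. The fsutil excerpt and the "deleted e-mail" content are constructed; the padding behaviour follows how NTFS writes whole sectors (the tail of the last written sector is zero-filled, later sectors of the cluster are left untouched).

```python
import math

# Constructed excerpt of `fsutil fsinfo ntfsinfo C:` output (not captured from a real system);
# only the "Bytes Per ..." geometry lines are used.
FSUTIL_OUTPUT = """\
Bytes Per Sector  :                512
Bytes Per Physical Sector :        4096
Bytes Per Cluster :                4096
Bytes Per FileRecord Segment    :  1024
"""


def parse_geometry(text):
    """Return {field: value} for every 'Bytes Per ...' line of fsutil output."""
    geometry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().startswith("Bytes Per"):
            geometry[key.strip()] = int(value.strip(), 0)  # base 0 also accepts 0x.. values
    return geometry


def sectors_per_cluster(geometry):
    """The chapter's arithmetic: 4096-byte clusters on 512-byte sectors hold 8 sectors each."""
    return geometry["Bytes Per Cluster"] // geometry["Bytes Per Sector"]


def allocation(file_size, cluster_size):
    """(clusters allocated, bytes allocated, slack bytes) for a file of file_size bytes.

    Small files that NTFS keeps resident inside the MFT record are ignored here.
    """
    clusters = max(1, math.ceil(file_size / cluster_size))
    allocated = clusters * cluster_size
    return clusters, allocated, allocated - file_size


def write_file_into_cluster(old_cluster, new_data, sector_size):
    """Model a new file overwriting one cluster that previously held old_cluster.

    The OS writes whole sectors: the last partial sector is zero-padded (RAM slack)
    and the sectors after it are not written at all (file slack), so old bytes survive there.
    """
    assert len(new_data) <= len(old_cluster)
    written = math.ceil(len(new_data) / sector_size) * sector_size
    padded = new_data + bytes(written - len(new_data))
    return padded + old_cluster[written:]


def recover_slack(cluster, file_size):
    """What an examiner sees past the logical end of the file: zero padding, then residue."""
    return cluster[file_size:]


def demo():
    """Constructed scenario: a cluster that once held a deleted e-mail, then a 2 KB file on top."""
    geo = parse_geometry(FSUTIL_OUTPUT)
    sector, cluster = geo["Bytes Per Sector"], geo["Bytes Per Cluster"]
    old_email = (b"Subject: Q3 layoffs - CONFIDENTIAL\r\n" * 200)[:cluster]
    new_file = b"N" * 2048
    on_disk = write_file_into_cluster(old_email, new_file, sector)
    return recover_slack(on_disk, len(new_file))


if __name__ == "__main__":
    print(parse_geometry(FSUTIL_OUTPUT), sectors_per_cluster(parse_geometry(FSUTIL_OUTPUT)))
    print(allocation(2048, 4096))
    print(demo()[:80])
```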
3.3 Physical vs Logical Acquisition
Physical Acquisition
A physical acquisition copies the storage device from the very first sector (Sector 0) to the very last sector, ignoring the file system entirely.
- Scope: It captures the Master Boot Record (MBR), the partition tables, and the "Unallocated Space" (the free space where deleted files live).
- Pros: It is the most complete form of evidence. It allows for "file carving" (recovering deleted files based on headers/footers) from the unallocated space.
- Cons: It takes the longest time and requires the most storage. A 4TB hard drive requires a 4TB destination image, even if the drive only contains 1GB of data.
Logical Acquisition
A logical acquisition interacts with the file system (NTFS, FAT32, exFAT). It asks the operating system, "Please give me all the active files."
- Scope: It captures active files and directories visible to the user. It typically does not capture unallocated space or deleted files that have been removed from the Master File Table (MFT).
- Pros: Fast and efficient. If a 1TB drive only has 50GB of data, the logical image is only 50GB.
- Cons: You miss the "smoking gun" if the suspect deleted it.
The Sparse Acquisition (Targeted)
In modern investigations involving massive server arrays or cloud storage, physical imaging is impossible. We use "Sparse" or "Targeted" acquisition to capture specific artifacts (e.g., "Collect only the Users folder and the Registry Hives"). While less comprehensive, this is often the only legally or technically viable option in corporate environments.
3.4 Hashing Algorithms: The Digital Fingerprint
In digital forensics, proving that a piece of evidence has not changed from the moment of seizure to the moment of trial is the most critical requirement. We achieve this through cryptographic hashing.
A Hash Function is a mathematical algorithm that takes an input of any length (a file, a drive, a string of text) and produces a fixed-length string of characters, known as the "digest" or "hash value." You can think of this as the digital fingerprint of the data.
The Avalanche Effect
Hashing relies on a property called the Avalanche Effect. If you change a single bit of data on a 4TB hard drive—perhaps changing a single letter in a text file from "A" to "B"—the resulting hash value will change completely. This allows examiners to detect even the most microscopic alteration to the evidence.
Common Algorithms
- MD5 (Message Digest 5): Produces a 128-bit hash value. While technically "broken" for high-security cryptography (meaning collisions can be artificially created), it remains a standard for file integrity verification because it is fast.
- SHA-1 (Secure Hash Algorithm 1): Produces a 160-bit hash. It is more secure than MD5 but slightly slower.
- SHA-256: Part of the SHA-2 family. It is extremely secure and is becoming the new industry standard, though it is computationally intensive and can slow down the imaging process.
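An added example, not from the chapter: Python that produces the three digests the chapter lists, toggles one bit of the input, and counts how many digest bits changed (the avalanche effect). It also yields the digests of zero-length input, which is what the SHA256 value shown for suspicious.docx in Example 1 below corresponds to. The input buffer is constructed.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data):
    """Hex digest of the same input under each algorithm the chapter lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def flip_bit(data, byte_index, bit):
    """Return a copy of data with exactly one bit toggled (a one-bit edit on a 'drive')."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def differing_bits(hex_a, hex_b):
    """Hamming distance between two equal-length hex digests, in bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(data, byte_index=0, bit=0):
    """For each algorithm: (digest length in bits, bits that changed after the one-bit edit).

    A good hash changes roughly half of its output bits; that is what makes a single
    altered byte anywhere in the evidence detectable.
    """
    before = digests(data)
    after = digests(flip_bit(data, byte_index, bit))
    return {alg: (len(before[alg]) * 4, differing_bits(before[alg], after[alg]))
            for alg in ALGORITHMS}


if __name__ == "__main__":
    # Constructed stand-in for a drive image: one 'A' followed by 64 KiB of zeros.
    evidence = b"A" + bytes(65535)
    for alg, (size, changed) in avalanche_report(evidence, 0, 1).items():
        print(f"{alg:7s} {size:3d}-bit digest, {changed:3d} bits changed by a 1-bit edit")
    print("digests of a zero-byte file:", digests(b""))
```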
Practical Hashing: Native Windows Tools
As a forensic examiner, you will often need to verify a file's integrity quickly without installing third-party software. Windows includes two powerful native tools for this: the Command Prompt (CertUtil) and PowerShell.
CertUtil (Command Line)
CertUtil.exe is a built-in Windows command-line program originally designed for managing certificates, but it includes a handy feature for hashing files. It is installed on almost every Windows system by default, making it perfect for "Live Response" scenarios where you cannot install new tools.
Syntax:
certutil -hashfile [FilePath] [Algorithm]
Example:
To verify the MD5 hash of a suspicious executable named malware.exe:
C:\Evidence> certutil -hashfile malware.exe MD5
MD5 hash of malware.exe:
5e884898da28047151d0e56f8dc62927
CertUtil: -hashfile command completed successfully.
Supported Algorithms: MD5, SHA1, SHA256, SHA512.
PowerShell (Get-FileHash)
For more advanced work, PowerShell is the superior choice. The Get-FileHash cmdlet allows you to script the process, verifying thousands of files at once.
Basic Syntax:
Get-FileHash -Path [FilePath] -Algorithm [Algorithm]
Example 1: Single File Check
PS C:\Evidence> Get-FileHash -Path .\suspicious.docx -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 C:\Evidence\suspicious.docx
Example 2: Batch Hashing (Recursive)
One of the most powerful features of PowerShell is the "pipeline" (|). You can grab a list of every file in a folder (and its subfolders) and pipe it directly into the hashing engine. This is useful if you want to baseline a specific directory, such as System32.
Get-ChildItem "C:\Windows\System32" -Recurse -File | Get-FileHash -Algorithm MD5 | Export-Csv "C:\Reports\System32_Hashes.csv"
- Get-ChildItem: Lists the files.
- Get-FileHash: Calculates the hash for each one found.
- Export-Csv: Saves the results to a spreadsheet for your report.
Practical Hashing: GUI Tools (NirSoft HashMyFiles)
While command-line tools are powerful, they can be cumbersome when you need to visually compare dozens of files or generate a quick HTML report for a non-technical client. For this, NirSoft HashMyFiles is a lightweight, portable industry favorite.
You can download HashMyFiles for free at NirSoft.
Key Features:
- Context Menu Integration: Once configured, you can simply Right-Click any file or folder in Windows Explorer and select "HashMyFiles" to immediately calculate hashes.
- Batch Processing: You can drag and drop an entire folder into the window. The tool will recursively scan every subfolder and list the hashes for every file found.
- Visual Comparison: If you are trying to find duplicate files (e.g., a user renamed CompanySecrets.pdf to Recipe.pdf), HashMyFiles will highlight identical hashes in matching colors, making them instantly visible.
Workflow Example:
- Open HashMyFiles.
- Drag the "Users" folder into the window.
- Wait for the calculation to finish.
- Select all items -> Save HTML Report.
- This generates a clean, readable table of evidence that can be attached directly to your forensic report.

The Verification Process
Regardless of the tool used, the verification workflow in forensics remains constant:
- Acquisition: The forensic tool reads the source drive and writes the image file (e.g., .E01).
- Post-Acquisition Hash: The tool reads the newly created image and calculates the hash.
- Verification: The tool compares the hash of the source data against the hash of the image.
- Match: If the characters match exactly, the image is verified as a forensic duplicate.
Examiner's Note: Always document which algorithm you used. If you hash evidence with MD5 on Monday, and then try to verify it with SHA-256 on Tuesday, the values will not match, and you will have no way to prove the integrity of the evidence.
3.5 Best Practices and NIST Standards
Admissibility in court relies on standard methodologies. In the United States, the National Institute of Standards and Technology (NIST) oversees the Computer Forensics Tool Testing (CFTT) program. They test tools like FTK Imager and EnCase to ensure they don't alter data.

Recognized by NIST CFTT
It is important to clarify a key distinction: NIST does not "certify" tools or designate them as "industry standard". NIST produces test reports that document how a specific version of a tool performed against a rigorous set of test cases. The goal is to provide "measurable assurance" so that agencies and labs can make their own informed decisions.
However, the tools listed below are among the most common, widely recognized platforms that have voluntarily submitted to or been selected for NIST CFTT testing.
Disk Imaging & Acquisition Tools
These tools are tested for their ability to create bit-for-bit duplicate copies of evidence without altering the source.
- FTK Imager (AccessData/Exterro): A widely used free tool for creating forensic images. NIST has released federated test reports for versions such as 4.3.0.18.
- EnCase Forensic (OpenText): One of the longest-standing commercial forensic suites. NIST has tested multiple versions of its imaging capabilities (e.g., v7 and v8).
- X-Ways Forensics: A powerful, lightweight tool favored by many advanced examiners. NIST has published reports on its acquisition capabilities.
- Tableau Forensic Imagers (e.g., TX1, TD3): Hardware imagers used to acquire data at high speeds in the field. The TX1 and TD3 are frequently tested hardware units.
- Logicube Falcon (e.g., Falcon-NEO): Another industry-standard hardware imager often used for high-volume onsite acquisition.
- DC3dd: An enhanced version of the command-line dd tool, developed specifically for forensic use and tested for reliability.
Mobile Device Forensics
Mobile tools are tested on their ability to extract data (contacts, messages, call logs, app data) from various handsets without modifying the device.
- Cellebrite UFED & Physical Analyzer: Perhaps the most ubiquitous mobile forensic tool. NIST has tested numerous versions of UFED 4PC and Physical Analyzer over the years.
- Magnet AXIOM: A comprehensive investigation platform that NIST has tested specifically for mobile acquisition capabilities (e.g., v6.x).
- MSAB XRY: A major European-based mobile forensics platform frequently used by law enforcement, with recent test reports available (e.g., XRY Kiosk v10.9).
- Oxygen Forensic Detective: Known for strong cloud and app support; NIST has validated its acquisition methods in recent reports (e.g., v15, v17).
- GrayKey (Grayshift/Magnet): A specialized tool for unlocking and acquiring data from iOS and Android devices, which has been subject to NIST testing (e.g., Graykey OS v1.7).
Hardware Write Blockers
These devices are critical for ensuring that connecting a hard drive to an investigator's computer does not alter the evidence.
- Tableau Forensic Bridges: The "T-series" (e.g., T35u, Universal Bridge) are standard staples in forensic labs and have been extensively tested.
- WiebeTech (CRU) Docks: Including the Forensic UltraDock and ComboDock, these are commonly tested for their ability to block write commands.
- CRU WriteBlockers: Various USB and NVMe write blockers from CRU are regularly subjected to federated testing.
The "Federated Testing" Option
Because software updates happen faster than NIST can test them, NIST launched the Federated Testing Project. This allows your lab to download a "test suite" (a bootable Linux ISO) and test your own tools using NIST's methodology.
- This is why you will see reports for tools like Paladin, OSForensics, or newer updates of FTK listed as "Federated Testing" results—they were tested by external labs using NIST’s validated shared test suite.
The Hardware Write Blocker
The most critical piece of equipment in the preservation phase is the Write Blocker.
When you plug a USB drive into Windows, the OS immediately attempts to "mount" it. It updates access timestamps, creates "System Volume Information" folders, and creates Recycle Bins. This alters the evidence.
- Hardware Write Blocker: A physical bridge (USB, SATA, IDE) that sits between the evidence drive and the forensic workstation. It allows "Read" commands to pass through but physically blocks "Write" commands.
- Software Write Blocker: A registry modification (USBRegistryWrite) that tells Windows not to write to USB devices. This is considered less reliable than hardware blocking and typically necessitates a rigorous validation process to be accepted in court.
Handling Bad Sectors
Old hard drives often have physical damage (bad sectors). A standard IT copy (like Windows Explorer) will crash if it hits a bad sector. A forensic tool must handle this gracefully.
- Best Practice: The forensic tool should attempt to read the sector multiple times. If it fails, it should write "zeros" (placeholders) to the image file to maintain alignment and log exactly which sectors were unreadable.
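The verification workflow from 3.4 and the bad-sector handling just described, together in one added Python example (not the chapter's code and not any vendor tool's): a simulated drive with one permanently bad sector and one flaky sector is acquired sector by sector with retries, zero-filled where reads keep failing, hashed while it is read, and then re-hashed from the finished image for verification. The drive contents and the failure pattern are constructed.

```python
import hashlib

SECTOR_SIZE = 512


class SimulatedDrive:
    """Constructed evidence drive: a byte buffer plus sector numbers that fail to read.

    bad_sectors never read; flaky_sectors fail their first two reads and then succeed,
    which is the case a retry policy is meant to rescue.
    """

    def __init__(self, data, bad_sectors=(), flaky_sectors=()):
        assert len(data) % SECTOR_SIZE == 0
        self.data = data
        self.sector_count = len(data) // SECTOR_SIZE
        self.bad = set(bad_sectors)
        self.flaky = {n: 2 for n in flaky_sectors}

    def read_sector(self, n):
        if n in self.bad:
            raise IOError(f"sector {n}: uncorrectable read error")
        if self.flaky.get(n, 0) > 0:
            self.flaky[n] -= 1
            raise IOError(f"sector {n}: transient read error")
        return self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def acquire(drive, algorithm="sha256", retries=3):
    """Physical acquisition: every sector from 0 to the last, hashed as it is read.

    A sector that still fails after `retries` attempts is replaced by zeros, so every
    later offset in the image still lines up with the source, and its number is logged.
    """
    image = bytearray()
    unreadable = []
    h = hashlib.new(algorithm)
    for n in range(drive.sector_count):
        sector = None
        for _ in range(retries):
            try:
                sector = drive.read_sector(n)
                break
            except IOError:
                continue
        if sector is None:
            sector = bytes(SECTOR_SIZE)
            unreadable.append(n)
        h.update(sector)
        image += sector
    return {"image": bytes(image), "algorithm": algorithm,
            "acquisition_hash": h.hexdigest(), "unreadable_sectors": unreadable}


def verify(result, algorithm=None):
    """Post-acquisition hash of the image compared with the hash taken during reading.

    The algorithm must be the one recorded at acquisition; hashing with a different
    one (the chapter's Monday-MD5 / Tuesday-SHA-256 mistake) can never match.
    """
    algorithm = algorithm or result["algorithm"]
    post_hash = hashlib.new(algorithm, result["image"]).hexdigest()
    return post_hash == result["acquisition_hash"]


def constructed_drive():
    """Constructed source: 16 sectors of recognisable content; sector 5 is bad, sector 9 flaky."""
    data = b"".join(bytes([n]) * SECTOR_SIZE for n in range(16))
    return SimulatedDrive(data, bad_sectors={5}, flaky_sectors={9})


if __name__ == "__main__":
    result = acquire(constructed_drive())
    print("unreadable sectors (zero-filled):", result["unreadable_sectors"])
    print(result["algorithm"], result["acquisition_hash"])
    print("verified:", verify(result), "| verified with wrong algorithm:", verify(result, "md5"))
```

Because sector 5 is zero-filled, this image hash describes the data as acquired, not the raw media; the logged sector list is what lets a second examiner reproduce and explain the difference.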
3.6 Overview of Imaging Tools
While expensive commercial suites exist, several open-source or free tools are industry standards for acquisition.
FTK Imager
Owned by Exterro, FTK Imager is free and widely considered the "Swiss Army Knife" of forensics. It allows for:
- Physical and Logical Imaging.
- RAM Capture: Capturing live memory.
- Previewing: Viewing files on a suspect drive without altering them (when used with a write blocker).
- Mounting: Mounting images as read-only drives.
Autopsy
Autopsy is the premier open-source digital forensics platform. While primarily an analysis tool, it can ingest data directly. It is built on "The Sleuth Kit" (TSK), a library of command-line tools for analyzing disk images.
OSForensics
A commercial tool (with free educational versions) that provides a user-friendly interface for imaging, hashing, and verifying drives.
Image Formats
- Raw (.dd / .001): A pure bit-stream copy. No metadata, no compression. Universal compatibility.
- E01 (EnCase Image File): The industry standard. It wraps the raw data in a container that includes:
- Header: Case info, examiner name, notes.
- Checksums: CRC values for every block of data (integrity checks).
- Compression: Reduces the size of the image file (especially for empty space).
- Encryption: Can password protect the evidence.
3.7 Mounting Forensic Images
Once a forensic image (such as an .E01 or .dd file) has been created and verified, the investigator often needs to interact with the data in a way that simulates the original physical experience of the user. This is achieved through a process called Mounting.
The Concept of Virtual Emulation
A forensic image file is essentially a container—a flat file that sits on your analysis machine's hard drive. The Windows operating system cannot inherently "look inside" an .E01 file to see the user's documents, just as it cannot look inside a .zip file without first opening or extracting it.
Mounting software acts as a translation layer. It installs a virtual driver that tricks the operating system into believing a new physical disk has been connected to the computer.
- The Container: The .E01 file sits on your storage drive.
- The Bridge: The mounting software (e.g., FTK Imager, Arsenal Image Mounter) reads the sector data from the container.
- The Result: Windows assigns a drive letter (e.g., Z:) to this data stream.
The Critical Safety Net: Read-Only Enforcement
The most vital function of forensic mounting tools is the enforcement of a Read-Only state.
When you plug a real USB drive into a Windows machine, the OS is "noisy." It updates access times, creates hidden System Volume Information folders, and modifies the Registry. However, when mounting a forensic image, the software intercepts any "Write" command sent by Windows and drops it, ensuring the integrity of the evidence container remains pristine.
Practical Applications of Mounting
While automated forensic suites (like Autopsy or EnCase) process images internally, mounting is essential for specific manual tasks:
- Native File Viewing: You can open a suspect's complex Excel spreadsheet using the actual Microsoft Excel application installed on your workstation to see exactly what the user saw, rather than a text-only preview.
- Antivirus Scanning: You can point standard endpoint security tools or antivirus scanners at the mounted Z: drive to detect malware signatures that forensic tools might miss.
- Registry Hierarchy: It allows you to use tools like RegEdit to load the suspect's hives (NTUSER.DAT, SYSTEM, SOFTWARE) as if they were local hives for manual inspection.
- Triage: It provides a method for "Quick Look" forensics—browsing the Downloads or Desktop folders via Windows Explorer to determine if the drive is relevant to the investigation before committing to a multi-hour automated scan.
3.8 Data Recovery and Manual File Carving
One of the most distinct skills of a file systems analyst is the ability to recover data without reliance on the file system's "table of contents."
In a perfect NTFS volume, the Master File Table (MFT) acts as a map. It tells the OS, "The file Report.pdf starts at Cluster 500 and ends at Cluster 505." However, if the MFT is corrupted, the file is deleted and the MFT record is reused, or the drive has been formatted, that map is gone. The data, however, often remains on the disk in the "Unallocated Space."
File Carving is the process of extracting this data by identifying the file content itself, rather than its metadata.
The Anatomy of a File: Headers and Footers
To a computer, a file is simply a stream of binary data (1s and 0s). To make sense of this stream, software developers established standardized File Signatures, often referred to as "Magic Bytes." These are unique hexadecimal sequences located at the very beginning (Header) and often the very end (Footer) of a file.
By scanning the raw hexadecimal code of a drive, an analyst can visually or programmatically identify these signatures.
Common Forensic File Signatures
You must memorize the most common signatures to be effective in manual analysis.
| File Type | Extension | Header (Hex) | Footer (Hex) | ASCII Representation |
|---|---|---|---|---|
| JPEG Image | .jpg / .jpeg | FF D8 FF | FF D9 | JFIF... |
| Portable Network Graphic | .png | 89 50 4E 47 0D 0A 1A 0A | 49 45 4E 44 AE 42 60 82 | .PNG.... |
| Adobe PDF | .pdf | 25 50 44 46 | 25 25 45 4F 46 | %PDF... %%EOF |
| ZIP Archive / Office Docs | .zip, .docx, .xlsx | 50 4B 03 04 | Dependent on structure | PK.. |
| Windows Executable | .exe, .dll | 4D 5A | None (Size defined in header) | MZ |
The best resource for referencing file signatures for your file-carving work is the File Signature Table created by Gary Kessler, now located at https://filesig.search.org/.

The Manual Carving Workflow
Manual carving usually involves a Hex Editor (such as HxD or WinHex). The process follows a logical sequence:
- Identification: The analyst scrolls through the raw hex of the unallocated space or runs a search for a specific header (e.g., searching for FF D8 FF).
- Validation: Upon finding a header, the analyst checks the immediately following bytes to ensure it isn't a false positive. For example, in a JPEG, FF D8 FF is usually followed by E0 or E1.
- Delimiting: The analyst must find where the file ends.
- Footer Method: For files like JPEGs or ZIPs, the analyst searches forward for the footer tag (e.g., FF D9).
- Length Method: For files without footers (like BMPs), the header contains a "File Size" value. The analyst must convert that hex value to decimal, count that many bytes forward from the start, and mark the end.
- Extraction: The analyst highlights the block of data from the first byte of the header to the last byte of the footer, copies it, and saves it as a new file.
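An added Python example (not part of the chapter and not the code of any tool named here) that carries out the identification, validation, delimiting and extraction steps above over a constructed buffer standing in for unallocated space: a JPEG is carved by the footer method after an FF D8 FF false positive is rejected, and a BMP is carved by the length method from the size field in its header. The buffer contents are constructed, not from a real disk.

```python
import struct

JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"
BMP_HEADER = b"BM"
BMP_SIZE_OFFSET = 2  # 4-byte little-endian file size follows the 'BM' signature


def jpeg_looks_valid(buf, start):
    """Validation step: FF D8 FF should be followed by an APP0/APP1 marker (E0 or E1)."""
    return buf[start + 3:start + 4] in (b"\xe0", b"\xe1")


def carve_by_footer(buf, header, footer, validate=None):
    """Footer method: from each validated header, take everything up to the next footer.

    Returns [(offset, carved_bytes), ...]; writing each to a file is the extraction step.
    """
    found, pos = [], 0
    while (start := buf.find(header, pos)) != -1:
        if validate and not validate(buf, start):
            pos = start + 1              # false positive: skip past it and keep scanning
            continue
        end = buf.find(footer, start + len(header))
        if end == -1:
            break                        # header with no footer: truncated or fragmented
        end += len(footer)
        found.append((start, buf[start:end]))
        pos = end
    return found


def carve_bmp_by_length(buf):
    """Length method: BMP has no footer, so read the size field and count that many bytes."""
    found, pos = [], 0
    while (start := buf.find(BMP_HEADER, pos)) != -1:
        if start + 6 > len(buf):
            break
        size = struct.unpack_from("<I", buf, start + BMP_SIZE_OFFSET)[0]
        if 14 <= size <= len(buf) - start:   # sanity check against a bogus 'BM' hit
            found.append((start, buf[start:start + size]))
            pos = start + size
        else:
            pos = start + len(BMP_HEADER)
    return found


def constructed_unallocated_space():
    """Constructed raw bytes: zeros, a false FF D8 FF hit, a JPEG-like blob, a BMP-like blob."""
    jpeg = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_FOOTER
    false_hit = JPEG_HEADER + b"\x00" + b"\x22" * 12        # FF D8 FF not followed by E0/E1
    payload = b"\x33" * 50
    bmp = BMP_HEADER + struct.pack("<I", 14 + len(payload)) + bytes(8) + payload
    space = bytes(64) + false_hit + bytes(16) + jpeg + bytes(32) + bmp + bytes(64)
    return space, jpeg, bmp


if __name__ == "__main__":
    space, jpeg, bmp = constructed_unallocated_space()
    for offset, data in carve_by_footer(space, JPEG_HEADER, JPEG_FOOTER, jpeg_looks_valid):
        print(f"JPEG at offset {offset}, {len(data)} bytes, intact: {data == jpeg}")
    for offset, data in carve_bmp_by_length(space):
        print(f"BMP  at offset {offset}, {len(data)} bytes, intact: {data == bmp}")
    # Without the validation step the false hit swallows everything up to the real footer.
    offset, data = carve_by_footer(space, JPEG_HEADER, JPEG_FOOTER)[0]
    print(f"unvalidated carve at offset {offset}: {len(data)} bytes, intact: {data == jpeg}")
```

The unvalidated carve shows the same failure the fragmentation section below describes: whatever lies between the header you accepted and the next footer is taken as one file.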
Hex Tools
Some common free Windows hex editors include:
- HxD -- https://mh-nexus.de/en/hxd/
- HHD NEO -- https://freehexeditorneo.com/
Your First Manual File Carving Experience
Try your hand at file carving in this simulated, interactive activity. Keep in mind that file carving is never quite as "clean" as you will experience here -- the goal of this exercise is to get you familiar with searching for the correct header and footer file signatures to carve out files from within a raw hex editor.
The Challenge of Fragmentation
Manual carving assumes that the file is Contiguous, meaning the Operating System saved the file in clusters that sit right next to each other (e.g., Cluster 1, 2, 3, and 4).
However, if the drive was fragmented, a file might be split. A JPEG might start at Cluster 100, take up two clusters, and then continue at Cluster 5000.
- The Consequence: If you carve linearly from the header to the next footer you find, you will capture the "middle" data that belongs to a completely different file occupying the space between the fragments. This results in a corrupt file that appears visually distorted or fails to open entirely.
- Bifurcation: Advanced carving involves analyzing the internal data structures of the file to predict where the jump to the next fragment occurs, a skill that borders on reverse engineering.
Automated Carving Tools
While understanding the manual process is required for court testimony (to explain how evidence was found), professionals use tools to automate this.
- Photorec: A powerful open-source command-line tool that ignores file systems and focuses entirely on underlying data.
- Scalpel: A Linux-based tool that allows users to configure custom configuration files (scalpel.conf) to define new headers and footers for proprietary file types.
Chapter Summary
Creating a forensic image is the bedrock of digital investigation. It is the process that converts a physical object (a hard drive) into a digital artifact that can be analyzed, shared, and preserved indefinitely.
The distinction between Physical (bit-by-bit) and Logical (file-by-file) acquisition determines whether or not we can recover deleted data. By utilizing Hardware Write Blockers and verifying our work with Hashing Algorithms (MD5/SHA-256), we ensure that the evidence we present in court is authentic and unaltered. Whether using free tools like FTK Imager or enterprise suites, the adherence to these standards is what separates a forensic examiner from a computer technician.