Disk imaging is a fundamental process in digital forensics.
Storage devices are among the many pieces of evidence we encounter at a crime scene.
It is of prime significance that every piece of evidence is handled with care
and that no alteration occurs during the investigation of a digital
crime. During a digital investigation, there is a chance that the collected data
may be intentionally or accidentally destroyed; in that case, the evidence
cannot be presented in court. The investigator has to follow the proper chain of
custody. To avoid changes to seized storage devices, one instruction the
investigator must follow is “DO NOT TOUCH THE ORIGINAL EVIDENCE”: we are not
supposed to perform any analysis operation directly
on the original device.
In disk imaging, we make an exact copy of a storage device or one of
its partitions and then store it on a larger storage device or write it directly to
another device. It looks like a copy-paste operation, but it is not. In a
copy-paste operation, we just move data from one location to another, and
the source addressing is not maintained. Also, in a
copy-paste operation, data already existing at the target location is not overwritten,
because the copied data is stored only in free locations. In cloning or imaging, by
contrast, both the data and its location are considered. In an image, file data is
stored along with its source location, and in the cloning process data from the
source is replicated as it is, with the old addressing scheme preserved.
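The difference described above, as an added example that is not part of the original post: a Python sketch that images a constructed sample "disk" byte for byte, then checks that the image hashes the same as the source and that bytes belonging to no file sit at the same offset in the image. The file names, offsets, contents and chunk size are constructed for illustration, and the SHA-256 comparison is an addition the post does not describe.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size in bytes (assumed value)


def sha256_of(path):
    """Hash a file or device node in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_device(source, image_path):
    """Copy every byte of source in order and return the hash of what was read."""
    digest = hashlib.sha256()
    # The source is opened read-only; nothing is ever written to it.
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def make_sample_disk(path, size=64 * 1024):
    """Constructed stand-in for a seized device: one file's content plus
    leftover bytes of a deleted file that no file listing would show."""
    disk = bytearray(size)
    disk[4096:4096 + 11] = b"report data"
    disk[40960:40960 + 14] = b"deleted-secret"
    with open(path, "wb") as f:
        f.write(disk)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.raw")
        image = os.path.join(workdir, "evidence.dd")
        make_sample_disk(source)
        acquired = image_device(source, image)
        with open(image, "rb") as f:
            f.seek(40960)  # same offset as on the source
            residue = f.read(14)
        hashes_match = acquired == sha256_of(image) == sha256_of(source)
        return hashes_match, residue
```

A file-level copy of the same device would carry over only the listed file, so the leftover bytes at offset 40960 would be absent from the copy.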
Let us learn through the given video lecture.