Forensic imaging is the process of making an exact copy of a hard drive and/or some other type of media. During the process, every 0 and 1 on the original disk/media is copied to the target disk/media. Prior to performing imaging, the destination drive must be zeroed or blanked (whereismydata.wordpress.com, 2009).
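The sketch below is an added example, not code from the original post. It refuses to write to a destination that is not fully zeroed, copies the source bit for bit, and compares SHA-256 digests of both sides. It assumes regular files stand in for the source and target media; the function names are hypothetical, and the hash comparison is an added verification step that the post does not describe.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # 1 MiB chunks, so large media is never held in memory

def first_nonzero_offset(path):
    """Offset of the first non-zero byte in path, or None if it is fully zeroed."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)
    return None

def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of path."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0 and (chunk := f.read(min(BLOCK, length))):
            digest.update(chunk)
            length -= len(chunk)
    return digest.hexdigest()

def image(source, target):
    """Copy source onto a pre-zeroed target; return (source_hash, target_hash)."""
    size = os.path.getsize(source)  # assumption: regular files stand in for media
    if os.path.getsize(target) < size:
        raise ValueError("target is smaller than source")
    stale = first_nonzero_offset(target)
    if stale is not None:
        raise ValueError(f"target not zeroed: stale data at offset {stale}")
    with open(source, "rb") as src, open(target, "r+b") as dst:
        while chunk := src.read(BLOCK):
            dst.write(chunk)  # every byte of the source lands at the same offset
    return sha256_prefix(source, size), sha256_prefix(target, size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "evidence.bin"), os.path.join(d, "target.bin")
        with open(src, "wb") as f:
            f.write(b"constructed sample sector data" * 100)  # constructed input
        with open(dst, "wb") as f:
            f.write(b"\x00" * 4096)  # zeroed destination, larger than the source
        a, b = image(src, dst)
        print("match" if a == b else "MISMATCH", a)
```

Because the target was zeroed first, any bytes beyond the end of the copied data are known to be zeros rather than remnants of an earlier case.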
The E01 extension is primarily used by EnCase Forensic Imager. However, this format can also be found in tools such as FTK Imager. The image below shows part of the process of an image being acquired in E01 format in FTK Imager.
Reference:
https://whereismydata.wordpress.com/2009/06/27/forensics-what-is-imaging/
In this series
Working with media - Unallocated Space
Working with media - Allocated Space
Working with media - Partitioning
Working with media - Sectors
Working with media - Clusters
Working with media - Slack Space
Forensic Imaging and their Formats - The Advanced Forensic Format (AFF)
Forensic Imaging and their Formats - Encase Image (E01)
Forensic Imaging and their Formats - DD (raw)