Over 500+ Successful Court Cases & Counting: See Reviews ➔
500+ Successful Court Cases & Counting: See Reviews ➔
athor image
Tim Bilecki

What is a Forensic Image?

hard drive

If you are new to the world of digital forensics, you may come across the term “forensic image.” What exactly is a forensic image? A forensic image is a bit for bit copy of the source device and is stored in a forensic image format. A forensic image allows you to conduct your investigation on an exact copy of the source device. Now your source device may be a thumb drive, hard drive, or SSD drive.

You do not want to do your exam on the original evidence due to its fragility. It is very easy to change digital evidence inadvertently. Using a forensic image protects the data during the examination, so we cannot accidentally change the data. Some standard formats of the forensic image are DD, E01, and AFF.

DD is one of the oldest imaging tool available for forensic investigators. It originally was a UNIX command but has now been migrated to all the major operating systems. There are now unique versions of DD that you can use, one of the more common versions is dc3dd, has been developed by Jesse Kornblum.

E01 is the expert witness format used by the EnCase forensic software suite. E01 differs from DD and that it creates a “header” that contains the evidence name/number, acquisition dates and times, notes from the investigator, and information about the forensic tool that created the forensic image. This format also creates a CRC value every 64 sectors to help verify the data in the forensic image has not changed. AFF is the advanced forensics format. This is an open-source forensic image format that was developed by Simson Garfinkel and Basis Technology. In my experience, DD images and E01 images are considered to be the “standard” for forensic images. I do not remember the last time I did not receive a forensic image that was not in either format. If you want to learn more about the forensic images in the process used to create them, please check out my book “Learn Digital Forensics” https://www.amazon.com/dp/B086WBP289 on Amazon.com.

Defending Service Members Globally

Wherever Duty Calls, Our Defense Follows

More Cases Like this

Air Force

Joint Base Pearl Harbor - Hickam, Hawaii

Sexual Assault

Navy

Whidbey Island, Washington

Violation of Article 120c of the UCMJ

Army

Grafenwoehr, Germany

Sexual Assault

0 +

Years of Experience

0 +

Court Martial Verdicts

0 +

Service Members Represented

0 m+

Miles Traveled

Scroll to Top