Cyber Security Academy · Lesson

Disk Imaging and File System Analysis

Recovering artifacts from storage.

Bit-for-Bit Imaging

A forensic image is a bit-for-bit copy of a storage device, including slack space, unallocated areas, and deleted-file remnants. A simple file copy misses all of this.

Two common formats:

  • Raw (dd / .img): identical bytes, no metadata, large
  • Expert Witness Format (E01): compressed, with embedded hashes and case metadata

Acquiring with dd and dcfldd

Classic raw acquisition uses dd, but forensic variants such as dcfldd and dc3dd add inline hashing, progress reporting, and a hash log you can attach to the case file.

Always image through a write blocker and hash before and after.

# Forensic raw image with inline hashing and verification
# if=  source device (behind a write blocker)   of=  raw image file
# hash=sha256 hashes the data as it streams; hashlog= records the digest
# bs=4M reads 4 MiB blocks; conv=noerror keeps going past read errors,
# conv=sync zero-pads short (failed or final) blocks so offsets stay aligned
dcfldd if=/dev/sdb of=evidence.dd \
  hash=sha256 hashlog=evidence.hashlog \
  bs=4M conv=sync,noerror

# Verify the image matches the source
# Note: conv=sync pads a short final block, so if the device size is not a
# multiple of bs the image is larger than the source and the two digests will
# differ even for a clean read; pick a bs that divides the device size or
# compare against the digest recorded in evidence.hashlog.
sha256sum /dev/sdb evidence.dd
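The following script is an added illustration, not part of the lesson and not dcfldd's code. It builds a constructed toy volume in memory (a few 512-byte sectors with a hand-made allocation table, not a real file system) and shows two things from the text above: why a plain file copy misses slack space and deleted-file remnants while a bit-for-bit image keeps them, and how the before/after SHA-256 check behaves, including the conv=sync padding case where the image ends up larger than the source and the digests stop matching. All names (build_sample_device, image_device, logical_copy, verify_image) are assumptions made for this example.

```python
import hashlib
import io

SECTOR = 512  # toy sector size for the constructed device below


def build_sample_device():
    """Constructed 8-sector toy volume (not a real file system).

    Returns the raw bytes plus a minimal allocation table
    {name: (first_sector, size_in_bytes)} describing the one live file.
    """
    dev = bytearray(8 * SECTOR)
    # Live file: 660 bytes, so it spans sectors 1 and 2.
    live = b"Q3 report: revenue up 12 percent\n" * 20
    dev[1 * SECTOR:1 * SECTOR + len(live)] = live
    # File slack: bytes after EOF in the file's last sector keep stale content.
    stale = b"OLD DRAFT - DO NOT SEND"
    dev[1 * SECTOR + len(live):1 * SECTOR + len(live) + len(stale)] = stale
    # A deleted file: its data still sits in unallocated sector 5.
    deleted = b"deleted_memo.txt: meeting moved to 15:00"
    dev[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    return bytes(dev), {"report.txt": (1, len(live))}


def logical_copy(device: bytes, table: dict) -> dict:
    """What a plain file copy sees: only the live bytes of allocated files."""
    return {name: device[s * SECTOR:s * SECTOR + size]
            for name, (s, size) in table.items()}


def image_device(device: bytes, bs: int, sync_pad: bool) -> bytes:
    """Raw bit-for-bit image of `device` read in bs-sized blocks.

    sync_pad=True mimics dd/dcfldd conv=sync: a short final block is
    zero-padded to a full bs, which can make the image longer than the source.
    """
    src, out = io.BytesIO(device), io.BytesIO()
    while True:
        chunk = src.read(bs)
        if not chunk:
            break
        if sync_pad and len(chunk) < bs:
            chunk = chunk.ljust(bs, b"\x00")
        out.write(chunk)
    return out.getvalue()


def contains(blobs, marker: bytes) -> bool:
    """True if `marker` appears anywhere in a bytes object or a dict of them."""
    if isinstance(blobs, dict):
        return any(marker in b for b in blobs.values())
    return marker in blobs


def verify_image(source: bytes, image: bytes):
    """Hash source and image the way `sha256sum /dev/sdb evidence.dd` would."""
    src_hash = hashlib.sha256(source).hexdigest()
    img_hash = hashlib.sha256(image).hexdigest()
    return src_hash == img_hash, src_hash, img_hash


if __name__ == "__main__":
    dev, table = build_sample_device()
    copy = logical_copy(dev, table)
    image = image_device(dev, bs=SECTOR, sync_pad=True)
    for marker in (b"OLD DRAFT", b"deleted_memo"):
        print(f"{marker!r}: in file copy={contains(copy, marker)}, "
              f"in raw image={contains(image, marker)}")
    print("bs=512 image verifies:", verify_image(dev, image)[0])
    # 4096-byte device with bs=1000: final 96-byte block padded to 1000 bytes.
    padded = image_device(dev, bs=1000, sync_pad=True)
    print("bs=1000 image size:", len(padded), "verifies:", verify_image(dev, padded)[0])
```

With a block size that divides the device size the image is byte-identical and the two digests agree; with bs=1000 the padded image is 5000 bytes for a 4096-byte source, so the hash check fails even though nothing was read incorrectly, which is the case the note on the verification step is about.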
