Disk Imaging and File System Forensics
Create forensic images with dd/FTK Imager, analyze FAT and NTFS file systems, recover deleted files.
Forensic Imaging Principles
Forensic imaging creates a bit-for-bit copy of storage media while preserving evidence integrity. The original evidence must never be modified: acquire it through a write blocker and do all analysis on the copy. Hash both the original and the copy; matching hashes verify exact reproduction.
Write Blockers
Hardware write blockers physically prevent write commands from reaching evidence drives. Software write blockers (dc3dd, FTK Imager) prevent OS-level writes. Always connect evidence drives through a write blocker to prevent accidental modification of the evidence.
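The hash-the-original-and-the-copy step described above, as an added example that is not part of the original lesson. It assumes the source is already attached through a write blocker; `acquire_image`, `verify_image` and `sha256_of` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: image a source with dd and verify the copy by hash.
# Assumption: the source is already attached through a write blocker.

# Print only the SHA-256 digest of a file or block device.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_image SRC IMG
# Hashes SRC, copies it to IMG, hashes IMG, records both digests in
# IMG.sha256 and removes write permission from the image and the record.
# Returns 0 on matching hashes, 1 on mismatch, 2 on a usage or I/O error.
acquire_image() {
    src=$1; img=$2
    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2; return 2
    fi
    src_hash=$(sha256_of "$src")
    # No conv=sync: it zero-pads a short final block, so the image would
    # no longer hash the same as the source.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 2
    img_hash=$(sha256_of "$img")
    {
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
    if [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ]; then
        return 0
    fi
    echo "HASH MISMATCH: image is not an exact copy of $src" >&2
    return 1
}

# verify_image IMG
# Re-hashes the working copy and compares it with the digest recorded at
# acquisition time; run this before and after analysis.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^image_sha256=//p' "$img.sha256")
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}
```

For a real acquisition the source would be the write-blocked device node, and the `.sha256` record belongs with the case notes.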