Once your device is connected to a write blocker, you next make a connection to a storage device. Then you use either an application or possibly command lines to initiate a byte-by-byte copy of the hard drive or other large portions of data. This is sometimes also called a mirror image, though I do not like that term because in a mirror everything is backwards, and in a successful forensic image everything is the same as in the original. These images become a file with an extension of .dd, or .e01, or other types of recognized image files.
Of course, if this is an image of a hard disk, they can be very large files. In some cases the forensic imaging applications that create them will automatically divide them into segments of the right size to fit onto CDs or DVDs so that you can transport them on those media. The forensic imaging software will also sometimes let you compress the resulting image files by recording, rather than actually copying, the empty (all-zero) sections of the hard drive. When it sees empty parts of the drive, it tracks and records where those are so that, if you need to reproduce the exact hard drive, it can put those empty sections back where they were on the original.
If you prefer using the command line to create your image, the dd command will work on UNIX systems and, through a port, on Windows as well. Its syntax is a little different from most UNIX commands, and it can be used for many different tasks. The basic UNIX command line for copying one drive to another might look like: "dd if=/dev/ad0 of=/dev/ad1" (without the quotes), where /dev/ad0 is the source disk and /dev/ad1 the destination (these are FreeBSD-style whole-disk device names; on Linux they would be /dev/sda and /dev/sdb). The "if" and "of" in this command refer to the input file (if) and output file (of). For a forensic acquisition you would normally image to a file on your evidence storage rather than onto a second raw disk, and hash both the source and the image to confirm that the copy is exact.
The Windows version of that command would be: "dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img" (again without the quotes), where \\.\PhysicalDrive0 is the whole first physical disk rather than a single volume. To that you could add some hash options to verify that it copied correctly, such as: "--md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5" (again without the quotes), which, as their names indicate, compute an MD5 of the data read, verify the written image against it, and save the hash to a file beside the image.
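The dd-plus-hash procedure above, carried through as an added example that is not code from the book: a POSIX shell script that images a source with dd, records a SHA-256 beside the image, verifies the image against the source and the recorded hash, and splits the image into fixed-size segments and rejoins them (the "fit onto CDs or DVDs" case). The source is a constructed 8 KiB file standing in for a drive, and all paths are hypothetical; against a real disk you would point make_image at the device node behind a write blocker. It goes slightly beyond the page's two commands by showing the conv=noerror,sync padding caveat that matters when a drive has bad sectors.

```shell
#!/bin/sh
# Added example (not from the book): dd imaging with hash verification
# and segmenting, run against a constructed file standing in for a drive.
set -u

# Hex SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Byte-for-byte copy of $1 (device or file) into image file $2, then write
# the image hash next to it. conv=noerror,sync keeps dd running past read
# errors and pads each unreadable block with zeros so every later byte
# stays at its original offset. Caveat: sync also pads a short final read
# up to bs, so bs must divide the source size (512 does for any real
# disk; 4096 is used here and the constructed source is sized to match).
make_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    printf '%s  %s\n' "$(hash_of "$img")" "$img" > "$img.sha256"
}

# Return 0 only if the image hashes the same as the source and as the
# recorded hash file. Any single changed byte makes this fail.
verify_image() {
    src=$1; img=$2
    img_hash=$(hash_of "$img")
    recorded=$(cut -d' ' -f1 "$img.sha256")
    [ "$img_hash" = "$(hash_of "$src")" ] && [ "$img_hash" = "$recorded" ]
}

# Split an image into seg_bytes-sized pieces named <img>.seg.aa, .ab, ...
# and reassemble them; succeeds only if the rejoined file hashes the same
# as the original image.
split_and_rejoin() {
    img=$1; seg_bytes=$2; rejoined=$3
    split -b "$seg_bytes" "$img" "$img.seg."
    cat "$img".seg.* > "$rejoined"
    [ "$(hash_of "$img")" = "$(hash_of "$rejoined")" ]
}

# Stand-alone demo on a constructed 8 KiB pseudo-drive (hypothetical paths).
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    yes 'constructed-drive-data' | head -c 8192 > "$work/drive.bin"
    make_image "$work/drive.bin" "$work/drive.dd"
    verify_image "$work/drive.bin" "$work/drive.dd" && echo "image verified"
    split_and_rejoin "$work/drive.dd" 1024 "$work/rejoined.dd" && echo "segments rejoin OK"
fi
```

Run it as "sh image.sh demo". The hash file is written in the same "hash  filename" layout that sha256sum -c accepts, so a later examiner can re-verify the image without this script.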
Now, this is not meant to be a technical how-to topic, and there are many different tools and applications that assist in