written 6.8 years ago by | modified 6.7 years ago by |
Subject: Digital Forensics
Topic: Initial response and forensic duplication
Difficulty: High
written 6.7 years ago by |
Most IR teams will create and process three primary types of forensic images: complete disk, partition, and logical. Each has its purpose, and your team should understand when to use one rather than another.
Complete Disk Image
The process for obtaining a “complete disk image” is intended to duplicate every addressable allocation unit on the storage medium.
Partition Image
Most forensic imaging tools allow you to specify an individual partition, or volume, as the source for an image. A partition image is a subset of a complete disk image and contains all of the allocation units from an individual partition on a drive. This includes the unallocated space and file slack present within that partition.
Logical Image
A logical image is less of an “image” and more of a simple copy, and it’s the type of duplication we referred to previously as a “simple duplication.” Although logical copies are typically the last resort and make most examiners cringe when they hear one is inbound, there are solid reasons why they are the duplication of choice.
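The following is an added example, not part of the original answer, that makes the three image types concrete. It constructs a tiny synthetic disk (an MBR with one partition entry, a gap before the partition, a toy filesystem with a two-entry directory and two-sector clusters, and unallocated sectors after the partition; the layout, marker bytes and file names are all assumptions made here), then derives a partition image as a byte range of the complete disk image and a logical copy as only the live bytes of each file. Counting the marker bytes shows what each duplication method keeps: the complete disk image carries the gap and trailing unallocated sectors, the partition image keeps file slack and deleted-cluster residue but not the space outside the partition, and the logical copy keeps none of them.

```python
import hashlib
import struct

SECTOR = 512                             # bytes per addressable sector
CLUSTER = 2 * SECTOR                     # toy filesystem allocation unit (two sectors)
DIR_ENTRY = struct.Struct("<12sII")      # file name, first cluster, size in bytes
MBR_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS, type, CHS, LBA start, sector count
DATA_START = 2 * SECTOR                  # clusters begin after a two-sector directory area

# Constructed sample layout (assumption, not a real disk): 64 sectors in total,
# partition at sectors 8..47, two live files, one deleted cluster.
DISK_SECTORS = 64
PART_START, PART_SECTORS = 8, 40
FILES = [                                # (name, first cluster, content byte, size)
    (b"notes.txt", 0, b"n", 700),        # 700 bytes in a 1024-byte cluster -> 324 bytes of slack
    (b"key.bin", 1, b"k", 1024),         # exactly one cluster, no slack
]
# Marker bytes for residue a logical copy never sees:
#   'G' gap before the partition, 'S' file slack, 'D' deleted cluster, 'T' trailing unallocated space
RESIDUE = {"gap": b"G", "slack": b"S", "deleted": b"D", "trailing": b"T"}


def build_disk_image() -> bytes:
    """Build the synthetic complete-disk image: MBR, gap, one partition, trailing sectors."""
    disk = bytearray(DISK_SECTORS * SECTOR)
    # MBR: one partition entry in slot 0 (type 0x83) and the 0x55AA boot signature
    disk[446:446 + 16] = MBR_ENTRY.pack(0x00, b"\0\0\0", 0x83, b"\0\0\0", PART_START, PART_SECTORS)
    disk[510:512] = b"\x55\xaa"
    # Sectors 1..7: unallocated gap between MBR and partition
    disk[SECTOR:PART_START * SECTOR] = RESIDUE["gap"] * ((PART_START - 1) * SECTOR)
    # The partition: directory entries, then clusters of file data
    part = bytearray(PART_SECTORS * SECTOR)
    for i, (name, cluster, fill, size) in enumerate(FILES):
        DIR_ENTRY.pack_into(part, i * DIR_ENTRY.size, name, cluster, size)
        off = DATA_START + cluster * CLUSTER
        part[off:off + CLUSTER] = RESIDUE["slack"] * CLUSTER   # stale bytes already in the cluster
        part[off:off + size] = fill * size                     # live file content overwrites the front
    off = DATA_START + 2 * CLUSTER                             # cluster 2: a file that was deleted
    part[off:off + CLUSTER] = RESIDUE["deleted"] * CLUSTER
    disk[PART_START * SECTOR:(PART_START + PART_SECTORS) * SECTOR] = part
    # Sectors 48..63: unallocated space after the partition
    tail = (DISK_SECTORS - PART_START - PART_SECTORS) * SECTOR
    disk[(PART_START + PART_SECTORS) * SECTOR:] = RESIDUE["trailing"] * tail
    return bytes(disk)


def parse_mbr(disk: bytes) -> list:
    """Return (start LBA, sector count) for every used MBR partition entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        _status, _chs, ptype, _chs2, lba, count = MBR_ENTRY.unpack_from(disk, 446 + 16 * i)
        if ptype != 0x00:
            parts.append((lba, count))
    return parts


def partition_image(disk: bytes, index: int = 0) -> bytes:
    """A partition image is simply a contiguous byte range of the complete disk image."""
    lba, count = parse_mbr(disk)[index]
    return disk[lba * SECTOR:(lba + count) * SECTOR]


def logical_copy(part: bytes) -> dict:
    """A logical copy walks the directory and keeps only the live bytes of each file."""
    files, off = {}, 0
    while off + DIR_ENTRY.size <= DATA_START:
        name, cluster, size = DIR_ENTRY.unpack_from(part, off)
        if name == b"\0" * len(name):
            break                                   # end of directory
        start = DATA_START + cluster * CLUSTER
        files[name.rstrip(b"\0").decode()] = part[start:start + size]
        off += DIR_ENTRY.size
    return files


def residue_counts(data: bytes) -> dict:
    """How many bytes of each residue kind an image still carries."""
    return {kind: data.count(marker) for kind, marker in RESIDUE.items()}


def compare() -> dict:
    """Size, hash and residue content of the three duplication types."""
    disk = build_disk_image()
    part = partition_image(disk, 0)
    logical = b"".join(logical_copy(part).values())
    return {name: {"size": len(data),
                   "sha256": hashlib.sha256(data).hexdigest(),
                   "residue": residue_counts(data)}
            for name, data in (("complete_disk", disk), ("partition", part), ("logical", logical))}


if __name__ == "__main__":
    for name, info in compare().items():
        print(f"{name:14} {info['size']:6d} bytes  {info['sha256'][:16]}...  {info['residue']}")
```

Hashing each image at acquisition time is what lets you later prove the partition image is exactly the slice of the complete disk it claims to be; the logical copy has no such relationship to the medium, which is why slack and deleted-cluster residue are gone from it.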