Digital Forensics Image Formats and Functions

Forensic Image File Format.
A forensic image can have different file formats; some are free and others are proprietary formats developed by the company behind the forensic software used to create the forensic image. The following are the main ones used in the industry.

Raw Format.
The most used file format, Raw format is a bit-by-bit copy of the raw data of the drive under investigation, and it can be used to image either the complete drive or a single volume (partition) within it. Raw format's main advantages lie in its ability to ignore minor read errors from the source drive and in its fast data transfer. Raw format cannot store metadata within it; however, some applications store such metadata (e.g., the hash value of the image file, the drive serial number, etc.) in a separate file.

Raw format is supported by most computer forensics software, and it is the default file format for the output generated by the well-known Linux/UNIX dd command. Raw format has several naming schemes (extensions), such as 001, dd, dmg, raw, and img. The main shortcoming of Raw format is that it requires the same storage space as the source drive, because data cannot be compressed while it is in Raw format; this can be a problem when acquiring large hard drives.

 

AFF.
Advanced Forensic Format (AFF) is an open source, extensible file format for forensic images; its source code can be freely integrated into other open source and proprietary programs. AFF supports two compression algorithms: zlib and LZMA. You can also split the resulting forensic image file into multiple files. AFF supports encryption of drive images (beginning with AFF v2.0), so you can protect your acquired image with a password. AFF allows a wide array of metadata to be stored within the image file itself; this effectively reduces the hassle and allows for one file that stores all information related to the acquired forensic image (e.g., the metadata can contain the chain of custody or an audit trail). The latest version is AFF4, while AFF3 and AFFLIBv3 have been deprecated and should not be used for new projects. The following computer forensics software supports newer versions of AFF: Sleuthkit, Autopsy, OSFMount, Xmount, FTK Imager, and FTK. AFF uses the “.afd” extension for segmented image files and “.afm” for AFF metadata.

Expert Witness (EnCase).
This is a proprietary file format created by Guidance Software (now OpenText) for their well-known product “EnCase Forensic,” which is widely used by law enforcement in criminal investigations around the globe. This file format can be used to store different types of digital evidence; it is compressible and searchable, and the resultant image can be split into multiple files. Metadata can be associated with the same image file; however, the quantity and type of metadata are limited compared with the AFF file format.

The EnCase file format has the extension “.E01”; however, when EnCase captures hard drives, it will automatically divide the resultant image into chunks of 640 MB. Because of this division of forensic image data, the file extension changes according to the chunk number (for example, the first chunk has the extension “.e01,” the second chunk “.e02,” etc.).

Other File Formats.
There are other, less popular file formats for forensic images; these are proprietary formats used by some computer forensics suites (like Safeback by NTI, ILook Imager, and ProDiscover).

 

Forensics Image File Validation
Acquired forensic image files must be validated to ensure their authenticity; validation ensures that the acquired image is 100% identical to the source and that it has not been altered during the acquisition process. Hashing is the accepted standard in the computer forensics industry for validating acquired forensic images. A hash value is considered an electronic fingerprint of the resultant image file. Most computer forensics software will automatically produce a hash value of the captured data upon completion; however, you can use third-party tools or the standard utility available in modern Windows versions through PowerShell (we already covered how to do this in previous sections of our OCSALY course) to calculate the hash value of any piece of data.
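As an added example (not part of the course material) of the validation step described above: a Python script that recomputes the hash of a Raw image and compares it with the digest the acquisition tool recorded in its separate metadata file. It goes slightly beyond the text by treating a split Raw image (.001, .002, ...) as one byte stream, which is how the original drive was hashed; the sample image, its recorded hash, and the file names are constructed inline.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Split Raw images carry a three-digit segment counter: evidence.001, evidence.002, ...
SEGMENT_RE = re.compile(r"\.(\d{3})$")


def ordered_segments(first_segment):
    """List the segment files in order; an unsplit image is a one-item list."""
    m = SEGMENT_RE.search(first_segment)
    if not m:
        return [first_segment]
    base, n, segments = first_segment[: m.start()], int(m.group(1)), []
    while os.path.exists(f"{base}.{n:03d}"):
        segments.append(f"{base}.{n:03d}")
        n += 1
    return segments


def hash_image(first_segment, algorithm="sha256", block_size=1 << 20):
    """Hash the logical drive image, streaming over all segments as one byte stream."""
    h = hashlib.new(algorithm)
    for segment in ordered_segments(first_segment):
        with open(segment, "rb") as f:
            for block in iter(lambda: f.read(block_size), b""):
                h.update(block)
    return h.hexdigest()


def verify_image(first_segment, recorded_hex, algorithm="sha256"):
    """True only if the recomputed digest matches the one the acquisition tool recorded."""
    computed = hash_image(first_segment, algorithm)
    return hmac.compare_digest(computed, recorded_hex.strip().lower())


def demo():
    """Constructed sample: a 2 MiB + 17 byte 'drive' imaged into 1 MiB Raw segments."""
    drive = bytes(range(256)) * (2 * 4096) + b"\x00" * 17
    recorded = hashlib.sha256(drive).hexdigest()  # what the imager wrote to its sidecar file
    with tempfile.TemporaryDirectory() as d:
        first = os.path.join(d, "evidence.001")
        for i, offset in enumerate(range(0, len(drive), 1 << 20), start=1):
            with open(os.path.join(d, f"evidence.{i:03d}"), "wb") as f:
                f.write(drive[offset : offset + (1 << 20)])
        intact = verify_image(first, recorded)
        # Flip one byte in the second segment: the image no longer matches the record.
        with open(os.path.join(d, "evidence.002"), "r+b") as f:
            f.seek(5)
            f.write(b"\xff")
        tampered = verify_image(first, recorded)
    return intact, tampered  # (True, False)
```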

OCSALY