
The 5 Best Open-Source Tools for Creating a Forensic Disk Image

Robert Wagner
Reading time: 8 min

An open-source forensic image tool can save you money and let you keep more control over your data security processes.

In computer forensics and data analysis, a forensic image is an exact snapshot of the state of a drive or partition at a given point in time. This snapshot preserves details that aren’t visible to most users, such as file access times and last modified dates. These details become critical in the analysis process, allowing investigators to identify when and how files were accessed by different users. 

Even if you don't have a dedicated information security person in-house, it pays to have someone on staff that knows how to make a forensic image of a suspicious system. While you may have to contract the actual forensic analysis out to a third party, getting the forensic image as quickly as possible is critical. Whether the issue is an infected laptop, or the computer of someone you suspect has been stealing data, a forensic image created as soon as you realize there's an incident may be key to getting answers. 

Forensic images typically break down into two types: forensic disk images and forensic memory dumps. We’ll discuss memory dumps in a separate article. Read on to learn about the five best open-source tools for creating a forensic disk image.

Clonezilla

Clonezilla is a Linux distribution that is most commonly used to create a forensic image of a hard drive. It is a specialized version of the open-source XPUD GNU/Linux distribution and comes equipped with a number of utilities commonly used in forensics. Clonezilla can be run from a live disk or inside a virtual machine to make a disk image of an entire drive or just a partition. Clonezilla’s most prominent use is in forensics, but it also has other uses. On a single drive, Clonezilla works by using dd to create an image of the drive’s data. As such, it is well-suited for government and enterprise use. Clonezilla is also effective for data recovery, since it can make a copy of a drive that is failing.

Foremost

Foremost is a Linux utility designed to extract as much information as possible from a disk image. It is designed to recognize many different file types, including deleted files, and extract them. Foremost is best used when a disk image is in non-standard file formats. Foremost can also be used to extract metadata from a file. It can be used to uncover information such as who the file was created by, when it was modified, and who last modified it. This information is critical in forensic analysis, since it can be used to pin down exactly when a file was accessed by a particular user.

Dcfldd

Dcfldd is a specialized version of dd that is designed to create a forensic image of a hard drive. It is available for both Windows and Linux, and is often used to create images of drives inside of a virtual machine, such as VMware. Dcfldd is a very powerful tool, with a low barrier to entry. It can be used to create both raw and compressed disk images, and supports a wide range of input/output file formats. Dcfldd is also an excellent general-purpose disk imaging tool. If a drive is damaged, it can be used to create a snapshot of the drive while it is still functional.

Sleuthkit

The Sleuthkit is a collection of tools designed to work together to analyze and process computer evidence. It contains tools to process data, visualizations to make that data easier to understand, and tools to graphically represent the data. The Sleuthkit is typically used in a virtual machine environment. It can be used to process and analyze multiple data sources, including images of hard drives, unallocated space, deleted files, and file system metadata. The Sleuthkit is a great open-source tool for forensic analysis, but it is not easy to use. Sleuthkit can also be used in conjunction with Autopsy, a GUI interface for analysis of the forensic image created by Sleuthkit.

FTK

FTK provides a comprehensive computer forensics solution. It consolidates the most frequently used forensic tools into one place, making it easy for investigators to locate the tools they need. Forensic images of hard drives and mobile devices can be created with this tool, which processes a wide range of data types from many sources. It is one of the faster tools available, and can leverage multi-core CPUs to speed up tasks by running them in parallel.

Ddrescue

Ddrescue is a data recovery tool that can be used to extract data from a damaged drive. It can be used to copy a drive that has been physically damaged or one that contains corrupt data. Ddrescue can be used to create a forensic image of a drive, and also excels at data recovery. This makes it a great tool for law enforcement and forensics professionals, and non-security professionals will like that it’s a bit easier to use than the dd that comes with most Linux distributions.
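The dd-style acquisition that Clonezilla, dcfldd and ddrescue build on, shown as an added example that is not from the article or from any of these projects: a raw copy of the source followed by hashing both source and image, which is the check that tells you the copy is complete before the evidence drive is powered down. A constructed file stands in for the block device so it runs without root; the device name /dev/sdb in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the article or the tools' own documentation.
# Acquires a raw image with dd (the mechanism Clonezilla and dcfldd build on)
# and verifies it by hashing the source and the image. A constructed file
# stands in for the block device so the demo runs offline; on a real system
# SRC would be a device node such as /dev/sdb (assumed name).
set -eu

# acquire_image SRC DST [BS]: raw, byte-for-byte copy of SRC to DST.
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros so every later byte keeps its original offset. Because sync also pads
# the final partial block to BS, BS must divide the source size: use the
# sector size (512 or 4096) on real drives. dcfldd accepts the same options
# and can additionally hash on the fly (hash=sha256 hashlog=FILE).
acquire_image() {
    dd if="$1" of="$2" bs="${3:-4096}" conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST: prints "match" or "mismatch".
# Hash the source as well as the image, so a short read, a truncated copy or
# a padded tail is caught while the evidence drive is still attached.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ] && echo match || echo mismatch
}

# demo_acquire: image a constructed 8 MiB "drive" and verify it -> match
demo_acquire() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=1048576 count=8 2>/dev/null
    acquire_image "$work/evidence.bin" "$work/evidence.dd"
    result=$(verify_image "$work/evidence.bin" "$work/evidence.dd")
    rm -rf "$work"
    echo "$result"
}

# demo_truncated: same acquisition, but the image is cut to 4 MiB -> mismatch
demo_truncated() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=1048576 count=8 2>/dev/null
    acquire_image "$work/evidence.bin" "$work/evidence.dd"
    head -c 4194304 "$work/evidence.dd" > "$work/short.dd"
    result=$(verify_image "$work/evidence.bin" "$work/short.dd")
    rm -rf "$work"
    echo "$result"
}
```

Record both hashes alongside the image; a later reviewer can re-hash the image file and confirm it still matches what was read from the drive.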

Conclusion

A forensic image is an exact snapshot of the state of a drive or partition at a given point in time. This snapshot preserves details that are not visible to most users, such as file access times and last modified dates. These details become critical in the analysis process, allowing investigators to identify when and how files were accessed by different users. An open-source forensic image tool can save you money and let you keep more control over your data security processes. Sadly, many tools are closed source and come with hefty price tags. Luckily, there are also many free, open-source tools available. Clonezilla, Foremost, dcfldd, ddrescue, and FTK are all excellent choices.