Skip to content

CTF Handbook

What is Disk Imaging

CTF Handbook

Home
Forensics
Forensics
- Overview
- File Formats
  File Formats
  - What are File Formats
- Metadata
  Metadata
  - What is Metadata
- Wireshark
  Wireshark
  - What is Wireshark
- Steganography
  Steganography
  - What is Steganography
- Disk Imaging
  Disk Imaging
  - What is Disk Imaging What is Disk Imaging
    Table of contents
    
    Forensic Image Extraction Exmple
- Memory Forensics
  Memory Forensics
  - What is Memory Forensics
- Hex Editors
  Hex Editors
  - What is a Hex Editor
Cryptography
Cryptography
- Overview
- XOR
  XOR
  - What is XOR
- Substitution Cipher
  Substitution Cipher
  - What is a Substitution Cipher
  - Caesar Cipher/ROT 13
- Vigenere Cipher
  Vigenere Cipher
  - What is a Vigenere Cipher
- Hashing Functions
  Hashing Functions
  - What are Hashing Functions
- Modes of Operation
  Modes of Operation
  - What are Block Ciphers
  - What are Stream Ciphers
- RSA
  RSA
  - What is RSA
Web Exploitation
Web Exploitation
- Overview
- SQL Injection
  SQL Injection
  - What is SQL Injection
- Command Injection
  Command Injection
  - What is Command Injection
- Directory Traversal
  Directory Traversal
  - What is Directory Traversal
- Cross Site Request Forgery
  Cross Site Request Forgery
  - What is Cross Site Request Forgery
- Cross Site Scripting (XSS)
  Cross Site Scripting (XSS)
  - What is Cross Site Scripting
- Server Side Request Forgery
  Server Side Request Forgery
  - What is Server Side Request Forgery
- PHP
  PHP
  - What is PHP?
Reverse Engineering
Reverse Engineering
- Overview
- Assembly/Machine Code
  Assembly/Machine Code
  - What is Assembly/Machine Code
- The C Programming Language
  The C Programming Language
  - What is C
- Disassemblers
  Disassemblers
  - What are Disassemblers
- Debuggers
  Debuggers
  - What is GDB
- Decompilers
  Decompilers
  - What are Decompilers
Binary Exploitation
Binary Exploitation
- Overview
- Registers
  Registers
  - What are Registers
- The Stack
  The Stack
  - What is the Stack
- Calling Conventions
  Calling Conventions
  - What are Calling Conventions
- Global Offset Table (GOT)
  Global Offset Table (GOT)
  - What is the GOT
- Buffers
  Buffers
  - What are Buffers
  - Buffer Overflow
- Return Oriented Programming (ROP)
  Return Oriented Programming (ROP)
  - What is ROP
- Binary Security
  Binary Security
- The Heap
  The Heap
  - What is the Heap
  - Heap Exploitation
- Format String Vulnerability
  Format String Vulnerability
  - What is a Format String Vulnerability
FAQ
FAQ

Disk Imaging

A forensic image is an electronic copy of a drive (e.g. a hard drive, USB, etc.). It’s a bit-by-bit or bitstream file that’s an exact, unaltered copy of the media being duplicated.

Wikipedia said that the most straightforward disk imaging method is to read a disk from start to finish and write the data to a forensics image format. “This can be a time-consuming process, especially for disks with a large capacity,” Wikipedia said.

To prevent write access to the disk, you can use a write blocker. It’s also common to calculate a cryptographic hash of the entire disk when imaging it. “Commonly-used cryptographic hashes are MD5, SHA1 and/or SHA256,” said Wikipedia. “By recalculating the integrity hash at a later time, one can determine if the data in the disk image has been changed. This by itself provides no protection against intentional tampering, but it can indicate that the data was altered, e.g. due to corruption.”

Why image a disk? Forensic imaging: - Prevents tampering with the original data evidence - Allows you to play around with the copy, without worrying about messing up the original

Forensic Image Extraction Exmple

This example uses the tool AccessData FTK Imager.

Step 1: Go to File > Create Disk Image

File Image Demo

Step 2: Select Physical Drive, because the USB or hard drive you’re imaging is a physical device or drive.

File Image Demo

Step 3: Select the drive you’re imaging. The 1000 GB is my computer hard drive; the 128 MB is the USB that I want to image.

File Image Demo

Step 4: Add a new image destination

File Image Demo

Step 5: Select whichever image type you want. Choose Raw (dd) if you’re a beginner, since it’s the most common type

File Image Demo

Step 6: Fill in all the evidence information

File Image Demo

Step 7: Choose where you want to store it

File Image Demo

Step 8: The image destination has been added. Now you can start the image extraction

File Image Demo

Step 9: Wait for the image to be extracted

File Image Demo

Step 10: This is the completed extraction

File Image Demo

Step 11: Add the image you just created so that you can view it

File Image Demo

Step 12: This time, choose image file, since that’s what you just created

File Image Demo

Step 13: Enter the path of the image you just created

File Image Demo

Step 14: View the image.

Evidence tree Structure of the drive image
File list List of all the files in the drive image folder
Properties Properties of the file/folder being examined
Hex viewer View of the drive/folders/files in hexadecimal

File Image Demo

Step 15: To view files in the USB, go to Partition 1 > [USB name] > [root] in the Evidence Tree and look in the File List

File Image Demo

Step 16: Selecting fileA, fileB, fileC, or fileD gives us some properties of the files & a preview of each photo

File Image Demo

Step 17: Extract files of interest for further analysis by selecting, right-clicking and choosing Export Files

File Image Demo