
    Forensic Image Analysis with FOG

    General Problems
    icescout27:

      Hello everyone,

      I just had a sort of general question as to whether or not it is possible to use a captured raw dd image in FTK. I would like to use the image to perform a forensic analysis on the contents of the drive and need to use raw dd since it is a sector by sector copy.

      I have a one terabyte image captured but the resulting image is only ~92 GB, I’m assuming due to compression? But I also thought you couldn’t compress a raw dd image. The image extension is also .000 when typically raw images start at .001.

      When I try to load the image into FTK it only displays “GZIP” in the evidence tree but has no content. I’ve tried capturing the image many different times with the same results. Not sure if anyone will know, just thought I would ask.

    Tom Elliott (replying to @icescout27):

        @icescout27 you can disable the compression in 1.5.7.

        That said, it isn’t quite a dd raw image per se, as it’s not using dd in its native form. It’s using partclone’s imager format, which is still a raw copy, just not from dd. The reasoning for this is that our scripts can then simply call partclone.restore to place that image on disk regardless of type (raw, btrfs, ntfs, ext, etc…).

        If you really need a true sector by sector you can manually run a dd instance if you know how.

        Typically, though, FOG isn’t really intended for forensic usage, as we typically are capturing images to be used for mass on other systems. This of course is not to say FOG couldn’t be used for this, just that it’s not something we are familiar with as part of our product.

        If you need any help I’m sure we can provide some assistance.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

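Tom's suggestion of running dd by hand, worked through as an added example (this is not FOG project code and was not posted in the thread): a sector-by-sector copy with conv=noerror,sync, dd's record counts kept as a log, and a hash of the source recorded at acquisition time so the image can be verified afterwards. The paths, the --demo switch and the function names are assumptions for illustration; on a real machine SRC would be the block device (for example /dev/sda) and the script would run from a FOG debug task or another boot medium with that disk not mounted.

```shell
#!/bin/sh
# Added example, not FOG project code: a sector-by-sector acquisition with
# plain dd plus the verification pass a forensic practitioner would want.
# Paths are placeholders; run from a FOG debug task (or any Linux boot
# medium) with the target disk NOT mounted, and SRC set to the block device.

# sha256_of FILE: print only the hex digest of FILE (works on block devices too).
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# acquire_raw SRC DST [BS]: copy SRC to DST sector by sector.
#   conv=noerror  keeps reading after an unreadable block instead of aborting
#   conv=sync     zero-fills that block so the data after it keeps its offset
#   BS            must divide the device size, because conv=sync pads the last
#                 partial block up to BS; 512 is always safe, larger is faster
# dd's record counts go to DST.log; the hash of the source, read a second
# time after the copy, goes to DST.sha256 (a truly unreadable sector makes
# that second read fail as well, and the log is then the record of it).
acquire_raw() {
    src=$1; dst=$2; bs=${3:-512}
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.log" || return 1
    sync
    sha256_of "$src" > "$dst.sha256"
}

# verify_image DST: succeed only if the written image hashes to the value
# recorded for the source at acquisition time.
verify_image() {
    dst=$1
    expected=$(cat "$dst.sha256")
    actual=$(sha256_of "$dst")
    [ "$expected" = "$actual" ]
}

# image_size DST: bytes written, to compare against the device size
# (blockdev --getsize64 /dev/sdX on the source machine).
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Demo on a constructed 1 MiB "device" so the script runs without real hardware.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/fake_sda" bs=1024 count=1024 2>/dev/null
    if acquire_raw "$tmp/fake_sda" "$tmp/sda.dd" && verify_image "$tmp/sda.dd"; then
        echo "image verified: $(cat "$tmp/sda.dd.sha256") ($(image_size "$tmp/sda.dd") bytes)"
    else
        echo "verification FAILED"
    fi
    rm -rf "$tmp"
fi
```

The hash comparison is the minimum check worth having whatever tool does the copy; as george1421 notes further down, it does not turn dd into a validated forensic imager for evidence that has to stand up legally.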
    Sebastian Roth (Moderator):

          @icescout27 Just to add to what Tom said: You can manually extract the image if you don’t want to recapture it (with compression disabled).

          mv file.000 file.gz
          zcat file.gz | partclone.restore --restore_raw_file -C -s - -O hda.img

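Sebastian's extraction as an added example, not the project's own code: instead of renaming the file to .gz and assuming gzip, the script sniffs the first bytes, because FOG 1.5.x can also write zstd-compressed or uncompressed partclone images and the .000 extension says nothing about which one you have. The partclone.restore flags are the ones Sebastian used; the function names, the constructed sample files and the hash written beside the output are assumptions added here.

```shell
#!/bin/sh
# Added example, not FOG project code: turn a FOG-captured partclone image
# back into a flat raw file without recapturing, detecting the compression
# from magic bytes rather than from the file extension.

# magic_hex FILE: first four bytes of FILE as lowercase hex (dd and od are POSIX).
magic_hex() {
    dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# image_format FILE: prints gzip | zstd | partclone | unknown
image_format() {
    m=$(magic_hex "$1")
    case "$m" in
        1f8b*)    echo gzip ;;     # RFC 1952 gzip member header
        28b52ffd) echo zstd ;;     # zstd frame magic
        *)
            # an uncompressed partclone image starts with the ASCII string "partclone-image"
            if [ "$(dd if="$1" bs=1 count=15 2>/dev/null)" = "partclone-image" ]; then
                echo partclone
            else
                echo unknown
            fi ;;
    esac
}

# decompress_cmd FILE: print the command that streams FILE to stdout as a
# partclone image; fail for a file we do not recognise.
decompress_cmd() {
    case "$(image_format "$1")" in
        gzip)      echo "zcat" ;;
        zstd)      echo "zstd -dc" ;;
        partclone) echo "cat" ;;
        *)         return 1 ;;
    esac
}

# extract_raw FILE OUT: stream FILE through the right decompressor into
# partclone.restore, which writes a flat raw file (--restore_raw_file) to OUT.
#   -C   skips the device size / free-space check meant for a real target disk
#   -s - reads the image from stdin
#   -O   overwrites OUT if it exists
# On success the SHA-256 of the output is recorded beside it.
extract_raw() {
    cmd=$(decompress_cmd "$1") || { echo "unrecognised image format: $1" >&2; return 1; }
    $cmd "$1" | partclone.restore --restore_raw_file -C -s - -O "$2" \
        && sha256sum "$2" > "$2.sha256"
}

# Usage (real run, needs partclone installed):
#   extract_raw /images/mydisk/d1.000 /tmp/hda.img
```

The raw file that comes out is the partition or disk contents partclone captured, so FTK should open it as a plain dd image; the header partclone wrapped around it, which is what FTK was showing as "GZIP" with nothing underneath, is gone.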
    george1421 (Moderator):

            If you are imaging for forensic analysis for legal reasons you should not use FOG. You need to use something like “Arsenal Recon” or “SANS SIFT” (which could be delivered by PXE booting in FOG). This software needs to be nationally recognized and to export its information in AFF format. If you don’t use a legally approved method the image collection will be discarded as tainted evidence.

            Copyright © 2012-2024 FOG Project