
STUDENT NAME KUZIVA CELFIN MAGADU

STUDENT NUMBER N0161340W

DEPARTMENT COMPUTER SCIENCE

LECTURER MR D.MUSUNDIRE

COURSE DIGITAL FORENSICS

COURSE CODE SCI 4201


Case Project 4

Creating a Sparse Copy

A sparse file is a type of computer file that uses file system space more efficiently when the file itself is mostly empty. Instead of writing the "empty" (all-zero) blocks to disk, the file system records only brief metadata describing where those empty blocks are, so the file occupies less disk space. A block is written to disk at its full size only when it contains "real", non-empty data.

Disk Cloning Method

A bitstream image is an exact bit-for-bit copy of a hard drive, meaning that every bit is duplicated on a separate, forensically clean piece of media, for example another hard drive. The disk cloning process creates what is known as a 'one-to-one' copy. This duplicate is fully functional, and if it is swapped in to replace the original drive it will work just like the original: a computer booted from the cloned drive has operations and data identical to those of the original drive. However, cloning a drive can be time consuming, so it usually makes more sense to do the cloning in the lab rather than at the scene; in this case, though, the suspect media is only 2GB, which makes this method an option.

Hard drives are susceptible to failure, so being in possession of two clones gives the forensic investigator one to examine and one to fall back on. In the eyes of the court, a properly authenticated forensic clone is as good as the original.


When cloning, the suspect's drive is called the source drive and the drive being cloned to is called the destination drive. The destination drive must be at least as large as the source drive, and preferably slightly larger.

The source drive is usually removed from the computer and then connected via cable to a cloning device or to another computer. A write blocker is a crucial piece of hardware or software used to safeguard the original evidence during the cloning process, so having some type of write blocking in place before starting is essential. A hardware write blocker is placed between the cloning device and the source drive.

The destination drive must be forensically cleaned before a suspect's drive is cloned to it. Most forensic imaging tools, such as Helix, will generate some type of paper trail proving that this cleaning has taken place, and this paperwork becomes part of the case file. Cloning is successful when the hash values for the source and the clone match.

Disk Imaging Method

Disk imaging is the process of copying a hard drive as a backup copy or an archive. This involves copying all the data stored on the source drive, including structures such as the master boot record and the file allocation table information. The image, however, is a single file that can be stored on any storage device and not necessarily on an identical hard drive. If a restoration is necessary, the image has to be applied to a hard drive: unlike with the cloning method, a system cannot be restored by simply copying the image file onto the hard drive; a software imaging program has to be employed to open the image and write it to the drive. The backup device can therefore hold multiple image files, unlike a cloned drive, which can hold only a single clone.

dd is a Unix-based copy program that copies data at the byte level. Many variations of the dd program have been developed, including forensic implementations that automatically produce hash values of the image files and log any errors. Many forensic practitioners run dd through Helix, a forensic implementation of Linux that ensures that all drives attached to the machine the CD is used on are write-protected until the user indicates otherwise. AccessData's Forensic Imager can create dd and EnCase formatted images, and its Forensic Toolkit will read certain versions of EnCase image files as well as dd images. Other imaging programs that can be used include dcfldd, an enhanced version of GNU dd with features useful for forensics and security, and guymager.
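An added example, not part of this assignment or of any of the tools named above: a POSIX shell script that images a constructed, mostly-empty "source drive" with dd into a sparse image file, logs the SHA-256 of source and image, and accepts the acquisition only when the two hashes match, which is the success test the cloning and imaging sections both rely on. It assumes GNU coreutils (dd with conv=sparse, sha256sum, du, mktemp); the source is a constructed file standing in for a write-blocked device, not a real drive.

```shell
#!/bin/sh
# Added example, not from the assignment: image a mostly-empty source with dd,
# write the output as a sparse file, and verify source and image hashes match.
# Assumes GNU coreutils. SRC is a constructed file, not a write-blocked device.
set -eu

WORK="$(mktemp -d)"
SRC="$WORK/source.raw"    # constructed stand-in for the suspect's drive
IMG="$WORK/evidence.dd"   # the dd image (single file, any storage device)
LOG="$WORK/imaging.log"   # paper trail: dd messages and both hashes

# Constructed source: 16 MiB of really written zero blocks with a little data
# at the start, i.e. a fully allocated but "mostly empty" drive.
make_source() {
    dd if=/dev/zero of="$SRC" bs=1M count=16 2>/dev/null
    printf 'constructed sample: boot sector and a few small files\n' \
        | dd of="$SRC" conv=notrunc 2>/dev/null
}

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy $1 to $2 block by block. conv=sparse makes dd seek over output blocks
# that are all zero instead of writing them, so the image occupies fewer disk
# blocks while its logical content, and therefore its hash, stays identical.
image_drive() {
    dd if="$1" of="$2" bs=4k conv=sparse 2>>"$LOG"
}

# Record both hashes in the log; succeed only if they are equal.
verify_image() {
    src_hash="$(sha256_of "$1")"
    img_hash="$(sha256_of "$2")"
    printf 'source %s sha256 %s\nimage  %s sha256 %s\n' \
        "$1" "$src_hash" "$2" "$img_hash" >>"$LOG"
    [ "$src_hash" = "$img_hash" ]
}

# Logical size and actually allocated size of a file, in KiB.
apparent_kib() { du -k --apparent-size "$1" | cut -f1; }
allocated_kib() { du -k "$1" | cut -f1; }

make_source
image_drive "$SRC" "$IMG"
verify_image "$SRC" "$IMG"    # under set -e a hash mismatch aborts here
printf 'hashes match (log: %s); image %s KiB logical, %s KiB allocated\n' \
    "$LOG" "$(apparent_kib "$IMG")" "$(allocated_kib "$IMG")"
```

The allocated figure printed at the end is normally far below the logical 16384 KiB, which is the sparse-copy saving described at the top of this case project; on a file system without sparse-file support the two figures are equal but the hashes still match.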
