LECTURER MR D.MUSUNDIRE
A sparse file is a type of computer file that attempts to use file system space more efficiently
when the file itself is mostly empty. This is achieved by writing brief information (metadata)
representing the empty blocks to disk instead of the actual "empty" space which makes up the
block, thereby using less disk space. The full block size is written to disk as the actual size only when the
A bitstream image is an exact bit-for-bit copy of a hard drive. This means that every bit is
duplicated on a separate, forensically clean piece of media, for example another hard drive. The disk
cloning process creates what is known as a 'one-to-one' copy. This duplicate is fully functional,
and in the event that it is swapped in to replace the original drive, it will work just like the
original. The computer, when booted using the cloned drive, has operations and data
identical to the original drive. However, cloning a drive can be time consuming, and therefore
it usually makes more sense to do the cloning in the lab as opposed to at the scene, but in this
Hard drives are susceptible to failure; therefore, being in possession of two clones gives the
forensic investigator one to examine and one to fall back on. In the eyes of the court, a
called the destination drive. The destination drive must be at least as large as or even slightly
The source drive is usually removed from the computer and then connected via cable to a cloning
device or to another computer. A write blocker is a crucial piece of hardware or software that
is used to safeguard the original evidence during the cloning process. Therefore, having some
type of write blocking in place before starting the process is essential. The hardware write
The destination drive must be forensically cleaned before cloning a suspect’s drive to it. Most
forensic imaging tools such as Helix will generate some type of paper trail, proving that this
cleaning has taken place. This paperwork becomes part of the case file. Cloning is successful
when the hash values for the source and clone match.
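The hash check described above, as an added example that is not part of the original notes: a dd acquisition (the same tool discussed later in these notes) followed by hashing of both source and image and a log entry for the case file. The source is a constructed file standing in for a write-blocked drive; the paths and log format are assumptions.

```shell
#!/bin/sh
# Added example: acquire a bitstream image with dd, then prove the image
# matches the source by comparing SHA-256 hashes and recording the result.
set -eu

WORKDIR=$(mktemp -d)
SRC="$WORKDIR/source.bin"       # constructed stand-in for /dev/sdX behind a write blocker
IMG="$WORKDIR/image.dd"         # the bitstream image
LOG="$WORKDIR/acquisition.log"  # paper trail that goes into the case file

# Constructed sample "evidence": exactly 1 MiB, a multiple of the 512-byte
# block size (as a real drive's capacity is), so conv=sync pads nothing.
head -c 1048576 /dev/urandom > "$SRC"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Bit-for-bit copy. noerror keeps reading past a bad sector; sync zero-fills
# that sector in the image so all later data keeps its original offset.
acquire() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>>"$LOG"
}

# Hash source and image, log both values, return 0 only when they match.
verify() {
    src_hash=$(sha256_of "$SRC")
    img_hash=$(sha256_of "$IMG")
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    printf '%s source sha256=%s\n' "$stamp" "$src_hash" >>"$LOG"
    printf '%s image  sha256=%s\n' "$stamp" "$img_hash" >>"$LOG"
    [ "$src_hash" = "$img_hash" ]
}

acquire
if verify; then
    echo "VERIFIED: image matches source (log: $LOG)"
else
    echo "MISMATCH: image is not a faithful copy (log: $LOG)" >&2
    exit 1
fi
```

If verification fails, the image must not be examined as evidence; re-acquire and check the source drive and cabling for read errors recorded by dd in the log.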
Disk imaging is the process of copying a hard drive as a backup copy or an archive. This
involves copying all the data stored on the source drive, including data such as the master boot
record and allocation table information. This image, however, is a single file that can be stored
on any storage device and not necessarily an identical hard drive. In the event that a
restoration is necessary, the image will have to be applied to the hard drive. A system restore
is not possible by just copying the image file onto the hard drive, unlike with the cloning method.
A software imaging program will have to be employed to install and open the image on the
hard drive. The backup device can therefore be used to store multiple image files, unlike the
cloned drive, where only a single clone can be stored on the duplicate drive.
dd is a Unix-based copy program that also copies data at the byte level. Many variations of
the dd program have been developed, including forensic implementations that automatically
produce hash values of the image files and log any errors. Many forensic practitioners run dd
through Helix. Helix is a forensic implementation of Linux that ensures that all drives attached
to the machine the CD is used on are write-protected until the user indicates otherwise.
Access Data's Forensic Imager has the ability to create dd and EnCase formatted images; its
Forensic Toolkit will read certain versions of EnCase image files as well as dd. Other imaging
programs that can be used include dcfldd, which is an enhanced version of GNU dd with