Q&A Difference between Imaging System using Forensic tool and Backup solution

DDE_Server

Level 22
Verified
Sep 5, 2017
1,091
I am studying the CHFI course right now, and one question popped up in my mind: what is the difference between imaging software and a backup solution? Forensic science tries to image/duplicate the original evidence with minimal interaction with the system, to avoid corrupting the evidence after investigation. Is that the only difference? For example, software called R-Drive is used for imaging with the extension .dd; why not take a backup with, for example, Norton Ghost to take a ghost image?
R-Drive also needs to be installed on the live machine (it isn't portable, for example, which means it will avoid creating an additional process in the process table). What is the advantage here? Is it the type of the data, for example, which may be in raw format and be analyzed in hex editor software? Let's have your opinion, gents.
 

Zero Knowledge

Level 7
Dec 2, 2016
321
You will need a full image if you're doing forensic work as a consultant or for the police. Your job is to prove the crime/event without polluting the evidence pool and introducing reasonable doubt. If you have to give evidence on the stand, you have to have bulletproof evidence for conviction, otherwise it won't stand up in court. Backups can be taken too for evidence, but that's more to do with network breaches at large corporations.
 

DDE_Server

It is a different reason. After posting this question, I found that the instructor hit this point in the module video. The main reason is that forensic imaging software is specific imaging software that does "bit-to-bit" duplication, which means copying all hard drive sectors, including bad sectors, slack space and unused clusters, to a new shrink-wrapped or sanitized hard drive. Backup solutions, however, only copy live system files and user files, to keep the output within an optimum size and take the backup in an efficient and speedy way. So for normal usage, backup is a rapid and efficient solution for consumers and businesses, and bit-to-bit imaging is suitable for forensic analysis, to make a duplicate image which, when its hash is calculated, gives the same hash value as the original evidence and could be admissible in court as evidence.
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,015
Disk imaging is a common backup technique in good backup software also for home users (like Paragon Backup&Recovery free or Macrium Reflect).
It is good for any home user to make such a backup after buying a computer (especially a laptop). The full disk image can save factory partitions that can have non-default size and content. Usually, the disk image is created with all disk partitions and boot sectors. This can protect the user against some nasty ransomware and disk corruption. I have such backups (disk images) from many computers - some images are 20 years old. If I remember correctly, the user can choose to skip free space to make the disk image smaller. This option and some others make the disk image slightly different from the original disk, but this difference is not important for home users.
As you already noticed, the forensic software can make an exact copy of the disk, so one can recover deleted files, deleted partitions, and partially overwritten sectors to retrieve some useful data.
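
An added illustration (not code from any poster in this thread) of the point made in the two posts above: a sector-by-sector image hashes identically to the source and keeps slack-space and unallocated residue, while a file-level backup keeps only live file bytes. The 8-sector "disk", its allocation table, and all function and file names are constructed for this example.

```python
import hashlib, tempfile
from pathlib import Path

SECTOR = 512

def build_sample_disk(path):
    """Constructed 8-sector 'disk': one live file plus residue a file backup skips."""
    disk = bytearray(SECTOR * 8)
    # Sectors 2-3 held an older file; the live file overwrites only 700 bytes, leaving slack.
    disk[2*SECTOR:4*SECTOR] = (b"OLD-DRAFT-SECRET " * 61)[:2*SECTOR]
    live = b"quarterly report v2\n" * 35
    disk[2*SECTOR:2*SECTOR + len(live)] = live
    deleted = b"DELETED: wire transfer"          # sector 5: unallocated, never wiped
    disk[5*SECTOR:5*SECTOR + len(deleted)] = deleted
    Path(path).write_bytes(disk)
    return {"report.txt": (2*SECTOR, len(live))}  # allocation table: name -> (offset, length)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(src, dst):
    """Bit-for-bit copy of every sector, then hash source and image independently."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        for sector in iter(lambda: s.read(SECTOR), b""):
            d.write(sector)
    return sha256_file(src), sha256_file(dst)

def file_level_backup(src, table):
    """What a file backup keeps: only the bytes belonging to live files."""
    raw = Path(src).read_bytes()
    return b"".join(raw[off:off + n] for off, n in table.values())

def demo():
    tmp = Path(tempfile.mkdtemp())
    disk, image = tmp / "evidence.bin", tmp / "evidence.dd"
    table = build_sample_disk(disk)
    src_hash, img_hash = acquire_image(disk, image)
    raw, backup = image.read_bytes(), file_level_backup(disk, table)
    markers = [b"OLD-DRAFT-SECRET", b"DELETED: wire transfer"]
    return {"hash_match": src_hash == img_hash,
            "in_image": [m in raw for m in markers],
            "in_backup": [m in backup for m in markers],
            "sizes": (len(raw), len(backup))}

if __name__ == "__main__":
    print(demo())
```
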
 

sepik

Level 11
Aug 21, 2018
521
I always image my drive via a Macrium USB stick, not from within Windows. If PBA (pre-boot authentication) is used by some device encryption software (many agencies, even NATO, use Sophos Safeguard (ex Utimaco)), I think it does not work.
 

DDE_Server

Do you know if AOMEI Backupper has imaging as an option? For Macrium, is it available in the free version?
 

Andy Ful

It seems so:
https://www.ubackup.com/articles/create-hdd-image-0708.html
https://macrium-reflect-free.en.uptodown.com/windows

See also
https://blog.macrium.com/techie-tuesday-image-or-clone-e6be74abb089
 