Advice Request Difference between Imaging System using Forensic tool and Backup solution


DDE_Server

I am studying the CHFI course right now. One of the questions which popped up in my mind: what is the difference between imaging software and a backup solution? Forensic science tries to image/duplicate the original evidence with minimal interaction with the system to avoid the corruption of the evidence after investigation?? Is that the only difference? For example, software called R-Drive is used for imaging with the extension .dd; why not take a backup with, for example, Norton Ghost to take a ghost image??
R-Drive also needs to be installed on the live machine; it isn't portable, for example, which means it will avoid creating an additional process in the process table. What is the advantage here?? Is it the type of the data, for example, which may be raw format and be analyzed in hex editor software?? Let us have your opinion, gents.
 

Zero Knowledge

You will need a full image if you're doing forensic work as a consultant or for the police. Your job is to prove the crime/event without polluting the evidence pool and introducing reasonable doubt. If you have to give evidence on the stand, you have to have bulletproof evidence for conviction, otherwise it won't stand up in court. Backups can be taken too for evidence, but that's more to do with network breaches at large corporations.
 

DDE_Server

It is a different reason. After posting this question, I found the instructor hit this point in the module video. The main reason is that forensic image software is specific imaging software which does "bit-to-bit" duplication, which means copying all hard drive sectors, including bad sectors, slack space and unused clusters, to a new shrink-wrapped or sanitized hard drive. However, backup solutions only copy live system files and user files to keep the output within an optimum size and take a backup in an efficient and speedy way. So for normal usage, backup is good as a rapid and efficient solution for consumers and businesses, and bit-to-bit imaging is suitable for forensic analysis to make a duplication of the images which, when its hash is calculated, gives the same hash value as the original evidence, which could be admissible in court as evidence.
 
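The acquire-then-verify step described in the post above, as an added example that is not part of the original thread: it copies a constructed 1 MiB stand-in for an evidence drive with dd, accepts the image only if its SHA-256 matches the source, and shows that a single changed byte is detected later. The file names and function names are assumptions made for illustration.

```shell
# Added example: bit-for-bit acquisition followed by hash verification.
# The "drive" is a constructed file; on a real case the source would be a
# block device attached through a write blocker.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# Copy every byte of $1 to $2, record both digests, succeed only if they match.
acquire_image() {
    local src=$1 dst=$2 src_hash dst_hash
    src_hash=$(sha256_of "$src") || return 2
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 2
    dst_hash=$(sha256_of "$dst")
    printf '%s  source\n%s  image\n' "$src_hash" "$dst_hash" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Re-check an image against the digest recorded at acquisition time.
verify_image() {
    local img=$1 recorded
    recorded=$(awk '$2 == "image" {print $1}' "$img.sha256")
    [ "$(sha256_of "$img")" = "$recorded" ]
}

demo() {
    local work
    work=$(mktemp -d)
    # Constructed drive: zeros, plus a remnant string sitting in otherwise
    # unused space (the kind of data a file-level backup would skip).
    dd if=/dev/zero of="$work/evidence.raw" bs=4096 count=256 2>/dev/null
    printf 'remnant of a deleted file' |
        dd of="$work/evidence.raw" bs=1 seek=700000 conv=notrunc 2>/dev/null

    acquire_image "$work/evidence.raw" "$work/evidence.dd" &&
        echo "acquisition verified: image digest equals source digest"
    # The raw image carries the remnant because every sector was copied.
    grep -a -c 'remnant of a deleted file' "$work/evidence.dd"

    # Change one byte of the image: the recorded digest no longer matches.
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=10 conv=notrunc 2>/dev/null
    verify_image "$work/evidence.dd" || echo "image altered after acquisition"
    rm -rf "$work"
}

demo
```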

Andy Ful

Disk imaging is a common backup technique in good backup software also for home users (like Paragon Backup&Recovery free or Macrium Reflect).
It is good for any home user to make such a backup after buying the computers (especially laptops). The full disk image can save factory partitions that can have non-default size and content. Usually, the disk image is created with all disk partitions and boot sectors. This can protect the user against some nasty ransomware and disk corruption. I have such backups (disk images) from many computers - some images are 20 years old. If I remember correctly, the user can choose to skip free space to make the disk image smaller. This option and some others make the disk image slightly different from the original disk, but this difference is not important for home users.
As you already noticed, the forensic software can make an exact copy of the disk, so one can recover deleted files, deleted partitions, and partially overwritten sectors to retrieve some useful data.
 

sepik

I always image my drive via a Macrium USB stick, not from within Windows. If PBA (pre-boot authentication) is used by some device encryption software, like many agencies, even NATO, using Sophos Safeguard (ex Utimaco), I think it does not work.
 

DDE_Server

Do you know if AOMEI Backupper has imaging as an option?! For Macrium, is it available in the free version??
 

Andy Ful

It seems so:
https://www.ubackup.com/articles/create-hdd-image-0708.html
https://macrium-reflect-free.en.uptodown.com/windows

See also
https://blog.macrium.com/techie-tuesday-image-or-clone-e6be74abb089
 