Computer Forensic Imaging Software

Forensic Imager

Forensic Imager is a Windows-based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats:

Program Functions

Forensic Imager provides three separate functions:

Includes the option to SHA256 sector hash a device so that known sectors can be located within an image file (e.g. a single sector of a JPEG file left in unallocated clusters can be identified by its sector hash).

Records a detailed log file including source and verification hash information for each image taken.
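An added example (not Forensic Imager's code or its output format) of how the sector hashing described above locates a known fragment: hash each full sector of a known file with SHA-256, then scan an image for sectors with a matching hash. The 512-byte sector size, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io
import os

SECTOR = 512  # assumed sector size; 4096-byte-sector devices need a different value


def sector_hashes(data, sector=SECTOR):
    """Map SHA-256 digest -> sector index for every full sector of a known file."""
    known = {}
    for i in range(len(data) // sector):   # the trailing partial sector is skipped
        block = data[i * sector:(i + 1) * sector]
        if len(set(block)) == 1:           # uniform fill (e.g. zeros) would match everywhere
            continue
        known.setdefault(hashlib.sha256(block).digest(), i)
    return known


def scan_image(image, known, sector=SECTOR):
    """Return (image_offset, file_sector_index) for each image sector with a known hash."""
    hits = []
    offset = 0
    while True:
        block = image.read(sector)
        if len(block) < sector:
            break
        idx = known.get(hashlib.sha256(block).digest())
        if idx is not None:
            hits.append((offset, idx))
        offset += sector
    return hits


def build_demo():
    """Constructed sample: a known file of 4 full sectors plus a 100-byte tail, and a
    16-sector image holding only sector 2 of that file at image sector 9."""
    known_file = b"\xff\xd8\xff\xe0" + os.urandom(4 * SECTOR - 4 + 100)
    image = bytearray(16 * SECTOR)                         # zero-filled "unallocated" space
    image[3 * SECTOR:5 * SECTOR] = os.urandom(2 * SECTOR)  # unrelated data
    image[9 * SECTOR:10 * SECTOR] = known_file[2 * SECTOR:3 * SECTOR]
    return known_file, bytes(image)


if __name__ == "__main__":
    known_file, image = build_demo()
    for offset, idx in scan_image(io.BytesIO(image), sector_hashes(known_file)):
        print(f"image offset {offset:#x}: matches sector {idx} of known file")
```

A match depends on the fragment being sector-aligned in the image, which holds for file data stored at cluster boundaries.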

System Requirements

Forensic Imager should be run as local Administrator to ensure that sufficient access rights are available for access to devices.

Forensic Imager uses EnCase® v6 E01 format. Independent verification of images with EnCase® should be done using v6 or above.

Forensic Imager does NOT support DOS acquisition. If acquisition from a DOS boot disk is required, alternative forensic acquisition software should be used.

Forensic Imager does not currently support the acquisition of HPA or DCO areas. The HPA and DCO are two areas of a hard drive that are not normally visible to an operating system or an end user. Whilst the HPA and DCO are hidden, it is technically possible for a user to access these areas and store/hide data.

Mount Image Files

Mount E01, DD files created by Forensic Explorer with Mount Image Pro from

EnCase® is a registered trademark of Guidance Software