Computer Forensic Imaging Software
Forensic Imager is a Windows-based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats:
- DD/RAW (Linux “Disk Dump”)
- E01 (EnCase®)
Forensic Imager provides three separate functions:
- Acquire: The acquire option is used to take a forensic image (an exact copy) of the target media into an image file on the investigator's workstation;
- Convert: The convert option is used to copy an existing image file from one image format to another, e.g. DD to E01;
- Hash or verify: The hash or verify option is used to calculate a hash value, MD5, SHA1 or SHA256, for a device or an existing image file.
Includes the option to SHA256 sector hash a device so that known sectors can be located within image files (e.g. a single sector of a JPEG file left in unallocated clusters can be identified by its sector hash).
Records a detailed log file including source and verification hash information for each image taken.
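The SHA256 sector hashing described above, sketched in Python for a DD/RAW image. This is an added example, not Forensic Imager's own code; the function names, the 512-byte sector size and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: 512-byte sectors; use 4096 for 4Kn media


def sector_hashes(stream, sector_size=SECTOR_SIZE):
    """Yield (sector_index, sha256_hex) for each sector of a raw (DD) image."""
    index = 0
    while block := stream.read(sector_size):
        # A short final read means the image is not sector-aligned; zero-pad it
        block = block.ljust(sector_size, b"\x00")
        yield index, hashlib.sha256(block).hexdigest()
        index += 1


def build_known_set(data, label, sector_size=SECTOR_SIZE):
    """Map sector hash -> label for every full sector of a known file."""
    known = {}
    for i in range(0, len(data) - sector_size + 1, sector_size):
        block = data[i:i + sector_size]
        if len(set(block)) > 1:  # skip uniform sectors (e.g. all zeros): they match everywhere
            known[hashlib.sha256(block).hexdigest()] = f"{label}#sector{i // sector_size}"
    return known


def locate_known_sectors(stream, known, sector_size=SECTOR_SIZE):
    """Return [(sector_index, byte_offset, label)] for sectors whose hash is known."""
    hits = []
    for index, digest in sector_hashes(stream, sector_size):
        if digest in known:
            hits.append((index, index * sector_size, known[digest]))
    return hits


# Constructed sample: a 3-sector "known file" and a 6-sector raw image in which
# only the file's second sector survives, at image sector 4.
KNOWN_FILE = b"".join(bytes((n * 7 + k) % 256 for k in range(512)) for n in (1, 2, 3))
IMAGE = bytes(512 * 4) + KNOWN_FILE[512:1024] + b"\xff" * 512

if __name__ == "__main__":
    known = build_known_set(KNOWN_FILE, "known.jpg")
    for hit in locate_known_sectors(io.BytesIO(IMAGE), known):
        print(hit)
```

The match only works when the surviving fragment is sector-aligned in the image, which is why the lookup is keyed on whole sectors and not on arbitrary byte ranges.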
Forensic Imager should be run as local Administrator to ensure that sufficient access rights are available for access to devices.
Forensic Imager uses EnCase® v6 E01 format. Independent verification of images with EnCase® should be done using v6 or above.
Forensic Imager does NOT support DOS acquisition. If acquisition from a DOS boot disk is required, alternative forensic acquisition software should be used.
Forensic Imager does not currently support the acquisition of HPA or DCO areas. The HPA and DCO are two areas of a hard drive that are not normally visible to an operating system or an end user. Whilst the HPA and DCO are hidden, it is technically possible for a user to access these areas and store/hide data.
Mount Image Files
Mount E01 and DD files created by Forensic Explorer with Mount Image Pro from www.mountimage.com
EnCase® is a registered trademark of Guidance Software