SANS Digital Forensics and Incident Response Blog: Tag - Evidence Acquisition

Putting Disk Imaging in the Fast Lane

When it comes to imaging a hard disk, I believe that keeping it simple is best. I also believe that faster is better. The less time it takes to prepare for imaging, and the faster the imaging speed, the sooner I can begin analysis.

I've imaged disks using many different methods. A few of the more common methods are:

  • Connecting the suspect drive to a computer using Tableau write-block devices and using EnCase or dcfldd
  • Booting the suspect system using the Helix CD-ROM; saving the disk image to external media or to a network share
  • Using a self-sustaining device such as the