eastbaycyber

Forensic Imaging: Definition, Workflow, and When You’ll Need It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Forensic imaging is the process of acquiring a forensically sound, bit-for-bit copy of a storage device or logical volume, preserving data exactly as it existed at acquisition time. It combines acquisition with:

Forensic imaging is the process of creating a forensically sound, bit-for-bit copy of storage media (or a defined logical scope) so you can investigate without changing the original evidence. A proper forensic imaging workflow pairs acquisition with hash verification and a documented chain of custody, which is what makes the resulting image defensible in incident response, HR/fraud inquiries, and legal or regulatory matters.

How forensic imaging works (step-by-step)

Forensic imaging is more than copying files. A normal file copy typically captures only active files and misses deleted artifacts, slack space, and some metadata. A forensic image aims to capture everything addressable on the media (or everything in a defined scope) and prove it wasn’t altered.

1) Scope selection: physical vs. logical acquisition

You typically choose one of these approaches:

  • Physical (disk) image: Copies all sectors of a drive (or partition), including unallocated space, slack space, and remnants of deleted data. Best for deep investigations and defensibility.
  • Logical image: Copies a subset such as a folder tree, specific files, or a logical volume view. Faster and smaller, but may miss artifacts outside normal file listings.

Practical guidance: if the situation could escalate (ransomware, insider threat, fraud, regulatory inquiry), default to physical imaging when feasible and permitted.

2) Preservation: write-blocking and minimal handling

To avoid contaminating evidence:

  • Use a hardware write blocker when imaging a seized drive.
  • If imaging a live system (common in IR), minimize actions that change disk state, and capture volatile data (RAM) first if required.

Write-blocking prevents writes to the source media, reducing accidental modification (for example, an operating system mounting a drive and updating metadata).

3) Acquisition: sector-by-sector read into an image format

The imaging tool reads from the source and writes to a destination image file (or a segmented set). Common formats include:

  • RAW / dd (.dd, .img): Simple sector copy; widely supported.
  • E01 (EnCase Evidence File): Supports compression, metadata, chunking, and per-block hashes.
  • AFF/AFF4: Open formats used in various forensic workflows; AFF4 supports modern container features.

You’ll also choose operational settings such as compression (if supported), split sizes (for example, 2GB segments), and bad-sector handling.

4) Integrity: hashing and verification

A defining property of forensic imaging is repeatable integrity checking:

  • Calculate cryptographic hashes (commonly SHA-256, sometimes MD5 for legacy compatibility).
  • Verify that the image hash matches the source hash (or block-level hash scheme) at acquisition time and later whenever evidence is transferred or analyzed.

This is the mechanism behind the claim: “The image I analyzed is identical to what was acquired.”

5) Documentation: chain of custody and evidence handling

For defensibility, record:

  • Who collected it, when, where, and under what authority
  • Device identifiers (serial number, model), host context, photos if applicable
  • Tool versions, commands/options used, hash values, error logs
  • Evidence storage location, access logs, transfers, and seals (if physical)

In many environments, the process is as important as the technical findings.

Example forensic imaging workflow (Linux)

The commands below illustrate typical mechanics. Your environment may require specific tools, approvals, or evidence storage procedures.

Identify the source disk (be careful)

lsblk -o NAME,SIZE,MODEL,SERIAL,TYPE,MOUNTPOINT
sudo fdisk -l

Acquire a RAW image using dcfldd (shows progress)

sudo dcfldd if=/dev/sdX of=/evidence/case123/sdX.img hash=sha256 hashlog=/evidence/case123/sdX.sha256.log

Compute and record a SHA-256 hash of the resulting image

sha256sum /evidence/case123/sdX.img | tee /evidence/case123/sdX.img.sha256

Verify later (integrity check)

sha256sum -c /evidence/case123/sdX.img.sha256

Practical tip: Avoid mounting evidence images read-write. If you must mount for triage, mount read-only and document it.

Log patterns and red flags during imaging

Watch for indicators that can impact completeness or defensibility:

  • I/O errors / bad sectors: “Input/output error”, “UNC error”, “read error at sector …”
  • Unexpected device resets: USB/SATA link resets, device disconnects
  • Auto-mount events (on the acquisition workstation): evidence drive gets mounted and metadata changes

If errors occur, document them and consider tools/workflows that provide robust bad-sector handling and detailed acquisition logs.

When you’ll need forensic imaging

Forensic imaging shows up in both mature security programs and “everything is on fire” moments.

Incident response (IR)

  • Ransomware and extortion: Image impacted systems (or key endpoints/servers) to preserve artifacts like pre-encryption activity, attacker tooling, lateral movement traces, and deleted scripts.
  • Business email compromise (BEC) and insider threats: Imaging endpoints can reveal browser artifacts, credential stores, USB usage, and deleted documents.
  • Persistence investigations: Physical images help uncover hidden scheduled tasks, registry hives, tampered logs, and artifacts in unallocated space.

Operational reality: IR teams sometimes prioritize containment over imaging. If you can’t image everything, image high-value systems first (domain controllers, jump boxes, finance workstations, file servers) and document triage decisions.

If you’re documenting an IR playbook, consider aligning it with common attacker lifecycle analysis (for context and reporting). See: what is the cyber kill chain.

HR, fraud, and internal investigations

When employee actions are in question, forensic imaging supports a defensible review of device activity—especially when you must show evidence wasn’t altered and your process was consistent across cases.

eDiscovery and legal/regulatory matters

Imaging is frequently used when evidence must be preserved for litigation, regulatory requests, or compliance audits. Legal teams care about repeatability and chain of custody, not just technical findings.

M&A, audits, and third-party disputes

In disputes with vendors, MSPs, or partners, a forensic image can preserve a record of configurations, logs, and timelines—useful when attribution or responsibility is contested.

Tools and supporting controls (what helps in practice)

Forensic imaging is one part of a defensible workflow. A few supporting controls commonly reduce friction during acquisition and investigation:

  • Credential hygiene: If you’re handling privileged acquisition systems and evidence repositories, use a dedicated password manager with strong auditing and sharing controls. Many teams standardize on 1Password (Try 1Password →) for operational credential management.
  • Malware safety checks on analysis workstations: Keep analysis environments isolated and well-instrumented; endpoint protection can reduce accidental detonation of suspicious files. Malwarebytes is one option some practitioners use (Get Malwarebytes →) depending on environment requirements.

(These are operational aids—not substitutes for write-blocking, hashing, and documentation.)

Related terms

Bit-for-bit (sector-by-sector) copy

A copy that includes every readable sector, not just files visible to the OS.

Write blocker

Hardware/software control that prevents writes to evidence media during acquisition.

Chain of custody

Documentation proving who had access to evidence and when, maintaining integrity and accountability.

Hash (SHA-256/MD5)

A cryptographic fingerprint used to verify that evidence hasn’t changed.

Slack space

Unused bytes in the last cluster of a file that may contain remnants of prior data.

Unallocated space

Disk space not currently assigned to a file; may contain deleted data fragments.

Live acquisition

Collecting data from a running system (often necessary in IR), which can alter system state.

Dead-box acquisition

Imaging a powered-off system or removed drive, typically more controlled and defensible.

Forensically sound

A process that preserves data integrity, is repeatable, and is properly documented.

Memory capture (RAM acquisition)

Separate from disk imaging; captures volatile data like running processes, encryption keys, and network connections.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.