Evidence acquisition is the process of creating an exact, verifiable copy of digital evidence while ensuring the original data remains unaltered. This is arguably the most critical phase of any forensic investigation — if evidence is improperly acquired, everything that follows may be challenged or excluded.
A forensic image (also called a forensic copy or bit-stream image) is a sector-by-sector copy of a storage device, capturing every bit of data including:
| Type | Description | Use Case |
|---|---|---|
| Physical image | Bit-for-bit copy of the entire device (all sectors) | Full forensic analysis; captures everything |
| Logical image | Copy of the file system (files and directories only) | When only specific files or partitions are in scope |
| Targeted collection | Copies only specific files or folders | eDiscovery, triage, or when full imaging is impractical |
A hardware write blocker prevents any write commands from reaching the source device:
| Feature | Description |
|---|---|
| Function | Sits between the forensic workstation and the evidence drive |
| Interfaces | SATA, IDE, USB, NVMe, FireWire |
| Validation | Must be tested and validated (e.g. NIST CFTT programme) |
| Advantages | Tamper-proof; easy to verify; widely accepted in court |
A software write blocker does the same job in software rather than with a physical device:
| Feature | Description |
|---|---|
| Function | Operating system driver or utility that intercepts and blocks write commands |
| Examples | Linux mount with -o ro,noexec,noatime options; forensic boot disks |
| Advantages | No additional hardware needed; cost-effective |
| Disadvantages | Relies on OS functioning correctly; may be less trusted in court |
```bash
# Linux: Mount a device as read-only
# noload (ext3/ext4) skips journal replay, which would otherwise write to the device even on a ro mount
mount -o ro,noexec,noatime,noload /dev/sdb1 /mnt/evidence
# Verify read-only mount
mount | grep /mnt/evidence
# Output: /dev/sdb1 on /mnt/evidence type ext4 (ro,noexec,noatime,noload)
```
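The `mount | grep` check above is easy to misread by eye, and a plain `grep ro` also matches `errors=remount-ro` on an ordinary read-write root filesystem. The following added example (not part of the lesson) parses the one-line-per-mount format that `mount` prints and looks for the exact `ro` option on the evidence mountpoint; the mount output it runs against is constructed sample data.

```python
"""Verify that an evidence mountpoint is really mounted read-only.

Added example, not from the lesson. Parses mount(8) output of the form
"<device> on <mountpoint> type <fstype> (<opt>,<opt>,...)" and checks the
option list for the exact token "ro" instead of the substring "ro".
"""
import re

MOUNT_LINE = re.compile(
    r"^(?P<device>\S+) on (?P<mountpoint>\S+) type (?P<fstype>\S+) \((?P<options>[^)]*)\)$"
)

# Options the lesson recommends for an evidence mount (ro is the only hard requirement;
# noload matters for journaled ext filesystems, the others are hygiene).
RECOMMENDED = ("ro", "noexec", "noatime", "noload")

# Constructed sample output; note the root filesystem contains the substring "ro"
# inside "errors=remount-ro" while actually being read-write.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sda2 on / type ext4 (rw,relatime,errors=remount-ro)
/dev/sdb1 on /mnt/evidence type ext4 (ro,noexec,noatime,noload)
/dev/sdc1 on /mnt/triage type ntfs3 (rw,relatime)
"""


def parse_mount_line(line):
    """Return a dict with device, mountpoint, fstype and a list of options, or None."""
    m = MOUNT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["options"] = rec["options"].split(",")
    return rec


def find_mount(mount_output, mountpoint):
    """Return the parsed record for `mountpoint`, or None if it is not mounted."""
    for line in mount_output.splitlines():
        rec = parse_mount_line(line)
        if rec and rec["mountpoint"] == mountpoint:
            return rec
    return None


def check_mount(mount_output, mountpoint):
    """Classify a mountpoint as 'read-only', 'read-write' or 'not-mounted'.

    Only an exact "ro" token counts; "errors=remount-ro" is not read-only."""
    rec = find_mount(mount_output, mountpoint)
    if rec is None:
        return "not-mounted"
    return "read-only" if "ro" in rec["options"] else "read-write"


def missing_options(mount_output, mountpoint, recommended=RECOMMENDED):
    """List recommended options absent from the mount (empty list if all present)."""
    rec = find_mount(mount_output, mountpoint)
    if rec is None:
        return list(recommended)
    return [opt for opt in recommended if opt not in rec["options"]]


if __name__ == "__main__":
    for mp in ("/", "/mnt/evidence", "/mnt/triage", "/mnt/absent"):
        print(mp, check_mount(SAMPLE_MOUNT_OUTPUT, mp), missing_options(SAMPLE_MOUNT_OUTPUT, mp))
```

On a live workstation replace `SAMPLE_MOUNT_OUTPUT` with the output of `mount` (or the contents of `/proc/mounts`, which uses a different layout and would need its own pattern). Treat `not-mounted` as a failed check rather than a pass: an unmounted device tells you nothing about how it will be mounted later.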
Tip: Always use a hardware write blocker when handling original evidence in criminal cases. Software write blockers are acceptable for triage and incident response but may face greater scrutiny in court.
| Tool | Type | Format | Notes |
|---|---|---|---|
| dd | Command-line (Linux) | Raw (.dd, .img) | Basic but widely available; no built-in hashing or error handling |
| dc3dd | Command-line (Linux) | Raw | Enhanced dd with hashing, progress, and error logging |
| FTK Imager | GUI (Windows) | E01, AFF, Raw | Free; widely used; supports hashing and verification |
| EnCase | GUI (Windows) | E01 (EnCase Evidence File) | Industry standard; supports compression and case management |
| Guymager | GUI (Linux) | E01, AFF, Raw | Fast; open-source; multi-threaded compression |
| ewfacquire | Command-line (Linux) | E01 | Part of the libewf library |
```bash
# Basic imaging with dd
# As written, dd stops at the first unreadable sector; add conv=noerror,sync to
# continue and zero-fill bad blocks, and hash the source and image separately afterwards
dd if=/dev/sdb of=/evidence/case001/disk.img bs=4M status=progress
# Improved imaging with dc3dd (includes hashing of the input stream and an error log)
dc3dd if=/dev/sdb of=/evidence/case001/disk.img hash=sha256 log=/evidence/case001/imaging.log
```
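To make concrete what separates dc3dd from plain dd in the table above, here is an added example (not the lesson's code and not dc3dd itself) that models a hashing imager: it reads a source in fixed-size blocks, hashes the bytes as they stream past, writes them to the image, and on a read error zero-fills that block and logs its offset, the equivalent of `conv=noerror,sync`. It then re-reads the image to produce a second hash for the acquisition log. The "device" is a constructed in-memory byte string with fault injection on one block, so the error path can be exercised offline; the `BlockSource` class, `acquire` function and log layout are this example's own assumptions.

```python
"""Model of a hashing imager with bad-block handling (added example, not dc3dd)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512
# Constructed sample "device": 8 full 512-byte blocks plus a 16-byte tail (4112 bytes).
DATA = bytes(range(256)) * 16 + b"constructed-tail"


class BlockSource:
    """Stand-in for a block device: serves DATA in fixed-size blocks and raises EIO
    for any block index in `bad_blocks` (constructed fault injection)."""

    def __init__(self, data, block_size, bad_blocks=()):
        self.data = data
        self.block_size = block_size
        self.bad_blocks = set(bad_blocks)
        self.pos = 0

    def read_block(self):
        idx = self.pos // self.block_size
        chunk = self.data[self.pos:self.pos + self.block_size]
        self.pos += len(chunk)  # position advances even when the read fails
        if chunk and idx in self.bad_blocks:
            raise OSError(5, "Input/output error")
        return chunk


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks (post-acquisition verification of the image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, log_path):
    """Copy `source` to `image_path` block by block, hashing the stream as it is read.

    An unreadable block is replaced by zeros of the same length and its offset is
    recorded, so the image keeps the source geometry. Returns the acquisition
    record that is also written to `log_path`."""
    stream_hash = hashlib.sha256()
    bad_blocks = []
    bytes_copied = 0
    with open(image_path, "wb") as img:
        while True:
            offset = source.pos
            try:
                chunk = source.read_block()
            except OSError as err:
                size = source.pos - offset  # bytes the failed read covered
                chunk = b"\x00" * size
                bad_blocks.append((offset, size, err.strerror))
            if not chunk:
                break
            stream_hash.update(chunk)
            img.write(chunk)
            bytes_copied += len(chunk)
    record = {
        "bytes_copied": bytes_copied,
        "acquisition_hash": stream_hash.hexdigest(),  # hash of what was read
        "image_hash": hash_file(image_path),          # hash of what was written
        "bad_blocks": bad_blocks,
    }
    record["verified"] = record["acquisition_hash"] == record["image_hash"]
    with open(log_path, "w") as log:
        for key, value in record.items():
            log.write(f"{key}: {value}\n")
    return record


def run_demo():
    """Acquire DATA once cleanly and once with block 3 unreadable; return both records."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = acquire(BlockSource(DATA, BLOCK_SIZE),
                        os.path.join(tmp, "clean.img"), os.path.join(tmp, "clean.log"))
        faulty = acquire(BlockSource(DATA, BLOCK_SIZE, bad_blocks={3}),
                         os.path.join(tmp, "faulty.img"), os.path.join(tmp, "faulty.log"))
    return clean, faulty


if __name__ == "__main__":
    for name, rec in zip(("clean", "faulty"), run_demo()):
        print(name, rec)
```

The faulty run shows why the log matters: its acquisition hash and image hash agree (the image is a faithful copy of what was read), yet neither equals the hash of the original data, because block 3 was zero-filled. A later re-hash of the original drive will not match unless the examiner also has the bad-block list, which is exactly what dc3dd's `log=` output records and plain dd does not.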