Goal and mindset
Forensic imaging is about creating a defensible copy of evidence without modifying the original. The best tools won’t save you if the methodology is sloppy. Method first, tool second.
- Integrity: prove the copy matches the source (hashing).
- Repeatability: another analyst should be able to reproduce your steps.
- Minimal changes: avoid writing to the source device.
Scope and legal frame
This guide assumes lawful access and a legitimate investigative or incident response need. If you don’t have authorization, stop. Forensics is powerful and must be used ethically.
Preparation
Before you touch the device
- Record case identifier, date/time, who handled the device, and where it came from.
- Photograph the device and its state (powered on/off, cables, labels).
- Plan storage: enough space for a full bit-for-bit image plus working copies.
- Use write-blocking for drives whenever possible.
Acquisition: imaging the evidence
Imaging means a sector-by-sector copy (where applicable). The exact tool varies by platform, but the method is consistent: read from source, write to destination, compute hashes, document everything.
Acquisition steps
- Connect the source drive through a write blocker (hardware preferred).
- Image to a clean destination drive using a trusted imaging tool.
- Compute hashes (at least SHA-256) for the source and image.
- Store the original safely. Do analysis on copies.
# Conceptual (not tool-specific) record you want to end up with:
SOURCE: /dev/sdX
DEST:   case123_disk01.E01 (or raw image)
HASH:   SHA-256: ...
DATE:   2025-xx-xx
NOTES:  write blocker model, tool version, errors/bad sectors
Hashing and verification
Hashes are your integrity proof. If hashes match, the image is bit-identical (for that hashing scope). If they do not match, you must explain why (read errors, unstable media, partial images).
- Use SHA-256 as a minimum. Some labs also keep MD5 for legacy compatibility, but do not rely on MD5 alone.
- Record tool versions. Hash implementations are usually standard, but documentation matters.
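The acquisition steps and the hashing rules above, as an added worked example that is not part of the original guide: a sector-by-sector copy that hashes the source and the image separately, zero-fills and logs unreadable sectors so a hash mismatch is explained in the record, and then re-hashes the stored image in an independent verification pass. FlakyMedia, the case id and the file names are constructed for the example; real acquisitions run through a write blocker against a block device.

```python
import hashlib, io, os, tempfile
from datetime import datetime, timezone

SECTOR = 512  # imaging unit: each sector is copied, or zero-filled and logged

class FlakyMedia(io.BytesIO):
    """Constructed stand-in for unstable media: OSError on the listed sectors."""
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad = set(bad_sectors)
    def read(self, n=SECTOR):
        if self.tell() // SECTOR in self.bad:
            self.seek(self.tell() + n)  # the head moves on; the data is unreadable
            raise OSError("unrecovered read error")
        return super().read(n)

def acquire(source, dest_path, case_id):
    """Sector-by-sector copy hashing source and image separately; bad sectors
    are zero-filled and logged so a source/image hash mismatch is explained."""
    h_source, h_image, bad, sector_no = hashlib.sha256(), hashlib.sha256(), [], 0
    with open(dest_path, "wb") as dest:
        while True:
            try:
                chunk = source.read(SECTOR)
            except OSError:
                bad.append(sector_no)          # unreadable: record it, never guess it
                chunk = b"\x00" * SECTOR       # zero-fill keeps image offsets aligned
            else:
                if not chunk:
                    break
                h_source.update(chunk)         # source hash covers readable sectors only
            h_image.update(chunk)
            dest.write(chunk)
            sector_no += 1
    return {"CASE ID": case_id, "DEST": dest_path, "BAD SECTORS": bad,
            "DATE": datetime.now(timezone.utc).isoformat(),
            "SHA-256 SOURCE": h_source.hexdigest(), "SHA-256 IMAGE": h_image.hexdigest()}

def verify(record):
    """Independent pass: re-hash the stored image file and compare to the record."""
    h = hashlib.sha256()
    with open(record["DEST"], "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == record["SHA-256 IMAGE"]

def demo(bad_sectors=()):
    """Image constructed 8-sector media (4 KiB) into a temp file; returns the record."""
    data = bytes(range(256)) * (8 * SECTOR // 256)
    dest = os.path.join(tempfile.mkdtemp(), "case123_disk01.raw")
    return acquire(FlakyMedia(data, bad_sectors), dest, "CASE-123")
```

With no read errors the two hashes match; with a bad sector they differ, and BAD SECTORS in the record is the explanation the court or auditor will ask for.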
Chain of custody documentation
Chain of custody is not bureaucracy. It’s what protects the investigation (and you) from claims of tampering.
Documentation must include
- Who collected the device, when, and from where.
- Where it was stored, who accessed it, and for how long.
- What actions were performed (imaging, hashing, analysis) and by whom.
- Hash values and imaging logs.
Storage and working copies
Treat evidence as crown-jewel data. Store originals read-only where possible, and keep controlled access. Make at least one backup of the forensic image in separate storage.
Do not analyze on the original
Always analyze on a verified copy. If your analysis tool corrupts something, your evidence stays intact.
Common mistakes
- Imaging without write blocking (accidental writes happen).
- No hash verification after imaging.
- Mixing “working files” with evidence storage.
- No clear logs: “I think I did X” is not acceptable in court or audits.
- Forgetting time zones and accurate time sources for timelines.
Templates you can copy
CASE ID:
EVIDENCE ITEM:
SERIAL/LABEL:
COLLECTED BY:
COLLECTED AT:
DEVICE STATE (ON/OFF):
WRITE BLOCKER:
IMAGING TOOL + VERSION:
IMAGE FORMAT:
DESTINATION PATH:
SHA-256 SOURCE:
SHA-256 IMAGE:
NOTES / ERRORS:
Scope note
This guide focuses on defensive hardening and incident readiness. Guidance about hiding wrongdoing, destroying evidence, or evading lawful investigation is intentionally not provided.