Storing Digital Evidence

Image files can be created using different software and hardware tools in different standard formats. What are some of the common formats and software used to create digital evidence images?

The simplest image format is a raw bit-level copy of the original, produced with a tool such as the Unix/Linux dd utility. A raw image holds nothing but the copied bits, so any hashes, acquisition notes or case details have to be kept alongside it in separate files. Another popular format is the Advanced Forensic Format (AFF). Why is this format often preferred? Garfinkel et al. (2006) point out that AFF is not proprietary, allows metadata to be stored with the image itself, and that its images can take up less space than those in other formats because the format supports compression. However, Durno and Trofimchuk (2015) worry that such images will not hold up over time as well as raw images, which any tool can read without format-specific support.

Many other tools and formats exist, and to some extent the tools used are determined by the examiner's training and budget. Because dd ships with the operating system on Unix and Linux, it can be viewed as a common, standard method. It is not available out of the box on every operating system (Microsoft Windows is one example), although third-party ports of dd and similar imaging utilities exist for such systems. Whatever the tool, the examiner should hash both the source and the resulting image and record the acquisition details, so that the image can later be shown to match the original. Some formats are tied to a particular vendor's tool, such as EnCase's E01 (Expert Witness) format, although open-source libraries such as libewf can read and write it, so an E01 image is not locked to the product that created it.
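The raw dd acquisition described above, as an added example that is not part of the original page: it images a constructed "device" file with dd, hashes source and image, and writes a sidecar file carrying the metadata (source, size, time, tool, SHA-256) that a raw image cannot hold in-band, which is exactly what AFF would store inside the image. The sidecar field names, the 4 KiB block size and the constructed device are this example's own assumptions; on real hardware the source would be a block device behind a write blocker.

```shell
#!/bin/sh
# Added example (not from the page): raw dd acquisition plus the sidecar
# metadata a bare raw image lacks. The "device" is a constructed file so the
# script runs offline; on real hardware SRC would be e.g. /dev/sdb behind a
# write blocker. Sidecar field names are this example's own choice.
set -eu

# sha256_of FILE: print the SHA-256 hex digest (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC DEST: bit-level copy with dd. conv=noerror,sync keeps
# going on a read error and zero-fills the bad block so offsets in the image
# still line up with the source. dd's own messages go to DEST.dd.log so the
# acquisition record is kept rather than discarded.
image_device() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>"$dest.dd.log"
}

# write_sidecar SRC DEST: record what a raw image cannot carry in-band:
# source, size, acquisition time, tool and hash. The source is hashed at
# acquisition time and must equal the image hash before anything is recorded.
write_sidecar() {
    src=$1; dest=$2
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dest")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch after dd" >&2; return 1; }
    {
        echo "source=$src"
        echo "image=$dest"
        echo "size=$(wc -c < "$dest" | tr -d ' ')"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "tool=dd bs=4096 conv=noerror,sync"
        echo "sha256=$img_hash"
    } > "$dest.meta"
}

# verify_image DEST: recompute SHA-256 and compare with the sidecar. Returns
# 0 on match, 1 if the image changed or the sidecar is missing or incomplete.
verify_image() {
    dest=$1
    [ -r "$dest.meta" ] || return 1
    expected=$(sed -n 's/^sha256=//p' "$dest.meta")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$dest")" ]
}

# acquire SRC DEST: image, then write the sidecar; one entry point for the
# whole procedure.
acquire() {
    image_device "$1" "$2" && write_sidecar "$1" "$2"
}

# Demo on a constructed 8 KiB "device" (two 4 KiB blocks, so conv=sync adds
# no padding; a real block device is always a whole number of sectors).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/device.bin" bs=4096 count=2 2>/dev/null
acquire "$demo_dir/device.bin" "$demo_dir/device.raw"
verify_image "$demo_dir/device.raw"
echo "image verified, sha256=$(sed -n 's/^sha256=//p' "$demo_dir/device.raw.meta")"
rm -rf "$demo_dir"
```

Note that conv=sync pads the final partial block with zeros, so a source whose size is not a multiple of the block size would hash differently from its image; real block devices are always whole sectors, so bs should be a multiple of the sector size. Rerunning verify_image against the sidecar at any later time is the check that the stored copy has not changed.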

Cloud computing provides another venue for storing evidence images; see the PDF presentation in the resources below. The same requirements apply there as on local media: the image must be checked against its recorded hash after transfer, and access to it must be controlled and logged so that the chain of custody is preserved.

References

Durno, J., & Trofimchuk, J. (2015). Digital forensics on a shoestring: A case study from the University of Victoria. Code4Lib Journal, 27. http://journal.code4lib.org/articles/10279

Forensics File Formats. (n.d.). Forensics Wiki. https://forensicswiki.xyz/wiki/index.php?title=Category:Forensics_File_Formats