Practical Forensic Imaging

Forensic image acquisition is an important part of postmortem incident response and evidence collection. Digital forensic investigators acquire, preserve, and manage digital evidence to support civil and criminal cases; examine organizational policy violations; resolve disputes; and analyze cyber attacks.

Practical Forensic Imaging takes a detailed look at how to secure and manage digital evidence using Linux-based command line tools.

This essential guide walks you through the entire forensic acquisition process and covers a wide range of practical scenarios and situations ­related to the imaging of storage media.

You’ll learn how to:

• Perform forensic imaging of magnetic hard disks, SSDs and flash drives, opti­cal discs, magnetic tapes, and legacy technologies
• Protect attached evidence media from accidental modification
• Manage large forensic image files, storage capacity, image format conversion, compression, splitting, duplication, secure transfer and storage, and secure ­disposal
• Preserve and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 ­timestamping
• Work with newer drive and interface tech­nologies like NVME, SATA Express, 4K-native sector drives, SSHDs, SAS, UASP/USB3x, and Thunderbolt
• Manage drive security such as ATA pass­words; encrypted thumb drives; Opal self-encrypting drives; OS-encrypted drives using BitLocker, FileVault, and TrueCrypt; and others
• Acquire usable images from more complex or challenging situations such as RAID systems, virtual machine images, and damaged media

With its unique focus on digital forensic acquisition and evidence preservation, ­Practical Forensic Imaging is a valuable resource for experienced digital forensic investigators wanting to advance their Linux skills and experienced Linux administrators wanting to learn digital forensics.

This is a must-have reference for every digital forensics lab.