Typical terminal output when imaging a drive using the Linux application dc3dd
Image copies and file copies are both used for many functions, including data recovery and digital forensics, but each has its own specific purpose. In some cases, using the wrong type of copy can have consequences ranging from wasting some extra time to corrupting digital evidence. Let’s compare an image copy with a file copy and give some examples of when each is best used.
Explaining an Image Copy and its Uses in Data Recovery and Digital Forensics
An image copy is the precise clone of a drive, sector-by-sector, all the ones and zeroes included. When a drive is backed up this way, the absolute exact state of the drive at that time is saved for future reference. When a file is stored on a drive, it doesn’t always overwrite every byte of the file previously stored in the same spot, and extra data from the old file may still exist on the drive. An image copy will preserve this extra data whereas a file copy will ignore it.
For digital forensics, extra data existing on a drive can be a treasure trove of clues and evidence. Forensic analysts must create image copies of suspect drives to enable a complete analysis. Any tests on the data should be done on the image copy instead of the original drive, keeping the original safe from unintentional contamination. Examining a piece of evidence before imaging it is something to be avoided. An image copy may also need to be given to a legal opponent so they can examine the drive on their own, in its entirety. By handing over an image copy, the opponent can’t possibly harm the original source drive in evidence.
For data recovery, working on an image copy of a client’s failed hard drive is always recommended, whether the failure is physical or logical. If a drive has physically failed, it is advisable to keep the amount of time spent working on the drive to a minimum because there is always the risk it will fail completely at any time. When it comes to logical recoveries, an image copy helps avoid any risky changes to the drive, so if anything was missed during the recovery, there is always the opportunity to try additional methods.
Explaining a File Copy and its Uses in Data Recovery and Digital Forensics
A file copy refers to the commonly used Copy & Paste command on files. The pasted files contain only the data that is explicitly part of the file. The operating system locates the spot on the drive where the file is stored and copies only the data relevant to the file. If the file is split into fragments on the drive, it is reassembled to be copied in one piece (or as close to one piece as possible). Extra data surrounding the file is not copied. Therefore, a file copy will almost never appear identical to the original.
For digital forensics, file copies are made to attach to the analyst’s report. Attaching an image copy would use significant storage and isn’t necessary for readers of the report to understand the evidence. To prove that a file copy is the same as it was on the original drive, a cryptographic hash is computed which will match any identical version of the file.
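The difference between the two kinds of copy, and the role of the hash, can be seen on a toy drive. The following is an added example, not part of the original article: the drive layout, the 4096-byte cluster size, the file names and the sample contents are all constructed assumptions.

```python
import hashlib
import io

CLUSTER = 4096  # assumed allocation unit of the toy "drive"

def build_drive():
    """Constructed sample: a short file reuses the cluster of a longer, deleted file."""
    drive = bytearray(4 * CLUSTER)
    old = b"OLD-CONFIDENTIAL-MEMO " * 150        # 3300 bytes, later "deleted"
    new = b"new shopping list\n" * 40            # 720 bytes, stored in the same cluster
    drive[CLUSTER:CLUSTER + len(old)] = old
    drive[CLUSTER:CLUSTER + len(new)] = new      # overwrites only the first 720 bytes
    table = {"list.txt": (CLUSTER, len(new))}    # name -> (offset, logical length)
    return drive, table, new

def file_copy(drive, table, name):
    """What Copy & Paste sees: only the file's logical bytes."""
    offset, length = table[name]
    return bytes(drive[offset:offset + length])

def image_copy(drive, chunk=512):
    """Sector-by-sector copy, hashing each block as it is read."""
    src, dst, digest = io.BytesIO(drive), io.BytesIO(), hashlib.sha256()
    while block := src.read(chunk):
        dst.write(block)
        digest.update(block)
    return dst.getvalue(), digest.hexdigest()

def compare():
    drive, table, new = build_drive()
    copied = file_copy(drive, table, "list.txt")
    image, image_hash = image_copy(drive)
    return {
        # The file copy hashes the same as the file's content on the drive.
        "file_hash_matches": hashlib.sha256(copied).digest() == hashlib.sha256(new).digest(),
        # The image hashes the same as the whole source drive.
        "image_hash_matches": image_hash == hashlib.sha256(drive).hexdigest(),
        # Leftover bytes of the old file survive only in the image.
        "remnant_in_file_copy": b"CONFIDENTIAL" in copied,
        "remnant_in_image": b"CONFIDENTIAL" in image,
        "sizes": (len(copied), len(image)),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```
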
For data recovery, file copies of the recovered data are transferred onto a separate functioning drive. The original drive isn’t used because it is often not fully functional or reliable anymore. By making file copies of recovered data instead of creating an image copy of the failed drive, substantial time and drive storage space can be saved.
In summary, image copies and file copies are considerably different actions. When conducting data recovery and digital forensics, specialists must be fully aware of the consequences of using both processes at each stage of their work. Copying files is a terrific way to back up or transfer files from one place to another, whereas an image copy includes every single byte, making it more suitable for data recovery and digital forensics.