Forensic imaging is the process of creating a forensic-quality copy of digital evidence so examiners can perform parsing and analysis on a working copy, rather than the original device or media. In computer forensics, imaging decisions affect what evidence is available, how defensible the workflow is, and how confidently findings can be reported. For the main service overview, see: computer forensics.
This page explains the most common acquisition types (logical vs file-level vs full-disk), how imaging formats like DD and E01 work, how hashing and verification help validate integrity, and why write blockers matter. It also explains limits and special cases such as encryption, live imaging, and container-based evidence (e.g., encrypted volumes, virtual disks, and cloud-synced content).
If you want to start with the foundation of evidence handling first, see: evidence preservation and chain of custody. If you want the broader primer before imaging details, see: what is computer forensics.
Educational note: Imaging is not “copying files.” A defensible acquisition documents method, scope, and constraints, and validates the resulting evidence set when possible.
Computer forensic experts use the term “imaging” to mean a controlled acquisition that is documented and designed to minimize unintended changes. Depending on scope, imaging can be full-disk or limited to selected data.
A full-disk image attempts to capture the entire storage device at the block level. Depending on storage type and encryption state, this can include allocated file data along with the file system structures and unallocated regions that a file-level copy would not capture.
Sometimes the scope is targeted: specific folders, user profiles, or export sets. This approach is faster but may omit artifacts that live outside those paths.
“Logical” typically means collecting data through the operating system’s normal access pathways (what the OS allows at that time). It can be appropriate, but it is inherently scope-limited.
Computer forensics can involve many evidence sources beyond a single internal drive. The media type affects imaging speed, connectors, and what “deleted data” can realistically mean.
Practical note: “One drive” may not equal “one dataset.” Virtual disks, partitions, snapshots, and encrypted containers can create multiple logical evidence layers inside a single device.
A write blocker is a hardware or software control designed to reduce the risk of writing data to the original evidence media during acquisition. In many workflows, a hardware write blocker is placed between the evidence drive (e.g., a SATA or USB drive) and the acquisition system to help prevent accidental modification.
A frequent misunderstanding is that plugging a drive into a normal computer is harmless: the operating system may mount it, create new system artifacts on it, or trigger background processes that write to it. That is why controlled acquisition environments are used.
Imaging outputs are typically either a raw, bitstream-style image or an evidence container format that stores additional metadata. The defensible point is not “the format,” but documenting what was captured and validating it when possible.
“DD” is often used informally to describe a raw image: a direct representation of data from the source at the block level. Raw images are widely supported and straightforward, but they do not inherently carry rich case metadata unless documented separately.
E01 is a commonly used evidence container format that can store image data plus acquisition metadata (e.g., examiner notes, segmentation, and integrity-related fields), depending on the workflow and tool configuration.
In practice, you may also encounter formats associated with virtual disks, backups, or snapshots (for example, virtual drive files and system backup sets). These can be forensic-relevant, but they are not the same as a controlled forensic image unless acquired and documented with that intent.
Hashing uses a mathematical algorithm to generate a “fingerprint” of data. In computer forensics, hash values are commonly recorded during acquisition so an examiner can later verify that the image being analyzed matches what was acquired. This supports defensible reporting, especially when evidence changes hands.
Practical takeaway: hash and verification steps strengthen defensibility, but conclusions still depend on artifact interpretation and constraints (encryption, missing logs, overwrites).
Modern computers increasingly rely on full-disk encryption and protected containers. This can limit what a “powered-off” acquisition can access without authorized keys. In some cases, a live acquisition may be considered specifically to preserve access to decrypted content or running-state artifacts—subject to scope and authorization.
Technologies such as BitLocker (Windows), FileVault (macOS), and LUKS (Linux) can prevent access to user data when the device is powered off or locked, unless authorized recovery material is available.
Some evidence exists inside containers that are only available when mounted or unlocked (encrypted volumes, secure vaults, or application-level encrypted stores). In these situations, “live acquisition” may be discussed specifically to capture accessible, decrypted content or confirm container existence and configuration.
Encryption is a normal security feature. The defensible stance is to document the encryption state and access conditions and avoid overstating what can be recovered. When keys are not available, a computer forensic analysis may shift toward artifacts outside the encrypted scope (cloud logs, network/device management records, backups, and endpoints).
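An added example of the "document the encryption state" step, written for this page (illustrative Python, not the page's or Elite Digital Forensics' own tooling): it inspects the leading bytes of a volume for the LUKS header magic and the BitLocker boot-sector OEM ID, both documented on-disk values, and otherwise falls back to a byte-entropy reading as a heuristic. FileVault is not covered because detecting it means parsing APFS/CoreStorage structures rather than matching a fixed boot-sector signature. The sample headers are constructed, and `classify_volume_header`, `shannon_entropy` and the 7.5 bits-per-byte threshold are assumptions of the example.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# On-disk signatures (real, documented values):
LUKS_MAGIC = b"LUKS\xba\xbe"    # LUKS1/LUKS2 header magic at offset 0 of the volume
BITLOCKER_OEM = b"-FVE-FS-"     # OEM ID at offset 3 of a BitLocker-protected NTFS boot sector
NTFS_OEM = b"NTFS    "          # OEM ID at offset 3 of an unencrypted NTFS boot sector

HIGH_ENTROPY = 7.5  # assumed heuristic threshold (bits per byte) for "looks random"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for constant data, up to 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume_header(header: bytes) -> dict:
    """Triage the leading bytes of a partition or volume.

    Returns what can be documented about the encryption state before any
    acquisition decision is made: a recognised signature or, failing that,
    an entropy reading. 'likely_encrypted' is None when nothing can be said.
    """
    entropy = round(shannon_entropy(header), 2)
    result = {"signature": "unknown", "likely_encrypted": None, "entropy": entropy}
    if header.startswith(LUKS_MAGIC):
        result.update(signature="LUKS", likely_encrypted=True)
    elif header[3:11] == BITLOCKER_OEM:
        result.update(signature="BitLocker", likely_encrypted=True)
    elif header[3:11] == NTFS_OEM:
        result.update(signature="NTFS", likely_encrypted=False)
    elif entropy >= HIGH_ENTROPY:
        # Heuristic only: no known signature plus near-random bytes is consistent
        # with a headerless container or with wiped media; it is not proof of either.
        result.update(signature="none (high entropy)", likely_encrypted=True)
    return result


# Constructed sample headers (not captured from real devices):
SAMPLE_LUKS = LUKS_MAGIC + b"\x00" * 506
SAMPLE_BITLOCKER = b"\xeb\x58\x90" + BITLOCKER_OEM + b"\x00" * 501
SAMPLE_NTFS = b"\xeb\x52\x90" + NTFS_OEM + b"\x00" * 501
SAMPLE_RANDOM = random.Random(7).randbytes(4096)  # deterministic stand-in for ciphertext
SAMPLE_BLANK = b"\x00" * 512


if __name__ == "__main__":
    samples = [("luks", SAMPLE_LUKS), ("bitlocker", SAMPLE_BITLOCKER),
               ("ntfs", SAMPLE_NTFS), ("random", SAMPLE_RANDOM), ("blank", SAMPLE_BLANK)]
    for name, hdr in samples:
        print(f"{name:10s} -> {classify_volume_header(hdr)}")
```

The signature checks give a statement the report can stand behind; the entropy branch only supports wording such as "no recognised file system or encryption header; contents appear random", which is exactly the kind of constraint the page says should be documented rather than overstated.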
A sound imaging workflow records more than “we made a copy.” It documents what was attempted, the method used, observed errors, and the resulting evidence set. This is one of the main differences between casual data copying and work performed by computer forensic companies.
“No errors reported” does not always mean “perfect evidence.” Aging drives, unstable enclosures, and firmware behaviors can affect what is readable and when.
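The acquisition, hashing and documentation steps described above, as an added Python illustration written for this page (not the page's or Elite Digital Forensics' code, and not a substitute for a forensic imaging tool): it reads a constructed stand-in device sector by sector, zero-fills and logs any sector that fails to read, records the raw image's SHA-256 and the read errors in a sidecar record (the metadata a DD-style image lacks on its own), and verifies a working copy against that hash. `FlakySource`, `AcquisitionRecord`, the 512-byte sector size and the zero-fill policy are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field, asdict

SECTOR = 512  # assumed sector size for this illustration


class FlakySource:
    """Constructed stand-in for an evidence device: a byte buffer in which the
    sectors listed in `bad_sectors` fail with an I/O error, the way an aging
    drive surfaces unreadable blocks. Not a real device or driver."""

    def __init__(self, data: bytes, bad_sectors: set[int] = frozenset()):
        assert len(data) % SECTOR == 0, "sample data must be whole sectors"
        self.data = data
        self.bad_sectors = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise OSError(5, "Input/output error")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class AcquisitionRecord:
    """Sidecar metadata that a raw (dd-style) image does not carry on its own.
    An E01-style container would store comparable fields internally."""
    source_description: str
    sector_size: int
    sectors_total: int
    sectors_unreadable: list[dict] = field(default_factory=list)
    image_sha256: str = ""
    tool: str = "illustrative acquirer (hypothetical, not a forensic product)"

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def acquire(source: FlakySource, description: str) -> tuple[bytes, AcquisitionRecord]:
    """Block-level acquisition: read every sector in order, zero-fill any sector
    that cannot be read so offsets in the image still line up with the source,
    record each failure, and hash the image as it is produced."""
    record = AcquisitionRecord(description, SECTOR, source.sector_count)
    image = bytearray()
    digest = hashlib.sha256()
    for n in range(source.sector_count):
        try:
            chunk = source.read_sector(n)
        except OSError as exc:
            record.sectors_unreadable.append({"sector": n, "error": exc.strerror})
            chunk = b"\x00" * SECTOR
        image += chunk
        digest.update(chunk)
    record.image_sha256 = digest.hexdigest()
    return bytes(image), record


def verify(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash a working copy and compare it with the hash taken at acquisition.
    A match shows the copy is unchanged since imaging; it says nothing about
    sectors that were unreadable at the time (those are listed in the record)."""
    return hashlib.sha256(image).hexdigest() == record.image_sha256


if __name__ == "__main__":
    sample = bytes(range(256)) * 16  # constructed 4096-byte "device" = 8 sectors
    image, record = acquire(FlakySource(sample, bad_sectors={3}), "constructed sample device")
    print(record.to_json())
    print("working copy verifies:", verify(image, record))
    tampered = bytearray(image)
    tampered[0] ^= 0x01  # a single flipped bit in the copy
    print("tampered copy verifies:", verify(bytes(tampered), record))
```

Two points the run makes visible: a single flipped bit in the working copy fails verification, and when a sector was unreadable the image hash is a hash of the image as acquired, not of the drive, so the sidecar record's error list, not the hash, is what documents that gap. Real imagers such as dd with `conv=noerror,sync` or dedicated forensic acquisition tools apply the same zero-fill-and-log pattern.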
Imaging is the beginning, not the end. The acquired evidence is typically parsed into artifacts (file system structures, logs, application data) and then analyzed to answer the case questions. The findings are then presented in a written report that separates observed facts from interpretation and explains limitations.
If you are building foundational understanding, the “what is” primer is here: what is computer forensics.
For the full overview of computer forensic services (scope, process, and what outcomes are realistic), return to the main hub: computer forensics. If your priority is handling and documentation before any acquisition occurs, start with: evidence preservation and chain of custody.
Educational note: This page is informational and explains common acquisition approaches and constraints. Any real-world workflow should be scoped to the matter, devices, and authorized access conditions.
Elite Digital Forensics is a Professional Digital Forensics and Cyber Consulting Company that provides services nationwide.