
Forensic disk image creation and compression

 aina
(@aina)
Posts: 4
New Member
Topic starter
 

Hi,

I'm new to forensics and trying to learn from scratch how to create and compress a raw disk image for forensic text analysis.

Here are the steps that I used to create the image:

1) I deployed Windows 7 into VirtualBox. I set the disk size to 8 GB.

2) Using VBoxManage clonehd, I converted the VDI into a raw image. After converting, it still shows 8 GB.

I was wondering how I can compress the raw image into 4 GB? Also, is it advisable to compress a raw image?

3) Also, I have a .aff image which was around 2.9 GB; however, after converting to raw using the following command

affconvert win7.aff -r convert -o win7test.raw

the raw file became 50 GB. Is there any way to make it smaller?

rgds,
Aruna

 
Posted : 13/07/2017 2:06 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi,

I'm new to forensics and trying to learn from scratch how to create and compress a raw disk image for forensic text analysis.

I am not too sure I understand the "goal" of the compression.

The whole idea of a RAW image is that it is an identical, sector-by-sector, byte-by-byte image of a "real" device (keeping aside - for the moment - HPAs and DCOs, if any), so it is necessarily exactly as large as the original device.

If you want to "compress" it in order to transfer the data, you can use *any* compression, like gzip, bzip, zip, 7z, rar, etc., but of course you will need to uncompress it to examine it.

Or you can make it a "sparse" image, i.e. a file where the sectors that are all 00's are not actually written to the underlying hosting filesystem.
This latter approach has, however, two drawbacks:
1) depending on the tools you will later use on the image, they might not be capable of "understanding" the sparse nature of the file, or they could force it to expand.
2) the actual "compression" due to sparseness is highly variable: a "brand new" disk will image to a very minimal sparse file (because it has so many never-written or just-wiped sectors), while a heavily used disk might - theoretically - have ALL sectors non-zero, and this will result in no "compression" whatsoever through sparseness.

A format that can provide compression (and that is largely used) is EWF, but while guaranteeing the integrity of the image and data and usually a good compression level, it is not "RAW":
https://github.com/libyal/libewf

jaclaz

 
Posted : 13/07/2017 3:21 pm
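As an added illustration of the two points made above (sparseness only saves the all-zero sectors, and general-purpose compression is lossless but must be undone before examination), here is example code that is not from either poster: it builds a small constructed raw image (assumed 512-byte sectors, 16 "used" sectors out of 64), counts the all-zero sectors that a sparse copy could skip, writes such a sparse copy, and gzips the image while hash-verifying the round trip.

```python
import gzip
import hashlib
import io
import os
import random
import tempfile

SECTOR = 512  # assumed sector size for the constructed image

def build_demo_image(sectors: int = 64, seed: int = 1) -> bytes:
    """Constructed raw-image stand-in: 16 'used' sectors of seeded random bytes, rest never written (00)."""
    rng = random.Random(seed)
    image = bytearray(sectors * SECTOR)
    for i in list(range(0, 8)) + list(range(33, 41)):
        image[i * SECTOR:(i + 1) * SECTOR] = rng.randbytes(SECTOR)
    return bytes(image)

def zero_sector_stats(image: bytes) -> tuple[int, int]:
    """(total, all-zero) sectors; only all-zero sectors can stay unallocated in a sparse copy."""
    total = len(image) // SECTOR
    zero = sum(1 for i in range(total) if not any(image[i * SECTOR:(i + 1) * SECTOR]))
    return total, zero

def write_sparse_copy(image: bytes, path: str) -> None:
    """Seek over all-zero sectors instead of writing them so the filesystem need not allocate them."""
    with open(path, "wb") as f:
        for i in range(len(image) // SECTOR):
            chunk = image[i * SECTOR:(i + 1) * SECTOR]
            if any(chunk):
                f.write(chunk)
            else:
                f.seek(SECTOR, io.SEEK_CUR)
        f.truncate(len(image))  # keep the apparent size even if the tail is zeros

def sparse_roundtrip_ok(image: bytes) -> bool:
    """Reading the sparse copy back must give byte-identical data."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.raw")
        write_sparse_copy(image, path)
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).digest() == hashlib.sha256(image).digest()

def compress_and_verify(image: bytes) -> tuple[int, bool]:
    """gzip is lossless (decompressed copy hashes identically) but must be undone before examination."""
    packed = gzip.compress(image)
    ok = hashlib.sha256(gzip.decompress(packed)).digest() == hashlib.sha256(image).digest()
    return len(packed), ok
```

On a real filesystem, compare `ls -l` (apparent size) with `du` (allocated size) on the sparse copy to see how much the zero sectors actually saved; on a heavily used disk with few all-zero sectors the two will be nearly equal.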