
Forensic Binary Images

In document CD And DVD Forensics pdf (Page 76-80)

Typically, a binary image of a hard drive is created as soon as a forensic examination begins. This is done to remove the possibility of the hard drive contents being altered during examination. As long as this binary image is an exact bit-for-bit copy of the original hard drive, it can be used as a substitute for the hard drive itself.

There are many tools that can be used to create a binary image file from a hard drive; copying every sector from the hard drive to some other type of media (including another hard drive) is all that is required. It is common practice to validate that the hard drive and its image are identical by computing a hash value, such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), over both and comparing the results.

This has also been attempted with Compact Disc (CD) and Digital Versatile Disc (DVD) media, often using the same image file format. There are those in the forensic community who believe it is possible to create a binary image file equivalent to those created from hard drives; however, this overlooks several important aspects of how such discs are written.

Compact Disc Read-Only Memory (CD-ROM) data discs and commercially produced DVDs can be imaged easily, because they contain one type of sector that begins with sector zero and extends to an endpoint on the disc.

User-recorded music discs are commonly based on the Red Book audio standard and can be imaged fairly easily. User-recorded data discs are either multi-session or written with drag-and-drop (packet-writing) software. If these discs contain multiple tracks, mixing sector types between tracks is possible.

User-written multimedia discs can involve multiple types of sectors in a single track. For example, it is common to mix XA Mode 2 Form 1 sectors, which carry 2,048 bytes of user data, with XA Mode 2 Form 2 sectors, which carry 2,324 bytes of user data (both occupy 2,352 raw bytes on the disc).

Many recording applications use multiple tracks where, unlike manufactured discs, the area between tracks is not readable. This presents a problem when treating a CD as a contiguous span of sectors. The Table of Contents (TOC) for a disc provides an index into the different tracks. There is no corresponding structure on hard drives, which contain only sector data.

The disc TOC also indicates whether a track contains Red Book audio or data sectors, which is required to read the contents of the disc properly. Determining which types of data sectors are present in a track requires examining the sectors' own control information (the header mode byte and the XA subheader) or the file system.

DVDs have only a single type of sector; however, multi-session recording is possible. The index of border zones for a disc is similar to the TOC for a CD, and is required to process a multi-session DVD properly.

In order to construct a binary image of a CD or DVD, every sector of every track on the disc must be stored in the image, along with an index recording the type of each track (for CDs) and the original starting location of each track.
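The sector-level index described above, as an added example that is not code from the book or from CD/DVD Inspector: it classifies raw 2,352-byte CD sectors from their sync pattern, header and XA subheader, walks a track image to build the per-sector index, and extracts user data using each sector's own payload size. The sample track is constructed (Form 1 file data interleaved with Form 2 multimedia data); its EDC/ECC fields are zero-filled because the classifier does not check error codes, and the "formless Mode 2" decision is a heuristic, as noted in the code.

```python
"""Classify raw CD sectors and build the per-sector index a CD image needs.

Added example, not code from the book or from CD/DVD Inspector. It assumes the
track was read in raw mode (2,352 bytes per sector). The sample track below is
constructed: its EDC/ECC fields are zero-filled because the classifier only
inspects the sync pattern, the header and the XA subheader, not error codes.
"""
from dataclasses import dataclass
from typing import Optional

SECTOR_RAW = 2352
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"   # 12-byte sync at the start of every data sector
PREGAP_FRAMES = 150                        # LBA 0 sits at MSF 00:02:00


def bcd_to_int(b: int) -> int:
    return (b >> 4) * 10 + (b & 0x0F)


def int_to_bcd(v: int) -> int:
    return ((v // 10) << 4) | (v % 10)


def lba_to_msf(lba: int) -> tuple:
    frames = lba + PREGAP_FRAMES
    return frames // (60 * 75), (frames // 75) % 60, frames % 75


@dataclass
class SectorInfo:
    kind: str            # "audio", "mode1", "mode2", "xa-form1" or "xa-form2"
    lba: Optional[int]   # None for audio, which has no header to read it from
    data_off: int        # offset of user data inside the raw sector
    data_len: int        # bytes of user data


def classify_sector(raw: bytes) -> SectorInfo:
    """Decide what a raw sector is from its sync pattern, header and subheader."""
    if len(raw) != SECTOR_RAW:
        raise ValueError(f"expected {SECTOR_RAW} raw bytes, got {len(raw)}")
    if raw[:12] != SYNC:
        # Red Book audio: 2,352 bytes of PCM samples, no header at all.
        return SectorInfo("audio", None, 0, SECTOR_RAW)
    m, s, f, mode = raw[12:16]
    lba = (bcd_to_int(m) * 60 + bcd_to_int(s)) * 75 + bcd_to_int(f) - PREGAP_FRAMES
    if mode == 1:
        return SectorInfo("mode1", lba, 16, 2048)
    if mode == 2:
        sub = raw[16:20]
        if sub != raw[20:24]:
            # No duplicated XA subheader: treat as formless Mode 2 (heuristic).
            return SectorInfo("mode2", lba, 16, 2336)
        if sub[2] & 0x20:                    # submode bit 5 = Form 2
            return SectorInfo("xa-form2", lba, 24, 2324)
        return SectorInfo("xa-form1", lba, 24, 2048)
    raise ValueError(f"unknown mode byte {mode:#04x} at LBA {lba}")


def index_track(image: bytes) -> list:
    """Walk a raw track image and return the per-sector index. A hard-drive
    image has no such structure; a CD image cannot be read correctly without it."""
    if len(image) % SECTOR_RAW:
        raise ValueError("raw track image is not a whole number of sectors")
    return [classify_sector(image[i:i + SECTOR_RAW])
            for i in range(0, len(image), SECTOR_RAW)]


def user_data(image: bytes) -> bytes:
    """Extract only the user-data payloads, using each sector's own size."""
    return b"".join(image[i + s.data_off:i + s.data_off + s.data_len]
                    for i, s in zip(range(0, len(image), SECTOR_RAW), index_track(image)))


def make_sector(lba: int, payload: bytes, mode: int, form2: bool = False) -> bytes:
    """Build a constructed raw sector (sync, BCD MSF header, optional XA subheader).
    EDC/ECC bytes are left as zeros; this is sample input, not a writable sector."""
    m, s, f = lba_to_msf(lba)
    header = bytes([int_to_bcd(m), int_to_bcd(s), int_to_bcd(f), mode])
    if mode == 1:
        size, prefix = 2048, b""
    else:
        size = 2324 if form2 else 2048
        sub = bytes([0, 0, 0x20 if form2 else 0x08, 0])   # file, channel, submode, coding
        prefix = sub + sub
    if len(payload) > size:
        raise ValueError("payload does not fit the sector's user-data area")
    body = prefix + payload.ljust(size, b"\x00")
    return SYNC + header + body.ljust(SECTOR_RAW - 16, b"\x00")


# Constructed XA track: Form 1 file data interleaved with Form 2 multimedia data.
SAMPLE_TRACK = b"".join([
    make_sector(0, b"ISO 9660 directory data", 2),
    make_sector(1, b"MPEG frames", 2, form2=True),
    make_sector(2, b"MPEG frames", 2, form2=True),
    make_sector(3, b"more file data", 2),
])

if __name__ == "__main__":
    for i, sec in enumerate(index_track(SAMPLE_TRACK)):
        print(f"sector {i}: LBA {sec.lba} {sec.kind} user data {sec.data_len} bytes")
```

Running the block prints one index line per sector; on the constructed track the payload sizes alternate between 2,048 and 2,324 bytes, which is exactly why a CD image cannot be treated as a uniform run of 2,048-byte sectors the way a hard-drive image can.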

CD/DVD Inspector 3.0 allows you to make a binary image file of any disc; the tool can later be run against that image file without the disc being present. While the image file format is specific to CD/DVD Inspector, coordination with other tools is expected.

Reproducing Forensic Images

In the case of hard drives, a forensic binary image is reproducible: as long as the contents have not been altered, every image taken of the drive is identical. The same is true of flash memory and other media that present a plain contiguous span of sectors.

This is not always the case with CD and DVD media, where reading the same disc with different drives can produce different results. The differences arise from different implementations of error correction strategy in the drive firmware and in the hardware controlling the laser and optics.

With some drives, successive imaging of the same disc can produce non-reproducible results, as has been observed with some Pioneer DVD writers on packet-written Compact Disc Recordable (CD-R) discs.

Assuming that it will always be possible to create identical forensic images from CD or DVD media is problematic, and calls into question evidence or forensic lab procedures should the MD5 or SHA-1 hash values of such images not match. It is strongly recommended that you not attempt to compare forensic images or their hash values unless the examiner is fully aware that mismatches can be "normal."

www.syngress.com

A recommended procedure is to work either from the original media or from a single image file. When working with the original media, use proper procedures to avoid contamination by software that does not belong on a forensic computer. When working from an image file, use before-and-after hash values to verify that the image has not been altered. Do not re-image the media and compare the images or their hash values.
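The before-and-after hash check recommended above, together with a way to see exactly where two reads of a disc disagree rather than only learning that a whole-image hash differs, as an added example that is not code from the book or from CD/DVD Inspector. It hashes the image in the same pass that writes it, so the recorded values describe the image file itself; a real acquisition would pass an opened block device and output file, while here the source is a constructed in-memory disc and a constructed second read that differs in one sector, standing in for a drive whose error correction returned different bytes the second time. Adding SHA-256 alongside the MD5 and SHA-1 the text mentions is current practice, not something the page states.

```python
"""Hash an image as it is acquired, verify it later, and localize a mismatch
between two reads of the same disc.

Added example, not code from the book or from CD/DVD Inspector. It works on
file-like objects, so a real acquisition would pass an opened block device
and output file; here the source is a constructed in-memory disc, and a
constructed second read differs in one sector to model a drive whose error
correction returned different bytes the second time.
"""
import hashlib
import io

SECTOR = 2048                          # user-data sector size of a CD-ROM/DVD image
DIGESTS = ("md5", "sha1", "sha256")    # MD5/SHA-1 as in the text; SHA-256 added as current practice


def image_and_hash(source, sink=None, chunk_size: int = 1 << 20) -> dict:
    """Copy source to sink in chunks, hashing the very bytes that are written.
    With sink=None only the digests are computed (the 'after' check). Hashing
    in the same pass means the recorded values describe the image file itself,
    not a separate re-read of the media, which on optical discs may differ."""
    hashes = {name: hashlib.new(name) for name in DIGESTS}
    while True:
        buf = source.read(chunk_size)
        if not buf:
            break
        if sink is not None:
            sink.write(buf)
        for h in hashes.values():
            h.update(buf)
    return {name: h.hexdigest() for name, h in hashes.items()}


def acquire(disc: bytes) -> tuple:
    """Image an in-memory 'disc' and return (image bytes, recorded hashes)."""
    sink = io.BytesIO()
    recorded = image_and_hash(io.BytesIO(disc), sink)
    return sink.getvalue(), recorded


def verify_image(image: bytes, recorded: dict) -> bool:
    """'After' check: the image still hashes to the values recorded at acquisition."""
    return image_and_hash(io.BytesIO(image)) == recorded


def differing_sectors(img_a: bytes, img_b: bytes, sector: int = SECTOR) -> list:
    """Sector numbers at which two images of the same disc disagree. A whole-image
    hash only says 'different'; this says where, which is what an examiner needs
    in order to judge whether a mismatch is a drive read quirk or an alteration.
    Length differences show up because a slice past the end is empty."""
    longest = max(len(img_a), len(img_b))
    return [n // sector for n in range(0, longest, sector)
            if img_a[n:n + sector] != img_b[n:n + sector]]


# Constructed "disc": eight sectors of deterministic, non-repeating bytes.
ORIGINAL = bytes((i * 31 + 7) & 0xFF for i in range(8 * SECTOR))

# Constructed second read of the same disc: identical except one bit in sector 5.
_second = bytearray(ORIGINAL)
_second[5 * SECTOR + 100] ^= 0x01
SECOND_READ = bytes(_second)

if __name__ == "__main__":
    image, recorded = acquire(ORIGINAL)
    print("image verifies against recorded hashes:", verify_image(image, recorded))
    image2, recorded2 = acquire(SECOND_READ)
    print("second read hashes match the first:", recorded2 == recorded)
    print("sectors that differ between the reads:", differing_sectors(image, image2))
```

The working rule in the text still applies: the recorded hashes are for checking that the one image file has not changed, and differing_sectors is a diagnostic for the case where someone has already re-imaged and found a mismatch, not a reason to make re-imaging routine.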
