DME Forensics Blog

Creating a Disk Image with DVR Examiner

April 20,2015 /

Getting Started With DVR Examiner /

0 Comments

Did you know that DVR Examiner has the capability to create forensically sound disk images?

There are a number of features in the Disk Imaging function of DVR Examiner that are unique and useful to many evidence technicians or case workers.

Scenario

You're working a case, and you need to have a secure copy of the original data in case something goes wrong with the original media. You also want to have a working copy that you can perform your analysis on or investigate further.

With other disk imaging programs, you'd have to either create an image and then copy that image, or create two separate images. That can be very time consuming, not to mention if you're working a forensic lab case, it's an expected best practice to hash the results to verify that they actually are an accurate representation of the original data or media. DVR Examiner can execute all of these actions in one step. You can create both a secure copy of the original and a working copy in a different location, as well as hashing both the source and the destination files, saving you effort and time in several different ways.

The file paths in the image are there for demonstration purposes only, we certainly don't recommend that you save evidence to your local hard drive!

There's one more feature you should be aware of in the Disk Imager, and that's the "stop on bad sectors" check box. We have this checked by default, however if you intend to walk away during the process it will stop the image creation process. We have it checked by default, because we want to make sure that we don't create an image by omitting bad sectors without authorization from the user. In some investigations it's very important to know about bad sectors, and with the box unchecked the imager will complete the image by omitting the bad sectors, and if the user is not aware of the situation they might miss crucial data.

DVR Examiner's imaging program creates "DD", or raw, images, which are the ideal way to work with images in DVR Examiner. Not sure what a DD image is? Check out this blog post on the difference between E01 images and DD images and how they affect the speed of dealing with DVR data.