DME Forensics Blog

Physical and Logical Sources

March 9,2015 /

Getting Started With DVR Examiner /

0 Comments

So now that you have DVR Examiner, what next?

DVR Examiner can operate on a number of different types of data including physical and logical sources, but we've found the best performance comes from using DD disk images. DD disk images usually have an extension of .001 and can be created using a number of different programs, we've included one in DVR examiner that you can read about in a future post from the Getting Started Series. You can also use FTK Imager, Encase Imager, and many other free programs to create these images. We prefer to deal with DD images for many reasons, we have a blog post dedicated solely to this topic here. We do support segmented disk images as well, but performance can be affected by the number of segments.

Imaging a disk has a two-fold benefit in this case. First, the data is secure and we don't need to keep a hard disk that may be damaged or failing powered on for an extended period. Second, the speed of accessing data on a local hard drive is usually faster than whatever connection you'd be using for an actual physical drive (USB, Firewire, eSATA, etc.).

Just because we prefer DD images doesn't mean that we won't work with other images. Many computer forensics examiners have used E01 images more often than DD images. The best way to work with an E01 image if you don't want to convert it to a DD is to mount it as a physical drive. Once the image is mounted, DVR Examiner treats it just like a physical disk.

Great, so how do you work with a physical disk? You always want to make sure that you're protecting your evidence, so we always recommend using some sort of write blocker. We prefer ComboDocks, but any write blocker will do. Here's an example:

Once you have your physical disk connected, you should be able to select it in the DVR Examiner source select window. Selecting a disk image works much the same, except you might need to browse to the file location to select it. Once you're past the source select screen, DVR Examiner is the same regardless of what type of media you're using, so now you're free to search, filter, preview and export to get the data you need with DVR Examiner!