Disk Imaging (Part 1) : Memory Acquisition & Encryption Checking
- Apr 25
- 12 min read

Imagine you need to make a perfect copy of everything on a hard drive—not just the files you see, but also hidden system data, partitions, and even deleted files that might still be recoverable.
This is where disk imaging comes in!
Whether you work in digital forensics or IT, or simply want to back up your system, disk imaging matters.
What is Disk Imaging?
Disk imaging is the process of creating an exact, bit-for-bit copy of a storage device (like a hard drive or SSD) and saving it as a file. Think of it as taking a snapshot of your entire drive, capturing everything from active files to hidden system data. This is different from just copying files, as it preserves the structure and details of the original disk.
However, an exact duplicate is not always achievable:
SSDs (Solid-State Drives) expose only the logical block space their controller presents. Wear levelling, spare (over-provisioned) blocks and TRIM mean the image captures what the controller reports, not the raw flash, and data from deleted files may already have been erased by the drive itself.
Bad sectors (damaged areas of a hard drive) cannot be read. Imaging tools typically skip them and write zeros in their place so the image keeps the same size and sector offsets; the unreadable ranges should be recorded in the acquisition log.
How Does Disk Imaging Work?
The disk imaging process involves three key components:
The Source Drive – This is the drive you want to copy.
A Write Blocker – A tool that prevents any accidental changes to the source drive while imaging.
Imaging Software – The program that reads the source drive and creates an image file.
Choosing the Right Image Format
When creating a disk image, you will typically save it in one of two formats:
E01 (Expert Witness Format, the EnCase evidence file) – The most common choice. It supports compression and splitting into segments, and it embeds acquisition metadata, per-chunk CRCs and an overall hash, so the file carries its own integrity check.
DD (RAW format) – A bit-for-bit copy with no compression and no embedded metadata. It takes more space and its hash must be recorded separately, but every tool can read it and it can be mounted or carved directly.
Some of the most widely used disk imaging tools include:
FTK Imager
X-Ways Imager
Guymager
DD (a classic command-line tool)
Steps to Create a Disk Image
Connect the source drive to your computer using a write blocker.
Start the imaging software and select the source drive.
Choose a destination location where the image file will be saved.
Select the format (E01 or DD) based on your needs.
Start the imaging process and wait for completion.
Once finished, most imaging software generates an acquisition log (dd is the exception: it only prints record counts, so you hash and log separately). This report contains:
Drive details (model, serial number, size, sector count, etc.)
A hash value (MD5, SHA-1 or SHA-256) used to verify that the image matches the source
Any errors, such as unreadable sectors and how they were handled
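The five steps above as a shell function, an added example that is not part of the original article. It images a source with dd in raw (DD) format, hashes source and image, and writes the log that dd itself does not produce. It assumes a Linux host with GNU coreutils; the source path (for example a drive attached through a write blocker that appears as /dev/sdb), the destination and the block size are parameters you choose. It also shows a caveat of conv=noerror,sync that bites in practice: a block size larger than the sector size pads the final short read, so the image ends up bigger than the source and the hashes no longer match.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): raw "dd" imaging with
# integrity verification and the acquisition log that dd does not write.
# Assumes a Linux host with GNU coreutils. SRC is normally a block device
# attached through a write blocker (e.g. /dev/sdb); a regular file also works.

# image_and_verify SRC DEST [BS]
# Images SRC to DEST, hashes both, and writes DEST.log.
# Returns 0 when the SHA-256 of source and image match, 1 otherwise.
image_and_verify() {
    local src="$1" dest="$2" bs="${3:-512}" log dd_status
    log="${dest}.log"

    # conv=noerror,sync keeps going past unreadable sectors and zero-pads each
    # short read to BS, so offsets in the image stay aligned with the source.
    # Caveat: the final read of a device is also a short read, so with a BS
    # larger than the sector size the image is padded past the true end of the
    # device and the hashes will not match. Use BS=512 (or the device's sector
    # size) with noerror,sync, or a forensic dd variant that handles this.
    dd_status=0
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>"$log" || dd_status=$?

    local src_size dest_size src_hash dest_hash
    # blockdev gives the true size of a block device; stat covers image files.
    src_size=$(blockdev --getsize64 "$src" 2>/dev/null || stat -c %s "$src")
    dest_size=$(stat -c %s "$dest")
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dest_hash=$(sha256sum "$dest" | cut -d' ' -f1)

    # Minimal acquisition log: what was imaged, when, how, and the hashes.
    {
        echo "acquired:     $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:       $src ($src_size bytes)"
        echo "image:        $dest ($dest_size bytes)"
        echo "block size:   $bs"
        echo "dd status:    $dd_status (read errors, if any, are listed above)"
        echo "sha256 src:   $src_hash"
        echo "sha256 image: $dest_hash"
    } >>"$log"

    [ "$src_hash" = "$dest_hash" ]
}

# Usage (as root, with the evidence drive behind a write blocker):
#   image_and_verify /dev/sdb /mnt/evidence/sdb.dd 512
```

A 512-byte block size is slow on a multi-terabyte drive. Forensic dd variants such as dc3dd and dcfldd handle error padding correctly at large block sizes and hash the data in the same pass, which is what you want there; the plain dd version above is for understanding what those tools do.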
Hardware vs. Software Imaging
While the above method uses software-based imaging (requiring a computer and write blocker), another option is hardware-based imaging.
Hardware Imaging Devices
A hardware imager is a standalone device that combines the functions of a computer, write blocker, and imaging software in one unit.
These devices:
Are faster and more efficient for large-scale imaging
Minimize errors and risks of accidental modifications
Can save images to another hard drive or even a network location (if supported)
However, be careful not to mix up the source and destination drives! Writing the image in the wrong direction overwrites the evidence drive, and that loss is irreversible.
How Long Does Imaging Take?
Disk imaging can take several hours, depending on:
The size of the drive
How much data is stored on it
The speed of the connection (USB, SATA, or network transfer)
While waiting, many forensic analysts take advantage of this time to review key data (a process called rapid triage), helping to identify important leads before the full image is ready.
Live vs. Dead Imaging: What’s the Difference?
Live Imaging – Done while the system is still running. This is the only way to capture volatile data such as running processes, open network connections, logged-on users and the decrypted contents of mounted encrypted volumes.
Dead Imaging – Performed after powering down the system. This is the traditional approach and is often used for full disk acquisitions.
Why Live Imaging Matters
A running system provides valuable forensic insights, such as:
What applications are currently running
Connected external devices (USBs, external drives, etc.)
Potential signs of tampering or malicious activity
If the system is off, you won’t get this real-time data. But if it's on, documenting its current state before imaging is crucial.
Old vs. Modern Forensic Acquisition Methods
In the past, forensic specialists followed a “dead box” approach, where the computer was shut down before data collection. This was because:
RAM (temporary memory) was small and not often considered valuable.
Encryption was rare, so the disk could be read in full after shutdown.
Today’s machines commonly use full-disk encryption, often tied to a TPM (Trusted Platform Module) that releases the key only on the original hardware during boot. If you shut down an encrypted device, the key leaves memory and the data stays inaccessible until a password, a recovery key or the original TPM unlocks it again, so live imaging matters more than ever.
How Were Systems Handled in the Past?
If it was a regular computer (not a server), forensics experts would unplug it directly.
If it was a server, they would shut it down properly to avoid issues with RAID configurations or system failures.
--------------------------------------------------------------------------------------------------------
Live Response
When dealing with a running system, the way you collect data can significantly impact an investigation. Unlike a powered-off system, where everything is static, a running machine holds volatile data that can be lost if not captured correctly.
Live response is the process of collecting critical data from a system that is still powered on. This includes memory (RAM), active processes, network connections, and encryption state.
Step 1: Document the System’s Status
Before interacting with the machine, it’s essential to document everything:
What’s displayed on the screen?
Are any applications open?
Are there external devices connected?
Is the system asleep or in hibernation mode?
Many computers may appear off when they are just in sleep mode. A simple press of the spacebar or mouse movement can wake them up. Also, check for indicator lights on the computer case—these can show that the system is still running.
Step 2: Determine the Order of Volatility
Volatile data disappears quickly once the system is shut down. This means you need to collect the most fragile information first.
The order of volatility in a forensic investigation is as follows:
Dump Memory (RAM) – This contains running programs, network sessions, user activity, passwords, and even malware that only exists in memory.
Check for Encryption – If encryption is present, shutting down the system could permanently lock the data.
Perform Triage Collection – Extract key artifacts from the live system for quick analysis while the full forensic image is created.
Step 3: Dump Memory (RAM)
RAM is one of the richest sources of forensic data, but also the most fragile. If the computer is turned off before capturing RAM, this data is gone forever.
💡 What can be found in RAM?
Running processes
Open files and directories
Network connections
Chat conversations
Encryption keys
Malware that exists only in memory
How to Capture RAM?
There are several tools available for memory acquisition, with Windows systems having more options than Macs. Before starting, decide whether to isolate the system from all networks (Ethernet and Wi-Fi). Isolation prevents remote interference, but it also tears down the live connections you may want to see in the dump, so record what is connected before you pull the cable.
To capture RAM:
✅ Use a USB drive or external SSD with forensic tools installed
✅ Store the memory dump on a fast external drive to speed up the process
✅ Use specialized tools like Volatility to analyze memory contents later
Important Considerations:
Mac computers are harder to acquire: macOS offers far fewer memory acquisition tools, and System Integrity Protection blocks the kernel extensions such tools need unless it is lowered.
Laptops should be plugged in to prevent power loss during acquisition.
Be careful with encryption keys: they often exist in RAM and can be recovered from the dump, but only if the dump is taken before shutdown.
Step 4: Check for Encryption
Encryption can be a major roadblock if not handled properly. Many modern computers use full-disk encryption with tools like:
BitLocker (Windows)
VeraCrypt
PGP Encryption
If the system is still running, the encrypted data is often accessible. The best approach is to create a logical volume image while the machine is still running. This ensures that decrypted data is preserved.
💡 If encryption is present:
✔️ Image the drive before shutting down
✔️ Extract encryption keys from memory (if possible)
✔️ If no encryption is detected, proceed with normal disk imaging
Step 5: Perform Triage Collection
While waiting for full disk imaging to complete, triage collection can provide fast insights. Using tools like KAPE, forensic examiners can extract:
Browser history
User activity logs
Recently opened files
System logs
This allows investigators to identify leads early without waiting hours for a complete forensic image.
Step 6: The Reality of Live Data Collection
Interacting with a running system always leaves some trace.
The key is to minimize changes and document everything.
💡 Common mistakes:
Shutting the system down too early and losing RAM data
Forgetting to disable network access, allowing remote tampering
Using slow USB drives that take too long to capture memory
Why RAM Collection Matters More Than Ever
With modern encryption and cloud-based applications, RAM is now more valuable than ever in forensic investigations. Unlike 15 years ago, when most data was stored on hard drives, today’s machines:
✔️ Have 8GB, 16GB, or even 32GB of RAM (containing a huge amount of data)
✔️ Store passwords, decryption keys, and session data in memory
✔️ Run software that only exists in RAM (fileless malware)
Step 7: Storage and Transfer of Memory Dumps
Since memory dumps can be large, choosing the right storage device is critical.
An external SSD is the best choice because of its high-speed data transfer.
Final Step: Document Everything!
Since live response actively changes system data, it’s crucial to:
📌 Take photos or videos of each step
📌 Write detailed notes on what actions were taken
📌 Record timestamps for each forensic operation
--------------------------------------------------------------------------------------------------------
Live Response Tools
When performing live forensics on a running system, one of the biggest challenges is introducing your tools without altering or corrupting evidence. While it may seem simple—just plug in a USB drive and start collecting data—there are several critical factors to consider.
Key Questions to Ask Before Deploying Live Response Tools
Before introducing any tools into a system, ask yourself:
✅ How much space will I need? (Memory dumps and disk images can be large.)
✅ How should my external drive be formatted? (NTFS for Windows, exFAT for cross-compatibility; avoid FAT32, whose 4 GB file-size limit cannot hold a memory dump.)
✅ What resources are available? (Are USB ports, network storage, or optical drives an option?)
✅ Can I trust the software already on the target system? (Always bring your own trusted binaries.)
✅ Are there any environmental restrictions? (Some locations, such as government facilities, may restrict USB devices.)
✅ Do I have a backup plan? (If my primary tool fails, do I have an alternative?)
Choosing the Right External Storage
Since live forensics often involves capturing large amounts of data (such as RAM dumps or forensic images), using a high-quality external storage device is crucial.
💡 Best Practices for External Storage Devices:
✔️ Use a large-capacity, high-quality external SSD for faster read/write speeds.
✔️ Format the drive as NTFS for Windows systems or exFAT for cross-platform compatibility.
✔️ Always document the details of the device before use.
Tracking USB Devices with NirSoft USBDeview
To maintain a proper chain of custody, document the details of your external storage using a tool like NirSoft USBDeview. This allows you to:
Record the make, model, and serial number of your USB device.
Include this information in your forensic reports, so that the device-insertion artifacts your own drive leaves on the suspect system (Windows records every USB device in the registry) can be attributed to you rather than mistaken for the suspect’s activity.
Where Should You Store Collected Data?
One of the biggest logistical challenges in live response is deciding where to store the collected data. This depends on:
The size of the storage device you’re imaging.
The amount of memory on the system.
The number of devices you need to process.
Storage Recommendations:
✅ External SSDs – The preferred option, but always bring more space than you think you’ll need. If you estimate needing 1TB, bring 4TB—unexpected extra data is common!
✅ Network Storage (Less Optimal) – If an external drive isn’t an option, a network share may work, but consider security risks (who else has access?).
✅ Chain of Custody Considerations – Keep strict control over the storage device to prevent tampering or unauthorized access.
Selecting the Right Live Response Tools
Once you have a storage device ready, the next step is choosing and deploying the right tools for live response. Your toolkit should include:
🔹 Memory collection tools (e.g., DumpIt, Belkasoft RAM Capturer, FTK Imager)
Command Line vs. GUI Tools
When performing live forensics, minimizing system impact is critical. Using command-line (CLI) tools instead of graphical user interface (GUI) tools can help:
✔️ Reduce memory usage
✔️ Minimize system modifications
✔️ Prevent unnecessary process execution
Top Memory Collection Tools for Live Forensics
1. DumpIt (by Comae Technologies)
Pros:
✅ Simple command-line tool with minimal system impact
✅ Can be executed without additional arguments for quick memory dumps
✅ Allows file compression to save space
Cons:
❌ Compressed files may not be compatible with all memory analysis tools
💡 Usage: To capture memory using DumpIt, simply execute:
DumpIt /OUTPUT <Name>
If run without arguments, DumpIt will prompt for confirmation before proceeding. The collected memory file will automatically be named with the machine name and timestamp.

2. Belkasoft RAM Capturer
Pros:
✅ Minimal GUI interface, reducing system modifications
✅ Uses kernel mode driver to bypass anti-forensic techniques
✅ Available as separate 32-bit and 64-bit builds, so only the code matching the host’s architecture runs
Cons:
❌ Requires administrator privileges (as does any tool that loads a kernel driver)
💡 Usage:
Launch Belkasoft RAM Capturer.
Select an output folder for the memory dump.
Click “Capture!” to start memory acquisition.

3. FTK Imager
Pros:
✅ Well-known forensic tool with wide industry adoption
✅ Can capture both memory and full disk images
✅ Provides verification logs for integrity checks
Cons:
❌ Older versions (pre-3.0.0) capture memory from user mode, which may limit access to certain memory areas
❌ Like any tool that runs on the live host, it can be deceived by a kernel-mode rootkit that hides or alters memory contents
💡 Important Note:
If using FTK Imager, update to version 3.0.0 or later to ensure kernel-level access to all memory areas.
Final Considerations: Ensuring a Secure and Effective Live Response
🔹 Plan ahead – Know the environment and what resources are available.
🔹 Minimize system impact – Use command-line tools whenever possible.
🔹 Document everything – Keep detailed records of every action taken.
🔹 Secure collected data – Store forensic images and memory dumps on encrypted, controlled-access storage.
🔹 Always have a backup plan – If one tool fails, be ready with an alternative.
--------------------------------------------------------------------------------------------------------
Handling Encrypted Drives
Encryption presents a major challenge in digital forensics. While forensic imaging techniques typically allow investigators to access data on a storage device, encryption software like BitLocker, VeraCrypt, and PGP can make this data completely inaccessible without the proper decryption key.
What Happens When a Drive is Encrypted?
If encryption is enabled, imaging the physical volume (even with a write blocker) only captures ciphertext, which is useless without the decryption key. This is especially problematic if the device is turned off because, in many cases, powering down the system leaves the data inaccessible until a password, a recovery key or the original TPM unlocks it again.
💡 Key Takeaways:
✔️ If encryption is detected, do NOT shut down the system before performing a live capture.
✔️ If the system is running, logical imaging may allow access to decrypted data.
✔️ Failing to check for encryption before imaging can result in lost evidence.
How to Detect Encryption on a Running System
To determine whether a system is using encryption, forensic analysts use specialized tools that can scan for encryption signatures. One such tool is Encrypted Disk Detector (EDD) from Magnet Forensics.
🔍 Using EDD to Identify Encrypted Volumes
EDD is a command-line tool that checks local physical drives for encryption software, including:
BitLocker (Windows)
VeraCrypt & TrueCrypt
PGP® (Pretty Good Privacy)
Checkpoint, Sophos, and Symantec encrypted volumes
💡 How EDD Works
I have written a complete article on EDD; do check it out, you will learn how to use the tool.
EDD does not locate encrypted container files that are not mounted, but other forensic tools can assist with that.
Handling VeraCrypt and TrueCrypt Encryption
VeraCrypt is the successor to TrueCrypt, and both function similarly:
🔹 Users create an encrypted container that appears as a mounted drive.
🔹 Files stored inside are inaccessible without a password or keyfile.
🔹 A hidden volume, with its own password, can be created inside the outer encrypted volume (plausible deniability).
Detecting VeraCrypt/TrueCrypt Artifacts
If a container is currently mounted, EDD will detect and flag it. However, once unmounted, traces of its existence may be deleted from the system.
💡 Registry Analysis for VeraCrypt/TrueCrypt
Older versions of these tools left traces in the Windows Registry under:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Older versions left artifacts there even after unmounting.
Newer versions delete their traces after unmounting (though remnants may still exist).
Pro Tip: Finding Encrypted Containers
Since encrypted containers store a large amount of data, they tend to be some of the biggest files on the system. You can identify them by:
✅ Scanning for large, unexplained files on the system.
✅ Ignoring system files like pagefile.sys and hiberfil.sys.
✅ Checking recently accessed files for unusual activity.
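The two checks this section describes, the boot-sector signature test that tools like EDD perform on volumes and the hunt for large, incompressible files as unmounted-container candidates, written as shell functions. This is an added example, not EDD or any code from the original article, and it assumes GNU coreutils plus gzip on a Linux examiner workstation (for example working on a mounted image). The 1 GiB size threshold and the 97% compressibility threshold are assumptions chosen for illustration. The BitLocker OEM signature -FVE-FS- at byte offset 3 is what Windows 7 and later write to a BitLocker volume’s boot sector; Vista-era volumes keep an NTFS-looking boot sector and are not caught by this check.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): encryption checks in shell.
# Assumes GNU coreutils and gzip. Thresholds below are illustrative choices.

# volume_signature DEV_OR_IMAGE
# Prints what the 8-byte OEM field at offset 3 of the first sector says:
# bitlocker, ntfs, exfat, fat or unknown. Run it against a block device
# (/dev/sdb1), a raw image, or a file suspected to be a volume image.
volume_signature() {
    local oem
    oem=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000')
    case "$oem" in
        '-FVE-FS-')  echo bitlocker ;;   # BitLocker volume (Windows 7 and later)
        'NTFS    ')  echo ntfs ;;
        'EXFAT   ')  echo exfat ;;
        MSDOS5.0|MSWIN4.1|mkfs.fat) echo fat ;;
        *)           echo unknown ;;     # no recognisable header
    esac
}

# looks_encrypted FILE
# Encrypted data is indistinguishable from random bytes and does not compress.
# Samples up to the first MiB and returns 0 when gzip saves less than 3%.
# Caveat: compressed media (zip, jpeg, mp4) is incompressible too, so treat a
# hit as a lead to confirm with file headers, not as proof of encryption.
looks_encrypted() {
    local f="$1" sample=1048576 size comp
    size=$(stat -c %s "$f")
    [ "$size" -lt "$sample" ] && sample=$size
    [ "$sample" -gt 0 ] || return 1
    comp=$(head -c "$sample" "$f" | gzip -1 -c | wc -c)
    [ $((comp * 100 / sample)) -ge 97 ]
}

# find_candidate_containers DIR [MIN_BYTES]
# Lists files larger than MIN_BYTES (default 1 GiB) that look encrypted,
# skipping pagefile.sys, hiberfil.sys and swapfile.sys as the text advises.
# Output: path, size in bytes, and the boot-sector verdict, tab separated.
# Limitation: paths containing newlines are not handled.
find_candidate_containers() {
    local dir="$1" min="${2:-1073741824}" f
    find "$dir" -xdev -type f -size +"${min}"c \
        ! -name pagefile.sys ! -name hiberfil.sys ! -name swapfile.sys \
        -print 2>/dev/null |
    while IFS= read -r f; do
        if looks_encrypted "$f"; then
            printf '%s\t%s\t%s\n' "$f" "$(stat -c %s "$f")" "$(volume_signature "$f")"
        fi
    done
}

# Usage on a mounted image of a suspect's C: drive:
#   volume_signature /dev/sdb1
#   find_candidate_containers /mnt/suspect_c
```

A candidate that reports unknown, is incompressible and has no plausible file type is a typical VeraCrypt or TrueCrypt container, which by design has no header signature. A candidate that reports bitlocker is a BitLocker To Go volume image or a virtual disk, worth its own acquisition.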
BitLocker Encryption: Challenges & Solutions
BitLocker is Microsoft’s built-in encryption tool, included with the Pro, Enterprise and Education editions of Windows (Ultimate on Vista and 7).
💡 How BitLocker Works:
✔️ Uses AES with 128-bit or 256-bit keys (XTS-AES on Windows 10 version 1511 and later).
✔️ Can be enabled and enforced via Group Policy (common in corporate environments).
✔️ Unlocks with a key protector: a TPM (transparent at boot on the original machine), TPM plus PIN, a password, a startup key on USB, or the 48-digit recovery password.
The Biggest Forensic Challenge with BitLocker
If a BitLocker-encrypted drive is removed from the original computer (or a TPM-protected system is powered off), the data is inaccessible without the recovery key or another protector.
However, if the system is still running and the volume is unlocked, forensic analysts can acquire the decrypted data without needing the key at all.
Two Ways to Handle BitLocker-Protected Drives
🔹 Option 1: Live Logical Imaging
If the system is running, image the logical drive instead of the physical disk.
This ensures you capture decrypted data.
🔹 Option 2: Recover BitLocker Keys
BitLocker generates a 48-digit recovery password during setup; users may save it to a file or USB drive, print it, or back it up to their Microsoft account.
In corporate settings, Group Policy commonly escrows recovery keys to Active Directory (or to Azure AD/Intune), so IT administrators may be able to supply them. On a live system the built-in manage-bde utility reports each volume’s protection status and its key protectors.
Best Practices for Handling Encrypted Systems
🔹 Always check for encryption before shutting down the system.
🔹 If encryption is detected, prioritize live imaging.
🔹 Use tools like EDD to scan for encryption software.
🔹 Look for large container files if encryption is suspected.
🔹 Consult Group Policy settings for corporate BitLocker deployments.
--------------------------------------------------------------------------------------------------------
Wrapping Up
Digital forensic acquisition is as much about strategy and preparation as it is about technical execution. Whether capturing volatile memory, imaging a disk, or handling encrypted data, the right approach can mean the difference between retrieving crucial evidence or losing it forever.
By following best practices, using trusted tools, and adapting to evolving challenges, forensic investigators can ensure data integrity, accuracy, and reliability in every case they handle. 🚀
---------------------------------------------Dean-------------------------------------------