- Acquisition or imaging is the first step of the forensic process and involves making a sector-by-sector duplicate of the original drive or device to preserve the data. This duplication includes hashing to verify the copy is intact. - Disk imaging copies every sector of the disk including file metadata, directory structure, and formats all information into binary 0s and 1s. - A write blocker is used to prevent modification of the original drive during duplication to avoid altering or contaminating the data. Clusters are the basic unit of storage on a hard drive, made up of sectors, and determine the smallest file size that can be stored.

1. IMAGE ACQUISITION
- Nithin

2. Forensic Process
• Acquisition or Imaging
• Analysis
• Reporting

3. Forensic Process
• Acquisition or Imaging
– Sector level duplication
– Hashing
• Analysis
• Reporting

4. Disk Imaging
• Sector by sector copying
• Archive files
– Meta data,
– File directory structure
• File Formats
– Information to 0’s and 1’s

5. • Write blocker
– Native
– Tailgate
• Cluster
– A single sector, on a standard hard drive is 512
bytes
– Group of sectors is clusters
– In a Windows pc a cluster has 8 sectors (4kB)
– 1 cluster is the smallest file size that a drive can
handle

6. Live Working on FTK imager

7. Thank you 