Compare Disk Images
Forensic Imaging and Analysis for Host-Based Investigation
What is Forensic Disk Imaging?
A forensic disk image is an exact, bit-for-bit copy of a storage device. Unlike a simple file copy, a forensic image captures every sector of the drive, including deleted files, slack space, and unallocated areas.
Why Imaging Matters for SOC Analysts
- Evidence preservation: Original drive remains untouched for legal proceedings
- Repeatability: Multiple analysts can examine identical copies
- Timeline analysis: Compare before/after states to identify attacker activity
- Chain of custody: Hash verification proves image integrity
- Recovery: Deleted files can be recovered from slack space
Forensic vs. Logical Copy
Bit-for-Bit Copy
- Captures entire drive sector by sector
- Includes deleted files and slack space
- Preserves file system metadata
- Can recover hidden/deleted data
- Legally defensible in court
Use for: Incident response, legal investigations
File-Level Copy
- Copies only visible files and folders
- Skips deleted files and slack space
- May miss hidden data
- Faster but less thorough
- Not forensically sound
Use for: Backups, data migration
Write Blockers
A write blocker is a hardware or software tool that prevents any data from being written to the evidence drive during imaging. This is critical for:
- Preventing accidental modification of evidence
- Maintaining chain of custody
- Ensuring legal admissibility
blockdev --setro /dev/sdb # Set device read-only
blockdev --getro /dev/sdb # Verify (returns 1 = read-only)
Disk Image Formats
Different formats have different capabilities. Choose based on your analysis needs:
| Format | Extension | Features | Common Tools |
|---|---|---|---|
| Raw/DD | .dd, .raw, .img |
Exact bit copy, no compression, universal | dd, dcfldd, dc3dd |
| E01 (EnCase) | .E01 |
Compression, built-in hash, case metadata | EnCase, FTK Imager |
| AFF | .aff |
Open source, compression, extensible metadata | Autopsy, Guymager |
| SMART | .s01 |
Compression, password protection | SMART Linux |
Imaging Tools
Click each tool to learn more:
dd / dcfldd
FTK Imager
Guymager
Autopsy
Hash Verification
Hashing proves the image is an exact copy of the original. Any change, even a single bit, produces a completely different hash.
Hash Comparison Demo
sha256sum evidence.dd > evidence.dd.sha256
# Verify hash
sha256sum -c evidence.dd.sha256
Why Compare Disk Images?
Comparing disk images helps analysts understand what changed during an incident:
- Baseline comparison: Compare known-good image to suspect system
- Timeline reconstruction: Identify when files were created, modified, or deleted
- Malware analysis: Detect malicious files dropped by attacker
- Persistence mechanisms: Find startup items, scheduled tasks, services added
- Data exfiltration: Identify files accessed or copied before incident
Interactive: Spot the Changes
Below is a comparison between a baseline image (before attack) and a compromised image (after attack). Identify the attacker's activity:
Baseline Image (Before)
Compromised Image (After)
Analysis Findings
- SAM modified: Possible credential theft or new account creation
- hosts file modified: DNS hijacking for C2 or phishing
- svchost.exe in Temp: Fake Windows process (malware masquerading)
- update.bat in AppData: Persistence mechanism via startup script
- invoice.pdf deleted: Possible anti-forensics or original attack vector
Comparison Techniques
| Technique | Description | Tools |
|---|---|---|
| Hash Sets | Compare file hashes against known-good/known-bad databases | NSRL, VirusTotal, HashSets |
| Timeline Analysis | Build chronological view of file system activity | Autopsy, Plaso/log2timeline |
| Registry Diff | Compare registry hives for persistence mechanisms | RegRipper, Registry Explorer |
| Binary Diff | Byte-level comparison of raw images | cmp, diff, vbindiff |
Disk Images Quiz
Test your understanding. You need 80% (4/5) to pass.