While physical imaging involves sector-for-sector copying of the whole evidence drive from the first LBA to the last one, logical acquisition implies bit-for-bit copying of the file structure.
Logical acquisition is handy when time is limited and you need to quickly start working with the file structure. At the same time, a logical image does not include remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, hash values of the source and the target will not be identical. Therefore, for an in-depth investigation, it is still preferable to use a physical image.
This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.
In the Imaging category of the left-side menu, there is the I want to image drop-down menu, where you can select the All sectors with data or All sectors with metadata option.
When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files.
By choosing the All sectors with metadata option, you can image the system structure without the data within its files (e.g. MFT in NTFS) for file browsing and selecting specific files to be imaged in full. For more information on this, please watch this video guide: Benefits of Imaging Metadata.
When you select either of these two options, the imaging log adds a message about the partitions Insight has been able to find.
Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.
This will open the Target port.
- Click the Scan partitions button
- Select any of the imaged partitions you want to
- Click the Open partition button
In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.
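The trade-off stated at the top of this guide (the target omits fragments of deleted files and its hash differs from the source) can be reproduced in a small simulation. This is an added example, not Atola's code: the 8-sector drive, the allocation list and the zero-filled gaps in the target are constructed assumptions.

```python
import hashlib

SECTOR = 512  # bytes per sector (assumed for this constructed drive)

def build_source():
    """Constructed 8-sector drive: LBAs 0-2 and 5 are allocated,
    LBA 4 holds the remnant of a deleted file, the rest was never written."""
    sectors = [bytes([i + 1]) * SECTOR for i in range(8)]
    sectors[3] = bytes(SECTOR)
    sectors[4] = b"DELETED!" * (SECTOR // 8)   # unallocated remnant
    sectors[6] = bytes(SECTOR)
    sectors[7] = bytes(SECTOR)
    allocated = [(0, 3), (5, 1)]  # (start LBA, sector count), hypothetical bitmap output
    return b"".join(sectors), allocated

def image_allocated(source, ranges):
    """Copy only the listed LBA ranges; all other target sectors stay zero-filled."""
    target = bytearray(len(source))
    for start, count in ranges:
        a, b = start * SECTOR, (start + count) * SECTOR
        target[a:b] = source[a:b]
    return bytes(target)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def range_hashes(image, ranges):
    """One digest per imaged range, comparable between source and target."""
    return {(s, c): sha256(image[s * SECTOR:(s + c) * SECTOR]) for s, c in ranges}

def verify(source, target, ranges):
    return {
        # Whole-drive digests differ because skipped sectors are not copied.
        "whole_drive_match": sha256(source) == sha256(target),
        # Digests over the imaged ranges still agree and can be documented.
        "imaged_ranges_match": range_hashes(source, ranges) == range_hashes(target, ranges),
        # The deleted-file remnant never reaches the selective image.
        "remnant_in_target": b"DELETED!" in target,
    }

if __name__ == "__main__":
    src, alloc = build_source()
    print(verify(src, image_allocated(src, alloc), alloc))
```

Hashing the imaged ranges on both sides gives a verifiable record for a selective image, while the whole-drive mismatch is the reason a physical image remains the reference copy.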