Overview

Typically, a binary image of a hard drive is immediately created when a forensic examination begins. This is done to stem the possibility of the hard drive contents being altered during examination. As long as this binary image is an exact bit-for-bit copy of the original hard drive, it can be used as a substitute for the hard drive itself.

There are many tools that can be used to create a binary image file from a hard drive. Copying sectors from the hard drive to some other type of media (including another hard drive) is all that is required. It is common practice to perform validations on a hard drive and its image contents to make sure that they are identical. Using a hash value such as Message Digest 5 (MD5) or Secure Hashing Algorithm 1 (SHA1) can validate that this has been done.

This has also been attempted with Compact Disc (CD) and Digital Versatile Disc (DVD) media, often using the same image file format. There are those in the forensic community that believe it is possible to create a binary image file that is identical to those created with hard drives; however, this is overlooks several important aspects of how such discs are written.

Compact Disk - Read Only Memory (CD-ROM) data discs and commercially produced DVDs can be imaged easily, because they contain one type of sector that begins with sector zero and extends to an endpoint on the disc.

User-recorded music discs are commonly...