Back to binalyze.com

Disk and Volume Imaging

The acquisition of physical disk images and volume images can be done via an Acquire Image Task in the UI or by using commands in an interACT session.

In addition to NTFS and FAT, AIR also supports the logical imaging of ext4 and ext3 volumes, as well as physical disk imaging, which is possible from all operating systems supported by the AIR Responder.

When performing forensic disk imaging on Mac devices with T2 or later chips, obtaining a physical disk image of APFS volumes is often ineffective. This is because the data on these disks is encrypted, and decryption is exclusively managed by the chip that originally encrypted the data. Consequently, decryption can only occur during the acquisition process using that specific chip.

For most investigative purposes, a logical collection of files using AIR acquisition profiles typically provides sufficient information. This method, supported by AIR, enables investigators to access and analyze the file system and its contents efficiently, thereby bypassing the complexities associated with Apple Silicon APFS-encrypted physical disk images.

In the AIR UI you select Assets from the primary menu and then in the Asset Info window when you select the Asset Actions button a drop-down menu appears listing the actions that can be applied to that individual asset. Acquire Image is one such option:

Disk and Volume Imaging: Acquire an image from a single asset

The Acquire Image wizard will now walk you through the steps needed to take a forensic image from the asset:

  1. Choose a Task Name.

  2. Select or create a case to which the image should be associated.

  3. Choose either the Volume or Disk tab (note that the size is displayed, so you can ensure the Repository has enough free space to hold the collected image).

  4. If there is more than one disk or volume, you can select the desired one by searching, filtering, or manually selecting it.

Disk and Volume Imaging: The Volume and Disk tabs

Having chosen what is to be imaged, you can now configure/set up the image file:

  1. Select an Evidence Repository to which the image file can be saved.

  2. Select your image format, RAW (dd) or EWF2 (Ex01), which is currently supported.

  3. For RAW (dd) only, a toggle switch provides users with the option to enable or disable the consolidation of physical disk or volume image files into a single zip file, eliminating the need to split them into separate chunks.

  4. For RAW (dd), if the 'single zip file' option is not toggled on, users will have the option to choose the size of image file chunks. If you want to use AIR's File Explorer to browse the image file, the image must be supplied to AIR from an SMB, SFTP, an Amazon S3 bucket, or Azure Blob Storage shared location, where it needs to be saved as a single contiguous RAW file or an EWF file which can be segmented. (Read more here: AIR File Explorer)

  5. Users can also choose to skip a configurable number of bytes before starting the imaging process.

Disk and Volume Imaging: Configuration setting for the image files

In the 'Resource Limits' section, as with other AIR taskings, you can set limits on the network bandwidth used during the image acquisition process. Meanwhile, the 'Compression and Encryption' section provides options for conserving storage space and enhancing the security of the gathered evidence.

The output of your imaging task will be located in the evidence repository you selected when building the task in the wizard. The metadata associated with the acquisition will also be found there and this is explained here: Understanding errors documented in the metadata.yml file

The acquired image can be investigated using the AIR File Explorer.

PreviousScheduling TasksNextImaging with interACT

Last updated

Was this helpful?