Disk and Volume Imaging
Last updated
Last updated
The acquisition of physical disk images and volume images can be done via an Acquire Image Task in the UI, or by using commands in an interACT session.
In addition to NTFS and FAT, AIR also supports the logical imaging of ext4 and ext3 volumes along with physical disk imaging which is possible from all of the operating systems supported by the AIR Responder.
When performing forensic disk imaging on Mac devices with T2 or later chips, obtaining a physical disk image of APFS volumes is often ineffective. This is because the data on these disks is encrypted, and decryption is exclusively managed by the chip that originally encrypted the data. Consequently, decryption can only occur during the acquisition process using that specific chip.
For most investigative purposes, a logical collection of files using AIR acquisition profiles typically provides sufficient information. This method, supported by AIR, allows investigators to access and analyze the file system and its contents efficiently, bypassing the complexities associated with Apple Silicon APFS encrypted physical disk images.
In the AIR UI you select Assets from the primary menu and then in the Asset Info window when you select the Asset Actions button a drop-down menu appears listing the actions that can be applied to that individual asset. Acquire Image is one such option:
The Acquire Image wizard will now walk you through the steps needed to take a forensic image from the asset:
Choose a Task Name.
Select or Create a case to which the image should be associated.
Choose either the Volume or Disk tab (note the size is displayed so you can be sure the Repository has enough free space to hold the collected image).
If there is more than one disk or volume you can select what you need by searching, filtering or by manual selection.
Having chosen what is to be imaged you can now configure/setup the image file:
Select an Evidence Repository to which the image file can be saved.
Select your image format, RAW (dd) or EWF2 (Ex01) is currently supported.
For RAW (dd) only, a toggle switch, gives users the option to enable or disable the consolidation of physical disk or volume image files into a single zip file, eliminating the need to split them into chunks.
For RAW (dd), if the 'single zip file' option is not toggled on, users will have the option to choose the size image file chunk sizes. If you want to use AIR's File Explorer to browse the image file, the image must be supplied to AIR from an SMB or SFTP shared location, where it needs to be saved as a single contiguous RAW file or an EWF file which can be segmented. (Read more here: AIR File Explorer)
Users can also choose to skip a configurable number of bytes before starting the imaging process.
In the 'Resource Limits' section, you can set limits on the network bandwidth used during the image acquisition process. Meanwhile, the 'Compression and Encryption' section provides options for conserving storage space and enhancing the security of the gathered evidence:
The output of your imaging task will be found in the location or evidence repository you selected when building the task in the wizard. The metadata associated with the acquisition will also be found there and this is explained here: Understanding errors documented in the metadata.yml file
