Disk and Volume Imaging

The acquisition of physical disk images and volume images can be done via an Acquire Image Task in the UI, or by using commands in an interACT session.

In the AIR UI, select Assets from the primary menu. In the Asset Info window, clicking the Asset Actions button opens a drop-down menu listing the actions that can be applied to that individual asset; Acquire Image is one such option.

The Acquire Image wizard will now walk you through the steps needed to take a forensic image from the asset:

  1. Choose a Task Name.

  2. Select or Create a case to which the image should be associated.

  3. Select an Evidence Repository to which the image file can be saved.

  4. Choose either the Volume or Disk tab (note the size is displayed so you can be sure the Repository has enough free space to hold the collected image).

  5. If there is more than one disk or volume you can select what you need by searching, filtering or by manual selection.

Having chosen what is to be imaged you can now configure the image file:

  1. A toggle switch gives users the option to enable or disable the consolidation of physical disk or volume image files into a single zip file, eliminating the need to split them into chunks.

  2. If the 'single zip file' option is not toggled on, users can choose the image file chunk size. If you want to use AIR's File Explorer to browse the image file, the image must be supplied to AIR from an SMB or SFTP shared location, where it needs to be saved as a single contiguous file. Segmented files are not currently supported.

  3. Users can also choose to skip a configurable number of bytes before starting the imaging process.
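Because File Explorer only accepts a single contiguous image file, a practitioner who collected a chunked image may need to reassemble the segments before placing them on the SMB or SFTP share. The following is an added example, not code from AIR or from Binalyze: it builds a constructed set of chunk files in a temporary directory, joins them in numeric order (so `part10` does not sort before `part2`), and verifies that the SHA-256 of the reassembled file matches the SHA-256 of the original data. The `.partNNN` naming is an assumption for the example only, not AIR's own segment naming.

```python
import hashlib
import tempfile
from pathlib import Path

BLOCK = 1024 * 1024  # read/write granularity for large images


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ordered_chunks(directory, prefix):
    """Return chunk files named <prefix>.partNNN sorted by their numeric
    suffix rather than lexically, which is the usual reassembly mistake."""
    chunks = [p for p in Path(directory).iterdir()
              if p.name.startswith(prefix + ".part")]
    return sorted(chunks, key=lambda p: int(p.name.rsplit(".part", 1)[1]))


def reassemble_chunks(chunk_paths, output_path):
    """Concatenate ordered chunks into one contiguous file.
    Returns (total_bytes_written, sha256_of_assembled_bytes)."""
    digest = hashlib.sha256()
    written = 0
    with open(output_path, "wb") as out:
        for chunk in chunk_paths:
            with open(chunk, "rb") as f:
                while True:
                    block = f.read(BLOCK)
                    if not block:
                        break
                    digest.update(block)
                    out.write(block)
                    written += len(block)
    return written, digest.hexdigest()


def demo():
    """Constructed sample: 10240 bytes split into 4096-byte chunks,
    reassembled and hash-verified. Returns a small result dict."""
    data = bytes(range(256)) * 40          # 10240 bytes of constructed image data
    expected = sha256_bytes(data)
    chunk_len = 4096
    with tempfile.TemporaryDirectory() as tmp:
        prefix = "disk.img"                # hypothetical image name
        # Write chunks with unpadded suffixes to show numeric ordering matters.
        for i, off in enumerate(range(0, len(data), chunk_len)):
            (Path(tmp) / f"{prefix}.part{i}").write_bytes(data[off:off + chunk_len])
        chunks = ordered_chunks(tmp, prefix)
        out = Path(tmp) / "disk.img"
        size, actual = reassemble_chunks(chunks, out)
        return {
            "chunk_count": len(chunks),
            "size": size,
            "hash_ok": actual == expected,
            "size_ok": size == sum(c.stat().st_size for c in chunks),
        }


if __name__ == "__main__":
    print(demo())
```

Compare the assembled file's hash against the hash recorded at acquisition time before handing the file to File Explorer; a mismatch means a missing, duplicated or mis-ordered segment rather than a problem with the share itself.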

In the 'Resource Limits' section, you can set limits on the network bandwidth used during the image acquisition process. The 'Compression and Encryption' section provides options for conserving storage space and protecting the gathered evidence.

The output of your imaging task will be found in the location or evidence repository you selected when building the task in the wizard. The metadata associated with the acquisition is saved there as well; it is explained on the next page: Understanding errors documented in the metadata.yml file.
