Years ago, when a system was suspected to have been compromised, incident handlers would run a few command‐line utilities to extract basic information from memory, then power off the system, remove the hard drive, and capture a forensic image of the system for analysis. This was done routinely across many systems when performing incident response. Although the approach to incident response has changed since then, capturing a forensically sound image of an impacted system is still an important skill for an incident responder to have. We may not make a full‐disk image of as many systems as in the past, instead relying on memory forensics, remote triage, and other updated techniques, but there are times when a full forensic image and subsequent analysis is the most appropriate step for an incident responder to take. Frequently, this analysis will be done on systems during the early stages of the incident to better understand the tactics, techniques, and procedures (TTPs) of the adversary, to identify potential indicators of compromise that can be used to locate other impacted systems, and to preserve evidence of the incident should it be needed for future legal action.

Protecting the Integrity of Evidence

Preserving the integrity of the evidence is the cornerstone of digital forensic imaging. The imaging process is not a simple copy of data from one device to another, but rather a scientifically verifiable activity that captures all the data contained on ...