9 EXTRACTING SUBSETS OF FORENSIC IMAGES

This chapter covers the selective extraction of data regions from an attached drive or a forensically acquired image file. You’ll learn to extract whole partitions, deleted or partially overwritten partitions, inter-partition gaps, and various volume and file slack areas. In addition, you’ll see how to extract special areas such as Unified Extensible Firmware Interface (UEFI) partitions, the sectors hidden by a DCO or HPA, and hibernation partitions such as Intel Rapid Start Technology.

The final sections demonstrate extraction of data from allocated and unallocated (possibly deleted) areas of the disk for ...

Get Practical Forensic Imaging now with the O’Reilly learning platform.
