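% Library-catalogue export for a reference on forensic disk-image acquisition.
% Per the contents list below, it covers write-blocking, image formats,
% cryptographic preservation of evidence and image integrity verification.
%
% Cleanup applied to the exported record:
%   - Trailing catalogue punctuation removed from author, title, publisher and
%     address. The trailing comma in the author field made BibTeX read
%     "Bruce" as the Jr part of the name.
%   - year reduced to four digits; the export carried a leading "c"
%     (copyright-date marker), which is not a valid year value.
%   - The title ended in " :", which suggests the export dropped a subtitle.
%     TODO: confirm the full title against the book.
%   - The table of contents moved from note (printed by most styles) to annote
%     (kept in the database, ignored by standard styles).
%   - Section boundaries inside each chapter were inferred from the run-on
%     catalogue text. TODO: verify against the book before quoting.
@book{6436,
  author    = {Nikkel, Bruce},
  title     = {Practical Forensic Imaging},
  publisher = {No Starch Press},
  address   = {San Francisco},
  year      = {2016},
  annote    = {Table of contents:
    Storage media overview for postmortem acquisition -- magnetic storage
    media; non-volatile memory; optical storage media; interfaces and physical
    connectors; commands, protocols and bridges; special topics; closing
    thoughts.
    Linux as a forensic acquisition platform -- Linux and OSS in a forensic
    context; Linux kernel and storage devices; Linux kernel and filesystems;
    Linux distributions and shells; closing thoughts.
    Forensic image formats and acquisition tools -- raw images; forensic
    formats; SquashFS as a forensic evidence container; closing thoughts.
    Forensic imaging preparation and setup -- maintain an audit trail;
    organize collected evidence and command output; assess acquisition
    infrastructure logistics; establish forensic write-blocking protection;
    closing thoughts.
    Attaching physical media to an acquisition host -- examine subject PC
    hardware; attach subject disk to an acquisition host; query the subject
    disk for information; enable access to hidden sectors; ATA password
    security and self-encrypting drives; etc.
    Forensic image acquisition -- acquire an image with dd tools; acquire an
    image with forensic formats; preserve digital evidence with cryptography;
    manage drive failure and errors; image acquisition over a network; etc.
    Forensic image management -- manage image compression; manage split
    images; verify the integrity of a forensic image; convert between image
    formats; etc.
    Accessing logical, virtual, and operating system encrypted images.
    Extracting subsets of forensic images -- assess partition layout and
    filesystems; partition extraction; other piecewise data extraction;
    closing thoughts.},
}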