Thursday, December 9, 2010

Computer Forensic Hard Drive Imaging Process Tree for Basic Training

I recently had a need for a simple decision tree for students to grasp and understand some of the options available to them when imaging a hard drive. I put together a simple decision tree and figured others may find it useful. Feel free to make additions or suggestions in the comments.


Anonymous Thursday, 09 December, 2010  

You may wish to add Chain of Custody steps if the decision tree is intended to be a learning tool for people that are new to forensics.

Lance Mueller Thursday, 09 December, 2010  


Excellent observation. For my purpose, I am covering that exact topic in a separate detailed module. This was meant to be a decision tree to explain what imaging options are available. You are correct, but for my intended use, I was not trying to cover all aspects of what a student needs to cover or think about when imaging, but more about imaging options.

Thanks for the observation and comment.

Andrew Hay Thursday, 09 December, 2010  

I'm a little concerned that you're suggesting people turn off the system simply because they can. What of the volatile data stored in memory and active running processes on the system?

Sure, shutting the system down is 'an option' but not necessarily the best option in all cases.

Perhaps you could adjust the tree to account for live data acquisition prior to taking the system offline for offline drive acquisition?

Anonymous Thursday, 09 December, 2010  

Why the power off? Seems like the tree leads you to shutting it down no matter what.

Rob Lee Thursday, 09 December, 2010  


Like the post and understand that this is about hard drive imaging. But Id include exactly where in the steps you would include volatile data and memory acquisition collection.

Also, in many cases removing a hard drive means you have to have an adapter. Id first check to see if you have the right adapter prior to removing the hard drive from the PC. If no adapter, Id imagine using a LiveCD.


Lance Mueller Thursday, 09 December, 2010  

@Andrew - No need to be concerned. This chart was meant to show options just for imaging. I cover volatile data collection in a separate module.

@Anon - there are times when power will remain on, but generally my students are law enforcement and seizure is part of the equation.

Lance Mueller Thursday, 09 December, 2010  

@Rob -

Great points. I was mulling over the previous comments and the idea of expanding it to include collection of volatile data to make it clear, but love your point about adapters! Thanks

SS Thursday, 09 December, 2010  

Hello Lance,

First of all, great post as always, kudos to you!

I cited your process tree, linking to your blog and added a process tree for remote acquisition considering volatile evidence in my blog:

original (in portuguese):

translated to english:


Sandro Süffert

Matt Anderson Friday, 10 December, 2010  


Great post. The only thing I would add is a quick look at processes running to see if encryption is part of the equation before shutting down.

I prefer to image machines that are turned off but have run into encryption before.

I'll be using this in class next week.

Thanks again.

Matt Anderson

deuter Friday, 10 December, 2010  

I'd also have a shot at adding a branch for the LiveCD imaging. Because of MBR encryptions, connectors (as mentioned above) or just because it's faster on many occasions.

What about imaging of Safeboot, Safeguard or Pointsec? A different tree? But would be definitely useful.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles