Drive Imaging

Creating and restoring drive image files

OSForensics™ drive imaging functionality allows the investigator to create and restore drive image files, which are bit-by-bit copies of a partition, physical disk or volume. Drive imaging is essential in securing an exact copy of a storage device, so it can be used for forensics analysis without risking the integrity of the original data. Conversely, an image file can be restored back to a disk on the system.

Creating a disk image makes use of the Volume Shadow Copy service built in to Windows. This allows OSForensics to make copies of drives that are in use without resulting in data corruption from reading files that are currently being written to. This is especially important for imaging system drives which Windows is constantly modifying.

OSForensics can create and/or restore images of various image file formats