A forensic image is a bit-for-bit copy of a storage device used for analysis without altering the original. Standard formats include E01 (EnCase format, with metadata and integrity hashes), AFF (Advanced Forensic Format), and raw dd (the simplest, no metadata). Created via write-blocker hardware that allows read-only access to the original drive. The basis of every device exam in litigation, criminal forensics, and incident response.
What it means in practice
The forensic image is what the analyst actually examines. The original is sealed and stored, the image is opened in EnCase, FTK, Magnet Axiom, or Autopsy, and analysis happens on the copy. The integrity hashes (MD5 and SHA-1 standard, SHA-256 increasingly) verify that the image matches the original at the moment of acquisition. Any tampering after that point fails the hash check, which is why chain-of-custody documentation matters: the image, the hashes, the timestamps, the analyst handling, all are recorded so the resulting evidence survives a courtroom challenge.
Who creates them, and why
Created by: forensic examiners in law enforcement (every federal computer-forensic lab, every state police forensic unit), corporate incident-response teams (Mandiant, CrowdStrike Services, Kroll, Stroz Friedberg) during breach response, civil-litigation forensic firms (Stroz, FTI, Kivu) during e-discovery and family-law disputes, and academic and commercial security researchers analyzing malware or compromised systems. The forensic image is the artifact that lets multiple parties (prosecution and defense, plaintiff and defendant) examine the same evidence independently without each handling the original device. For Predaxia readers, the forensic-image stage is where seized device contents become discoverable; understanding the workflow demystifies what happens after seizure.
What you can change today
The structural reality: if your device is seized and forensically imaged, every piece of data on the device at the moment of imaging is now in evidence and reproducible across the entire legal process. Privacy decisions need to be made before seizure, not after. Three implications. First, what should not be on the device cannot be added to the device “just for this trip”; the operational pattern is to use a clean device (see clean-device fiche). Second, encrypted volumes are still preserved in the image; the analyst gets the encrypted blob, and access depends on key availability. Third, deleted files are often still in the image; relying on the trash button is not a defense.
