
I am a bit confused by various sources about the abstraction level and layers that a file resides in for forensic imaging. I have found two slightly different explanations:

The first one includes:

  • a) Physical Layer (sectors, cylinders etc.)
  • b) Data Layer (unallocated space etc.)
  • c) Metadata Layer (i-nodes, alternate data streams etc.)
  • e) File System Layer (superblock, boot sector etc.)
  • f) File Name Layer

The second one includes:

  • a) Physical Media Layer (sectors, cylinders etc.)
  • b) Media File Layer (partitions etc.)
  • c) System Layer (boot sector etc.)
  • d) Application Layer (ascii etc.)

I notice there are some similarities, but I am trying to figure out whether the 1st one is an extension of the second or something else. Can anyone clear this up?

user3127632
  • 235
  • 2
  • 7

2 Answers

1

When you take a forensic image, you can generally take either a physical or logical image of a drive. See this article for the differences.

When you create a physical forensic image, your imager is reading the values of a drive bit by bit for the entire drive (unallocated space and all), whereas if you are taking a logical image, the imager queries the OS and retrieves only the 'active' bit values within the drive.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
1

So these two seem to have some overlap, with the first one being more detailed. Let me try to merge them:

a) Physical Layer, the bare drive (sectors, cylinders etc.)

    1. Unallocated space/slack space

b) Physical media Layer

    1. File System Layer (superblock, boot sector, partitions, etc.)

    2. File Metadata Layer (i-nodes, alternate data streams etc.)

    3. File Name/Application Layer (userland data, ASCII text, etc.)

Does this make more sense?

Also, to tie in Matthew Peters' question, imaging can happen at the Physical layer or the FS layer. Imaging at the Physical layer copies the bits as they are, damaged sectors and all. You also get what's called "slack space". Slack space is just unused sections of disk, but if something's deleted it's marked as "unused" typically. But the data is still living in slack space, ready to be lifted off a physical copy of the drive. Physical copying is the most complete, and recommended for forensic analysis. Logical copying is good if you can't turn off the system for imaging, or if physical copying is impossible.

Ohnana
  • 4,737
  • 2
  • 23
  • 39
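The difference both answers describe, as an added illustration rather than code from either answer: a toy medium with a constructed sector layout (64-byte sectors, a tiny JSON file table in sector 0), where "deleting" a file only removes its table entry. `physical_image()` returns every byte of the medium; `logical_image()` returns only what the table still lists, so the deleted file and the slack left behind when a sector is reused by a shorter file show up in the physical copy only. The sector size, table format and file names are all assumptions made for the example; real file systems are more involved, but the mechanism is the same.

```python
import json

SECTOR = 64   # bytes per sector (constructed; tiny so the image is readable)
SECTORS = 8   # sectors on the toy medium; sector 0 holds the file table

def _read_table(disk):
    raw = bytes(disk[:SECTOR]).rstrip(b"\x00")
    return json.loads(raw) if raw else {}

def _write_table(disk, table):
    raw = json.dumps(table, separators=(",", ":")).encode()
    assert len(raw) <= SECTOR, "toy table must fit in sector 0"
    disk[:SECTOR] = raw.ljust(SECTOR, b"\x00")

def write_file(disk, name, data, sector):
    """Write len(data) bytes at the sector start; older bytes left after it are file slack."""
    assert len(data) <= SECTOR and 1 <= sector < SECTORS
    disk[sector * SECTOR:sector * SECTOR + len(data)] = data
    table = _read_table(disk)
    table[name] = [sector, len(data)]
    _write_table(disk, table)

def delete_file(disk, name):
    """Unlink: drop the table entry only; the data sector is untouched."""
    table = _read_table(disk)
    del table[name]
    _write_table(disk, table)

def physical_image(disk):
    """Bit-for-bit copy: allocated, unallocated and slack bytes alike."""
    return bytes(disk)

def logical_image(disk):
    """What an OS-mediated acquisition returns: listed files, logical size only."""
    return {n: bytes(disk[s * SECTOR:s * SECTOR + sz])
            for n, (s, sz) in _read_table(disk).items()}

def demo():
    """Constructed scenario: one deleted file, one sector reused by a shorter file."""
    disk = bytearray(SECTORS * SECTOR)
    write_file(disk, "old.txt", b"SECRET: old payroll numbers", 2)
    write_file(disk, "tmp.bin", b"DELETED FILE CONTENT", 3)
    delete_file(disk, "old.txt")
    delete_file(disk, "tmp.bin")
    write_file(disk, "note.txt", b"hi", 2)  # reuses sector 2; old bytes become slack
    phys, logical = physical_image(disk), logical_image(disk)
    in_phys = b"payroll numbers" in phys and b"DELETED FILE" in phys
    in_logical = any(b"payroll" in v or b"DELETED" in v for v in logical.values())
    return in_phys, in_logical, logical
```

`demo()` returns `(True, False, {'note.txt': b'hi'})`: the remnants are recoverable from the physical image but invisible to the logical one, which is why the physical copy is the one you want for analysis.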