The BitCurator environment includes Guymager, an open-source, graphical application for creating disk images. Guymager supports raw dd, E01, and AFF image formats. The latter two formats are commonly used in the digital forensics community and can incorporate metadata about the original media into the disk image itself.
- Create a directory in which to store your disk image by opening up Nautilus (the "Home" folder on the top left-hand side of the screen) and right clicking anywhere on the white background. Select "Create New Folder" from the drop-down menu. Name the folder as you see fit; we will use the folder name "diskimages" in this example.
Make sure to safely mount the device, enable read-only enforcement, and/or use a write blocker in order to prevent inadvertently writing data back to the disk. The BitCurator environment is set up to enforce read-only access by default.
Connect the device you wish to image to your computer (USB flash drive, CD-ROM, hard drive, or floppy disk drive).
Note: A device does not need to be mounted in order to be imaged by Guymager, and BitCurator will not mount devices automatically (the icon that appears in the Unity bar on the left indicates that the device is attached, rather than mounted). If you need to examine the contents of the disk before creating the disk image, you can safely mount the device. Simply clicking on the device icon will safely mount (in read-only mode) the readable filesystem(s) on that device.
- Open Guymager by opening the "Imaging Tools" folder on the desktop and then double clicking on the Guymager icon.
When Guymager launches, it will display a list of all mounted disks on the system. Identify the disk you wish to image in this list, right click on its listing, and select "Acquire image" (see Figure 1).
Figure 1: Click on "Acquire image" to begin the imaging process.
Clicking on "Acquire image" will open the Acquire Image window. In this window you will first select the disk image format you would like to use. The options include Linux dd raw image, Expert Witness Format (.E01), and Advanced Forensic Format (.AFF; see Figure 2). An Expert Witness or AFF image will store user-added metadata within the forensically-packaged image.
Note: If you choose either Linux dd or Expert Witness format, you have the option to split the image into multiple files, thus making it more easily transferable. So, for example, a 4GB image could be split into four 1GB files, or two 2GB files, etc.
Figure 2: Select the image format type and input metadata.
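The write-protection precaution in the steps above can be confirmed from a terminal before opening Guymager. The following is an added example, not part of the original guide or of BitCurator; the function names `ro_flag`, `rw_mounts`, and `check_device`, the device names, and the sample mount table are assumptions constructed for illustration.

```shell
# Pre-acquisition write-protection check (added example, hypothetical helpers).

# ro_flag NAME [SYSFS_ROOT]: print the kernel read-only flag (1 = read-only)
# for block device NAME (e.g. sdb), read from /sys/class/block/NAME/ro.
ro_flag() {
    cat "${2:-/sys/class/block}/$1/ro" 2>/dev/null || echo "unknown"
}

# rw_mounts NAME [MOUNTS_FILE]: print mount points where NAME or one of its
# partitions is mounted read-write. Input uses the /proc/mounts layout:
# source mountpoint fstype options dump pass
rw_mounts() {
    awk -v dev="/dev/$1" '
        index($1, dev) == 1 && substr($1, length(dev) + 1) ~ /^(p?[0-9]+)?$/ {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") print $2
        }' "${2:-/proc/mounts}"
}

# check_device NAME [SYSFS_ROOT] [MOUNTS_FILE]: print a one-line verdict.
check_device() {
    cd_flag=$(ro_flag "$1" "$2")
    cd_mounts=$(rw_mounts "$1" "$3" | tr '\n' ' ')
    if [ -n "$cd_mounts" ]; then
        echo "FAIL $1: mounted read-write at ${cd_mounts% }"
    elif [ "$cd_flag" = "1" ]; then
        echo "OK $1: kernel read-only flag set, no read-write mounts"
    else
        echo "WARN $1: no read-write mounts, but kernel ro flag is $cd_flag"
    fi
}

# Constructed sample data: a fake sysfs tree and mount table for a demo run.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/sys/sdb" "$demo/sys/sdc"
echo 1 > "$demo/sys/sdb/ro"; echo 0 > "$demo/sys/sdc/ro"
cat > "$demo/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/EVIDENCE vfat ro,nosuid,nodev 0 0
/dev/sdc1 /media/user/USB vfat rw,nosuid,nodev 0 0
EOF
check_device sdb "$demo/sys" "$demo/mounts"
check_device sdc "$demo/sys" "$demo/mounts"
```

On a live system, call `check_device sdb` with no further arguments to read the real `/sys/class/block` and `/proc/mounts`, replacing `sdb` with the device you attached. A WARN verdict means protection depends on a hardware write blocker or on the device staying unmounted.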