bit for bit copy?

USB Image Tool support forum
Post Reply
stepheng
Posts: 2
Joined: Tue Jan 29, 2013 11:27 pm

bit for bit copy?

Post by stepheng » Tue Jan 29, 2013 11:31 pm

Alex,

First I want to say this is a great tool and I have been using it quite often over the last few years. A question comes to mind though as I am currently enrolled in a Forensics class and learning all about very expensive software for creating a bit for bit copy of an drive. I searched previous posts and I seen that you have mentioned in the past 1:1 copies, when this terminology is being used is that synonymous for bit for bit? My initial guess is yes because the file size fits the drive and why such if it is not retaining all information including slack and files outside of the allocation table but your confirmation would mean close the question.

Could you please confirm one way or the other?

Thanks in advance,
- Stephen

Alex
Site Admin
Posts: 235
Joined: Fri Jul 29, 2011 11:59 pm

Re: bit for bit copy?

Post by Alex » Thu Jan 31, 2013 9:33 pm

In device mode, a 1:1 copy means, that all accessible bytes are copied to the image file. This also includes the boot sector (the first 512 bytes) and areas, that are not covered by a partiton. These areas are not accessible by file systems, but still might contain data, that somebody write to that sectors with the same low level access to the device, that is used by USB Image Tool.

Forensics, however, may be a more complex issue. As far as I know, at least in Germany there are more requirements to be met, if you want to use forensic data in court. To my knowledge, the method of data retrieval has to be guarantied not to modify the data. This might require special hardware. I can't remember, where I read this info exactly, but maybe this helps you a little bit with you question.

stepheng
Posts: 2
Joined: Tue Jan 29, 2013 11:27 pm

Re: bit for bit copy?

Post by stepheng » Fri Feb 01, 2013 7:44 pm

Alex,

Of course what is technically considered an exact copy and what is determined by law are completely separate things and unfortunately law is not written by engineers. I believe I understand your answer correctly, from a strictly technical point of view, it is in fact a bit for bit copy. Any data that is on the device is extracted during the imaging process and will be in the image.

Thanks again,
- Stephen

Post Reply