Windows Forensics Cookbook

How to do it...

There are two ways of initiating the drive imaging process:

  1. Using the Create Disk Image button from the toolbar (Figure 3.1)
Figure 3.1. Create Disk Image button on the toolbar
  2. Using the Create Disk Image... option from the File menu (Figure 3.2)
Figure 3.2. Create Disk Image... option in the File Menu

You can choose whichever option you prefer.

The first window you see is Select Source. Here, you have five options:

  • Physical Drive: This allows you to choose a physical drive as the source, with all partitions and unallocated space.
  • Logical Drive: This allows you to choose a logical drive as the source, for example, the E:\ drive.
  • Image File: This allows you to choose an image file as the source, for example, if you need to convert your forensic image from one format to another.
  • Contents of a Folder: This allows you to choose a folder as the source. Of course, no deleted files will be included.
  • Fernico Device: This allows you to restore images from multiple CD/DVDs.

Of course, we want to image the whole drive to be able to work with deleted data and unallocated space, so:

  1. Let's choose the Physical Drive option.
The evidence source mustn't be altered in any way, so make sure you are using a hardware write blocker. You can use the one from Tableau, for example. These devices allow acquisition of drive contents without creating the possibility of modifying the data.
Figure 3.3. FTK Imager Select Source window
  2. Click Next and you'll see the next window, Select Drive.
  3. Now choose the source drive from the drop-down menu; in our case it's \\.\PHYSICALDRIVE2.
Figure 3.4. FTK Imager Select Drive window
  4. Now that the source drive has been chosen, click Finish.
  5. The next window is Create Image. We'll get back to this window soon, but for now, just click Add...
  6. It's time to choose the destination image type. As we decided to create our image in EnCase's Evidence File format, let's choose E01.
Figure 3.5. FTK Imager Select Image Type window
  7. Click Next and you'll see the Evidence Item Information window.

Here, we have five fields to fill in: Case Number, Evidence Number, Unique Description, Examiner, and Notes. All fields are optional.

Figure 3.6. FTK Imager Evidence Item Information window
  8. Fill in the fields, or skip them if you prefer, then click Next.
  9. Now choose the image destination. You can use the Browse button for this.
  10. Also, fill in the image filename.

If you want your forensic image to be split, choose a fragment size (in megabytes). The E01 format supports compression, so if you want to reduce the image size, you can use this feature; as you can see in figure 3.7, we have chosen compression level 6. And if you want the data in the image to be secured, use the AD Encryption feature.

AD Encryption encrypts the whole image, so not only is the raw data encrypted, but so is any metadata. Each segment or file of the image is encrypted with a randomly generated image key using AES-256.
Figure 3.7. FTK Imager Select Image Destination window

We are almost done.

  11. Click Finish and you'll see the Create Image window again.
  12. Now look at the three options at the bottom of the window.

The verification process is very important, so make sure the Verify images after they are created option is ticked; it confirms that the hashes of the source and of the image are equal. The Precalculate Progress Statistics option is also very useful: it shows you the estimated time remaining during the imaging process. The last option creates directory listings of all files in the image for you, but of course, it takes time, so use it only if you need to.

Figure 3.8. FTK Imager Create Image window
  13. All you need to do now is click Start.

Great, the imaging process has started! Once the image has been created, the verification process starts.

  14. Finally, you'll get a Drive/Image Verify Results window, like the one shown in figure 3.9.
Figure 3.9. FTK Imager Drive/Image Verify Results window

As you can see, in our case the source and the image are identical: both hashes matched. In the folder with the image, you will also find an info file with valuable information such as the drive model, serial number, source data size, sector count, MD5 and SHA1 checksums, and so on.
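The verification step and the info file give you everything needed to repeat the check later, outside FTK Imager, for example before testifying or after the image has been copied to another system. The Python example below is added here and is not code from the book or from FTK Imager: it parses the acquisition-time hashes from a summary file whose layout is a constructed approximation of FTK Imager's info file, then re-hashes a raw source stream once for both MD5 and SHA1 and compares. An E01 must first be decoded (for example with libewf) to obtain that raw stream; hashing the .E01 container itself will never match the source hashes.

```python
import hashlib
import io
import re

# Constructed summary file, modelled on FTK Imager's info file layout (assumption);
# the hashes are those of the 3-byte constructed "source" b"abc" used below.
SAMPLE_INFO = """\
Created By AccessData FTK Imager (constructed sample)

[Physical Drive Information]
 Drive Model: Example Disk
 Source data size: 3 Bytes
 Sector count:    1
[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d

Image Verification Results:
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d : verified
"""

HASH_RE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.M)


def parse_hashes(info_text):
    """Return {'MD5': ..., 'SHA1': ...} taken from the [Computed Hashes] block only."""
    start = info_text.find("[Computed Hashes]")
    if start == -1:
        return {}
    end = info_text.find("Image Verification Results:", start)
    block = info_text[start:end if end != -1 else None]
    return {name.upper(): value.lower() for name, value in HASH_RE.findall(block)}


def hash_stream(stream, chunk_size=1 << 20):
    """One pass over the raw source, feeding both digests, as the imager's verify does."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}


def verify(stream, info_text):
    """True only if both recomputed digests equal the acquisition-time hashes."""
    expected = parse_hashes(info_text)
    actual = hash_stream(stream)
    return all(expected.get(name) == actual[name] for name in ("MD5", "SHA1"))


def verify_bytes(data, info_text):
    """Convenience wrapper for in-memory data (e.g. a decoded E01 held in RAM)."""
    return verify(io.BytesIO(data), info_text)
```

Running `verify_bytes(b"abc", SAMPLE_INFO)` returns True, while a single changed byte (`b"abd"`) or a summary without a [Computed Hashes] block returns False, so a missing hash is treated as a failed verification rather than a pass.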