Born-Digital Archives

To create a forensic disk image you connect the source media through a write blocker, run an imager such as Guymager or ewfacquire that captures every sector to an .E01 file, and let it verify the source and image hashes match. That single artefact, plus its embedded metadata, becomes the authoritative copy from which you do all further work. The point is not crime-scene drama; it is that a sector-level image preserves structure, timestamps and deleted content that a plain file copy throws away.

Why a forensic image beats a simple file copy

A drag-and-drop copy grabs only the files the operating system chooses to show, and it updates access timestamps as it goes. A forensic image captures the whole block device: allocated files, unallocated space, file-system journals and the original timestamps. For born-digital archives this matters because the arrangement of files, the dates and the residue of deleted drafts are part of the record's evidential value, not noise to be discarded.

What hardware do you set up first?

Put a hardware write blocker between the source media and your workstation. These devices physically refuse write commands, so the host cannot mount and modify the disk before you start. A practical bench for mixed media includes a forensic bridge for IDE/SATA drives, a USB write blocker, and a controller such as a KryoFlux or Greaseweazle for floppies. Label and photograph each item before connecting it; that photograph is the start of your chain of custody.

How do you actually capture the image?

On a BitCurator workstation, Guymager offers a graphical capture with a live hash. For scripted or headless work, ewfacquire is the standard:

```bash
# -t takes the target path without the .E01 extension; -u runs unattended,
# which scripted or headless capture needs so ewfacquire does not prompt.
ewfacquire -t /mnt/store/ACC-2025-042/image \
  -u \
  -f encase6 \
  -c best \
  -S 4GiB \
  -d sha256 \
  -C "ACC-2025-042" \
  -D "Smith laptop HDD" \
  /dev/sdc
```

The -S 4GiB flag splits the image into segments that copy cleanly to FAT-limited or cloud storage, and -d sha256 records a strong hash inside the image itself.

How do you handle a failing or degraded disk?

Do not point a verifying imager at a dying drive; one bad sector can hang the whole job. Image with ddrescue first, which keeps a mapfile so it can skip ahead, then retry the gaps:

```bash
# Pass 1: grab everything readable, fast, no scraping (-n)
ddrescue -n /dev/sdc rescue.img rescue.map
# Pass 2: direct disc access (-d), retry the hard sectors three times each (-r3)
ddrescue -d -r3 /dev/sdc rescue.img rescue.map
```

Then run your format and hash tools against rescue.img. The mapfile is itself preservation metadata: it documents exactly which regions could not be read.
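Because the mapfile is structured text, the regions it reports as unread can be pulled out mechanically for the accession record. The following Python is an added example, not code from the page or from ddrescue: the mapfile contents are a constructed sample, and the sector arithmetic assumes 512-byte sectors unless told otherwise.

```python
from dataclasses import dataclass, field

# Block status characters as ddrescue writes them in the mapfile body.
STATUS_NAMES = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
                "-": "bad-sector", "+": "finished"}

# Constructed sample mapfile: a 2 GiB disk with one 4 KiB region that never read.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue version 1.27
# Command line: ddrescue -d -r3 /dev/sdc rescue.img rescue.map
# current_pos  current_status  current_pass
0x00000000     +               3
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00001000  -
0x00101000  0x7FEFF000  +
"""

@dataclass
class MapSummary:
    finished: bool                    # status line carries '+': ddrescue has finished
    current_pass: "int | None"
    bytes_by_status: dict = field(default_factory=dict)
    unreadable: list = field(default_factory=list)   # (start, size) of every non-finished block

def parse_mapfile(text: str) -> MapSummary:
    """Parse mapfile text; the first data line is the status line, the rest are blocks."""
    summary = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if summary is None:
            # Status line: current_pos current_status [current_pass]
            current_pass = int(fields[2]) if len(fields) > 2 else None
            summary = MapSummary(fields[1] == "+", current_pass,
                                 {name: 0 for name in STATUS_NAMES.values()})
            continue
        pos, size, status = int(fields[0], 16), int(fields[1], 16), fields[2]
        summary.bytes_by_status[STATUS_NAMES[status]] += size
        if status != "+":
            summary.unreadable.append((pos, size))
    if summary is None:
        raise ValueError("no status line found; not a ddrescue mapfile")
    return summary

def unreadable_sectors(summary: MapSummary, sector_size: int = 512):
    """Express each gap as (first_sector, sector_count) for the accession log."""
    return [(start // sector_size, -(-size // sector_size)) for start, size in summary.unreadable]
```

Run it over the real rescue.map and copy the sector ranges into the log next to the hash; any block still marked non-tried or non-scraped means the rescue is not finished.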

Which image format should you choose?

| Format         | Compression | Embedded hash | Best for                     |
|----------------|-------------|---------------|------------------------------|
| EWF (.E01)     | Yes         | Yes           | Default archival capture     |
| Raw (.dd/.raw) | No          | No (external) | Tool compatibility, carving  |
| AFF4           | Yes         | Yes           | Large or sparse modern disks |

EWF is the safe default. Keep a raw export only if a downstream carving or emulation tool cannot read EWF.

How do you verify and record the capture?

After acquisition, confirm the source hash equals the image hash; the imager reports this, but record the value yourself in the accession log. A minimal log entry pairs the identifiers with the proof:

```text
accession:   ACC-2025-042
source:      Smith laptop HDD, S/N WD-XYZ123
imager:      ewfacquire 20140807
sha256:      9f2c...e41a (source == image: PASS)
operator:    E. Reed
date:        2025-03-11
```
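Re-checking a raw export against the hash copied into that log entry, for instance after a storage migration, is the one case where the checksum lives outside the image. The following Python is an added example, not code from the page or from any imaging tool; it assumes a raw image split into numbered segments named image.001, image.002 and so on, and hashes them as one continuous stream, because hashing each segment on its own never reproduces the source hash.

```python
import hashlib
import re
from pathlib import Path
from typing import Iterable

# Known-answer value used by the self-check below: SHA-256 of the bytes b"abc".
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """Hash a stream chunk by chunk so a multi-terabyte image never sits in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def find_segments(base: Path) -> list:
    """Collect base.001, base.002, ... in numeric order, so .1000 follows .999."""
    pattern = re.compile(re.escape(base.name) + r"\.(\d{3,})$")
    found = [(int(m.group(1)), p) for p in base.parent.iterdir()
             if (m := pattern.match(p.name))]
    return [p for _, p in sorted(found)]

def read_segments(paths, chunk_size: int = 4 * 1024 * 1024):
    """Yield the segments' bytes back to back: the hash of this stream is the source hash."""
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                yield chunk

def verify_stream(chunks: Iterable[bytes], recorded_sha256: str) -> dict:
    """Compare the computed hash with the value copied from the accession log."""
    expected = recorded_sha256.strip().lower()
    actual = sha256_of_chunks(chunks)
    return {"expected": expected, "actual": actual, "match": actual == expected}

def verify_image(base: Path, recorded_sha256: str) -> dict:
    """Verify a split raw image (base.001, base.002, ...) against the logged hash."""
    paths = find_segments(base)
    if not paths:
        raise FileNotFoundError(f"no segments named {base.name}.NNN in {base.parent}")
    return verify_stream(read_segments(paths), recorded_sha256)

if __name__ == "__main__":
    # Offline self-check with constructed data; replace with the accession's base path.
    print(verify_stream([b"a", b"bc"], SHA256_ABC))   # match: True
```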

What pitfalls trip people up?

  • Forgetting the write blocker and mounting the source read-write by accident.
  • Verifying an image of a failing disk and stalling for hours on bad sectors.
  • Saving the image without recording the matching source hash.
  • Choosing raw format and then losing the external checksum file.
  • Deleting the image once files are extracted, discarding the authoritative source.

Key Takeaways

  • Image at the sector level so structure, timestamps and deleted data survive.
  • Always interpose a hardware write blocker on writable media.
  • Default to EWF (.E01); fall back to raw only for tool compatibility.
  • Use ddrescue with a mapfile for degraded disks, then image the result.
  • Confirm source and image hashes match and log the value.
  • Keep the disk image for the life of the accession, not just until extraction.

Frequently Asked Questions

Why image a disk instead of just copying the files?

A forensic image captures every sector, including slack space, deleted entries and the file system structure, not only the visible files. It also freezes timestamps and lets you prove the source was never altered.

What image format should an archive use?

The Expert Witness Format (.E01) is the common choice because it stores compression, an embedded hash and case metadata in one file. Use raw .dd or .raw only when a downstream tool requires it.

Do I always need a hardware write blocker?

For any media that can be written to, yes. A hardware write blocker is the most reliable guarantee that imaging cannot alter the source; software blocking is a fallback, not a replacement.

How do I prove the image is faithful?

Compute a hash of the source during acquisition and a hash of the resulting image, then confirm they match. Tools such as Guymager and ewfacquire verify this automatically and record it in the metadata.

What about disks with bad sectors?

Use a recovery-aware imager such as ddrescue with a mapfile, which retries and logs unreadable areas without stalling, then image the recovered file rather than the failing disk.

How long should I keep the disk image after extracting files?

Retain it for the life of the accession where storage allows. The image is the authoritative source and may hold context, deleted data or recoverable formats you have not yet needed.