Creating a Disk Image Using Guymager

From BitCurator

The BitCurator environment includes Guymager, an open-source, graphical application for creating disk images. Guymager supports raw dd, E01, and AFF image formats. The latter two image formats are commonly used in the digital forensics community and can incorporate metadata about the original media into the disk image itself.

If you'd prefer following video instructions, check out the screencast version of this tutorial in our video gallery.

Step 1

Create a directory in which to store your disk image by opening up Nautilus (the "Home" folder on the top left-hand side of the screen) and right clicking anywhere on the white background. Select "Create New Folder" from the drop-down menu. Name the folder as you see fit; we will use the folder name "diskimages" in this example.

Step 2

Make sure to safely mount the device, enable read-only enforcement, and/or use a write blocker in order to prevent inadvertently writing data back to the disk. The BitCurator environment is set up to enforce read-only access by default.

Connect the device you wish to image to your computer (USB flash drive, CD-ROM, hard drive, or floppy disk drive). Note: A device does not need to be mounted in order to be imaged by Guymager, and BitCurator will not mount devices automatically (the icon that appears in the Unity bar on the left indicates that the device is attached, rather than mounted). If you need to examine the contents of the disk before creating the disk image, you can safely mount the device. Simply clicking on the device icon will safely mount (in read-only mode) the readable filesystem(s) on that device.

Step 3

Open Guymager by opening the "Imaging Tools" folder on the desktop and then double clicking on the Guymager icon.

Step 4

When Guymager launches, it will display a list of all mounted disks on the system. Once again identify the disk you wish to image, right click on its listing, and select "Acquire image" (see Figure 1).

Figure 1: Click on "Acquire image" to begin the imaging process.

Step 5

Clicking on "Acquire image" will open the Acquire Image window. In this window you will first select the disk image format you would like to use. The options include Linux dd raw image, Expert Witness Format (.E01), and Advanced Forensic Format (.AFF; see Figure 2). An Expert Witness or AFF image will store user-added metadata within the forensically-packaged image. Note: If you choose either Linux dd or Expert Witness format, you have the option to split the image into multiple files, thus making it more easily transferable. So, for example, a 4GB image could be split into four 1GB files, or two 2GB files, etc.

Figure 2: Select the image format type and input metadata.

Step 6

After selecting the image format type, fill out the metadata as needed. E01 and AFF images were designed for the digital forensics community, so the fields are labeled for criminal investigation. However, these fields can easily be repurposed for the needs of archivists and curators. For example, an archivist might use the "Case number" field to record an accession number.

Step 7

Next choose the image directory, which in this example would be "/home/bcadmin/diskimages". Note: Guymager runs as the root user, so any directory created through Guymager would be owned by root. Avoid creating new directories directly through Guymager (hence Step 1).

Step 8

Finally, name your disk image and choose which verification options you would like Guymager to perform. Click "OK" to begin the imaging process.

Step 9

Once the imaging process begins you will be taken back to the main Guymager screen in Figure 4, which will now show a progress bar.

Step 10

After Guymager has finished creating the disk image, close Guymager and verify the image by navigating to the directory you created in Step #1. Notice that there are two files, the image itself and an info file (see Figure 3). The info file includes the metadata we input in step 7 along with additional metadata collected during the acquisition process. The imaging process is now complete.

Figure 3: Verify the disk image and metadata.
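
Beyond confirming that both files exist, the hashes recorded in the info file can be recomputed over a raw dd image, including one split into several files. The script below is an added example, not part of the original tutorial or of Guymager or BitCurator. It assumes a raw (dd) image whose segments are passed in order, and it assumes hash lines in the info file have the form "<algorithm> hash ... : <hex digest>"; the file names and contents in demo() are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed layout of a hash line in the info file: "<ALGO> hash [words] : <hex digest>"
HASH_LINE = re.compile(
    r"^\s*(MD5|SHA-?1|SHA-?256)\s+hash[^:\n]*:[ \t]*([0-9a-f]{32,64})[ \t]*$", re.I | re.M)

def recorded_hashes(info_text):
    """Return {hashlib name: set of hex digests} recorded in the info file text."""
    found = {}
    for label, digest in HASH_LINE.findall(info_text):
        algo = label.lower().replace("-", "")  # "SHA-256" -> "sha256"
        found.setdefault(algo, set()).add(digest.lower())
    return found

def hash_segments(segments, algos, chunk=1 << 20):
    """Stream one raw image, or its split segments in order, through each hash."""
    hashers = {a: hashlib.new(a) for a in algos}
    for seg in segments:
        with open(seg, "rb") as fh:
            while block := fh.read(chunk):
                for h in hashers.values():
                    h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_image(info_path, segments):
    """Return {algorithm: True/False}; True only if every recorded digest matches."""
    recorded = recorded_hashes(Path(info_path).read_text(errors="replace"))
    if not recorded:
        raise ValueError("no hash lines found in info file")
    actual = hash_segments(segments, recorded)
    return {a: digests == {actual[a]} for a, digests in recorded.items()}

def demo():
    """Constructed sample: a two-segment 'image' and a matching info file."""
    d = Path(tempfile.mkdtemp())
    data = b"constructed sample sector data " * 4096
    segs = [d / "sample.000", d / "sample.001"]
    segs[0].write_bytes(data[:50000])
    segs[1].write_bytes(data[50000:])
    info = d / "sample.info"
    info.write_text("Case number : ACC-0000 (constructed)\n"
                    f"MD5 hash : {hashlib.md5(data).hexdigest()}\n"
                    f"SHA256 hash : {hashlib.sha256(data).hexdigest()}\n")
    intact = verify_image(info, segs)
    segs[1].write_bytes(b"\x00" + data[50001:])  # change one byte of the image
    return intact, verify_image(info, segs)
```

For a real acquisition, call verify_image() with the path to the info file and the list of image file paths in order. E01 and AFF files are containers, so hashing those files directly will not reproduce the hash of the source data.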