Physical image vs Logical Image

8 Posts
6 Users
1 Likes
18.6 K Views
(@ottomatik)
Posts: 10
Active Member
Topic starter
 

Hi,
I'm new to forensics. I would like to understand what's the difference between a physical image and a logical image.
From what I understand a physical image is a bit-to-bit copy of an entire hard drive or a partition and a logical image is a copy of the files (all or a subset) referenced in the filesystem, is that correct?
For instance, if I understand correctly a logical image can be a copy of a folder.
Also how would you call a bit-to-bit copy of a pseudo-partition (/dev/mapper) created by tools like LUKS or VeraCrypt?
Thank you for your answers.

 
Posted : 07/10/2015 5:43 pm
(@ludwigb)
Posts: 2
New Member
 

Your understanding is pretty much right. A logical is basically just the files that are on the drive (no deleted files). If you acquire a physical image you have everything. If you run a physical image through a forensic processing software like FTK it'll discover deleted files etc.

 
Posted : 07/10/2015 7:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Let's try to draw a tentative definition.

A physical image is the image of an extent on the device.

Talking of block devices, an image of the extent from LBA0 up to the last accessible LBA on the device is a physical image of the whole disk; an image of the extent from the first LBA of a volume up to the last LBA within that volume is a physical image of a volume.

A logical image is the image of the contents of a volume (as interpreted by the filesystem driver in use) or if you prefer of only the accessible files in the volume.

jaclaz

 
Posted : 07/10/2015 8:30 pm
MahdyWahedi reacted
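Putting jaclaz's extent definition (and ludwigb's point about deleted files) into code, as an added example that is not part of anyone's post: a constructed 64-sector disk carries a real MBR partition table, the partition entry gives the LBA extent of the volume, and the "physical image of the volume" is just that sub-extent of the whole-disk image (the telescopic relation). The filesystem inside the volume is a made-up toy directory format, chosen so the example stays short; only the MBR layout is real. The logical image is what that toy "filesystem driver" presents, namely the allocated files, so the content of the deleted entry survives in the physical image but not in the logical one.

```python
import struct

SECTOR = 512


def build_toy_disk() -> bytes:
    """Constructed sample: 64-sector disk, MBR with one partition at LBA 8 (48 sectors).

    The volume holds a made-up directory (NOT a real filesystem): 16-byte entries in
    volume sector 0, each <8s name, H start sector, H length, B flags (bit0 = allocated), 3x pad>.
    """
    disk = bytearray(64 * SECTOR)
    part_start, part_count = 8, 48
    # MBR partition entry 0: status, CHS start, type (0x0C), CHS end, LBA start, sector count
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0C, b"\0\0\0", part_start, part_count)
    disk[510:512] = b"\x55\xaa"  # MBR signature
    vol = part_start * SECTOR
    files = [  # (name, start sector within volume, content, allocated?)
        (b"readme", 1, b"hello from the active file", 1),
        (b"secret", 2, b"SECRET content of a deleted file", 0),  # entry freed, data not wiped
    ]
    for i, (name, sec, data, alloc) in enumerate(files):
        disk[vol + i * 16: vol + (i + 1) * 16] = struct.pack("<8sHHB3x", name, sec, len(data), alloc)
        disk[vol + sec * SECTOR: vol + sec * SECTOR + len(data)] = data
    return bytes(disk)


def parse_mbr(disk: bytes) -> list:
    """Return (lba_start, sector_count) for every used primary partition entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", disk[446 + 16 * i: 462 + 16 * i])
        if ptype != 0:
            parts.append((start, count))
    return parts


def physical_image_of_volume(disk: bytes, lba_start: int, count: int) -> bytes:
    """Sector-by-sector copy of the volume extent: a sub-extent of the whole-disk image."""
    return disk[lba_start * SECTOR: (lba_start + count) * SECTOR]


def logical_image(volume: bytes) -> dict:
    """What the toy 'filesystem driver' shows: allocated files only, as name -> content."""
    files = {}
    for i in range(SECTOR // 16):
        name, sec, length, flags = struct.unpack("<8sHHB3x", volume[i * 16: (i + 1) * 16])
        if name == b"\0" * 8:
            break  # end of directory
        if flags & 1:
            files[name.rstrip(b"\0").decode()] = volume[sec * SECTOR: sec * SECTOR + length]
    return files


def demo() -> dict:
    disk = build_toy_disk()
    (start, count), = parse_mbr(disk)
    vol = physical_image_of_volume(disk, start, count)
    files = logical_image(vol)
    return {
        "disk_bytes": len(disk),
        "volume_bytes": len(vol),
        "volume_offset_in_disk": disk.find(vol),       # the volume image lives inside the disk image
        "logical_files": sorted(files),                # deleted entry is not presented
        "deleted_data_in_physical": b"SECRET" in vol,  # ...but its bytes are still in the extent
        "deleted_data_in_logical": any(b"SECRET" in d for d in files.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows a 32768-byte disk image containing a 24576-byte volume image at offset 4096, one file in the logical image and the deleted file's content present only in the physical one.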
(@athulin)
Posts: 1156
Noble Member
 

I would like to understand what's the difference between a physical image and a logical image.

I'm not sure there is one single difference, so you'll probably get different answers from different people.

To me it's a system hierarchy difference. The logical image shows a reality one type of person ('the user') wants or needs to see. And to the user a file system isn't particularly complex.

The system level below that is how that particular 'reality' is implemented. At this level you have sectors and clusters, and directories may have a more complex structure (B-trees) than an ordinary user may imagine. Files may grow 'holes', or be compressed or even encrypted. But sectors are numbered from 0 to N, and may conceptually be ordered (again, this is another kind 'user' perspective).

And then, there's perhaps a systems level below that, where you're seeing magnetic flux variations, and soft sectoring, and G and P lists of sectors that have been replaced, so that what is called sector 5 is really located somewhere else entirely, and perhaps SSD mechanisms, and so on.

(CD-ROMs are good for showing this: the UDF/ISO file system, the 2048-byte 'sector' view, the 2352-byte 'raw' sectors, and so on.)

And if you have something RAID-like, the 'physical' layer is actually emulated by the RAID software, so you may have an additional physical layer, one real, the other made up by the RAID.

The physical/logical difference is just a particular place where most forensic analysts find the stuff they're working with. However, it should be mistaken for reality – it's a selected view of reality.

Also how would you call a bit to bit copy of a pseudo-partition (/dev/mapper) created by tools like LUKS or VeraCrypt?

Terminology should not be pressed to do work it wasn't intended to do. Physical and logical imaging makes sense at a particular place in a systems hierarchy, but, as I hope I've indicated, in another situation there may easily be more than one physical 'layer', in which case it may not make sense to use anymore.

If there was no accepted terminology, I would try to go for something that would be easy to tell apart (that is, no 'physical layer A' and 'physical layer B'), and still was unambiguous.

Added: For one view of this, consider ISO-9660. It recognizes physical blocks and physical sectors as the storage layer 'below' the ISO-9660 layer – typically the CD-ROM layer, on top of which ISO-9660 may be positioned. Internally, however, ISO-9660 defines logical blocks and sectors, and how they map to the physical layer. In this kind of situation, a physical image of an ISO-9660 would be an image of the layer below ISO-9660, possibly with a different physical sector size than 2048 bytes, while a logical image would contain the logical sectors and blocks, and no trace of the underlying storage layer would remain.

 
Posted : 07/10/2015 8:59 pm
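The CD-ROM layering athulin describes, worked through in code as an added example (not from the post): a constructed 'raw' image of 2352-byte Mode-1 sectors is reduced to the 2048-byte 'logical' sector view, and the ISO-9660 primary volume descriptor is then read from logical sector 16 to get the logical block size the filesystem defines on top of that. The sector layout (12-byte sync, 4-byte BCD address/mode header, 2048 user bytes, 4-byte EDC, 8 zero bytes, 276 bytes of P/Q parity) and the EDC polynomial follow ECMA-130; the ECC field is left zeroed in the constructed sectors because generating Reed-Solomon parity is beside the point here. The converter refuses a sector whose sync or EDC does not check, so a corrupted raw image is noticed while the raw layer, which is the only place that information exists, is still available.

```python
import struct

RAW, USER = 2352, 2048
SYNC = b"\x00" + b"\xff" * 10 + b"\x00"  # 12-byte sync pattern at the start of every raw sector


def edc_crc32(data: bytes) -> int:
    """CD-ROM EDC (ECMA-130): CRC-32 with P(x) = (x^16+x^15+x^2+1)(x^16+x^2+x+1), LSB first,
    initial value 0. 0xD8018001 is that polynomial in bit-reversed form."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0xD8018001 if crc & 1 else 0)
    return crc


def bcd(n: int) -> int:
    return ((n // 10) << 4) | (n % 10)


def mode1_header(lba: int) -> bytes:
    """Sector address as BCD minutes:seconds:frames (LBA 0 = 00:02:00), then mode byte 1."""
    x = lba + 150
    return bytes([bcd(x // 4500), bcd((x // 75) % 60), bcd(x % 75), 1])


def build_raw_sector(lba: int, user: bytes) -> bytes:
    """Constructed Mode-1 raw sector: sync(12) header(4) user(2048) EDC(4) zero(8) ECC(276) = 2352.
    P/Q parity is zeroed here; a real disc carries Reed-Solomon parity in those 276 bytes."""
    assert len(user) == USER
    body = SYNC + mode1_header(lba) + user
    return body + edc_crc32(body).to_bytes(4, "little") + b"\x00" * (8 + 276)


def raw_to_logical(raw_image: bytes) -> bytes:
    """The 2048-byte 'logical' sector view: strip sync/header/EDC/ECC after checking them.
    Mode-1 EDC covers bytes 0..2063 (sync + header + user data)."""
    out = []
    for off in range(0, len(raw_image), RAW):
        s = raw_image[off:off + RAW]
        if len(s) != RAW or s[:12] != SYNC or s[15] != 1:
            raise ValueError(f"sector at raw offset {off}: bad sync or not Mode 1")
        if edc_crc32(s[:2064]) != int.from_bytes(s[2064:2068], "little"):
            raise ValueError(f"sector at raw offset {off}: EDC mismatch")
        out.append(s[16:16 + USER])
    return b"".join(out)


def iso9660_logical_block_size(logical_image: bytes) -> int:
    """ISO-9660 puts the primary volume descriptor at logical sector 16: type 1, 'CD001',
    and the logical block size as a both-endian u16 at byte 128."""
    pvd = logical_image[16 * USER:17 * USER]
    if len(pvd) < 132 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at logical sector 16")
    return struct.unpack_from("<H", pvd, 128)[0]


def build_toy_image() -> bytes:
    """Constructed 17-sector raw image; logical sector 16 carries a minimal PVD (only the
    fields read above are filled in)."""
    raw = b""
    for lba in range(17):
        if lba == 16:
            user = b"\x01CD001\x01" + b"\x00" * (128 - 7) + struct.pack("<H", 2048) + struct.pack(">H", 2048)
        else:
            user = f"logical sector {lba}".encode()
        raw += build_raw_sector(lba, user.ljust(USER, b"\x00"))
    return raw


def demo() -> dict:
    raw = build_toy_image()
    logical = raw_to_logical(raw)
    return {
        "raw_bytes": len(raw),                       # 17 * 2352
        "logical_bytes": len(logical),               # 17 * 2048
        "sync_pattern_in_raw": SYNC in raw,          # the storage layer is visible here...
        "sync_pattern_in_logical": SYNC in logical,  # ...and gone here
        "iso_block_size": iso9660_logical_block_size(logical),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The three views line up with the post: the raw sectors are the layer below, the 2048-byte stream is what a drive hands to the filesystem, and the block size in the PVD is ISO-9660's own logical unit, which need not equal the physical sector size.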
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To me it's a system hierarchy difference. The logical image shows a reality one type of person ('the user') wants or needs to see. And to the user a file system isn't particularly complex.

Yep, and we can extend that by calling it a "telescopic" hierarchy, i.e. if you have a "physical" image you can also access the "logical" one as the "logical" is contained inside the physical.

And if you have something RAID-like, the 'physical' layer is actually emulated by the RAID software, so you may have an additional physical layer, one real, the other made up by the RAID .

… or emulated by the RAID hardware/controller firmware, but this is more a matter of combining several devices into one, the single mass storage device "physical" image(s) remain the same, you have an added "intermediate" layer (which you will need to recreate via software) needed to access/interpret the "RAW" data, as not only files but "RAID device LBA's" will be split in blocks on more than one physical disk (or physical image).

jaclaz

 
Posted : 07/10/2015 11:41 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I'd always interpreted it this way

Physical = bit for bit of all partitioned and unpartitioned accessible space on the drive

Logical = bit for bit of a logical partition (i.e. if a hard drive has 2 logical partitions then two images will be required)

The logical will still include unallocated space that is part of that partition, the only parts it misses is unpartitioned or unpartitionable space.

 
Posted : 08/10/2015 7:13 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'd always interpreted it this way

Physical = bit for bit of all partitioned and unpartitioned accessible space on the drive

Logical = bit for bit of a logical partition (i.e. if a hard drive has 2 logical partitions then two images will be required)

The logical will still include unallocated space that is part of that partition, the only parts it misses is unpartitioned or unpartitionable space.

Hmmm, this is very different, we do need a common definition.

As I see it the second you describe is still a physical image (or bit-by-bit or sector-by-sector) of a subset of the whole thing, or if you prefer you use the same imaging program "dd-like" on different addresses, on the "whole" or on a "part" of the source disk or (in windows) with two different objects, the \\.\Physicaldrive or the \\.\LogicalDrive as source, while it is the use of the "dd-like" or other direct disk access bit-by-bit or sector-by-sector copying tool that makes an image a "physical" one.

We were talking more of something like
http://freeandroidforensics.blogspot.it/2014/09/the-differences-between-physical-image.html
or
http://d4discovery.com/discover-more/2014/12/3-methods-of-forensic-imaging#sthash.qMV4tyKE.dpbs

Physical Image: A physical image of a hard drive will capture all of the ones and zeroes contained on the drive. It will capture the deleted space on the hard drive even if the drive has been recently formatted. It will capture deleted files and file fragments on a hard drive. If one is making a physical image of a 1 TB drive the resulting image file(s) will be 1 TB, unless compression algorithms are used.
Logical Image: A logical image of a hard drive will capture all the “active” data. If you look at the My Computer icon on your computer and browse through the C drive you are viewing the logical drive and active files. This is what will be captured if one performs a logical capture. Typically, deleted space, deleted files and fragments will NOT be captured. If one is making a logical image of a 1 TB drive, but only 30 GB is active files, then the resulting image will be 30 GB uncompressed.

jaclaz

 
Posted : 08/10/2015 11:49 am
(@segovia)
Posts: 4
New Member
 

A logical image is the file systems excluding the operating system and unallocated space. A physical image is an image of everything.

Therefore a logical image is similar to a view a user would have of the content and a physical image is a view that an investigator would have after taking a DD copy of a drive using a forensic tool etc.

J

 
Posted : 18/09/2016 12:11 pm