Is there an actual calculation/conversion for physical disk size to EnCase or DD image size? Rather than just generically making sure the target drive is bigger?
For example given disk size of 300 GB the EnCase or DD image would be what size?
I see that FTK Imager also has some options for the compression of EnCase images, so not sure how that impacts the size of the image. When I use the Logicube MD5 or Talon there are less options, I just have to make sure the destination drive is bigger.
Chapter 4 of the EnCe Official Study Guide has extensive information on chunk size, block size and EnCase capture options, but nothing on the size of the resulting image.
Google has been a bust, but I may not be phrasing the query correctly. Thanks for any thoughts or a point in the right direction.
I don't think there is any calculation you can do to work out image size.
'dd' gives you a block by block copy, so will be the same size as the target, unless you pass it through some sort of compression utility. In fact some of the GUI programs that act as front ends for 'dd' also write you a text file out with the details of the acquisition, so for a 300Gb target you will need that amount of space, plus the size of the text file. If you are creating an image file using 'dd' you will also need to consider that the storage drive will not take as much data as it says on the tin given partitioning and any file size limits if you segment the image etc (sorry if that's sucking eggs!!)
As for EnCase images, whether you are using EnCase or FTK Imager you can compress, but there is no ratio that you can work on because it all depends how much data is on the target. A wiped 300Gb drive with a basic installation of Windows could give a relatively tiny image, but a 300Gb drive crammed full of data will give a big image. Guidance suggest that you could achieve 50% compression 'on average', but your mileage may vary.
Hope this helps
JonN,
Thanks. I am actually rewriting a Scope of Work in response to a RFP. Part of the revised RFP is a calculation of the drive space required for capturing all the machines. My original SoW just had a list of drives slightly larger than the original source drives. The RFP now wants specifics on the amount of space required for the images. I had to now not been presented with needing such an exact calculation.
I was considering rewriting to include EnCase rather than DD as the capture format because of the compression, but have not been able to determine the amount of savings that could be achieved. There is also the consideration where the more compression used the greater the amount of time required for the capture.
Guidance suggest that you could achieve 50% compression 'on average', but your mileage may vary.
I had not seen that figure. Well actually I have not seen any figures on size savings.
I really had hoped to find some sort of paper from Guidance (they write papers on everything else) with specifics about the compression of EnCase images. Just what I need in my spare time, a project to create a spreadsheet on disc size and the various compression sizes in relation to capture times for EnCase images using Linen, FTK Imager, ProDiscover, etc.
I never assume better than 20% compression with Encase to be safe. Also, remember that compression increases acquisition time significantly.
For Encase images, I really think it depends on
1. The amount of data on the disk.
2. The type of data on the disk.
I've seen images the same size as the source drive - i.e. where the drive had been encrypted, so no compression occured. I've also seen images of 500GB drives that are only several GB in size.
I really don't think there is a way of pre-calculating the size of the image without analysing the drive first and calculating the size of all the text files, and all the compressed files like zip, rar, avi etc …. then from those values, working out how much they could be compressed etc …
However, as JonN said, for DD, it's just a bit by bit copy, so the actual image will be the same size as the original drive.
HTH )