Forensic Copy vs Forensic Image
Is there any difference between a forensic copy and a forensic image? This question comes from a discussion I had with a coworker over if there is any difference between the two. My position is they are exactly the same thing because both are taking a bit by bit image of the evidence. His claim was a forensic copy indicates a logical acquisition was being performed whereas a forensic image communicates a physical acquisition was being performed. I am relatively new to the field so it is possible that I am wrong and he was right…
Can anybody tell me if forensic copy and forensic image mean different things or if they mean the same thing?
It's all semantics. You've defined them as the same thing, and your friend hasn't. That's about it. Others will do the same.
Looking at it one way, if you copy a file from one location to another, you can then compute hashes for both and verify that they are correct. The same with an image. However, if you define an image as making a bit-for-bit copy of the physical sectors, to include file slack…again, it simply depends on your definition.
One of the issues within the community is a lack of specificity of language. Even if you go to sites such as Wikipedia and find a definition of "forensic image", you're still going to find people that (mis)use the term.
A forensic image is a verified bit-for-bit copy of an entire disk; a forensic copy is the act of cloning files without changing the metadata and verifying each of the files with an MD5 hashsum.
Following on from the responses above. The terms Forensic Copy or Forensic Image are commonly used. It is expected there will be a further supporting statement to clarify how those terms are to be understood (the assumption being the court or jury are not language literate for terms used for forensically recovering data).
Even in lab speak usage if you were to say "…I obtained a forensic copy /../ forensic image" might still need to be supported by other words to clarify what you meant e.g. bit-for-bit or logical read? Unless, of course, you have an agreed Terminology chart of definitions on the wall for commonly used words in the lab which anyone in the lab can read and will know what the terms mean and how to apply them.
As teaser-quiz questions (referenced to a saved, readable document)
Just for example if you were to say "I forensically conducted a logical read of a file.. [a document].. from the exhibit's memory" did your extraction process
1) obtain a faithful bit-for-bit copy of the saved, readable document during the forensic logical read?
2) it doesn't take a faithful bit-for-bit copy of the saved, readable document during a forensic logical read?
Is there any difference between a forensic copy and a forensic image?
Depends. Copy of what? and image of what?
The term 'image' is commonly applied to something like a disk or a partition within that disk, and indirectly to whatever is contained in that partition.
'copy' is often applied to something such as a file, but it can also be used in a less specific sense. 'copy of a file' and 'copy of a drive/disk/volume' are probably perfectly clear to most CF people, although there may be some details of exactly what a 'file' is, especially in environments where 'file' may refer to multiple data streams, and there may be similar ambiguity about 'drive', particularly in environments where the term 'drive' is used to identify a volume as well as a disk.
'image of a drive/disk/volume' may lead to a followup question 'logical image or physical image?' (as would the use of 'copy' in the same context). 'Image of a file' … never heard that phrase myself.
While it would be desirable to have a reasonably fixed and generally approved terminology for computer forensics, it hasn't happened yet. As CF people generally are computer or IT people, they bring their own terminology along – and that isn't standardized to any great extent, even if there are attempts at doing so.
My position is they are exactly the same thing because both are taking a bit by bit image of the evidence.
The real problem is probably how do you ensure that your audience understands what you say? Particularly in a context where they have multiple inputs with different terminology?
If you told me to take a forensic image of a disk - I'd image it
If you told me to take a forensic copy of a disk - I'd image it
If you told me to take a forensic image of a folder - I'd ask whether you knew what a forensic image was
If you told me to take a forensic copy of a folder - I would copy and compare hashes to originals
You cannot say that one term describes different actions than another - Like most things in life it would be simpler if everything was crystal clear but in reality it's all about context.
Theoretically there should be a standard of the used terminologies, but practice shows otherwise. I suggest the usage of exact definitions, like "physical dump", "logical extraction", "binary image", etc. Usually no misinterpretation can come out of those. Usually )
Forensic copy is the broader term, imaging the narrower. Imaging typically refers to the forensic copy of physical disks, partitions or volumes, generally storage units which file systems can reside on. But you can also obtain individual forensic copies of files, unused space, file slack, partition slack etc.
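The folder-level "forensic copy" that several replies above describe (copy the files, keep their metadata, compare hashes to the originals), as an added example that is not part of the original thread. It uses MD5 because one reply names it; the function names, the manifest layout and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def file_hash(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def forensic_copy(src_dir, dst_dir, algo="md5"):
    """Copy every file with its timestamps and record the original's hash."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    manifest = {}
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir).as_posix()
        dst = dst_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        manifest[rel] = file_hash(src, algo)   # hash the original
        shutil.copy2(src, dst)                 # copy2 preserves mtime and mode
    return manifest

def verify(dst_dir, manifest, algo="md5"):
    """Return the relative paths whose copy is missing or hashes differently."""
    bad = []
    for rel, digest in manifest.items():
        dst = Path(dst_dir) / rel
        if not dst.is_file() or file_hash(dst, algo) != digest:
            bad.append(rel)
    return bad

def demo():
    """Constructed sample data: two small files in a temporary 'exhibit' folder."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "exhibit"), Path(tmp, "copy")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_bytes(b"quarterly figures\n")
        (src / "notes.txt").write_bytes(b"meeting at 10\n")
        os.utime(src / "notes.txt", (1_000_000_000, 1_000_000_000))
        manifest = forensic_copy(src, dst)
        clean = verify(dst, manifest)
        mtime_kept = int((dst / "notes.txt").stat().st_mtime) == 1_000_000_000
        (dst / "docs" / "report.txt").write_bytes(b"quarterly figures!\n")  # alter the copy
        return clean, mtime_kept, verify(dst, manifest)

if __name__ == "__main__":
    print(demo())
```

A file-level copy like this captures file content and timestamps only; the file slack and unused space mentioned in the replies need an image of the disk or volume.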