Difference between a physical image and a logical image.

(@sa4zn69p)
Topic starter  

Hi,
I'm new to forensics. I would like to understand what's the difference between a physical image and a logical image.

This topic was modified 2 years ago by Jamie

   
Quote
kastajamah
(@kastajamah)
 

Posted by: @sa4zn69p

Hi,
I'm new to forensics. I would like to understand what's the difference between a physical image and a logical image.

Good Morning, sorry for the late reply.  In a nutshell, a physical image is an image of the full physical disk.  From bit 0 to the last bit.  A logical image is an image of a logical portion of a drive.  For example, that could be a full disk partition, a folder, an individual file, etc.

I am not sure what you are using to image a drive, but for example, if you are using EnCase, and you choose to create an image of the drive by its number, for example drive 1, you will image the full disk and this will be a physical image.  This will be bit 0 to the last bit.  This will usually be in the Ex01, E01, or raw image formats.

Let's say that instead of drive 1, you choose to image the "C:" partition under disk 1.  That would be a logical image.  This will usually be in the Lx01, L01, or AD1 format.

There are pros and cons to the different types of images.  There are also other image formats that I did not get into here.  If you intend to carve and look for deleted data, I would recommend a physical image.  If you just need the data that is currently in the allocated spaces of the drive, do a logical image.  You will find some deleted data in the logical partition (i.e. deleted data that is still in an allocated database), but you will not find data that was emptied from the Recycle Bin.

This is a basic explanation, and I am sure there might be others who can add to this, but I hope this explanation helps.

 


   
olhachycher reacted
ReplyQuote
(@olhachycher)
 

@kastajamah

Yes, that is a good summary. A physical image captures the entire storage device, including all data in unallocated space, while a logical image only captures data in allocated space within a specific partition or directory. The choice between creating a physical or logical image will depend on the specific use case and what kind of data you are trying to recover or preserve.

Physical images are useful for forensic analysis because they capture all data, including deleted files and other information that may be overwritten if the drive is used after the image is taken. Logical images are more useful for backup and recovery because they only include data that is currently in use.

It's also worth noting that there are other types of images that can be created, such as incremental images, differential images and file-level backups. Each one has its own pros and cons and use cases.

This post was modified 2 years ago by Jamie
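
The distinction described in the replies above, as an added example that is not part of the original thread: a constructed 64-sector "disk" with an MBR and one partition is acquired both ways, and bytes left outside the partition show up only in the physical image. Assumptions: the sample disk, its marker strings and all function names are made up for illustration, and the logical image is simplified to the byte range of one partition (real L01/AD1 containers store files and metadata instead).

```python
import hashlib
import struct

SECTOR = 512
ALLOCATED = b"ALLOCATED-DATA"    # constructed marker inside the partition
REMNANT = b"REMNANT-OUTSIDE"     # constructed marker in unpartitioned space

def build_disk(total=64, start=8, count=32):
    """Constructed sample disk: MBR, one partition, stale bytes outside it."""
    disk = bytearray(total * SECTOR)
    # MBR entry 0 at offset 446: status, CHS, type, CHS, start LBA, sector count
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"", 0x07, b"", start, count)
    disk[510:512] = b"\x55\xaa"  # boot signature
    inside = start * SECTOR
    disk[inside:inside + len(ALLOCATED)] = ALLOCATED
    outside = (start + count + 2) * SECTOR
    disk[outside:outside + len(REMNANT)] = REMNANT
    return bytes(disk)

def parse_mbr(disk):
    """Return (type, start_lba, sectors) for each used primary partition entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = disk[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count > 0:
            parts.append((entry[4], start, count))
    return parts

def physical_image(disk):
    """Every sector of the device, first to last."""
    return disk

def logical_image(disk, part):
    """Only the byte range of one partition (simplified logical acquisition)."""
    _, start, count = part
    return disk[start * SECTOR:(start + count) * SECTOR]

def sectors_outside(disk, parts):
    """Sector numbers covered by no partition: present only in the physical image."""
    covered = set()
    for _, start, count in parts:
        covered.update(range(start, start + count))
    return [n for n in range(len(disk) // SECTOR) if n not in covered]

if __name__ == "__main__":
    disk = build_disk()
    part = parse_mbr(disk)[0]
    for name, img in (("physical", physical_image(disk)), ("logical", logical_image(disk, part))):
        print(name, len(img), hashlib.sha256(img).hexdigest()[:16], "remnant:", REMNANT in img)
    print("sectors only in physical image:", len(sectors_outside(disk, [part])))
```

The two images hash differently because they cover different byte ranges, so record which kind of acquisition a hash belongs to.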