Forensic Imaging & Analysis of a Laptop Drive – Anonymized Case Study

Forensic Imaging & Analysis of a Laptop Drive

Anonymized Case Study for Training & Documentation

This article is based on a real workflow I performed during a forensic training scenario. All identifying information has been removed — no serial numbers, usernames, device IDs or case specifics remain.

The goal is to document a clean, professional-grade workflow for:

• creating a bit-by-bit forensic image,
• validating integrity,
• preparing the image for analysis,
• and loading it into professional tools for examination.

1. Case Overview

A laptop was seized as part of an internal security investigation. The task was to create a forensically sound disk image, preserve chain of custody, and prepare it for offline analysis.

Key constraints:

• the laptop used modern UEFI + SSD,
• full-disk encryption was suspected (BitLocker),
• imaging had to be done without altering source media,
• analysis had to work from the image, never the original disk.

This mirrors typical police forensic procedures, where repeatability and integrity validation are essential.

2. Evidence Preparation & Write Blocking

A software write blocker was used (udisksctl + blockdev --setro) to ensure the source disk could not be modified:

blockdev --setro /dev/sdX lsblk --fs

Verification:

• mount attempts failed (expected),
• kernel reported read-only state,
• disk was locked for imaging.

3. Creating a Bitwise Forensic Image with dd

A full, sector-exact image was created using dd with progress and error handling:

dd if=/dev/sdX of=evidence_laptop.img bs=4M conv=noerror,sync status=progress

This ensures:

• no skipped sectors,
• corrupted sectors padded for alignment,
• continuous log of read operations.

Imaging resulted in:

evidence_laptop.img (size identical to physical disk)

4. Integrity Verification (SHA-256)

For chain of custody, integrity hashes were generated:

sha256sum /dev/sdX > hash_source.txt sha256sum evidence_laptop.img > hash_image.txt

Hashes matched: imaging was confirmed 1:1 identical.

This is a critical step in any forensic process — allowing the image to be defended in audit or testimony.

5. Mounting the Image for Read-Only Inspection

Before using heavy forensic suites, the partition layout was inspected:

fdisk -l evidence_laptop.img

Partitions were mapped via losetup:

losetup -P -f evidence_laptop.img lsblk

This exposed:

• EFI partition
• OS partition
• Recovery partition
• BitLocker encrypted volume
• Unallocated space

A typical layout for modern Windows laptops.

6. Dealing With BitLocker Encryption

As expected, the primary OS volume was BitLocker-encrypted.

Because the case required reviewing file system contents, the volume was decrypted using:

• available recovery key (obtained legally during investigation),
• dislocker tool:

dislocker -V /dev/loop0p3 -u -- /mnt/dislocker mount -o loop /mnt/dislocker/dislocker-file /mnt/evidence

This provided a decrypted NTFS stream without altering the source.

7. Analysis in Autopsy (SleuthKit)

The decrypted mounted image was loaded into Autopsy, enabling:

• file system timeline construction
• extraction of browser artefacts
• shellbag analysis
• thumbnail reconstruction
• OS event log correlation
• registry hive review
• detection of recently attached removable devices

The tool produced a full case report stored separately as:

report_case_001/

8. Virtualization of the Image (QEMU)

To validate system behaviour, the image was also test-booted in a sandbox.

A differential overlay was used to protect the base image:

qemu-img create -f qcow2 overlay.qcow2 -b evidence_laptop.img qemu-system-x86_64 -hda overlay.qcow2 -m 4G -snapshot

This allowed:

• observing OS startup procedures,
• identifying login screens,
• checking persistence anomalies,
• testing user-profiles behaviour,

without modifying the original evidence.

9. Key Lessons Learned

This imaging exercise reinforced several principles that apply to both police and enterprise forensics:

Work from a write-blocked device

Always protect the original.

Hash before and after imaging

Integrity is the cornerstone of forensic work.

Use layered tools

Start simple (dd, hashes), escalate to Autopsy when needed.

Avoid altering evidence

Virtualization must run from overlays/snapshots only.

Document everything

Every step becomes evidence.

Conclusion

This case demonstrates a clean, repeatable, professionally acceptable workflow for forensic imaging and analysis of a laptop drive.

It bridges the gap between practical police forensics and sysadmin-level incident work, and lays the foundation for future SystemLog articles about artefacts, timelines, registry forensics, encrypted volumes and more.