Knowledgebase: E3
What is the difference between a logical and physical image when it comes to digital forensics? Which of the Paraben tools supports these types of images?
Posted on 28 September 2017 10:37 AM

During logical acquisition we get the logical structure and its related data; in other words, we copy all available files from the file system to a case. Logical acquisition has some limitations related to device restrictions. Usually, we can't get all files from the device, because we use a device or system API, and such an API rarely provides access to all the data on a device. The advantage is that logical acquisition provides data in a user-friendly manner: we use a lot of parsers to present the data so that users can work with it comfortably.

During physical acquisition we get a bit-by-bit memory dump. Therefore, we acquire not only the files available to logical acquisition, but all the data from a device. This means that the physical dump contains both allocated and unallocated space, so there are more options to carve deleted data from unallocated space. The data is acquired in its raw format, so we need additional parsers for the different file systems to parse these dumps and work with them.
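The difference described above, as an added illustration that is not Paraben code and does not use any E3 format: a constructed toy device where a deleted photo is absent from the file listing but still recoverable from the raw dump by signature carving. The sector size, the `directory` dict standing in for a file-system API, and all function names are assumptions made for the example.

```python
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def build_device():
    """Constructed sample: an 8-sector raw image plus a directory of live files."""
    live = JPEG_SOI + b"\xe0" + b"LIVE-PHOTO" + JPEG_EOI
    deleted = JPEG_SOI + b"\xe0" + b"DELETED-PHOTO" + JPEG_EOI
    raw = bytearray(SECTOR * 8)
    raw[2 * SECTOR:2 * SECTOR + len(live)] = live
    raw[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    # Deletion removed only the directory entry; the bytes stay in sector 5.
    directory = {"photo1.jpg": (2 * SECTOR, len(live))}
    return bytes(raw), directory

def logical_acquire(raw, directory):
    """Logical acquisition: copy only the files the file-system API exposes."""
    return {name: raw[off:off + size] for name, (off, size) in directory.items()}

def carve_jpegs(raw):
    """Physical dump: scan every sector start for a JPEG header, cut at the footer."""
    found = []
    for off in range(0, len(raw), SECTOR):
        if raw[off:off + 3] == JPEG_SOI:
            end = raw.find(JPEG_EOI, off + 3)
            if end != -1:  # skip headers with no footer (truncated data)
                found.append((off, raw[off:end + 2]))
    return found

def carve_unallocated(raw, directory):
    """Keep only carved files that do not start at an allocated file's offset."""
    allocated = {off for off, _size in directory.values()}
    return [(off, data) for off, data in carve_jpegs(raw) if off not in allocated]

if __name__ == "__main__":
    raw, directory = build_device()
    print("logical :", sorted(logical_acquire(raw, directory)))
    print("physical:", [off for off, _ in carve_jpegs(raw)])
    print("deleted :", carve_unallocated(raw, directory))
```
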

DS (E3:Mobile) can acquire logical and physical dumps from different devices. JTAG dumps can also be processed via E3:Mobile.

E3:P2C can work with physical dumps, as a lot of file system parsers are included in this package.

DP2C can create dumps from physical and logical drives.
