Raw format

The raw format is nothing more than a set of bytes stored in the same logical order as they are found on disk. Nearly every medium you are likely to encounter uses 512-byte sectors. Whereas older devices formatted with Windows filesystems (primarily FAT12 and FAT16) may address these sectors by cylinder, head, and sector, the Linux forensics investigator is much more fortunate in that the media he or she encounters will almost certainly use Logical Block Addressing (LBA).

On media where LBA is used, sectors are numbered logically from 0 to ({media size in bytes} / 512 - 1). The sectors are labeled LBA0, LBA1, etc. It is important to understand that this logical addressing is done transparently by the media device and is therefore deterministic (it doesn't depend on which operating system reads the filesystem, etc.). A raw image is nothing more than a large file with LBA0 in the first 512 bytes, followed by LBA1 in the next 512 bytes, and so on.

Because the raw format is essentially identical to what is stored on the media, numerous standard tools can be used to manipulate raw images. For this and other reasons the raw format is very popular and is supported by every forensics tool. Because raw images are the same size as the media they represent, they tend to be quite large.
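As an added example (not code from the original page), the following Python puts the two paragraphs above into practice: sector LBA n of a raw image is simply the 512 bytes at offset n * 512, the sector count follows from the file size, and hashing the sectors one by one in LBA order gives the same digest as hashing the whole file, because nothing separates them. The image used here is a constructed sample, not data from any real device.

```python
import hashlib

# Nearly all media the text describes uses 512-byte sectors.
SECTOR_SIZE = 512


def lba_count(image_size: int) -> int:
    """Sectors in a raw image: size / 512 (the highest LBA is size / 512 - 1).

    A raw image whose size is not a multiple of the sector size has been
    truncated or damaged, so refuse it rather than silently dropping the tail.
    """
    if image_size % SECTOR_SIZE:
        raise ValueError(f"image size {image_size} is not a multiple of {SECTOR_SIZE}")
    return image_size // SECTOR_SIZE


def lba_offset(lba: int) -> int:
    """Byte offset of sector LBA n inside the raw image."""
    return lba * SECTOR_SIZE


def read_lba(image: bytes, lba: int) -> bytes:
    """Return sector LBA n, i.e. bytes [n*512, (n+1)*512) of the image."""
    if not 0 <= lba < lba_count(len(image)):
        raise IndexError(f"LBA {lba} is outside the image")
    start = lba_offset(lba)
    return image[start:start + SECTOR_SIZE]


def build_constructed_image(sectors: int) -> bytes:
    """Constructed sample image: every sector is filled with its own LBA
    number (4-byte little-endian, repeated), so the layout can be verified."""
    return b"".join(
        lba.to_bytes(4, "little") * (SECTOR_SIZE // 4) for lba in range(sectors)
    )


def sector_tag(sector: bytes) -> int:
    """Recover the LBA number a constructed sector was filled with."""
    return int.from_bytes(sector[:4], "little")


def sha256_of_image(image: bytes) -> str:
    """Digest of the whole raw image, as an imaging tool would report it."""
    return hashlib.sha256(image).hexdigest()


def sha256_by_sector(image: bytes) -> str:
    """Same digest computed sector by sector in LBA order: identical, because a
    raw image is nothing but the sectors concatenated with nothing in between."""
    h = hashlib.sha256()
    for lba in range(lba_count(len(image))):
        h.update(read_lba(image, lba))
    return h.hexdigest()
```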

Some investigators like to compress raw images. Indeed, some forensics tools can operate on compressed raw images. One thing to keep in mind should you choose to work with compressed images is that it limits your tool selection. It will also likely result in a performance penalty for many common forensics tasks such as searching.
