Guymager Forensic Use Case: Forensic Imaging

The Guymager forensic use case featured here shows how Squirrel Forensics’ Acorn enables digital investigators to perform reliable forensic imaging with minimal manual effort. With Guymager and the Acorn working together, forensic examiners can create forensically sound images while preserving evidence integrity. The built-in verification features and seamless workflow make Guymager an essential imaging tool in digital forensics.

Context

Digital forensics examiner Jane Smith is investigating a financial fraud case. She receives a suspect drive containing financial transaction data and needs to create a forensic image while preserving evidence integrity. Using the Acorn’s built-in forensic toolkit, she selects Guymager, a GUI-based forensic imaging tool, to perform the acquisition.

1. Connecting the Suspect Drive

• Jane connects the suspect drive to the Acorn forensic workstation via USB or the SATA USB adaptor.
• The Acorn’s Disk Manager automatically detects the drive and activates the built-in software write-blocker to prevent any accidental modifications.

2. Launching Guymager & Detecting the Device

• Jane opens Guymager, which immediately detects the suspect drive and lists it in the device list.
• The interface displays essential details, including:
– Device path (e.g., /dev/sdc)
– Model, serial number, and size
– Partition structure

3. Acquiring a Forensic Image

• Jane right-clicks on the suspect drive and selects “Acquire Image”.
• Guymager provides options to create a forensic image in multiple formats, including:
– E01 (EnCase format, compressed with metadata)
– RAW (bit-for-bit exact copy)
• She selects E01 format, enters case details (e.g., investigator name, case ID), and specifies a secure destination directory.
• Before proceeding, she enables:
– MD5 and SHA1 hashing to verify the integrity of the acquired image.
– Concurrent imaging mode, allowing multiple acquisitions to run simultaneously (if needed).

4. Forensic Imaging Process & Verification

• Guymager begins the imaging process, displaying:
– Real-time progress (data rate, estimated time remaining).
– Hash calculations for the source drive and the forensic image.
• Once the imaging completes, Jane compares the generated hash values of the original drive and the image.
• The hash values match, confirming that the forensic image is an exact, unmodified replica of the suspect drive.
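The hash comparison in this step can be repeated independently of the imaging tool, for example before analysis or when the image changes hands. The following is an added example, not part of Guymager or the Acorn: it recomputes MD5 and SHA1 in a single pass and compares them with the values the examiner recorded at acquisition. It assumes a RAW image, optionally split into ordered segment files (an E01 file is compressed and carries metadata, so hashing the container itself does not reproduce the source drive's hash); the function names are hypothetical.

```python
import hashlib

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def hash_image(segments):
    """Return (md5_hex, sha1_hex) over the segment files, read in the order given."""
    if not segments:
        raise ValueError("no image segments supplied")
    # usedforsecurity=False: these digests are integrity fingerprints, and the
    # flag keeps MD5 available on FIPS-restricted Python builds (3.9+).
    md5 = hashlib.md5(usedforsecurity=False)
    sha1 = hashlib.sha1(usedforsecurity=False)
    for seg in segments:
        with open(seg, "rb") as fh:
            while block := fh.read(CHUNK):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def normalise(digest):
    """Drop whitespace and colons and lowercase, so pasted log values compare cleanly."""
    return "".join(digest.split()).replace(":", "").lower()


def verify_image(segments, recorded_md5, recorded_sha1):
    """Compare recomputed digests with the values recorded at acquisition.

    The image counts as verified only if both algorithms match.
    """
    md5_hex, sha1_hex = hash_image(segments)
    result = {
        "md5": md5_hex == normalise(recorded_md5),
        "sha1": sha1_hex == normalise(recorded_sha1),
    }
    result["verified"] = result["md5"] and result["sha1"]
    return result


if __name__ == "__main__":
    import sys
    # Usage: verify.py <recorded_md5> <recorded_sha1> <image or segments in order...>
    outcome = verify_image(sys.argv[3:], sys.argv[1], sys.argv[2])
    print(outcome)
    sys.exit(0 if outcome["verified"] else 1)
```

Run it against a working copy of the image, with the recorded hashes taken from the acquisition log; a non-zero exit status means at least one digest did not match.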

5. Forensic Report & Documentation

• Guymager automatically generates a forensic acquisition log, which includes:
– Device details (serial number, size, partition info).
– Imaging start and completion times.
– Hash verification results.
• Jane compiles a preliminary forensic report using LibreOffice, including:
– The imaging process details.
– Hash verification results proving data integrity.
• She exports the report as a PDF for inclusion in case documentation.

6. Preserving Integrity

• Throughout the process, the Acorn’s Disk Manager ensures no modifications are made to the suspect drive.
• After confirming a successful forensic image, Jane removes the suspect drive and secures it for storage.

Why the Acorn Wins Here

• User-Friendly GUI-Based Imaging – Unlike command-line tools, Guymager’s graphical interface simplifies forensic imaging while maintaining high accuracy.
• Automated Hash Verification – Ensures forensic integrity with built-in MD5/SHA1 hash generation.
• Efficient, Concurrent Imaging – Supports multiple acquisitions at once, saving time during large investigations.
• Seamless Integration with Acorn – The Acorn’s write-blocking, imaging, and reporting tools create a complete forensic workflow in a single device.
