Image only files with artifacts

Create a forensically sound logical image containing only the files with artifacts discovered by Insight during full physical drive imaging, or by Artifact Finder.

This is a practical way to start analyzing the files of interest without waiting for a full physical image.

When starting a new physical imaging session, enable artifact search in the imaging settings:

  1. In the Insight Forensic window, click Imaging on the left.
  2. Click Create New Session.
  3. In the Target Device Selection dialog, select your target drive or create an image file. Confirm by clicking the Select button.
  4. On the Start new imaging session screen, find the Preset section and click Show settings.
    5. The 'Start new imaging session' screen with the 'Show settings' link.
  5. Open the Artifacts tab and select all artifacts type you want to search for during imaging. Available options include:
    • Bitcoin address
    • Ethereum address
    • BIP39 mnemonic phrase
    • Emails
    • IP
    • GPS (Exif)
    • MAC
    • Phone numbers
    • URL
    • Credit cards
    • Keywords
    • Regular expressions
    6. Selecting the artifact types to search during imaging.
  6. Click Save settings.
  7. Adjust other imaging options, if needed. Then click Start Imaging.
    8. The 'Start Imaging' button on the 'Start new imaging session' screen.
  8. Insight displays the number of artifacts discovered in the course of imaging on the Artifacts tab.
    9. The number of artifacts discovered in the course of imaging on the 'Artifacts' tab.

Step 2: Pause the session and start logical imaging with the artifacts filter

As a result, you’ll have only the selected files with artifacts of interest in a forensically sound L01 container, ready for immediate analysis.

  1. On the imaging progress screen, click the Pause button.
    2. The Pause button on the imaging progress screen.
  2. On the Imaging Results screen, find the Artifacts section and click the Image files with artifacts link.
    3. The 'Image files with artifacts' link on the 'Imaging Results' screen.
  3. Insight takes you to the Logical Imaging module.
    4. The Logical Imaging module.
  4. On the Filters panel on the right, a new Include filter called Files with discovered artifacts is applied.
    5. The Filters panel with the filter applied.
  5. Click the Start imaging button.
    6. The 'Start imaging' button.
  6. In the Create Logical Image File dialog, select the target folder or drive, choose hashing method, enable or disable compression, and enter other details. Then click the Create button.
    7. The 'Create Logical Image File' dialog.
  7. Insight searches for the files with artifacts discovered in the previous step and saves their bit-for-bit copies in the L01 format.
    8. The logical imaging progress screen.
  8. After logical imaging is completed, Insight displays the Logical imaging results screen with the number of files imaged and other stats.
    9. The 'Logical imaging results' screen.
Back to Manual start page