A forensic image is a bit-for-bit 1:1 copy of a storage device that captures every sector, including deleted data, free space, and slack space. Unlike a normal file copy, a forensic image contains the complete physical content of the medium.
Creation uses write blockers to prevent any modification of the source device. Hash values (SHA-256 or MD5) document integrity: the hash of the image must match the original. Forensic images are the foundation of all digital evidence preservation — analysis is performed exclusively on the copy while the original remains untouched. Common formats include E01 (EnCase) and AFF4.