Which command is commonly used to create a forensic image on a Linux system?


The command commonly used to create a forensic image on a Linux system is 'dd'. This command is particularly valuable in digital forensics because it can make a bit-by-bit copy of data from one storage medium to another, ensuring that every single byte is captured accurately, including deleted files and unallocated space.

Using 'dd' for forensic imaging is critical because it preserves the integrity of the original data: it only reads from the source device and writes to the destination, so the source disk is not modified during the process. This lets forensic analysts capture an exact duplicate of a storage device, which can then be examined without altering the original evidence.

The other commands listed serve different purposes: 'cp' is used for copying files and directories but does not create a complete image of the disk. 'tar' is primarily for archiving files and directories into a single file but does not handle raw disk imaging. 'mv' is used to move files and directories, not for creating copies or images. Thus, 'dd' stands out due to its specific functionality designed for creating forensic images, making it the appropriate choice for this task.
