Thunderbolt, Light Peak and forensics
Light Peak I believe appeared in 2009.
Engadget has a decent but basic article on the implementation.
Any thoughts? How will this impact our industry?
Anyone played with it?
I love the faster speed for imaging, with possibility of direct memory imaging . . .
- Senior Member
In the pursuit of faster field acquisitions, I've begun playing with USB3, and now Thunderbolt.
USB3 is a dismal failure. There's only one or two PCIe controllers worth anything, and the controllers built into laptops are a lottery. I abandoned USB3 when I realized I'd need to purchase and return an endless supply of laptops. The issue is that while one transfer is okay, the controllers cannot handle multiple transfers. Aggregate speeds would sputter.
Thunderbolt is, essentially, PCI Express. From my (limited) understanding the IDE/ATA commands are sent over the bus and all should be well in the land of fast transfers. Under actual use this isn't always the case.
Promise R6: The Mac-daddy end-all storage DAS
The Promise R6 is a bit pricey (12TB $2300), but if you've given up on USB3, there's really no other alternative. I tested the R6 on a 2010 MacBook Pro with 8GB of RAM and an SSD. I used 'dd' to read from zero and write to the drive. I also tested the default and maximum settings for stripe and sector size:
RAID1E - read 454MB/s - write 290MB/s
RAID0 - read 799MB/s - write 621MB/s
RAID5 - read 426MB/s - write 582MB/s
The RAID5 test was done while synchronizing the array, which means this is a minimum speed. I realize it's not very exact, but I don't have time to sit and wait for it to finish. I used bs=1024k (block size) and count=25000 to transfer about 25GB of data each time. Overall, very happy with the product.
LaCie eSata Hub Thunderbolt Series
The LaCie eSata Hub is basically a controller sitting on the Thunderbolt bus, and comes with the added benefit of being daisy-chained. I purchased two of these, yielding up to 4 eSATA ports.
Most of the testing was done using WiebeTech Ultradock v5s, the new write blocker with USB3 and a bunch of other ports. dd images of one SSD, two 7200RPM SATA, and 1 PATA drive yielded about the same results: ~20MB/s per thread. After speaking to LaCie, I could tell I wasn't going to get any help whatsoever and I started playing around with block sizes and the destination drive. I even tried a random eSata drive just to make sure it wasn't the write blockers. The most I ever got was 23MB/s, on drives that easily did 45MB/s or more. Finally I tested using FTK Imager CLI for Mac, with similar results.
On a whim I attempted a simple file copy from the mounted SSD. Miraculously, it copied at a snappy 45MB/s. I then unmounted, and got the same paltry 20MB/s speeds. Undeterred I grabbed a bunch of big (8-20GB) backups and threw them on the drive. Through the write blocker, I got about 100MB/s. That's more like it!
Calling the company back, I was sure this was a software issue, and a firmware update was sure to come. After all, how could having a filesystem in the way copy faster than a bare drive? LaCie's answer was that the hardware was only tested using mounted filesystems, and that the product worked as they expected. Good thing it's no problem returning.
Before returning the Pegasus R6, I'm going to try one more product which opens up the Thunderbolt bus. The Magma Expressbox 3T theoretically allows you to put in PCIe cards (such as USB3 controllers, or eSATA controllers) directly on the Thunderbolt bus. With luck, this may work out. Luckily, it seems they're used by a bunch of video pros and are suited to providing technical expertise and advice.
- Senior Member
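An added example, not part of any post in this thread: a small Python harness for the measurement the post above describes, comparing one sequential read stream against several running at once at a chosen block size. The function names and the constructed sample files are assumptions for illustration; on real evidence the paths would be write-blocked raw devices opened read-only.

```python
import os
import tempfile
import threading
import time

MB = 1024 * 1024

def read_stream(path, block_size, results, idx):
    """Read one source to EOF, unbuffered (like dd if=path of=/dev/null bs=...)."""
    total = 0
    start = time.perf_counter()
    with open(path, "rb", buffering=0) as src:   # read-only, no Python buffering
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            total += len(chunk)
    results[idx] = (total, time.perf_counter() - start)

def benchmark(paths, block_size=MB):
    """Read all sources concurrently; report per-stream and aggregate MB/s."""
    results = [None] * len(paths)
    threads = [threading.Thread(target=read_stream, args=(p, block_size, results, i))
               for i, p in enumerate(paths)]
    wall_start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    wall = max(time.perf_counter() - wall_start, 1e-9)
    total_bytes = sum(total for total, _ in results)
    return {
        "per_stream_mbps": [total / MB / max(el, 1e-9) for total, el in results],
        "aggregate_mbps": total_bytes / MB / wall,
        "bytes_read": total_bytes,
    }

def make_sample(size):
    """Constructed stand-in for a source drive: a temp file of random bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path

if __name__ == "__main__":
    samples = [make_sample(8 * MB) for _ in range(2)]
    try:
        for n in (1, 2):   # one stream, then two at once
            r = benchmark(samples[:n])
            print(n, "stream(s):", [round(v) for v in r["per_stream_mbps"]],
                  "aggregate", round(r["aggregate_mbps"]), "MB/s")
    finally:
        for p in samples:
            os.remove(p)
```

The sample files are served from the page cache, so their figures only show that the harness works; meaningful numbers come from sources larger than RAM or from raw devices.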
One pitfall, currently, is that little hardware exists. Desktops and laptop PCs (non-Apple) have been out for less than a year and although there seem to be fewer issues than the rollout of USB, drivers are a real issue. As an evaluation machine, our internal 2011 MacBook Pro was used to test out the R6 with the Magma Expressbox 3T. The 3T also seemed to run into the throughput limitation when imaging physical drives. To isolate the problem, I began investigating the possibility of utilizing Thunderbolt devices in Boot Camp. Fortunately, the Magma Expressbox 3T has no need of drivers on the Windows 7 side. The Pegasus R6, however, needed drivers and they are sorely lacking in that department. This article sorts it out, and after some initial confusion with the model number to base the driver from, the R6 is [mostly] working.
Initially, booting with both devices connected in the chain didn't work (with either device first in the chain). I noticed varying results sometimes, and have narrowed it down to a hot boot issue; that is, booting from being powered down works, but rebooting and connecting the devices will result in a frozen boot process. As expected, speeds are up there (65MB/s from one test spinning-disk), although speeds to the R6 resulted in a slightly slower 55MB/s. The newer MacBook Pros have options which include dual Thunderbolt, and may help. The task now is to test with multiple imaging operations, but now that the speed issue is isolated to later Mac OSX versions, I expect decent results.
Seagate GoFlex Desk
I have a MacBook Pro Retina which has 2 Thunderbolt ports. I use the GoFlex Desk with a bare SATA drive as my target drive and a Tableau Firewire bridge on my suspect drive.
I only use this setup in the field, and I haven't done any tests on this setup as the bottleneck is with the Firewire bridge. So, it works, but may not be all that fast.
- Senior Member