Reviews - 2010

Image MASSter Solo-4 Forensic


Reviewed by Jonathan Krause of Forensic Control.


Here’s two things you can be sure of: hard drives will constantly increase in capacity, and the requirement to finish the job as soon as possible at minimum cost will be ever present. So any device which may let us complete our tasks quicker has got to be worth a closer look. Creating forensic images is the foundation of our work but, let’s face it, it is pretty boring and, even worse, depending on where it’s being done, can be actively hostile. Happily, there’ve been some recent developments in the field of imaging, with the all-in-one devices of the Image MASSter Solo 4 Forensic and the Logicube Forensic Dossier being released, and on the software side Tableau’s and Guidance’s latest imaging software have been launched, both taking advantage of multi-core processors to help expedite the imaging process.

With the above in mind it was with interest that I received my trial copy of the Image MASSter Solo 4 Forensic (why the need for the stray capital letters?) from Data Duplication. My first impression, if I’m being brutally honest, is that the device is brutally ugly. The fact that it won’t be winning any design awards may not matter to many, but it sure will to some, especially if you need to take it on to client sites where impressions may count. It’s an extreme example of function over form, being a blue rectangular metal box, complete with sharp corners and a flimsy metal cover (not displayed in the promotional pictures I’ve used) protecting the 8” touch screen. Bulkier than its predecessor, the Solo 3 Forensic, the Solo 4 Forensic weighs in at 2.43Kg for the base unit, with the power pack being 1Kg and the bag, cables and manual adding 2.08Kg, giving a total weight of 5.5Kg (a shade over 11 pounds), making it not something you'd want your shoulders to bear too often. The overall dimensions of the unit are 270mm (width) x 98mm (height) x 194mm (depth).

The biggest news around this device is that it allows the imaging of two different source drives to two different destination drives simultaneously. Very handy. This potentially saves the examiner the time, money and weight of the two separate devices which would otherwise be needed to achieve the same result.


Picture 1: two source drives (at the rear of the picture) and two destination drives connected to the device

The device is advertised as being able to image a suspect device 'at up to 6GB per minute' - this figure being largely dependent on the performance of the suspect drive. Similar to AccessData’s FTK Imager, it offers nine differing levels of E01 compression which should be more than enough for most people. The unit supports a wide range of devices that it can image, being able to acquire SATA, PATA (IDE), USB devices, SAS and ATA compatible SSD devices all in both 3.5” and 2.5” sizes.

Rather unusually, the onboard firmware that was used previously in the Solo 3 Forensic has been dropped in favour of it running a legacy operating system, namely Windows XP. This can be operated either through the 8” touch screen with the supplied stylus, or by attaching a keyboard and mouse to the PS2 or USB ports to the rear of the device. One advantage of having a full-blown operating system installed is that you can preview a source drive in a write protected environment and perhaps even install some lightweight analysis applications for basic triage, although this was something I did not try.


Picture 2: A promo picture of what you won’t see on the screen. Instead the screen displays a typical Windows XP desktop on which the imaging software is installed

The device's ports which drives are attached to are labelled as ‘Suspect 1’, ‘Suspect 2’, and ‘Evidence 1’ and ‘Evidence 2’, while a different naming convention is used within the imaging software, the drives being referred to there as ‘Source’ and ‘Destination’ drives. I personally prefer the use of ‘Source’ and ‘Destination’ to minimise ambiguity, but either way the manufacturer needs to be consistent with their naming scheme.

The Solo 4 Forensic will enable the secure wiping of drives, and hashes are available using MD5, SHA-1 and SHA-2 algorithms. The manufacturers recommend using SHA-1 or SHA-2 to hash as they are implemented as hardware-based algorithms, while MD5 is implemented as a slower software-based algorithm.


Picture 3: a screen of the ‘advanced’ control panel of the imaging software


Picture 4: the not so great ‘wizard’ screen of the imaging software

So, on to where the Solo 4 Forensic will rise or fall: imaging speeds. Using the latest firmware available at the time of testing, version 4.2.30.0, I used various imaging scenarios to examine what this device was capable of. The testing was conducted using the ‘advanced’ mode rather than the over-simplified ‘wizard’, which has simplified the imaging process to such an extent that the user really isn’t left with enough control over the output. It is worth noting that when you need to image two source disks you’ll need to start two separate instances of the imaging software, which will run concurrently; this wasn’t immediately clear to me.

Test 1 - image one SATA to one SATA

Source: One SATA Seagate Barracuda Model ST340014AS, capacity 40GB, 7,200RPM
Destination: One SATA Western Digital Caviar Green, 750GB Model WD7500AACS.
Method: E01 files, no compression, SHA1 hashing, no hash of destination.

Total time taken 00:17:41 to copy 38146MB


Test 2 - image one SATA to two SATAs

Source: One SATA Seagate Barracuda Model ST340014AS, capacity 40GB, 7,200RPM
Destination: Two SATA Western Digital Caviar Green, 750GB Model WD7500AACS
Method: E01 files, no compression, SHA1 hashing, no hash of destination.

Total time taken 00:20:23 to copy 38146MB


Test 3 – image two SATAs to two SATAs

Source: Two SATA Seagate Barracuda Model ST340014AS, capacity 40GB, 7,200RPM
Destination: Two SATA Western Digital Caviar Green, 750GB Model WD7500AACS.
Method: E01 files, no compression, SHA1 hashing, no hash of destination.

Total time taken 1st drive 00:19:38 to copy 38146MB (ran concurrently with drive 2)
Total time taken 2nd drive 00:20:38 to copy 38146MB (ran concurrently with drive 1)


Test 4 – image two SATAs to two SATAs, full compression

Source: Two SATA interface Seagate Barracuda Model ST340014AS, capacity 40GB, 7,200RPM
Destination: Two SATA Western Digital Caviar Green, 750GB Model WD7500AACS
Method: E01 files, level 9 compression, SHA1 hashing, no hash of destination.

Total time taken 1st drive 00:28:43 to copy 38146MB - (ran concurrently with drive 2) (whole source drive blank.)
Total time taken 2nd drive 01:39:14 to copy 38146MB - (ran concurrently with drive 1) (source drive contained 16.GB allocated, XP, User data, etc)


Test 5 - image two SATAs to two SATAs, using dd

Source: Two SATA interface Seagate Barracuda Model ST340014AS, capacity 40GB, 7,200RPM
Destination: Two SATA Western Digital Caviar Green, 750GB Model WD7500AACS.
Method: dd files, no compression, SHA1 hashing, no hash of destination.

Total time taken 1st drive 00:15:11 to copy 38146MB (ran concurrently with drive 2)
Total time taken 2nd drive 00:15:13 to copy 38146MB (ran concurrently with drive 1)


Test 6 – image one SAS to one SATA

Source: One SAS Seagate Cheetah, Model ST3146855SS, capacity 146GB, 15,000RPM
Destination: One SATA Western Digital Caviar Green, 750GB Model WD7500AACS
Method: E01 files, no compression, SHA1 hashing, no hash of destination.

Total time taken 00:45:34 to copy 140009MB


Test 7 – image one SAS to two SATAs

Source: One SAS Seagate Cheetah, Model ST3146855SS, capacity 146GB, 15,000RPM
Destination: Two SATA Western Digital Caviar Green, 750GB Model WD7500AACS.
Method: E01 files, no compression, SHA1 hashing, no hash of destination drive.

Total time taken 01:12:19 to copy 140009MB
(NB, the device first formatted the drives before using them, although this was quick, less than 20 seconds)


Test 8 – image one SAS to one SATA with hash of result

Source: One SAS Seagate Cheetah, Model ST3146855SS, capacity 146GB, 15,000RPM
Destination: One SATA Western Digital Caviar Green, 750GB Model WD7500AACS
Method: E01 files, no compression, SHA1 hashing, with hash of destination.

Total time taken 01:30:34 to copy 140009MB


I’ll let you draw your own conclusions with regard to the imaging speeds, as few things are as boring to read as a description of statistics. Overall I found the Solo 4 Forensic to be a very handy unit and a useful tool to take on site, with the ability to image two drives simultaneously being an obvious win. The interface wasn’t the most intuitive but after some helpful support from Data Duplication I was quickly put right. The Solo 4 Forensic is available in the UK from Data Duplication at a cost (excluding VAT) of £1875.00, which includes:

- Solo-4 Stand Alone Unit
- 4 SAS/SATA Data Cables and Power cables
- 1 SATA to IDE Adapter
- 1 IDE Data Cable
- 1 IDE Power Cable
- 1 2.5” Drive Adapter
- 1 150 watt power supply
- 1 Power Cord


Jonathan Krause is an independent computer forensics consultant based in central London. Follow him on Twitter at http://twitter.com/jonathankrause.

 
