reviewed by Jonathan Krause
http://twitter.com/jonathankrause

Here’s two things you can be sure of; hard drives will constantly increase in capacity and the requirement to finish the job as soon as possible at minimum cost will be an ever present. So any device which may result in being able to complete our tasks quicker has got to be worth a closer look. Creating forensic images is the foundation of our work, but let’s face it, is pretty boring and even worse, dependent on where it’s being done, can be actively hostile. Happily, there’ve been some recent developments in the field of imaging, with the all-in-one devices of the Image MASSter Solo 4 Forensic and the Logicube Forensic Dossier being released, and on the software side Tableau’s and Guidance’s latest imaging software have been launched, both taking advantage of multi-core processors to help expedite the imaging process.

With the above in mind it was with interest that I received my trial copy Image MASSter Solo 4 Forensic (why the need for the stray capital letters?) from Data Duplication. My first impression, if I’m being brutally honest, is that the device is brutally ugly. The fact that it won’t be winning any design awards may not matter to many, but it sure will to some, especially if you need to take it on to client sites where impressions may count. It’s an extreme example of function over form, being a blue rectangular metal box, complete with sharp corners and a flimsy metal cover (not displayed in the promotional pictures I’ve used) protecting the 8” touch screen. Bulkier than its predecessor, the Solo 3 Forensic, the Solo 4 Forensic weighs in at 2.43Kg for the base unit, with the power pack being 1Kg and the bag, cables and manual adding 2.08Kg, giving a total weight of 5.5Kg (a shade over 11 pounds) making it not something you'd want your shoulders to bear too often. The overall dimensions of the unit are 270mm (width) x 98mm (height) and 194mm (depth).

The biggest news around this device is that it allows the imaging of two different source drives to two different destination drives simultaneously. Very handy. This potentially saves the examiner the time, money and weight over two separate devices with which would be needed to achieve the same result.

Picture 1: two source drives (at the rear of the picture) and two destination drives connected to the device

The device is advertised as being able to image a suspect device 'at up to 6GB per minute' - this figure being largely dependent on the performance of the suspect drive. Similar to AccessData’s FTK Imager, it offers nine differing levels of E01 compression which should be more than enough for most people. The unit supports a wide range of devices that it can image, being able to acquire SATA, PATA (IDE), USB devices, SAS and ATA compatible SSD devices all in both 3.5” and 2.5” sizes.

Rather unusually, the onboard firmware that was used previously in the Solo 3 Forensic has been dropped in favour of it running a legacy operating system, namely Windows XP. This can be operated either through the 8” touch screen with the supplied stylus, or by attaching a keyboard and mouse to the PS2 or USB ports to the rear of the device. One advantage of having a full-blown operating system installed is that you can preview a source drive in a write protected environment and perhaps even install some lightweight analysis applications for basic triage, although this was something I did not try.

Picture 2: A promo picture of what you won’t see on the screen. Instead the screen displays a typical Windows XP desktop on which the imaging software is installed

The device's ports which drives are attached to are labelled as ‘Suspect 1’, ‘Suspect 2’, and ‘Evidence 1’ and ‘Evidence 2’, while a different naming convention is used within the imaging software, the drives being referred to there as ‘Source’ and ‘Destination’ drives. I personally prefer the use of ‘Source’ and ‘Destination’ to minimise ambiguity, but either way the manufacturer needs to be consistent with their naming scheme.

The Solo 4 Forensic will enable the secure wiping of drives, and hashes are available using MD5, SHA-1 and SHA-2 algorithms. The manufacturers recommend using SHA-1 or SHA-22 to hash as they are implemented as hardware based algorithms, while MD5 is implemented as a slower software-based algorithm.

Picture 3: a screen of the ‘advanced’ control panel of the imaging software

Picture 4: the not so great ‘wizard’ screen of the imaging software