Image MASSter Solo-4 Forensic
With the above in mind it was with interest that I received my trial copy of the Image MASSter Solo 4 Forensic (why the need for the stray capital letters?) from Data Duplication. My first impression, if I’m being brutally honest, is that the device is brutally ugly. The fact that it won’t be winning any design awards may not matter to many, but it sure will to some, especially if you need to take it on to client sites where impressions may count. It’s an extreme example of function over form, being a blue rectangular metal box, complete with sharp corners and a flimsy metal cover (not displayed in the promotional pictures I’ve used) protecting the 8” touch screen. Bulkier than its predecessor, the Solo 3 Forensic, the Solo 4 Forensic weighs in at 2.43Kg for the base unit, with the power pack being 1Kg and the bag, cables and manual adding 2.08Kg, giving a total weight of 5.5Kg (a shade over 11 pounds), making it not something you'd want your shoulders to bear too often. The overall dimensions of the unit are 270mm (width) x 98mm (height) x 194mm (depth).
The biggest news around this device is that it allows the imaging of two different source drives to two different destination drives simultaneously. Very handy. This potentially saves the examiner the time, money and weight of the two separate devices which would otherwise be needed to achieve the same result.
Picture 1: two source drives (at the rear of the picture) and two destination drives connected to the device
The device is advertised as being able to image a suspect device 'at up to 6GB per minute' - this figure being largely dependent on the performance of the suspect drive. Similar to AccessData’s FTK Imager, it offers nine differing levels of E01 compression which should be more than enough for most people. The unit supports a wide range of devices that it can image, being able to acquire SATA, PATA (IDE), USB devices, SAS and ATA compatible SSD devices all in both 3.5” and 2.5” sizes.
Rather unusually, the onboard firmware that was used previously in the Solo 3 Forensic has been dropped in favour of it running a legacy operating system, namely Windows XP. This can be operated either through the 8” touch screen with the supplied stylus, or by attaching a keyboard and mouse to the PS2 or USB ports at the rear of the device. One advantage of having a full-blown operating system installed is that you can preview a source drive in a write-protected environment and perhaps even install some lightweight analysis applications for basic triage, although this was something I did not try.
Picture 2: A promo picture of what you won’t see on the screen. Instead the screen displays a typical Windows XP desktop on which the imaging software is installed
The ports on the device to which drives are attached are labelled ‘Suspect 1’, ‘Suspect 2’, ‘Evidence 1’ and ‘Evidence 2’, while a different naming convention is used within the imaging software, the drives being referred to there as ‘Source’ and ‘Destination’ drives. I personally prefer the use of ‘Source’ and ‘Destination’ to minimise ambiguity, but either way the manufacturer needs to be consistent with their naming scheme.
The Solo 4 Forensic will enable the secure wiping of drives, and hashes are available using MD5, SHA-1 and SHA-2 algorithms. The manufacturers recommend using SHA-1 or SHA-2 to hash as they are implemented as hardware-based algorithms, while MD5 is implemented as a slower software-based algorithm.
Picture 3: a screen of the ‘advanced’ control panel of the imaging software
Picture 4: the not so great ‘wizard’ screen of the imaging software