
Forensic Imager review, Pls. suggest right device

34 Posts
12 Users
0 Likes
4,103 Views
(@athena)
Posts: 27
Eminent Member
Topic starter
 

Dear Team
I am about to make a big purchase - Forensic Imager cum multifunction suite.

Products I have selected are -
1) Logicube Forensic Falcon (https://www.logicube.com/shop/falcon/?v=c86ee0d9d7ed)
2) Media-clone - SuperImager Plus 12" Rugged Forensic Field Unit - Linux Forensic Imager i7 (Optional Dual Boot)
3) Belkasoft - Evidence Suite with Atola Insight Imager

All of these cost more than US$ 6000, so it's a critical purchase.
I would like to know which you guys recommend.
Do you own any one of these? Any suggestion or feedback will immensely help me.
Each of the devices has its own advantages, like -
1) Belkasoft can reset the hard disk ATA password. It clones on firmware level, so it can deal with bad sectors most effectively. It can detect 600 file types, so it is not only a dumb imager.

2) Forensic Falcon - Almost all types of digital devices can be cloned, multiple copies of the same source over a no. of targets etc. Can image evidence over network or remotely as well.

3) SuperImager - Imager with Intel i7 processor and having Linux/Windows dual boot OS.
So evidence can be analyzed as well.

Pls. let me know your take or suggestion for any other device.
Thank you

 
Posted : 24/04/2017 4:24 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

The Falcon is pretty solid from my limited experience with it, but it was an older model.

If you have not looked into the Tableau TD3, it works quite well as a physical imaging device. It's been my go-to imager device for a long time.

 
Posted : 24/04/2017 6:27 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

We own multiple Tableau TD2u devices (http://www.forensiccomputers.com/tableau-td2-forensic-duplicator.html) and love them.

Individually the Tableau TD2u is $1,479.00 according to the aforementioned website.

The TD2u can write images to two raw hard drives and one external USB drive simultaneously if need be.

I would recommend buying multiple TD2u devices for the budget you mentioned.

Also contact the folks at Digital Intelligence who is a reseller.

 
Posted : 25/04/2017 1:25 am
(@thefuf)
Posts: 262
Reputable Member
 

Currently, there is a trend of putting a Linux-based operating system on custom hardware and labelling the result as a hardware imager (a typical example is the Tableau TD3). In my opinion, this is similar to running a customized Linux distribution on a typical forensic workstation. In this case, the only advantages of such a hardware imager are its size and a kit with cables & adapters.

But there are different hardware imagers. Some of them launch the imaging process on an FPGA (a typical example is the Tableau TD2u). In my opinion, these are true hardware imagers.

When taking both types of hardware imagers into consideration, keep in mind that there could be problems with the forensic soundness of a Linux-based operating system, so you might want to do something to validate such a hardware imager. So, there is a reason to purchase a simpler hardware imager like Tableau TD2u.

 
Posted : 25/04/2017 2:59 am
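
One way to run the validation suggested in the post above, as an added example that is not part of the thread: hash a test drive before imaging, then check afterwards that the source is unchanged and that the image matches it. The test media and the three simulated imagers are constructed, and names such as `validate_run` are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

def digest_and_length(path, chunk=1 << 20):
    """Stream a file (or raw device node) through SHA-256, counting bytes read."""
    h, n = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            n += len(block)
    return h.hexdigest(), n

def validate_run(source, image, baseline):
    """Check one acquisition against the (hash, length) taken before imaging."""
    findings = []
    src = digest_and_length(source)
    img = digest_and_length(image)
    if src != baseline:
        findings.append("source-modified")   # the imager wrote to the evidence
    if img[1] < baseline[1]:
        findings.append("image-truncated")   # not every sector was acquired
    elif img != baseline:
        findings.append("image-mismatch")    # content differs from the baseline
    return findings

def demo():
    """Three simulated imagers run over constructed 64 KiB test media."""
    work = tempfile.mkdtemp()
    results = {}
    try:
        for case in ("sound", "writes-to-source", "short-read"):
            src = os.path.join(work, case + ".src")
            img = os.path.join(work, case + ".img")
            with open(src, "wb") as f:
                f.write(bytes(range(256)) * 256)      # constructed test media
            baseline = digest_and_length(src)
            shutil.copyfile(src, img)                 # stand-in for the imager
            if case == "writes-to-source":
                with open(src, "r+b") as f:           # simulated stray write
                    f.seek(1024)
                    f.write(b"\x00" * 4)
            if case == "short-read":
                os.truncate(img, baseline[1] - 4096)  # simulated missed sectors
            results[case] = validate_run(src, img, baseline)
    finally:
        shutil.rmtree(work)
    return results

if __name__ == "__main__":
    print(demo())
```

On real hardware the baseline would be taken from a sacrificial test drive behind a trusted write blocker, and the same comparison repeated after each imager run.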
(@athena)
Posts: 27
Eminent Member
Topic starter
 

Hi jpickens , UnallocatedClusters & thefuf

Thank you so much for your valuable suggestions. The detailed explanation given by thefuf has made me rethink this purchase.
So far no one has put in a word about SuperImager. As thefuf has mentioned, there is a concern for Linux based imaging, which is not purely hardware based imaging.
I will check with Tableau TD2u devices.
Thanks again.

 
Posted : 25/04/2017 2:09 pm
bytethese
(@bytethese)
Posts: 12
Active Member
 

From personal experience I can recommend the Logicube Falcon. We used them at my last employer since they were the only ones that can write to encrypted volumes. We were a third party forensics/ediscovery vendor so writing to encrypted media was a must. The TD3 we were told "may" eventually include encryption but the Falcon was the only one that did out of the box. It is able to write to both TrueCrypt and Veracrypt containers.

It also has 2 USB3 ports so you can also output to Aegis Padlocks or similar hardware encrypted drives.

 
Posted : 26/04/2017 2:25 am
(@athena)
Posts: 27
Eminent Member
Topic starter
 

Hi Team
I just came across IXIMAGER (https://www.perlustro.com/solutions/e-forensics/iximager) in another post on this forum.
It's been claimed that it is the only product certified by NIST. This is not a hardware imager but a bootable pen drive. What do you think about it? Has anyone reviewed it so far?
Features and specs are awesome -

Certified by NIST as THE STANDARD among all other tools
•Only forensic imaging tool in existence that exceeds NIST Test Criteria
•Only forensic imaging tool in existence that made 100% on the NIST CFTT Certification Tests, the most stringent test existing at any Federal Level
•Only forensic imaging tool used by NIST to test over 20 (all to date) write block devices, establishing itself as the NIST standard.
•Only forensic tool in existence that does NOT require a physical writeblock device for forensics imaging

The only non-Windows tool in existence to have 100% full kernel mode NTFS write support

The only tool in existence to identify AND image hidden drive areas
•Able to image all accessible disk sectors when Host Protected Areas (HPA) are present (when accessing drives directly via IDE and/or SATA)
•Able to image all accessible disk sectors when Device Configuration Overlays (DCO) are present (when accessing drives directly via IDE and/or SATA).
•Automatically access DCO space on a device – ONLY tool in existence
•Automatically access embedded DCO HPA combinations or in combination with each other on a device – ONLY tool in existence

Only tool that exists to correctly process anomalies and media-bad sectors
•Creates bad sector mapping sub-containers complemented by ILook’s Authentication Standard
•Authenticated digital evidence container production – only tool in existence to create tamper proof data sets with self-healing design
•Data corruption is securely accounted for
•Data tampering is securely documented and recorded
•Fully encrypted digital evidence container format that is native to a forensics tool
•High-speed data compression RW in all modes
•Ability for data to span multiple output devices, different file systems and different media types
•Only tool to create detailed data acquisition logs
•Only tool to create an Encrypted Authentication LOG file of all user actions, sealed to prevent tampering

Diverse, no-competition hardware system support
•Only tool that will boot x86 and x86_64 Macs, including Intel SMP from the same media
•Only tool that will boot PowerPC Macs
•Only tool that will boot PowerPC 64 Macs
•Boots x86 based computers regardless of Mfg.
•Boots x86_64 including SMP and multisocket systems regardless of mfg.

Diverse and unmatched boot media support
•Boots from USB thumb drives
•Boots from CD-ROM
•Boots from floppy disks
•Boots from IDE or SATA boot devices
•System validation tools included within the running OS

Diverse and unmatched storage media support
•Only product with unlimited Software RAID support in Linux
•Only product with full hardware RAID support for Windows, Linux and Unix
•Only forensics product with GPT and direct write support
•Only product with built-in Full Fiber Channel Support
•Only product of any type with 100% auto device detection support including RAIDS
•GUI Linux Imager with full mouse kbd support – ONLY forensics form in existence
•Only software to test Calibrate IO devices prior to imaging
•Only tool that can convert among 3 image forms in a single operation mode
•Only forensics tool that can capture any size block MSD device to an image file
•Native Firewire (ieee1394) support
•Native ATAPI
•Native IDE
•Native SATA
•Native eSATA
•Native USB mass storage
•Native USB non-mass storage devices
•Native SAS support
•Full ext2 and ext3 read and write support
•Full FAT32 read and write support
•Can partition and format media in any Filesystem form
•Can zero/erase fill media faster than any other software tool
•Can preview device/media data
•Can execute hashes of devices and image files and verify their data payload separately from imaging processes
•Over 50 Federal users, have over 5,000 terabytes of digital evidence that has been seized using the imager’s ASB proprietary format.
•Full HFS+RW support
•Full ISCI support
•Output media size is fully user determinant
•Only tool in existence that will create restores to Virtual Disk form in native formats without

 
Posted : 26/04/2017 12:23 pm
(@athena)
Posts: 27
Eminent Member
Topic starter
 

I am about to drop Media-clone SuperImager altogether.

As thefuf has rightly mentioned, it is not purely a hardware imager. I could not see any review of their product line anywhere. Besides, it has not been certified by any law enforcement agency (like NIST CFTT etc.).
Has anyone from the community owned it? Its specs are awesome - military grade components.

(Hardware Very high quality high performing components, some with military specifications.)
Writes Block Using “device driver” blocking mechanism based on Maxim Suhanov Mechanism (https://github.com/msuhanov/Linux-write-blocker) - So no hardware write blocking

 
Posted : 26/04/2017 1:53 pm
bytethese
(@bytethese)
Posts: 12
Active Member
 

Hmm, I've never heard of IXImager, but from what I see it is/was only offered to law enforcement as part of a package that costs about $2,000.

If you are looking for a cheap, reliable solution for Macs, have you looked into Recon from Sumuri? They just released recently for $399. Their PC software Paladin is suggested at $25.

https://sumuri.com/software/recon-imager/
https://sumuri.com/product/paladin-64-bit-version-7/

I've been using Paladin for years myself and love it when I need to image a PC where I can't remove the drive (Surface Pros, small form factor laptops, etc).

I've always used MacQuisition by BlackBag Technologies for my Mac imaging since it's a modified OS X kernel, thus being best for imaging Mac volumes. The new Sumuri tool sounds intriguing at $399 and some former colleagues of mine are testing it out now, but I haven't personally used it yet.

 
Posted : 26/04/2017 3:16 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

it is not purely hardware imager.

None of the devices you mention are purely a hardware imager. All of them have some sort of code, be it some proprietary code running on an embedded device, or Linux (or some other OS) running on an embedded device.

Linux is tested on many millions of devices, your proprietary code probably on thousands.

Personally I would be slightly happier with a Linux based device unless the manufacturer could show a feature that they have that is hardware/OS dependent that can't be obtained on a Linux device.

TBH I would be pretty happy with either and would not use the embedded OS as a purchasing factor.

 
Posted : 26/04/2017 4:00 pm