Forensic Imager review, pls. suggest the right device

athena
(@athena)
Junior Member

Dear Team,
I am about to make a big purchase - a Forensic Imager cum multifunction suite.

The products I have selected are:
1) Logicube Forensic Falcon (https://www.logicube.com/shop/falcon/?v=c86ee0d9d7ed)
2) Media-Clone SuperImager Plus 12" Rugged Forensic Field Unit - Linux Forensic Imager i7 (Optional Dual Boot)
3) Belkasoft Evidence Suite with Atola Insight Imager

All of these cost more than US$ 6000, so it is a critical purchase.
I would like to know which one you guys recommend.
Do you own any one of these? Any suggestion or feedback will immensely help me.
Each of the devices has its own advantages, like:
1) Belkasoft can reset the hard disk ATA password; it clones at firmware level, so it can deal with bad sectors most effectively. It can detect 600 file types, so it is not only a dumb imager.

2) Forensic Falcon: almost all types of digital devices can be cloned, multiple copies of the same source over a number of targets, etc. It can image evidence over the network or remotely as well.

3) SuperImager: an imager with an Intel i7 processor and a Linux/Windows dual boot OS,
so evidence can be analyzed as well.

Pls. let me know your take, or a suggestion for any other device.
Thank you

Topic starter Posted : 24/04/2017 5:24 pm
jpickens
(@jpickens)
Active Member

The Falcon is pretty solid from my limited experience with it, but it was an older model.

If you have not looked into it, the Tableau TD3 works quite well as a physical imaging device. It's been my go-to imaging device for a long time.

Posted : 24/04/2017 7:27 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

We own multiple Tableau TD2u devices (http://www.forensiccomputers.com/tableau-td2-forensic-duplicator.html) and love them.

Individually the Tableau TD2u is $1,479.00 according to the aforementioned website.

The TD2u can write images to two raw hard drives and one external USB drive simultaneously if need be.

I would recommend buying multiple TD2u devices for the budget you mentioned.

Also contact the folks at Digital Intelligence, who are a reseller.

Posted : 25/04/2017 2:25 am
thefuf
(@thefuf)
Active Member

Currently, there is a trend of putting a Linux-based operating system on custom hardware and labelling the result as a hardware imager (a typical example: Tableau TD3). In my opinion, this is similar to running a customized Linux distribution on a typical forensic workstation. In this case, the only advantages of such a hardware imager are its size and a kit with cables & adapters.

But there are different hardware imagers. Some of them run the imaging process on an FPGA (a typical example: Tableau TD2u). In my opinion, these are true hardware imagers.

When taking both types of hardware imagers into consideration, keep in mind that there could be problems with the forensic soundness of a Linux-based operating system, so you might want to do something to validate such a hardware imager. So, there is a reason to purchase a simpler hardware imager like Tableau TD2u.

Posted : 25/04/2017 3:59 am
athena
(@athena)
Junior Member

Hi jpickens, UnallocatedClusters & thefuf,

Thank you so much for your valuable suggestions. The detailed explanation given by thefuf has made me rethink this purchase.
So far no one has put in a word about the SuperImager. As thefuf has mentioned, there is a concern about Linux-based imaging, which is not purely hardware-based imaging.
I will check the Tableau TD2u devices.
Thanks again.

Topic starter Posted : 25/04/2017 3:09 pm
bytethese
(@bytethese)
New Member

From personal experience I can recommend the Logicube Falcon. We used them at my last employer since they were the only ones that can write to encrypted volumes. We were a third party forensics/ediscovery vendor so writing to encrypted media was a must. The TD3 we were told "may" eventually include encryption but the Falcon was the only one that did out of the box. It is able to write to both TrueCrypt and Veracrypt containers.

It also has 2 USB3 ports so you can also output to Aegis Padlocks or similar hardware encrypted drives.

Posted : 26/04/2017 3:25 am
athena
(@athena)
Junior Member

Hi Team,
I just came across IXIMAGER (https://www.perlustro.com/solutions/e-forensics/iximager)
in another post on this forum.
It has been claimed that it is the only product certified by NIST. This is not a hardware imager but a bootable pen drive. What do you think about it? Has anyone reviewed it so far?
The features and specs are awesome:

Certified by NIST as THE STANDARD among all other tools
• Only forensic imaging tool in existence that exceeds NIST Test Criteria
• Only forensic imaging tool in existence that made 100% on the NIST CFTT Certification Tests, the most stringent test existing at any Federal Level
• Only forensic imaging tool used by NIST to test over 20 (all to date) write block devices, establishing itself as the NIST standard.
• Only forensic tool in existence that does NOT require a physical writeblock device for forensics imaging

The only non-Windows tool in existence to have 100% full kernel mode NTFS write support

The only tool in existence to identify AND image hidden drive areas
• Able to image all accessible disk sectors when Host Protected Areas (HPA) are present (when accessing drives directly via IDE and/or SATA)
• Able to image all accessible disk sectors when Device Configuration Overlays (DCO) are present (when accessing drives directly via IDE and/or SATA).
• Automatically access DCO space on a Device - ONLY Tool in existence
• Automatically access embedded DCO HPA combinations or in combination with each other on a device - ONLY tool in existence

Only tool that exists to correctly process anomalies and media-bad sectors
• Creates bad sector mapping sub-containers complemented by ILook's Authentication Standard
• Authenticated digital evidence container production - only tool in existence to create tamper proof data sets with self-healing design
• Data corruption is securely accounted for
• Data tampering is securely documented and recorded
• Fully encrypted digital evidence container format that is native to a forensics tool
• High-speed data compression RW in all modes
• Ability for data to span multiple output devices, different file systems and different media types
• Only tool to create detailed data acquisition logs
• Only tool to create an Encrypted Authentication LOG file of all user actions, sealed to prevent tampering

Diverse, no-competition hardware system support
• Only tool that will boot x86 and x86_64 Macs, including Intel SMP from the same media
• Only tool that will boot PowerPC Macs
• Only tool that will boot PowerPC 64 Macs
• Boots x86 based computers regardless of Mfg.
• Boots x86_64 including SMP and multisocket systems regardless of Mfg.

Diverse and unmatched boot media support
• Boots from USB thumb drives
• Boots from CD-ROM
• Boots from floppy disks
• Boots from IDE or SATA boot devices
• System validation tools included within the running OS

Diverse and unmatched storage media support
• Only product with unlimited Software RAID support in Linux
• Only product with full hardware RAID support for Windows, Linux and Unix
• Only forensics product with GPT and direct write support
• Only product with built-in Full Fiber Channel Support
• Only product of any type with 100% auto device detection support including RAIDS
• GUI Linux Imager with full mouse kbd support - ONLY forensics form in existence
• Only software to test Calibrate IO devices prior to imaging
• Only tool that can convert among 3 image forms in a single operation mode
• Only forensics tool that can capture any size block MSD device to an image file
• Native Firewire (ieee1394) support
• Native ATAPI
• Native IDE
• Native SATA
• Native eSATA
• Native USB mass storage
• Native USB non-mass storage devices
• Native SAS support
• Full ext2 and ext3 read and write support
• Full FAT32 read and write support
• Can partition and format media in any Filesystem form
• Can zero/erase fill media faster than any other software tool
• Can preview device/media data
• Can execute hashes of devices and image files and verify their data payload separately from imaging processes
• Over 50 Federal users, have over 5,000 terabytes of digital evidence that has been seized using the imager's ASB proprietary format.
• Full HFS+ RW support
• Full ISCI support
• Output media size is fully user determinant
• Only tool in existence that will create restores to Virtual Disk form in native formats without

Topic starter Posted : 26/04/2017 1:23 pm
athena
(@athena)
Junior Member

I am about to drop the Media-Clone SuperImager altogether.

As thefuf has rightly mentioned, it is not a purely hardware imager. I could not see any review of their product line anywhere. Besides, it has not been certified by any law enforcement agency (like NIST CFTT etc.).
Has anyone from the community owned it? Its specs are awesome - military grade components.

(Hardware: very high quality, high performing components, some with military specifications.)
Write blocking uses a "device driver" blocking mechanism based on Maxim Suhanov's mechanism (https://github.com/msuhanov/Linux-write-blocker) - so no hardware write blocking.

Topic starter Posted : 26/04/2017 2:53 pm
bytethese
(@bytethese)
New Member

Hmm, I've never heard of IXImager, but from what I see it is/was only offered to law enforcement as part of a package that costs about $2,000.

If you are looking for a cheap, reliable solution for Macs, have you looked into Recon from Sumuri? They just released it recently for $399. Their PC software Paladin is suggested at $25.

https://sumuri.com/software/recon-imager/
https://sumuri.com/product/paladin-64-bit-version-7/

I've been using Paladin for years myself and love it when I need to image a PC where I can't remove the drive (Surface Pros, small form factor laptops, etc).

I've always used MacQuisition by BlackBag Technologies for my Mac imaging since it's a modified OS X kernel, thus being best for imaging Mac volumes. The new Sumuri tool sounds intriguing at $399, and some former colleagues of mine are testing it out now, but I haven't personally used it yet.

Posted : 26/04/2017 4:16 pm
PaulSanderson
(@paulsanderson)
Senior Member

it is not purely hardware imager.

None of the devices you mention are purely a hardware imager. All of them have some sort of code, be it some proprietary code running on an embedded device, or Linux (or some other OS) running on an embedded device.

Linux is tested on many millions of devices, your proprietary code probably on thousands.

Personally I would be slightly happier with a Linux-based device unless the manufacturer could show a feature that they have that is hardware/OS dependent and that can't be obtained on a Linux device.

TBH I would be pretty happy with either and would not use the embedded OS as a purchasing factor.

Posted : 26/04/2017 5:00 pm
athena
(@athena)
Junior Member

Wow, Paul Sir,
Thank you so much for your kind help.
I am sure it will help many people in this forum.
So you suggest going ahead with the SuperImager from Media-Clone?
It has a dual boot option (Linux and Windows), so besides imaging, on-site analysis can also be performed. A cell phone can be imaged and analysed using this device.
On the other hand, Tableau, which has been purchased by Guidance, is a heavyweight contender due to Guidance Software.
Interestingly, NIST has validated a) Forensic Falcon b) Tableau only.
bytethese - I have more budget (US$ 6000), so price is not a barrier.
I just want to ensure that I purchase the right product, as this will be a costly purchase.
I don't want to end up with a substandard product.
I am more confused now as to which product should finally be purchased.

Topic starter Posted : 26/04/2017 5:46 pm
JaredDM
(@jareddm)
Active Member

While not typically marketed as a "forensic imager" you might consider something like PC-3000 Portable. It's generally considered a data recovery tool, but their DE software can image in forensic mode, generate checksums, even create Encase image files to work with if you'd like. And, it can do a heck of a lot more. Remove ATA passwords, fix firmware malfunctions, etc., etc., etc. You'll have 10x more success with it, compared to those other tools, when it comes to any failing media that's for sure.

In my opinion, most forensic imagers do little more than you could do with a Linux computer. They're just sold for outrageous prices because most law enforcement agencies have deep pockets full of tax dollars and will pay whatever price for a solution that makes things simple (aka idiot proof).

I guess the only thing it wouldn't have for you is any features for "on site analysis", since the software isn't forensics oriented. You'd still need to use other software for that. But, if you're in forensics already, you've probably already got Encase or some other software you can run on a laptop, which is what you'd be hooking the PC-3000 Portable up to.

Posted : 26/04/2017 8:28 pm
athena
(@athena)
Junior Member

Hi Jared, good morning,

Thank you for sharing your thoughts on this subject.
Yes, I know the awesome capabilities of ACE products, as I own the ACELab PC-3000 UDMA (Red card).
This particular requirement is for a portable device having multiple ports, so in case needed I can make 1 2 /13 or even more copies simultaneously. I can even image multiple drives simultaneously. I can erase a large number of disks on site.
All this is possible with the least effort using a standalone imager. The PC-3000 lineup, though powerful, will lack the flexibility for quick movement and the multifunctionality of a standalone imager.
Though the Portable can also do all these tasks most efficiently.
Typical drives to be cloned will be healthy. Those having defects will be operated on in the lab.
For those who are looking for a portable device having firmware-level capability to deal with failing / ATA encrypted / WD SmartWare encrypted drives, the Portable is the only choice.
Thank you.
Wishing all a fruitful day ahead.

Topic starter Posted : 26/04/2017 9:42 pm
thefuf
(@thefuf)
Active Member

So you suggest to go ahead with superimager from media-clone ?
It has dual boot option ( Linux and windows ) so besides imaging on site analysis also can be performed. A cell phone can be imaged and analysed using this device.
On the other hand Tableu which is been purchased by guidance is a heavy weight contender due to guidance software .
Interestingly NIST has validated a)forensic falcon 2) Tabelu only.

Keep in mind that validation results are valid not for a specific product, but for a specific firmware version of the product and its hardware. NIST doesn't always revalidate a product after a firmware update is made available by a vendor.

If you don't have any legal reason to stick with validated products only, then [external] validation isn't a key factor for you.

It's rather sad that NIST validation efforts miss issues with forensic soundness. Tableau TD3 is not an exception here. Also, since software products were mentioned in this thread, the same applies to them.

Vendors may provide inaccurate information about write blocking in their products. They may include a software write blocker in a certain version of a tool, but later they silently exclude it (this is what happened to PALADIN). They may claim that a product contains a write blocker, but in fact it doesn't. And so on.

I just want to ensure that I purchase right product as this will be costly purchase.
I don't want to end up with substandard product .
I am more confused now so as which product to be purchased finally.

Try to contact a local reseller and ask them to provide a product for testing before purchasing.

Posted : 26/04/2017 9:54 pm
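An added example, not code from any product or poster in this thread, illustrating the validation thefuf recommends and what an imager's bad-sector handling and "verify" step actually establish: the device contents and the unreadable LBAs are constructed, and `read_sector` stands in for a raw read from the drive.

```python
import hashlib

SECTOR = 512  # bytes per LBA


def read_sector(device: bytes, lba: int, bad: frozenset) -> bytes:
    """Constructed stand-in for a raw read from the drive under acquisition:
    LBAs listed in `bad` fail the way an unreadable sector does."""
    if lba in bad:
        raise OSError(f"I/O error reading LBA {lba}")
    return device[lba * SECTOR:(lba + 1) * SECTOR]


def acquire(device: bytes, bad: frozenset = frozenset()) -> dict:
    """Image `device` sector by sector.  Unreadable sectors are zero-filled
    in the image (the usual imager convention) and listed in the acquisition
    log; the logged hash is the hash of what was written, not of the drive."""
    sectors = len(device) // SECTOR
    image = bytearray()
    unreadable = []
    for lba in range(sectors):
        try:
            image += read_sector(device, lba, bad)
        except OSError:
            image += b"\x00" * SECTOR
            unreadable.append(lba)
    return {
        "sectors": sectors,
        "unreadable": unreadable,
        "image": bytes(image),
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


def verify(log: dict) -> bool:
    """The post-acquisition 'verify' step: re-hash the image and compare it
    with the logged hash.  This proves the copy was not altered after
    acquisition; with a non-empty `unreadable` list it cannot prove the
    image equals the drive, which is why the log must travel with the image."""
    return hashlib.sha256(log["image"]).hexdigest() == log["image_sha256"]


if __name__ == "__main__":
    # Constructed 16-sector test drive with two unreadable sectors.
    drive = bytes(i % 251 for i in range(16 * SECTOR))
    log = acquire(drive, frozenset({3, 7}))
    print("unreadable LBAs:", log["unreadable"], "verify:", verify(log))
```

When validating a real imager the same idea applies in hardware: hash a known test drive before and after acquisition to confirm the write blocker held, and compare the imager's logged hash and bad-sector list against an independent read of the same drive.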
athena
(@athena)
Junior Member

Thanks a ton, thefuf.
I have learned a valuable lesson: vendors can't be trusted on their claims.
NIST certification is not a gold standard.
I think the Tableau TD2 plain simple imager is best, as it is tested and proven by many experts.

Topic starter Posted : 27/04/2017 10:32 am