
Quicker Forensic Imaging?  

markl1975
(@markl1975)
Member

Hello all,

My work is based around scene-of-crime data collection, and I am often frustrated by the speed of imaging hard drives, particularly if we need to leave the laptop/pc where it is.

Has anyone on here heard of, or used, Ballistic Imager? I've been doing some research and this seems like the fastest solution at the moment, claiming around 5 minutes for 128GB drive, forensically imaged.

I've pinged the company an email so I'll wait to hear from them too. Happy to post any feedback if it's any good, or has anyone already used it?

Cheers,

Mark

Posted : 24/04/2014 2:06 am
mitch
(@mitch)
Active Member

Mark

Using any industrial imager device has limitations and is dependent upon the architecture of the drive and equipment.

For example, try getting that speed with a 200GB IDE drive.

Now I have a PCIe SSD @ 1000mb/s and that will supersede that speed if imaged.

I've had a look at the website and there's not really a lot of valuable info.

I very rarely image now onsite; I request bag and tag. Can do it then in the lab.

Mitch

Posted : 24/04/2014 2:33 am
markl1975
(@markl1975)
Member

Mitch,

Thanks for the reply. I agree, lab-based imaging is quicker, however the jobs I do are usually not bag-and-tag jobs. We often have to image quickly, and leave the target machines where they are.

FTK Imager and EnCase's Imager are OK, but not especially quick, and removing hard drives and imaging on-site with a TD3 or a Talon can be awkward.

I might see if I can get a demo from them to put it through its paces.

Mark

Posted : 24/04/2014 2:53 am
Passmark
(@passmark)
Active Member

Imaging speed mostly depends on the speed of the drive.
From a coding point of view there are a few tricks, like doing large sequential reads and giving caching hints to the operating system. Beyond that, however, there isn't any magic fairy dust that will make the drive exceed its design specifications.

Pretty much any imaging tool will do a 128GB drive in 5min, if the drive is fast enough. Most current solid state drives will get this kind of read performance.

Posted : 24/04/2014 6:08 am
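
The two tricks named in the post above (large sequential reads and a caching hint to the operating system), shown as an added example that is not part of the thread or of any tool discussed in it. The 4 MiB read size, the function names and the temporary file standing in for a source drive are assumptions, and there is no bad-sector handling.

```python
import hashlib
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024  # assumed read size: 4 MiB per request


def image_device(src_path, dst_path, chunk=CHUNK):
    """Copy src to dst front to back; return (bytes, sha256 hex, MB/s)."""
    digest = hashlib.sha256()
    total = 0
    start = time.monotonic()
    src = os.open(src_path, os.O_RDONLY)
    try:
        if hasattr(os, "posix_fadvise"):  # caching hint: sequential scan, read ahead
            os.posix_fadvise(src, 0, 0, os.POSIX_FADV_SEQUENTIAL)
        with open(dst_path, "wb") as dst:
            while True:
                block = os.read(src, chunk)  # one large sequential read
                if not block:
                    break
                digest.update(block)  # hash in the same pass, no second read
                dst.write(block)
                total += len(block)
            dst.flush()
            os.fsync(dst.fileno())  # count the time until data is on the target
    finally:
        os.close(src)
    elapsed = max(time.monotonic() - start, 1e-9)
    return total, digest.hexdigest(), total / 1e6 / elapsed


def sha256_of(path, chunk=CHUNK):
    """Re-hash a finished image to verify it against the acquisition hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "src.bin"), os.path.join(d, "img.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(8 * 1024 * 1024))  # constructed stand-in for a drive
        size, acquired, rate = image_device(src, dst)
        print(size, f"{rate:.0f} MB/s", "verified:", sha256_of(dst) == acquired)
```

The reported MB/s is bounded by whichever of the source, the interface or the target is slowest, which is the point the post makes about design specifications.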
Adam10541
(@adam10541)
Senior Member

I'd be interested to see if the 128GB drive they used for testing contained any data, how much data and what type of data….

There are so many variables that can affect the imaging speed that any claim like that is always a 'best case scenario'.

Posted : 24/04/2014 6:50 am
markl1975
(@markl1975)
Member

Hello,

I'm heading to the company next week for a demo.

They're not giving any demo software out at the moment, however I can go and see it running, and take some of my own hardware to run it against.

We'll see if it's any good.

Posted : 25/04/2014 1:28 pm
Chris_Ed
(@chris_ed)
Active Member

Assuming they don't get you to sign an NDA or something, it would be interesting to hear your thoughts!

Posted : 25/04/2014 2:16 pm
jaclaz
(@jaclaz)
Community Legend

Surely for being a commercial company they are a bit secretive, I mean having to register just to read (what I presume being 😯 ) vague and generic info on their *whatever*, come on ) .
http://mcmsolutions.co.uk/our-products/ballistic/

Ballistic Imager – Rapid Forensic Imaging

Text goes here

wink
and
http://mcmsolutions.co.uk/our-products/

Ballistic Imager

UK Patent GB1317136.8

Ballistic Imager will forensically image hard disc drives in minutes, without the need for removing the drive and with minimal training overheads. Ballistic Imager is addressing the issue of performing rapid extractions on higher storage capacity hard drives. In an age where the storage capacity of personal computers is ever-increasing, and time management is critical, Ballistic Imager is the tool of choice. For example, Ballistic Imager can image a 256GB Hard Drive in 12 minutes, and a 1TB drive in 35 minutes. Ballistic Imager can also be used to take an image of RAM from a running machine, imaging 8GB of RAM in just 18 seconds.
For more information on Ballistic Imager, click here.

jaclaz

Posted : 25/04/2014 5:26 pm
mitch
(@mitch)
Active Member

Jaclaz

My thoughts exactly,

Last person I spoke to regarding something similar, it turned out they were taking a snapshot of a system, not a forensic image…..

Thus they didn't have a clue regarding forensic procedures etc…..

Posted : 25/04/2014 6:26 pm
jhup
(@jhup)
Community Legend

Someone promising to deliver data faster than theoretical device limits of not one device but many, from various vendors of various designs?

Why would that be suspicious?

On another note, I invented this device which will produce 101 energy from sea water using simple cow flatulence. The byproduct will fix global warming, and reduce your body fat to 10%. I just need some seed money for the stickers that go on the device. How does . . . $3mm sound? Now I know this is a big deal of me letting you in, as I have rejected many others, but for you I will let you in since you have been so nice. Again, please do not share this with others as they will bother me to get in. I had to brush off these sheiks last week, and they are very persistent! So, just transfer the funds here . . .

Posted : 25/04/2014 6:35 pm
ThePM
(@thepm)
Active Member

LOL

Posted : 25/04/2014 6:57 pm
jaclaz
(@jaclaz)
Community Legend

Just to clear the extents of my previous post, I have no reason to doubt that this Ballistic Imager (as well as IXimager, to name one BTW) is among the first few best things in the world (anyway after ice cream, beer and sliced bread wink ), what I am saying is simply that their web site and marketing/communicating strategy seemingly suck, and suck big.

Also, being so secretive, I find it queer how they declare how they do training courses
http://mcmsolutions.co.uk/training/
for covert operations stating where they take place

We also offer specialised training courses for covert operations, based at our Horsham Offices.

roll
The whole stuff seems however more aimed to defense/intelligence than "forensics".

@jhup
Did you manage to fix your optical undulators?

jaclaz

Posted : 25/04/2014 8:23 pm
Chris_Ed
(@chris_ed)
Active Member

I suppose the notable words here are that the software "can" image up to xxxx speeds.

Looking at their example, they say they can image a 256GB HDD in 12 mins. Conservatively that works out at approx 356MB/sec ((256000/12)/60). So if you are imaging a PC where the motherboard not only supports SATA 3 for the source disk but also has a spare eSATA/USB 3 port - well maybe then you might see those sort of speeds.

Interestingly, the other bit of detail they give on the performance (1TB in 35 mins) would require writing data at 476MB/sec ((1000000/35)/60) - a 33% increase. You could image a 256GB HDD in 8 mins at that speed.

Posted : 25/04/2014 8:30 pm
athulin
(@athulin)
Community Legend

Someone promising to deliver data faster than theoretical device limits of not one device but many, from various vendors of various designs?

If I remember, some late modems did that, claiming transfer rates that were impossible. Of course, they didn't measure *actual* transfer rate (on the wire), but *perceived* transfer rate, involving compression before the actual transfer was performed, and usually assuming that a compression rate of 70% or so was feasible.

I'm not claiming that this is a similar case – only that one needs to be careful about interpreting sales talk.

Posted : 26/04/2014 2:58 pm
jaclaz
(@jaclaz)
Community Legend

I'm not claiming that this is a similar case – only that one needs to be careful about interpreting sales talk.

In this specific case we need however to interpret sales non-talk . 😯

jaclaz

Posted : 26/04/2014 4:17 pm