Quicker Forensic Imaging?
I wanted to image a hard disk which is protected with a password. The imager, Forensic Dossier, says the disk is password protected, unlock to continue. I tried with Talon but it is not recognised. I also tried to clone through CAINE, but I could not complete. My PC is able to see the hard disk, but it is not being mounted. EnCase shows unallocated disk area. Is there any method to image the hard disk while maintaining the integrity of the data?
I'm looking at this product from a military perspective, however I've been in forensics for a long time so should hopefully be able to see it from a 'standard forensics' point-of-view also.
I'm seeing them on Wednesday.
I wanted to image a hard disk which is protected with a password.
Please … don't hijack already running threads. Start a new thread instead – you're much more likely to get responses that way.
Later: OK, I see that you already have.
If I remember, some late modems did that, claiming transfer rates that were impossible. Of course, they didn't measure *actual* transfer rate (on the wire), but *perceived* transfer rate, involving compression before the actual transfer was performed, and usually assuming that a compression rate of 70% or so was feasible.
They were the 2400 baud, MNP 5 modems. The idea was that the on-the-fly compression was done in the modem instead of in the computer. It was the harbinger of switching from baud to bps.
Maybe I am just getting jaded, so let me soften my stance.
It is possible that the vendor implemented methodologies and resources to reduce most of the overhead and get the maximum possible from the system.
I saw the company yesterday for a live demo. I took my laptop in, with a 256GB drive, and it was imaged (dd binary image) in just over 12 minutes. It works on a live system and will take a RAM image as well. They also provide a secure boot environment (CD or USB), which will boot any Intel machine (Windows, OSX & Linux) to image the internal physical drive.
I've bought a single license to run some tests on. I took an old laptop with me as well, and it imaged it faster than FTK Imager could manage. FTK ran at about 8MB/sec when imaging the drive over USB, their Ballistic tool ran at 38MB/sec.
Clever stuff, good to see a company doing something different for a change.
What about WinHex (X-Way?) forensic imaging? I heard it's the fastest but I never had the chance to try it.
Maybe the issue lies within the EWF format itself? Maybe it's because it only allows a slow deflate compression (rather than just skipping empty sectors therefore allowing a full-speed read)?
Also isn't it puzzling that forensic formats don't seem to have a recovery record to allow recovering partially corrupted images? A single cluster gone awry can cause all sorts of havoc.
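The trade-off raised in the post above (skipping empty sectors rather than deflating them, while still hashing the whole drive) can be seen in a small Python sketch. This is an added example, not part of the original posts and not the method of any tool named in the thread; the names `acquire`, `restore`, `make_sample_disk`, the chunk size and the record layout are assumptions for illustration, not the EWF format, and the sample disk is constructed.

```python
import hashlib
import io

CHUNK = 64 * 1024  # zero-detection granularity (assumed value, not from the thread)

def make_sample_disk():
    """Constructed sample: a mostly empty 'disk' with two populated chunks."""
    disk = bytearray(16 * CHUNK + 512)           # size is not a chunk multiple
    disk[0:3] = b"\xeb\x3c\x90"                  # a few boot-sector-like bytes
    start = 5 * CHUNK + 100
    disk[start:start + 8] = b"EVIDENCE"          # some data in chunk 5
    return bytes(disk)

def acquire(source, chunk=CHUNK):
    """Read `source` sequentially, storing only non-zero chunks.

    Returns (records, sha256_hex, stats); each record is
    (offset, length, data-or-None), where None marks a skipped zero run.
    """
    digest = hashlib.sha256()
    records, offset, stored = [], 0, 0
    while True:
        buf = source.read(chunk)
        if not buf:
            break
        digest.update(buf)                       # hash covers every byte read
        if buf.count(0) == len(buf):             # all-zero chunk: keep only its extent
            records.append((offset, len(buf), None))
        else:
            records.append((offset, len(buf), buf))
            stored += len(buf)
        offset += len(buf)
    return records, digest.hexdigest(), {"read": offset, "stored": stored}

def restore(records):
    """Rebuild the full logical image, re-expanding skipped zero runs."""
    out = bytearray()
    for offset, length, data in records:
        if offset != len(out):
            raise ValueError("gap or overlap in chunk map at offset %d" % offset)
        out += bytes(length) if data is None else data
    return bytes(out)

if __name__ == "__main__":
    disk = make_sample_disk()
    records, sha256_hex, stats = acquire(io.BytesIO(disk))
    rebuilt_ok = hashlib.sha256(restore(records)).hexdigest() == sha256_hex
    print(stats, sha256_hex, "verified" if rebuilt_ok else "MISMATCH")
```

The source is still read and hashed in full; only the amount written shrinks, so skipping zero runs helps when the destination or the compressor is the bottleneck, not the source drive.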
FTK Imager is one of the slower imaging tools around, but that is partly due to the hashing process it uses.
X-Ways has consistently been the fastest imaging tool that I've seen, but from what you are saying there this tool seems much faster again... might have to look into it.
Hello, I am, what you could class as the "inventor" of our patented technology Ballistic. Many thanks for the forum comments. The tool was designed through frustration of current technologies (software and hardware) being too slow, data becoming too big, training burden and scope for error (removing drives - thing of the past!) and time remaining limited. We (MCMS) solved this complex task. Interesting comments on here.
Challenge of the day - 1 operator, 160 GB of data
16GB USB 3.0 DRIVE
8GB USB DRIVE
4GB SD CARD
4GB CF CARD
How long to image??
Any q's please drop me a mail.
Maybe I overlooked this kind of information, but I have not understood if this Ballistic thingy is
- software only
- hardware only
and, if either 1 or 3 if it runs on the booted OS (which), if it runs from bootable media (under which "base" OS) or if it can run on both.
Possibly (of course without revealing any trade secret or the like) if you could publish a brief description of the tool and its features (on your site or posting here) it would be beneficial to everyone, including raising more interest in it.
I can help with those.
I bought it on a 256GB Kingston Hyper X stick, and the license for the software is tied to that device. You also have the option of adding your own hardware, so you can use whatever drive you want. They gave me the option to buy additional hardware with the software.
OS-wise, it runs on a live Windows PC. The boot environment they provide is a WinFE environment, which will boot any Intel machine. Bootable media provided is a USB stick and a CD, and they gave me a copy of the iso so I can make my own boot media. The iso and software updates are all on the website, which you get access to once you buy the tool.
I tested it today using a Zalman caddy running a virtual CD-ROM with their iso, and it worked fine on both Windows and Macs.
Hope that helps,
OS-wise, it runs on a live Windows PC. The boot environment they provide is a WinFE environment, which will boot any Intel machine.
So, all in all it is something "comparable" to FTK imager, only much faster, right?
Yes, a similar tool. I've just ditched FTK Imager…
Interestingly the company has some other tools, triage and rapid data extraction stuff. My ADF & IEF licenses are up for renewal shortly, and I have decided to drop them in favour of the new tools that MCMS gave me on trial.
The boot environment they provide is a WinFE environment, which will boot any Intel machine. Bootable media provided is a USB stick and a CD, and they gave me a copy of the iso so I can make my own boot media.
Did you say they are selling WinFE ISOs? 😯
Any q's please drop me a mail.
I only ask since selling WinFE ISOs without a licensing agreement would be like selling Satya Nadella's desk without his permission… oops
I don't think there was any cost attached to the WinFE iso, this was just provided in order to boot machines into a Windows OS to run their tool. I thought I'd give theirs a go.
I have my own WinFE ISOs with some additional tools, and Ballistic works fine with this. I built my WinFE with USB3.0 drivers, which was useful as the USB stick I bought is USB3.0.
As their tool is only Windows based at the moment, it makes sense to use WinFE, either provide your own or use theirs.