Quicker Forensic Imaging?  

Page 3 / 5
bshavers
(@bshavers)
Active Member

On the topic of quicker forensic imaging and WinFE, I've made a blog post at the WinFE blog (http://winfe.wordpress.com/2014/05/03/suggestions-for-a-winfe-imaging-tool-based-on-clonedisk/) where CloneDisk is being updated for WinFE use. I'll post on the speeds of imaging when the project is done. Since the work is being done in public (as in, it's on an Internet public forum), if you are interested in giving 2 cents of advice on what you'd like in a forensic imaging tool, this is your chance.

Posted : 03/05/2014 4:12 am
Passmark
(@passmark)
Active Member

Microsoft is no longer allowing WinPE (and thus WinFE) to be licensed and distributed.

I queried Microsoft about this in mid-2013; this was their response.

"…there has been no change to the decision or the time frame for ending WinPE. This has been discussed at length and the impact to ISVs and end users was taken into account and we still think that ending distribution of WinPE is the right direction for Microsoft to take. I am sorry but Microsoft does not offer any other options."

So unless you have something else in writing from Microsoft, I would suggest that both selling and giving away WinPE (and WinFE) for free are now in breach of their license.

Posted : 05/05/2014 6:16 am
jaclaz
(@jaclaz)
Community Legend

Microsoft is no longer allowing WinPE (and thus WinFE) to be licensed and distributed.

So unless you have something else in writing from Microsoft, I would suggest that both selling and giving away WinPE (and WinFE) for free are now in breach of their license.

The wording here
http://msdn.microsoft.com/en-us/subscriptions/ff723773.aspx

Windows Preinstallation Environment: Windows PE is available via several channels. MSDN subscriptions include the Windows AIK, and Windows PE is one of the tools in that kit. Any product that uses Windows PE from the WAIK must include the WAIK when redistributed. Microsoft no longer offers a WinPE and WAIK redistribution license for Independent Software Vendors or Independent Hardware Vendors. Licensing of WinPE is only available for Original Equipment Manufacturers who license Windows Products. Please send email to [email protected] for general WinPE inquiries.

is very similar to your snippet.

The date it was ended completely should be around January/March 2012:
http://www.giveawayoftheday.com/forums/topic/11476
http://support.macrium.com/topic.asp?TOPIC_ID=4239
http://www.wilderssecurity.com/threads/no-more-winpe.320669/

And in any case (AFAIK) it was not-so-easy for an ISV to obtain a re-distribution agreement with MS, as the idea was that it was aimed ONLY at "recovery purposes":
http://technet.microsoft.com/en-us/library/cc766093(v=ws.10).aspx

jaclaz

Posted : 05/05/2014 3:29 pm
Chris_Ed
(@chris_ed)
Active Member

I had a quick look through the patent (which you can read here) and it turns out that the "trick" is to allow you to image to multiple external devices (a "plurality" of devices as the documents so nicely put it). So if you plug in 3 USB devices then it can use all three and then put it back together afterwards. This is why it is so fast.

Very interesting! I can see how it could be powerful. It does make me wonder about the cost though :)

Posted : 06/05/2014 2:30 pm
jaclaz
(@jaclaz)
Community Legend

So if you plug in 3 USB devices then it can use all three and then put it back together afterwards. This is why it is so fast.

Very interesting! I can see how it could be powerful.

Well, but you would need 3 USB devices (and 3 USB ports) and possibly three USB writeblockers.

The original point - I believe - was whether this thingie was much faster than other common imaging tools in a more conventional 1:1 situation. ?

As an example (not necessarily related), a number of USB stick and hard disk providers (we are talking here of USB 2.0 times) like Mushkin, LaCie or Buffalo provided a "special" TurboUSB software that used a different transmission "mode" (or "protocol" or *whatever*) and made data transfer, particularly for large amounts of data, much faster.
The same (or a similar approach) was even integrated in Windows 7 and/or by different motherboard manufacturers:
http://reboot.pro/topic/11695-turboflash/

jaclaz

Posted : 06/05/2014 4:09 pm
markl1975
(@markl1975)
Member

Hello,

It's not just USB you can use, but any data port. I found in my tests that splitting the image over different ports makes the process quicker. I used a USB3 port, an eSATA attached SSD and an express adapter card with USB3 ports on my laptop. Haven't tried firewire yet.

Sticking the image back together is fairly quick too, and is still quicker than actually removing the drive overall.

Mark

Posted : 06/05/2014 6:48 pm
bshavers
(@bshavers)
Active Member

Very creative. So it sounds similar to imaging out to a RAID 0, but with multiple types of storage devices.

Posted : 06/05/2014 7:21 pm
paul_mcms
(@paul_mcms)
New Member

Ballistic is designed to cut time in all situations, especially field work. The cost of the software (and hardware) is to reflect the investment MCMS have put into the project (it is a 3 year licence and there is a development roadmap for new features). The capability will stand time, data size will continue to rise and where will it stop?

I imaged 3 laptops in under 1 hour yesterday (over 1.5 TB), using 1 BALLISTIC Kit.

The system can utilise USB, eSATA, SD card, FireWire and an express adapter. On the roadmap is Thunderbolt.

We are running a workshop (it won't take long - excuse the pun) at our office in West Sussex this month and June tbc; you can see the software running, get a full training course and walk away with a demo. The demo version images and rebuilds 20 GB of data. Come along. As with all our projects we welcome customer feedback / innovations.

Interesting comments on here, thank you.

Estimations on 2015 hard disk sizes????

2000 - 2010

Hard disk capacity grew 5x

SLC SSD capacity grew 71x … SCARY

Posted : 06/05/2014 11:49 pm
jaclaz
(@jaclaz)
Community Legend

Ballistic is designed to cut time in all situations, especially field work.

Sure :) .

Interesting comments on here, thank you.

Some were actually NOT "comments", but requests for further details:
http://www.forensicfocus.com/Forums/viewtopic/p=6573187/#6573187

With all due respect, this

I imaged 3 laptops in under 1 hour yesterday (over 1.5 TB), using 1 BALLISTIC Kit.

is another (nice) piece of anecdotal evidence, but it is not yet clear (at least to me) WHAT this "Kit" is.

Member markl1975 posted about it being "software only"; you now talk again of "hardware":

The cost of the software (and hardware) is to reflect the investment MCMS have put into the project (it is a 3 year licence and there is a development roadmap for new features).

And you should still IMHO reply to the point raised about re-distribution of a Windows PE, which I believe is not-so-trifling. 😯

jaclaz

Posted : 07/05/2014 12:46 am
lordrodd
(@lordrodd)
New Member

I received this from Microsoft this morning while trying to see if our company can use a WinPE/WinFE boot solution.

"I know some of our tools such as DaRT runs on WinPE. DaRT is a standalone toolset available to customer as part of MDOP. It’s a more full recovery environment. If you want to run Win PE for other general purposes, I don’t think we license in that manner anymore."

Posted : 07/05/2014 12:56 am
jaclaz
(@jaclaz)
Community Legend

I received this from Microsoft this morning while trying to see if our company can use a WinPE/WinFE boot solution.

"I know some of our tools such as DaRT runs on WinPE. DaRT is a standalone toolset available to customer as part of MDOP. It’s a more full recovery environment. If you want to run Win PE for other general purposes, I don’t think we license in that manner anymore."

Well, it doesn't sound like a reply from an "expert" in this.

The point raised earlier is not about "use" or "run", it is about re-distribution of the binaries.

The allowed use of the PE (if built from the ADK) may however be different from that of self-created PE (built from install files for which a corresponding "full" OS license exists).

jaclaz

Posted : 07/05/2014 1:24 am
paul_mcms
(@paul_mcms)
New Member

To clear up the questions:

We don't give WinFE away, we advise anyone using the software to make their own distribution. For users who have assisted us with trials, we have provided the WinFE environment for their use until they build their own. We are currently working on a version that will work under a Linux boot environment, however until this is ready, customers are advised to build a WinFE disc using their own Windows licenses.

As I understand it, the previous user asked for a copy of our iso to compare to the one which they use. Ballistic will work under your own WinFE build, just ensure you have USB 3.0 drivers, and drivers for any express adapter you wish to use included in the image.

Ballistic is software supplied on:

Some form of collection hardware (drives): we supply the software on one drive along with the associated cables and connectors you need (as you need to add other drives yourself); you can buy a full set of collectors (4 drives), giving 5 in total.

You can, (although no-one has yet), buy a licencing platform which is all software and no hardware from MCMS. This allows you to licence ANY drive with the software for a time period of your choosing.

The fastest the software has run is 503 MB/sec or 30 GB/min. All dependent on several factors - ports, machine age / power, hard disk.

Jaclaz, happy to send you a brochure, drop me an inbox.

Posted : 07/05/2014 2:12 am
steve_linn
(@steve_linn)
New Member

I would investigate the entire imaging process with this new device. The data transfer rate is only one part of the equation in total acquisition time.

How are you hashing your drives when complete?

If you are running MD5 and SHA-1 and SHA-256 — you could cut your time considerably by just hashing SHA-1.

Use a good destination drive as well - I like WD VelociRaptors

Posted : 07/05/2014 10:20 am
jaclaz
(@jaclaz)
Community Legend

To clear up the questions:

Thanks :) , so we are back to the previous (rough) definition of

So, all in all it is something "comparable" to FTK imager, only much faster, right?

The fastest the software has run is 503 MB/sec or 30 GB/min. All dependent on several factors - ports, machine age / power, hard disk.

Very good :) , but - with all due respect - obvious 😯 (that it depends on ports/machine/age/power/hard disks, and I would also add "quality of cables" as I have seen here and there reports of generic issues both with SATA and USB cables *somehow* defective).
Cannot say how much it is doable (legally), and/or if you can actually do it, but I would (personally) appreciate a "comparative" test with a same "declared" hardware of the tool against one (or more) "common" tools.
Even if done (instead of against any of the Commercial tools - to avoid any possible legal issues) against a simple freeware tool (admittedly on the "slow" side of "imaging tools") such as the DSFOK toolkit or one among the various dd ports to windows, it would IMHO give a feeling of the speed increase obtainable on one's own hardware.

Example (completely faked data):
Machine "x", make/model "y", OS Windows "n" (or WinPE "n"), RAM, etc., imaging a 500 GB disk (make/model) to a hard disk 1 TB (make/model) connected through BUS "z"
dsfo time: 512.33
ballistic time: 035.14

This would give (still IMHO) a more practical feeling of the increased speed of the thingy.

Jaclaz, happy to send you a brochure, drop me an inbox.

That would be very kind of you, though I would suggest that you instead publish it (or a reduced version of it with the main points, should there be in it something under NDA or similar).

jaclaz

Posted : 07/05/2014 6:11 pm
bshavers
(@bshavers)
Active Member

The posted imaging speeds are really good. So good that it begs to be seen in a test for comparison (that is a good thing). I bet Eric Zimmerman would gladly accept a demo of the tool to add to his extensive imaging tests.

https://docs.google.com/spreadsheet/lv?key=0Al7os14ND-cFdGp1NDR2WGwyakR2TkJtNUFXa29pNXc

My concern for the imaging process as I understand it, is that the image is spread out across several storage devices. If there is parity, no problem. If no parity, then the chance of a hardware failure increases with each additional device (or forgetting to bring back an external USB you plugged in the back of the machine…).

If 1TB were imaged across 3 or 5 devices, the segmented(?)/striped(?) parts of the image need to be reconstructed on one storage device later at the shop. Doing this onsite would add to the time and defeat the purpose of the imaging speed increase. And discovering at the shop that you left part of the system plugged in the suspect/custodian computer would require going back in.

Posted : 07/05/2014 8:04 pm
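Two points raised in this thread meet in the following sketch: steve_linn's note that hashing is part of total acquisition time, and bshavers' concern that a striped image is only as good as its rebuild (and that a collector left plugged into the suspect machine is found out late). It is an added example, not Ballistic's or any forum member's code; the round-robin striping layout, the manifest fields and the chunk size are assumptions, and the data is constructed.

```python
import hashlib

def stripe_image(image: bytes, chunk: int, devices: int):
    """Round-robin the image across `devices` collectors (RAID-0 style, as the
    thread describes); the manifest is what the rebuild step checks against."""
    stripes = [bytearray() for _ in range(devices)]
    for k, start in enumerate(range(0, len(image), chunk)):
        stripes[k % devices] += image[start:start + chunk]
    manifest = {"chunk": chunk, "total": len(image),
                "image_sha256": hashlib.sha256(image).hexdigest(),
                "stripe_sha256": [hashlib.sha256(s).hexdigest() for s in stripes]}
    return [bytes(s) for s in stripes], manifest

def rebuild(stripes, manifest, algos=("sha256",)):
    """Reassemble at the shop: fail closed on a missing or damaged stripe, and
    compute every requested digest in the one pass that writes the image, so
    extra algorithms cost CPU but never a second read of the data."""
    missing = [i for i, s in enumerate(stripes) if s is None]
    if missing:
        raise ValueError(f"stripe(s) {missing} missing: collector left on site?")
    for i, (s, want) in enumerate(zip(stripes, manifest["stripe_sha256"])):
        if hashlib.sha256(s).hexdigest() != want:
            raise ValueError(f"stripe {i} does not match its acquisition hash")
    hashers = {a: hashlib.new(a) for a in set(algos) | {"sha256"}}
    chunk, total, n = manifest["chunk"], manifest["total"], len(stripes)
    out, pos = bytearray(), [0] * n
    for k in range(-(-total // chunk)):  # ceil(total / chunk) pieces, in order
        dev = k % n
        piece = stripes[dev][pos[dev]:pos[dev] + chunk]
        pos[dev] += chunk
        out += piece
        for h in hashers.values():
            h.update(piece)
    digests = {a: h.hexdigest() for a, h in hashers.items()}
    if len(out) != total or digests["sha256"] != manifest["image_sha256"]:
        raise ValueError("rebuilt image does not match the acquisition hash")
    return bytes(out), digests

def demo():
    """Constructed data: a 10000-byte 'disk' striped onto 3 collectors, rebuilt
    with three digests, then rebuilt with one collector 'forgotten'."""
    image = (bytes(range(256)) * 40)[:10000]
    stripes, manifest = stripe_image(image, 1024, 3)
    rebuilt, digests = rebuild(stripes, manifest, ("md5", "sha1", "sha256"))
    try:
        rebuild([stripes[0], None, stripes[2]], manifest)
        caught = False
    except ValueError:
        caught = True
    return rebuilt == image, digests, caught
```

A manifest written at the scene, listing every collector and its hash, is what turns "did I bring everything back?" into a check the rebuild refuses to skip.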