Computer specs
This computer is a very basic machine and was built specifically for an imaging computer.
Windows 7 home premium SP1 64 bit OS, Gigabyte B75M-HD3 Motherboard, Intel i3 processor 3.3GHz, and 8 GBs RAM
The target hard drive installed in this computer is a 1 TB Western Digital SATA 7200 RPM HDD, with 64MBs cache and is the sole drive. It contains minimum software including the OS.
It is equipped with 2 hot-swap SATA bays and a fire-wire card.
The fire-wire card was installed to accommodate some of my write blockers that export via fire-wire.
Donor hard drive
Hitachi 400GB SATA 7200 RPM, no write blocking used in this test. The drive contains 1,128,608 files and has 313GBs of data on a 400 GB drive. It was installed via the hot-swap bays.
FTK imager 3.1.3.2
During the test I monitored the CPU usage as well as RAM and read/writes usage using the Windows 7 Resource Monitor (resmon.exe). No more than 25% of RAM was used and CPU usage was steady around 20%. The hard IO read/writes were nearly maxed out during the tests.
I used the same hard drive/computer set up for all three tests. One test at no compression, one at level 6 compression, and the last test at max (9) compression.
No Compression
No compression took 2 hours 11 minutes and 6 seconds to acquire.
It created 255 files @ 1,535,925 KBs and one 730,214KBs in size with a 372GB folder size
Level 6
Level 6 compression took 2 hours 17 minutes and 10 seconds to acquire.
It created 108 files varying is size from 1,535,952 KBs to 1,535,809 KBs in size and the last one was 497,120 KBs. The folder size is 157GBs.
Level 9
High compression took 3 hours 49 minutes and 24 seconds to acquire.
It created 108 files that varied in size from 1,535,957 KBs to 1,535,804 KBs in size with the last one at 174,019 KBs. The folder size is 156GBs.
As you can see using compression level 6 decreases the folder size over half and only added about 6 minutes to the acquisition time.
Level 9, the highest compression level on FTK Imager only saved 1GB of space and increased the acquisition time by over an hour and a half.
Larry
Larry,
Am I reading correctly that your target drive is also the OS drive? If so, you may be getting erroneous results because there's no telling what Windows will do to the drive during imaging. That could have a big impact on performance.
evening lasvegascop,
real world metrics are always useful -) imaging is one of those sequential processes that will quite literally work as fast as the slowest component. read speed of the seized/source media, bandwidth of blocker/interface, write speed of destination media. for what it's worth, i'd recommend USB3 interfaces over thunderbolt - despite the marketing hype, we've never seen imaging speeds substantially above USB3 capabilities that would justify the cost.
regards, ross
Larry,
Am I reading correctly that your target drive is also the OS drive? If so, you may be getting erroneous results because there's no telling what Windows will do to the drive during imaging. That could have a big impact on performance.
True.. I have a few USB 3 drives that I can acquire to.
If I get some time I will do as you and AFENTIS_Forensics said and perform this test using a USB3 drive.
I would imagine that there will be minimum difference in speed due to the IO read/write performance on the drives, but it's worth a shot..
I was using my forensic computer which has a SSD OS drive and 10k SATA drives as data and FTK postgres database drives but I decided to build separate acquisition drives to prevent obvious issues.
I could also place a destination drive in my hot-swap bay and go that route, since that is its purpose anyway.
It is best to go to a non system drive, Windows is always doing some work which affects the drive.
With compression, the type of data is very critical. Texts compress, JPEGS, MP3 etc don't compress much. For an empty disk, compression might make the system much faster.
It is best to go to a non system drive, Windows is always doing some work which affects the drive.
With compression, the type of data is very critical. Texts compress, JPEGS, MP3 etc don't compress much. For an empty disk, compression might make the system much faster.
Yes, this is a combination of a bunch of files but I dont have the numbers on what kinds of files,,
Doing this test is just an example of what FTK Imager and compression can do and what you can expect on a normal drive and I think that we all would agree that no two donor or suspect drives would produce the same results.
I am trying the test again using a non OS SATA drive in my hot-swap bay
What model Western Digital drive are you using? Although on paper, many WD drives are similar, I find the WD Black drives offer the best price/performance ratio for imaging. Green are unacceptably slow, Blue are marginal, Black are good. The Red and Black enterprise drives are not ideally suited for imaging. I would love to use Velociraptors for everything, but at double the price of a Black drive, I can't justify it.
My 1TB drives are WD1002FAEX.
What model Western Digital drive are you using? Although on paper, many WD drives are similar, I find the WD Black drives offer the best price/performance ratio for imaging. Green are unacceptably slow, Blue are marginal, Black are good. The Red and Black enterprise drives are not ideally suited for imaging. I would love to use Velociraptors for everything, but at double the price of a Black drive, I can't justify it.
My 1TB drives are WD1002FAEX.
Good point… I will have to check that.
I knew that there were different label colors but I didn't know that the label color would make a noticeable difference in speed.
the one that I am using now in this test is a 2TB Green Drive and my OS drive is a Blue. THe donor (Suspect) drive that I am using in all the tests is a Hitachi.
I just checked all of my extra drives the all of the WD are green drives.
I will keep your advice in mind the next machine I build so my machine won't be the bottle neck.
ok, I just imaged the drive again to the WD green 2 TB drive, no compression, inserted into a SATA hot-swap bay and it took 2 hrs 11 minutes.. the same as before. Now I will insert it into a usb3 external enclosure.
I do expect the times to be the same again as the donor drive is probably maxing out on reads.
Hello,
I didn't see anything about verify. Did you, or do you verify the images.
Thanks.
ok, I just imaged the drive again to the WD green 2 TB drive, no compression, inserted into a SATA hot-swap bay and it took 2 hrs 11 minutes.. the same as before. Now I will insert it into a usb3 external enclosure.
I do expect the times to be the same again as the donor drive is probably maxing out on reads.