acquisition speed test with FTK Imager

(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

For the purposes of this test I cancelled the verification on most of the images if I caught it.

The times only reflect the acquisition times.


   
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

Welllllll… I am about to cancel the USB3 acquisition as it is already at 3 hours with no compression


   
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

ok.. changed USB3 drives to an iOmega external 2TB drive that contains a Seagate Barracuda 7200 RPM drive.
The acquisition took 2 hours and 21 minutes.

Conclusion
For my setup using FTK Imager set at level 6 compression with the destination drive in a SATA hot-swap bay would be the most efficient method of acquisition.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Conclusion
For my setup using FTK Imager set at level 6 compression with the destination drive in a SATA hot-swap bay would be the most efficient method of acquisition.

If I may ? , possibly a very valid conclusion ) , but completely unlike backed up by experimental data.

I mean, what happens with compression levels 1 to 5 (and 7 and 8)?

There is a published paper, courtesy of Wayback Machine:
http://web.archive.org/web/20130209185617/http://www.citrenz.ac.nz/jacit/JACIT1501/2011Cusack_Compression.html

The live link is Error 500 right now:
http://www.citrenz.ac.nz/jacit/jacit1501/2011Cusack_Compression.html

that while being not "fully exhaustive", introduces the concept that the "best" is also function of the compressibility of data in the source, and takes into account verification time.

With all due respect ) your conclusion is that on average an average compression setting is preferable (but according to the mentioned paper levels 4 and 5 are - slightly - "more average" 😯 than the level 6 you chose).

The "direct" SATA connection cannot be but faster than a setup where there is an intermediate step (the USB3 to SATA bridge) and the difference in speed may greatly vary depending on the specific USB3 to SATA bridge controller.

jaclaz
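
The point made in this post, that the "best" level depends on how compressible the source data is, can be checked on any workstation with a short script. This is an added example, not part of the thread and not FTK Imager's code: it uses Python's zlib as a stand-in compressor, and the sample data, the chunk size and the read/write MB/s figures are constructed assumptions to be replaced with your own measurements.

```python
import os
import time
import zlib

CHUNK = 32 * 1024  # assumed chunk size; each chunk is compressed on its own


def make_sample(kind, size=1 << 20):
    """Build constructed test data with very different compressibility."""
    if kind == "zeros":   # wiped or unallocated space
        return bytes(size)
    if kind == "text":    # log-like, highly repetitive content
        line = b"2014-03-01 12:00:00 user=alice action=login src=10.0.0.5\n"
        return (line * (size // len(line) + 1))[:size]
    if kind == "random":  # already compressed or encrypted content
        return os.urandom(size)
    raise ValueError(f"unknown sample kind: {kind}")


def compress_chunks(data, level):
    """Return (compressed_bytes, cpu_seconds) for chunk-wise compression."""
    out = 0
    start = time.perf_counter()
    for off in range(0, len(data), CHUNK):
        out += len(zlib.compress(data[off:off + CHUNK], level))
    return out, time.perf_counter() - start


def estimate_seconds(src_bytes, out_bytes, cpu_s, read_mbps, write_mbps):
    """Simple pipeline model: the slowest of read, compress, write dominates."""
    mb = 1_000_000
    return max(src_bytes / (read_mbps * mb), cpu_s, out_bytes / (write_mbps * mb))


def survey(levels=(0, 1, 4, 5, 6, 9), read_mbps=120, write_mbps=90):
    """One row per (data kind, level): size ratio and estimated stage time."""
    rows = []
    for kind in ("zeros", "text", "random"):
        data = make_sample(kind)
        for level in levels:
            out, cpu = compress_chunks(data, level)
            est = estimate_seconds(len(data), out, cpu, read_mbps, write_mbps)
            rows.append((kind, level, out / len(data), est))
    return rows


if __name__ == "__main__":
    for kind, level, ratio, est in survey():
        print(f"{kind:6} level={level} ratio={ratio:.3f} est={est * 1000:.1f} ms")
```

On incompressible data every level produces output slightly larger than the input, so only the CPU cost changes; on repetitive data the write stage shrinks and the bottleneck moves to the source read or the CPU.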


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

Good point… I will have to check that.
I knew that there were different label colors but I didn't know that the label color would make a noticeable difference in speed.
The one that I am using now in this test is a 2TB Green Drive and my OS drive is a Blue. The donor (Suspect) drive that I am using in all the tests is a Hitachi.

Just FYI…

WD Green and Red drives are not 7200 RPM drives, they are "Intellipower" RPM drives. Seriously, if you look at the specs under spindle speed, you'll see "Intellipower," as if that were a measurement of spindle speed. WD isn't saying, but what Intellipower is presumed to mean is the spindle speed is variable between 4500 RPM and 7200 RPM. This is to save power by not spinning the disk as fast during periods of low activity.

I use a Green drive in my home computer for media storage. It's perfect for that. For forensic purposes, I'd never use a Green drive. It may be okay for imaging because the source drive may be slower than even a Green drive. However, if you intend to use the Green drive to do your analysis from, you'll experience noticeable performance penalties compared to a Black drive. Access times are slower, and as far as I know, there is no way to force a higher speed, so it's up to the drive's firmware to manage your performance.

Since I mentioned Red, I don't use Reds in a RAID. Although that's what they're designed for, the WD Black Enterprise drives are much better suited, and have a much better unrecoverable error rate, which means you have a much better chance of a successful rebuild after a drive failure. But this is a subject for another conversation.


   
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

If I may ? , possibly a very valid conclusion ) , but completely unlike backed up by experimental data.

I mean, what happens with compression levels 1 to 5 (and 7 and 8)?

that while being not "fully exhaustive", introduces the concept that the "best" is also function of the compressibility of data in the source, and takes into account verification time.

With all due respect ) your conclusion is that on average an average compression setting is preferable (but according to the mentioned paper levels 4 and 5 are - slightly - "more average" 😯 than the level 6 you chose).

The "direct" SATA connection cannot be but faster than a setup where there is an intermediate step (the USB3 to SATA bridge) and the difference in speed may greatly vary depending on the specific USB3 to SATA bridge controller.

jaclaz

Thanks… Excellent article.
But, the test wasn't meant to be a scientific study. Just a reality test. (new forensic term).
I had performed this test years ago using every level of compression and 6 seemed to work the best, which is why I chose level 6 to compare it to 0 and 9 on this test. Level 6 is what I normally use to do my acquisitions and maybe this test was to prove to myself that it still works best for me and I decided to share it on the forum.
I am glad I did because you guys are providing some excellent feedback.

When you do an acquisition on a suspect drive you usually do not know the ratio of files on the drive prior to your acquisition so even a real scientific test would not be completely accurate for everyone unless you could possibly try every combination of file structures.
In my test the files were copied to the donor from my forensic OS drive so there would most likely be no music files and very few picture files. But a real suspect drive may be just the opposite.

The reason I did not do verification times is because they are a lot quicker than acquisition times and you can verify the files during other steps in the investigation process. But I could if you think they are important. As you can see on the paper all the verification times are within a few seconds of each other anyway.

I tried USB 3 because another reader suggested that it may be as quick or quicker, so I tried it. The first acquisition was very slow and I cancelled it, the second using a different external USB device was quicker, but not as fast as no comp SATA.

So, not a scientific study, just a test. But I think it may be a test that everyone should try on their set up.
But, after reading that paper I may try level 4-7 to see how much of a difference there is on my setup.

@Bulldawg..
thanks for that HDD info
I just checked my forensic computer and all the mechanical drives are WD Blacks. I used a blue in the acquisition computer.
Do the other drive manufacturers have a labeling system like that? I have some newer Hitachis and other than the Deskstar name I see no difference indicating quality or speed.

Thanks guys..


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

When you do an acquisition on a suspect drive you usually do not know the ratio of files on the drive prior to your acquisition so even a real scientific test would not be completely accurate for everyone unless you could possibly try every combination of file structures.
In my test the files were copied to the donor from my forensic OS drive so there would most likely be no music files and very few picture files. But a real suspect drive may be just the opposite.

Yes, and even if you manage to decide to choose only "two" different compression levels, for the sake of the example let's say #5 and #6 and keep a "database" of the time taken imaging a number of "real life" cases (twice, one with #5 and #6) until you have a big enough number of cases, let's say 100 you can start deriving data, but there could be a "relevant" sampling error because (say) you do mainly CP cases, and only in Las Vegas, so the results could be applicable only to "hard disks seized in suspected CP cases in - say - the County of Clark" (assuming that criminals involved in CP cases in other states/countries may have a different hard disk usage pattern) and surely will not be applicable to the "corporate cases".
The type and amount of data is too variable to be able to get any "meaningful and scientifically accurate" data, and by the time you (or anyone else) manages to get enough data, the usage pattern may change even sensibly.

I tried USB 3 because another reader suggested that it may be as quick or quicker, so I tried it. The first acquisition was very slow and I cancelled it, the second using a different external USB device was quicker, but not as fast as no comp SATA.

Well, the rule of the thumb is the shorter is the path, the quicker you will get there, the USB to SATA bridge, even if minimal, will always add some time, as it represents anyway a "further step" or "longer path".

So, not a scientific study, just a test. But I think it may be a test that everyone should try on their set up.
But, after reading that paper I may try level 4-7 to see how much of a difference there is on my setup.

Yes, that is the essence of my suggestion, according to the mentioned test, I would personally "skip" the 7 and do a test with 4 and 5 (on the same disk/data you have already tested with the 6).

I just checked my forensic computer and all the mechanical drives are WD Blacks. I used a blue in the acquisition computer.
Do the other drive manufacturers have a labeling system like that? I have some newer Hitachis and other than the Deskstar name I see no difference indicating quality or speed.

Here again there are "rules of thumb", the bigger the cache the more probable is that the disk is fastish, the faster it rotates would do as well, besides the (limited) impact they may have on "sequential, continuous" writing, they are signs of "high performance" drives.
Even without testing a set of drives personally, public benchmarks, easy to find online are - in this particular case - a valid resource as essentially when imaging you are actually saturating write speed (those benchmarks are often of little relevance when choosing a disk drive for "generic use" as what is in the benchmarks is rarely similar to "real life use").

jaclaz


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Try imaging to a hardware RAID. Any 3+ drive RAID5 is going to be faster than the component rotational drive. On my system I image uncompressed to DD/raw and the limiting factor is always the speed of the source drive.


   
(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
Topic starter  

I don't have a RAID here, but you are correct about the source drive. That will most likely be the weakest link in most systems… or exams


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Hi LasVegasCop,

I'm curious if you testify about your findings, and if so, have you been up against another examiner on the other side? Did you win, did you find it beneficial?

Or do you do the knock/announce and on site seizure, and then work the drives from that state?


   