Acquisition techniques. How can we do more efficiently?

(@forensicitderby)
Posts: 18
Active Member
Topic starter
 

Hi,

I work in a law enforcement DFU in the UK.

We have limited resources.

I have access to 2 acquisition PCs with USB3 write blockers and network storage.

Daily I might get 3/4 acquisitions done due to size of hard drives.

Takes a good 45mins to do the notes, photographs and strip the machines down for media and storage per exhibit.

Any strategies out there that people use to do things the most efficient way?

 
Posted : 24/12/2018 7:17 am
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

Are you acquiring directly to your network? What sort of network interface do you have in the PC? You could maybe see if you can upgrade those to get quicker speeds?
Either that, or buy some large drives to acquire to locally, then schedule a task for a robocopy of the data from the local drive to your network storage location overnight when the office is empty.

To be honest, acquiring 3 to 4 devices a day isn't too bad. You have to remember that the acquisition process is vitally important to the overarching forensic process and that everything you do can be scrutinised further down the line, so I would say taking time to write all your notes up is good practice. Although it feels like a sausage factory at times, it is sometimes good to remember that 99% of the time there is someone's life, or liberty at stake so it deserves to be treated with the due care and diligence that you have described. )

 
Posted : 24/12/2018 10:40 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There were some discussions some time ago about a forensic tool
http://www.forensicfocus.com/Forums/viewtopic/t=11704/

intended to be used in a non-lab scenario, still the "generic" idea was that Read speed is higher than Write speed, so "dividing" the read stream to several write streams i.e. devices (buses) made things much faster.

Besides the usual "fluff" by the vendor, here is some insight by PaulSanderson
https://www.forensicfocus.com/Forums/viewtopic/t=11704/postdays=0/postorder=asc/start=49/

have a look at the thread starting from the above post.

Loosely, you need some seriously fast (and local) "target" devices, as was suggested by hectic_forensics a local pool of disk drives or - nowadays - possibly of SSDs and a provision for copying to "final" location when system is idle/not used.

jaclaz

 
Posted : 24/12/2018 12:51 pm
(@armresl)
Posts: 1011
Noble Member
 

I'll add something to this.
After you get your image and want to save it to another drive for storage and disaster recovery, be sure to get something like untracopier to transfer over data. Windows loves to interfere in moving things and doesn't always do the best job.

 
Posted : 25/12/2018 5:47 am
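An added example, written for this thread and not taken from any of the posts above or from any product named in them, of the two ideas just raised: jaclaz's point that a single read stream can be fanned out to several write streams so slower targets do not cap the read speed, and armresl's point that a copy of an image should not be trusted until it has been checked. The script reads the source once, hashes that one read stream, feeds identical chunks to a writer thread per target, fsyncs each target, and then re-reads every target to compare against the source hash. Assumptions of mine: the source is a regular file here (a raw device path is read the same way on Linux given permissions and a write blocker in front of it), SHA-256 and a 1 MiB chunk are arbitrary choices, and the sample data is constructed inside demo().

```python
"""Fan-out imaging with post-write verification (illustrative example)."""
import hashlib
import os
import queue
import tempfile
import threading

CHUNK_SIZE = 1 << 20  # 1 MiB read/write unit; assumed value, tune for the hardware


def _writer(path, chunks, errors):
    """Drain one queue into one target file until the None sentinel arrives."""
    done = False
    try:
        with open(path, "wb") as out:
            while True:
                chunk = chunks.get()
                if chunk is None:
                    done = True
                    break
                out.write(chunk)
            out.flush()
            os.fsync(out.fileno())  # data really on the target before we report done
    except OSError as exc:
        errors.append((path, exc))
        # keep draining so the reader never blocks on a full queue
        while not done and chunks.get() is not None:
            pass


def image_to_many(source, targets, chunk_size=CHUNK_SIZE, max_pending=64):
    """Read source once, write it to every target in parallel.

    Returns (sha256 of the read stream, bytes read). Raises if any target failed.
    max_pending bounds how far the reader may run ahead of the slowest writer.
    """
    queues = [queue.Queue(maxsize=max_pending) for _ in targets]
    errors = []
    threads = [threading.Thread(target=_writer, args=(p, q, errors))
               for p, q in zip(targets, queues)]
    for t in threads:
        t.start()
    digest = hashlib.sha256()
    total = 0
    with open(source, "rb") as src:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            digest.update(chunk)  # hashed once, on the read side
            total += len(chunk)
            for q in queues:
                q.put(chunk)
    for q in queues:
        q.put(None)  # sentinel: no more data
    for t in threads:
        t.join()
    if errors:
        raise RuntimeError("write failures: " +
                           ", ".join(f"{p}: {e}" for p, e in errors))
    return digest.hexdigest(), total


def sha256_file(path, chunk_size=CHUNK_SIZE):
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_targets(targets, expected):
    """Re-read every target and compare it with the source hash."""
    return {p: sha256_file(p) == expected for p in targets}


def demo():
    """Constructed sample: a 4 MiB random 'source' imaged to two targets."""
    workdir = tempfile.mkdtemp(prefix="fanout-")
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(4 * 1024 * 1024))
    targets = [os.path.join(workdir, f"copy{i}.raw") for i in (1, 2)]
    digest, size = image_to_many(source, targets, chunk_size=256 * 1024)
    return digest, size, verify_targets(targets, digest)


if __name__ == "__main__":
    digest, size, results = demo()
    print(size, "bytes", digest)
    for path, ok in results.items():
        print("OK  " if ok else "FAIL", path)
```

The bounded queue is the part worth noting: without it the reader would buffer the whole source in memory whenever one target is slower than the read, which is exactly the situation the fan-out is meant to exploit. The verification pass is deliberately a separate re-read of each target rather than a hash of the bytes handed to the writer, since the latter would not catch a write that silently went wrong.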
(@randomaccess)
Posts: 385
Reputable Member
 

As a complete tangent: triage devices first; you may find you don't need to image them and you can get the entire examination done in a day, rather than imaging/processing etc.

Also, looking into Evimetry lab which will allow for concurrent imaging and processing at the same time

 
Posted : 25/12/2018 10:21 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

With imaging of hard drives, I always find that more (cheaper) machines image faster than single faster machines.
Do you have a single write-blocker attached to each machine? What Imaging software are you using?

In terms of fastest imaging software, X-Ways arguably holds the title for that, however X-Ways Imager comes at a cost of about £100.
Installing a forensic Linux distribution onto a machine and using Guymager is our preferred method. It removes the requirement for writeblockers (although we use them for old IDE drives) and they can be replaced with USB 3 docks (Approx £20 per unit). You can then image 2 devices per machine without buying additional writeblockers. This also allows you to repurpose an old machine (if you have any) as they don't need to be particularly powerful.

Although your network will start slowing down when you acquire multiple images at once, the trick is to get all the bays going and then come back in the morning. Even if it takes 10%-25% longer because you are doing more drives at once, they will all be done by morning.

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

 
Posted : 27/12/2018 12:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

You know that the use of "your" instead of "you are" is a non-conformity per ISO 17025 😯 , and you need to take immediate action to control and correct it, don't you? wink

D

jaclaz

 
Posted : 27/12/2018 5:48 pm
(@blschatz)
Posts: 2
New Member
 

Full disclosure - I am the developer of Evimetry, which was mentioned earlier in this thread.

Gaining more efficiency depends on where in your workflow the bottlenecks are (you might like to see [1] and [2] for more detail on that). For example, a gigabit network does ~100MB/s maximum - half the speed of a commodity 3.5" drive; and a USB write blocker might limit the acquisition speed of an SSD from 500MB/s to around 300MB/s.

Following from the suggestion of @jaclaz, using an imaging technology that lets you get the aggregate throughput of multiple portable evidence storage devices can be a real improvement in labs that are still on 1GBe. It is much faster to "sneakernet" a couple of 3.5" HDDs or Samsung T5's containing an image to an analysis workstation and copy it direct to its RAID rather than to use a network (4 or 8x faster for this example). Verification speeds also scale similarly with multiple evidence storage devices and RAID storage.

On the acquisition side the speed gains are mainly for RAID, SSD and NVME, which have high IO rates that often can't be matched by single output devices.

-bradley

[1] https://evimetry.com/presentations/Advanced-AA-AFF4-PUBLIC.pdf
[2] https://evimetry.com/blog/2019/01/efficient-forensic-workflow-is-your-bridge-a-bottleneck/

 
Posted : 24/01/2019 5:17 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

DM me if you want to look at some of our procedures, I'm sure your going through the ISO 17025 nightmare as well.

You know that the use of "your" instead of "you are" is a non-conformity per ISO 17025 😯 , and you need to take immediate action to control and correct it, don't you? wink

D

jaclaz

Probably and it will require a non-conformance action that generates so much paperwork that we have to harvest a small forest. If it was picked up during an audit, this would be enough to withhold accreditation until the action has been closed out.
So says the holy text of ISO 17025, so shall it be done!

 
Posted : 24/01/2019 8:49 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So says the holy text of ISO 17025, so shall it be done!

Thus spoke ISO17025, A Norm for All and None. wink
mrgreen

jaclaz

 
Posted : 24/01/2019 12:00 pm