Hello All,
I could not find the answer here or elsewhere online.
I was wondering if there is hardware/tool out there similar to the Tableau TD2 duplicator but instead of performing an E01 forensic image or disk duplication, it will perform a compressed image of another disk? When I have only a few drives to obtain a compressed image, I use Symantec Ghost. However, I may receive almost 300 HDs and will need to turn them around quicker than what it will take using Symantec Ghost with the source and target drives connected via USB on my laptop. The TD2 images HDs very fast and I was hoping to find a similar product for capturing compressed images. Has anyone ever come across a tool like this or a better way to speed up collection times? I have the capacity to only perform 3 Ghost images at 1 time - I only have 3 computers to use.
Thank you in advance for anyone's help or advice.
I am not sure I understand the question.
The .E01 is already a compressed format
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3091
https://
The PSI-Clone
http//
also allows for compression, though I don't think that the compression used is "open" (i.e. it cannot be restored if not by using the PSI thingy) ?
jaclaz
However, I may receive almost 300 HDs and will need to turn them around quicker than what it will take using Symantec Ghost with the source and target drives connected via USB on my laptop.
Are you asking for one product that should scale from 3 to 300? I think that is optimistic.
It seems to be a question of using those 300 systems in a way to help your job … essentially imaging a dozen, and then use those systems to image the rest, in parallel. For that you probably need a solution based on software rather than hardware.
Thank you for your prompt responses. I apologize for being vague.
I do understand that the .E01 is a compressed format, but it's a forensic image. The legal team does not want a forensic image of the 300 HDs. They want me to perform a disk duplication to capture live data, not any slack space or overwritten data. When I typically perform this disk image/duplication, I use Symantec Ghost, which compresses the disk image. This process takes a long time because I have the source and target drives connected to my laptop via USB. Read/write to these disks take a very very long time. I was hoping to find a tool or better way (faster) to perform a compressed disk duplication than using Symantec Ghost.
I do not need to capture the data from all 300 drives at one time. I was hoping for a machine similar to the TD2 because of its ability to acquire the data quickly. A 1 to 1 ratio is fine as long as it doesn't take 4-5 hours like Symantec Ghost.
Thanks!
Look at Acronis True Image - (www.acronis.com) You can boot off the CD and then image the partitions to your destination drive that is connected to the computer via USB or eSata if available. You are limited to the speed and processing power of the user's computer.
=Art=
Yep.
What you want to do is not a "real" image of a disk, it is more like a set of (restorable) logical images of the volumes (+ I presume the MBR or GPT table).
Hardware duplicators/imagers are "dumb" machines and they are "filesystem agnostic" (i.e. they don't bother to see WHAT is in the source, they just copy the data "as is" at the byte, actually sector, level), whilst what you want to do needs some "intelligence", i.e. the device needs to be able to "understand" the filesystem used on the volume(s), and parse its contents, interpreting their contents and copying just the data.
GHOST can be used both as a "dd-like" imager and as a "logical imager", you were talking of the latter while - since we are in the "forensics realm" I assumed you meant the former, and I was perplexed.
The liberal mixing of terms (common to almost *any* technical conversation/documentation, since MS actually introduced it) did not help.
For future memory:
A Disk Drive is the actual hardware (or Hard Disk Drive or Hard Drive).
A DISK is the whole thing (or PhysicalDrive under Windows NT) i.e. the actual whole number of sectors from start to end of the whole device.
A DRIVE is the Partition (if Primary) or Logical Volume (or LogicalDrive under Windows NT) or in any case the *whatever* gets a drive letter in Windows.
This latter "DRIVE" can mean BOTH the actual physical extents, i.e. the actual whole number of sectors from start to end of the actual corresponding entry in the MBR, EMR or GPT table, or, ONLY the "allocated" ones as resulting from the actual filesystem indexing data.
As said, depending on the switches used, GHOST can do both a "dd-like" image, that would be the -IR switch
http//
or operate "intelligently" and skip unused/unallocated sectors and/or unused areas of the disk.
Acronis, as well as a number of other software, commercial or free (among the many I will mention Clonezilla), will be able to do the same.
If you could explain in detail what will be the use (final goal) of the imaging, it may be possible to suggest a more suitable alternative.
There is however a trade off between "intelligently" copying less data (and have possibly more compact compressed images) and "primitively" image RAW data (you transfer more data but at a higher speed).
Conversely, if you are willing to spend money to buy a dedicated hardware imager, with the same (or much less) money you could set up one or two "dedicated" PCs.
jaclaz
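The DISK versus DRIVE distinction in the post above, as an added example that is not part of the original thread: a Python sketch that parses the four primary entries of an MBR and compares the sectors a "dd-like" image of the whole disk would copy with the sectors that lie inside partition extents. The sample MBR, the disk size and all function names are constructed for illustration; it assumes 512-byte sectors and non-overlapping partitions, and does not follow extended-partition chains or GPT.

```python
import struct

SECTOR = 512                     # assumed sector size
ENTRY = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(parts):
    """Build a constructed MBR sector from (type, start_lba, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(parts):
        off = 446 + 16 * i       # partition table starts at byte 446
        mbr[off:off + 16] = struct.pack(ENTRY, 0, b"\0" * 3, ptype, b"\0" * 3, start, count)
    mbr[510:512] = b"\x55\xaa"   # boot signature
    return bytes(mbr)

def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _, _, ptype, _, start, count = struct.unpack(ENTRY, sector[off:off + 16])
        if ptype != 0 and count > 0:
            parts.append({"index": i, "type": ptype, "start": start, "count": count})
    return parts

def coverage(disk_sectors, parts):
    """Sectors on the whole DISK vs. sectors inside partition (DRIVE) extents."""
    inside = sum(p["count"] for p in parts)
    return {"disk": disk_sectors, "in_partitions": inside, "outside": disk_sectors - inside}

# Constructed sample: a 1,000,000-sector disk with two NTFS-type (0x07) partitions.
SAMPLE_MBR = build_mbr([(0x07, 2048, 204800), (0x07, 206848, 700000)])
PARTS = parse_mbr(SAMPLE_MBR)

if __name__ == "__main__":
    for p in PARTS:
        print(f"partition {p['index']}: type 0x{p['type']:02x}, "
              f"LBA {p['start']}..{p['start'] + p['count'] - 1}")
    print(coverage(1_000_000, PARTS))
```

A raw image copies every sector counted under `disk`; restricting the copy further to the allocated sectors within each partition requires parsing the filesystem itself, which this sketch does not do.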