I was wondering if it is published anywhere the conversion ratio for compression between time and the amount written to the target drive. It says None, which is probably the fastest, but then good and best. I'm curious about the time differences, if it is published, for each of these. If you can point me in the right direction, it would be greatly appreciated.
Hi,
This might be something that you want to try yourself. Why not image the same drive 3 times and during each time change the compression ratio. We have done this before.
We found that no compression is the fastest, resulting in the largest file size. Good compression greatly reduces the file size (by about 2/3rds on a 40GB HDD) but doubled the imaging time.
Best compression quadrupled the imaging time and only resulted in a file approx 500MB smaller than good compression.
When onsite we generally image with no compression, and when we get back to the lab compress it then. We do use good compression onsite when time is not an issue or when storage space is limited.
Ronan
Hi Craig,
There are also some factors that can influence both speed and compression:
- CPU speed of the imaging workstation can positively influence compression speed
- the data on the source drive can impact the 'compressibility' of the image, for example a drive that has been wiped with zeroes before installing an OS on it will result in a smaller image than a drive that has been wiped with random data
Doing a lab test will definitely give you some feeling on the differences, but especially the size of the compressed image is something that can vary greatly.
Jelle
The compressibility of the data also heavily influences the amount of CPU time to compress the data and therefore how long the imaging takes.
Do the test on 4 different hard disks and you will get 4 different sets of results - hence the vagueness of the good fast best description.
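The effect described in the posts above (stored size and CPU time both depend on what the source data looks like) can be reproduced with a small lab test; this is an added example, not part of the original thread. It assumes zlib levels 0, 1 and 9 as stand-ins for a tool's none/fast/best settings and a 32 KiB chunk size, and it uses constructed sample buffers rather than real drives.

```python
import os
import time
import zlib

CHUNK = 32 * 1024  # assumed chunk size: data is compressed chunk by chunk
LEVELS = {"none": 0, "fast": 1, "best": 9}  # assumed mapping onto zlib levels


def make_samples(size=4 * 1024 * 1024):
    """Constructed stand-ins for different kinds of source drive content."""
    line = b"2009-01-01 12:00:00 GET /index.html 200 user=alice\n"
    text = (line * (size // len(line) + 1))[:size]
    return {
        "zero-wiped": bytes(size),        # drive wiped with zeroes
        "random-wiped": os.urandom(size),  # drive wiped with random data
        "log-like text": text,             # repetitive user data
    }


def image_chunks(data, level):
    """Compress data chunk by chunk; return (stored bytes, elapsed seconds)."""
    stored = 0
    start = time.perf_counter()
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        packed = zlib.compress(chunk, level)
        # Simplification: keep the raw chunk when compression does not shrink it
        stored += min(len(packed), len(chunk))
    return stored, time.perf_counter() - start


def benchmark(samples=None):
    """Return {(sample, setting): (stored/original ratio, seconds)}."""
    samples = samples or make_samples()
    results = {}
    for name, data in samples.items():
        for label, level in LEVELS.items():
            stored, secs = image_chunks(data, level)
            results[(name, label)] = (stored / len(data), secs)
    return results


if __name__ == "__main__":
    for (name, label), (ratio, secs) in benchmark().items():
        print(f"{name:14} {label:5} stored={ratio:6.1%} time={secs * 1000:7.1f} ms")
```

Timings vary with the CPU of the machine running it, so compare the settings against each other on the same workstation rather than reading the numbers as absolutes.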
Not questioning the stability or quality of E01 compression, but be very careful using the highest E01 compression ratio in FTK Imager. I had an instance in which I imaged 7 drives. 3 were imaged with default compression and 4 were imaged with the highest compression. All 4 of the highest compression E01 images were corrupt and unreadable. Worked with AccessData and others for weeks to no avail.
Thanks for that tip re full compression and FTK, I have never had this issue but it's good to know. I assume your backup image also had the same issue? I may turn the compression down a little in future.
Yes.. The backup images also had the issue. The oddest part that AccessData and I could not figure out is why the verify did not catch the issue..
So what was the issue?
Were there CRC errors for a chunk but the data decompressed OK? Was corrupt data written to each chunk but with an associated good CRC?
It sounds like the latter if it verified OK.
The de/compression used by the expert witness format is zlib and these libraries are deemed very stable so this sounds odd.
It was odd.. The first 7-8 segments were fine.. then 1-2 segments would be bad that threw everything out of whack.
You didn't mention it but I have noticed that EnCase Evidence Files acquired with Version 6 of EnCase cannot be opened with FTK version 1.7. I haven't tried 1.8 or 2.1.
Before I upgraded to EnCase V6, I had no problems.