Dear All,
I need forensically acquire the content of 8 hard disks.
I thought to proceed as follow:
1) Boot the pc using a live distro like kali-linux
2) use ftk-imager 3.1.1 to copy the content of the hard disk on a external drive
5 PC have a WD 500 GB SATA 16MB
3 PC have a Samsung SSD 750 EVO - 500GB
Could you help me to estimate approximatively the time it takes to make a single copy of the disk?
Do you have any suggestion (e.g. ftk-imager options, external hard disks feature...) to speed up
the process?
Thank you in advance,
Best Regards
Andrea Liguoro
There are a lot of variables concerning read speed, write speed, interface speed, format, compression, etc.
As a rough ballpark starting value, spinning rust to spinning rust is going to be around 1 Hour/500GB
Reading SSDs are going to be much much faster but if you are writing to spinning rust that will dominate the time and put you back into the same range.
SSD to SSD is potentially orders of magnitude faster but your interface speed will dominate. If you are booting from a live distro what's the interface to your external drive?
I'm guessing you're looking at a USB external drive (hopefully USB 3). So even with the SSD's 1 Hour/500GB is still a reasonable estimate. (Probably fractionally better but close enough)
One more thing, last I looked (and it's been awhile) kali-linux was not considered to be forensically sound.
As far as speeding things up, yes there are ways to speed things along but they all involve dismounting drives and direct connecting to custom hardware. The fact that time seems to be important to you suggests that you plan on doing the imaging in situ which does not lend itself well to taking things apart. Your most practical bet is using 8 external drives and running all 8 captures in parallel which would be about 1 hour.
Thank you very much.Â
I'll share in this post the copy elapsed time.
Best Regards
Andrea Liguoro