If you're imaging in a lab and not in the field, I don't really see a benefit in a dedicated imaging device.
Eric Zimmerman did some testing and found that Guymager and X-Ways were a good couple tools for imaging devices. Both of these will run on a standard machine.
On top of that, the Atola/PC3000 is probably a good purchase because of their extra capabilities.
I haven't played with a PC3000 but I'd say a tool that's capable of imaging drives that have issues is better than a dedicated imaging device.
Is your use case for imaging out in the field or in a lab?
Hi randomaccess
Thanks for suggestions.
I am looking for standalone device as mostly it will be used in field - Onsite imaging.
We already have PC-3000 UDMA which is great tool for firmware data recovery.
We will be needing hardware write-blockers with software tools like X-Ways.
Combined cost of X-Ways and write blocker will be similar to hardware devices only.
With devices like Falcon you can make multiple copies of same disk or image multiple devices simultaneously. This reduces time of evidence collection.
We will be needing hardware write-blockers with software tools like X-Ways.
Combined cost of X-Ways and write blocker will be similar to hardware devices only.
I would go with that then; the versatility of a write blocker + X-Ways offsets a dedicated imager in my opinion.
Depending on what you're tasked with doing, I would plug the drive in, export key files, for example, the registry, and then set up your imaging process. Whilst that's been done, you can start some basic analysis. Better use of your time, rather than waiting several hours for an image to complete.
I think there is grave risk in doing any direct work with suspected drive without making multiple images first.
Disk drive being extremely fragile and delicate must be imaged first before any analysis.
So imaging is first part in forensic, analysis starts only after imaging.
Besides, as per law, unless evidence is submitted in court's required procedure it will be flawed.
At any point it should be proved to court that forensic imaging has been done on suspected drive.
Court may reject if disk is not imaged first (Pls. note this changes from country to country).
In my country private investigation other than law enforcement agency is not valid as per law.
Using imager you can convert IDE/SAS/SCSI disks in SATA which is common platform.
Otherwise write blockers for each type will be needed. Support for IDE and PCI slots has been removed from modern motherboards. How will you connect IDE and SCSI hard disk to your X-Ways workstation? Carrying entire PC on site is absolutely not easy task.
Considering this and many things dedicated imaging is the only better option.
I would argue that conducting a brief triage of a hard drive prior to imaging isn't putting the disk at any further risk. I definitely wouldn't be saying grave risk; if you're happy to have the drive sitting on an imaging device for several hours imaging, what is a few minutes extracting useful data so that you can begin your examination.
You can redo the examination afterwards if your country requires you to run your examination on a copy of the data. But if for example someone were to come and seize all of my electronic devices and image them all without an initial triage they would be wasting a lot of time and energy. By all means use an imaging device, but I would still recommend hooking the drive up and have a look to make sure it's worth the imaging time. Plus as I mentioned before, extracting forensic artefacts so that you can work concurrently.
You are correct regarding SCSI and SAS drives, also PCI/NVMe drives etc. and write blocking. For those it is suggested that boot disks will suffice, although there have been arguments about data spoliation. I don't really come across many SCSI or SAS drives so I don't have experience there. The only PCI write blocker I know of is from Tableau and that requires a desktop PC to be installed into.
Regarding IDE: both the WiebeTech and Tableaus cover both IDE and SATA.
Hi randomaccess
Yes onsite quick initial examination will be always helpful.
Issue I am facing now is both size and complexity of drives is getting increased everyday.
It takes several days to analyze 3TB / 4 TB disks.
Besides, full disk encryption / BitLocker / ransomware encryption etc. type issues are there.
I am planning to buy imager and still struggling for right device.
As you said, Superimager with dual boot was one of the contenders. But after not so good review of the same, I have dropped it. It is useful for quick checking of disk on site.
I am about to conclude no forensic hardware maker is truly professional nor their devices are 100% reliable and trustworthy.
On the other hand they are fully aware of defects/bugs and limitation of their devices.
I am following up with MediaClone / Logicube and others.
They do not bother to reply to customers' emails/queries.
This shows suspicious behavior of them. They avoid direct technical questions.
They are only experts in making false claims and marketing hype of their device.
I am still unable to choose right device. It seems I will have to make my own device.
Hi! I can claim we are true professional hardware makers with long successful history. I am always ready to respond and existing customers know how much we try to assist them when questions arise.
Hi raydenvm
Yes, I am well aware of great features of Atola which none of the imagers have (except DeepSpar which has some of the features).
However I am looking for a standalone device which will work in onsite field imaging.
Atola will be of great use for in-lab cloning.
My basic requirement is as following –
1) Create multiple copies from single source / cloning and imaging
2) SHA verification
3) Multiple disk wiping.
So I am looking for a dump imager which will clone 100% working hard disks (for firmware level work we already have PC3000 UDMA).
We have often noticed issues with high-tech devices which are not rugged industrial grade.
They have proprietary cables/connectors/adapters and power supplies.
In case of any issue with device either you will have to send it to manufacturer.
Sending device from Asia to Europe with customs charges are so high, I can get a brand new imager in it. It will be having dense SMD and multilayer PCB which no one will be able to repair post sale / post warranty.
So we will prefer industrial grade rugged device than the one having advanced features.
My original Tableau TD1 and TD2s are still functional, so they appear to be sturdily built.
The TD2u can wipe three hard drives at once, the TD2 can wipe two hard drives at once, and the TD1 can wipe one hard drive at a time.