Imaging Time

(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
Topic starter  

Morning guys,

We're imaging a number of drives both onsite and in the lab but we're spending a lot of time waiting around on the images to complete. We get about 1GB/s when transferring which means for 160GB disks it's taking approx 2.5 hours on average. This really goes sky high when we recently had to image a 1.2TB drive!

I'm just wondering what speeds the community achieve and if there are any recommendations as to how to speed this up? I'm specifically looking for options that would speed up the process both onsite or in the office. Any hardware that you can recommend etc.

We currently have EnCase 4, 5 and 6 available to us and we use USB/Firewire 400/800 at present.

Regards,

Ronan

P.S. Suggestions of other forensic software and hardware configurations welcome


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

Various gadgets available that just do the image and verification job but I like the flexibility of going on site with laptops or Shuttle but they do take longer. What are you imaging onto? Using internal SATA drives will help rather than pushing the data back out through USB, and are you using Firewire 800? It does speed things up.
I had to do lots of on site imaging with a previous job where the enforcement body did not have the power of seizure, spent many hours waiting for the verification to complete and non-tech colleagues getting frustrated at the delay. I have heard that SATA in-SATA out write blockers are on their way but not seen any on the market yet. They are bound to speed things up. Also remember that you need a good powerful CPU to speed up the verification.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The USB (and in a minor way the firewire) interface could be a real "bottleneck".
The numbers you give do not sound "right"
1 Gb/s means (roughly) 160 seconds to image a 160 Gb drive 😯 ,

even if you were thinking about 1 Gigabit/second, it would mean
160Gbytes=160x1024x1024x1024=171,798,691,840 bytes
1 Gigabit=1024x1024x1024=1,073,741,824 bits =
1,073,741,824/8=134,217,728 bytes (per second)
171,798,691,840/134,217,728 bytes/second=1280 seconds = 21,33 minutes.

2 and a half hours for taking an image of a 160 Gigabyte hard disk sounds right to me, given you have a GOOD USB controller, BOTH on motherboard and on the external case.

Ideally you should NOT use "intermediate" interfaces, just connect the drive to the proper Motherboard bus directly.

USB 2.0 speed (theoretical) =480 Megabit/second

But do read these articles to understand why "real life" transfer speed is actually much LESS than theoretical "RAW" one
http://www.cwol.com/firewire/firewire-vs-usb.htm
http://www.directron.com/firewirevsusb.html

"real life" transfer speeds of USB 2.0 are more in the 12 to 20 Megabytes per second thus
160*1024=163,840 megabytes
163,840/12=13,653 seconds=227 minutes, i.e. 3 h 47m
163,840/20= 8,192 seconds= 136 minutes, i.e. 2 h 16m

jaclaz


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

I've heard people have had good results with these if it's of any use: http://www.voomtech.com/hc2.html
I guess some of the speed differences will be due to flat file creation though, rather than an e01 type file with more checks. Even so, they look decent to me.


   
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
Topic starter  

The USB (and in a minor way the firewire) interface could be a real "bottleneck".
The numbers you give do not sound "right"
1 Gb/s means (roughly) 160 seconds to image a 160 Gb drive 😯 ,

Sorry jaclaz, was writing that very early in the morning. It was meant to be Gb/Min, my mistake.

I'll take a better read at this later on and check all your links, thanks for the help guys.


   
(@omagico)
Trusted Member
Joined: 20 years ago
Posts: 39
 

I like to use Hardcopy 2 by voomtech. It will go as fast as the drive will allow. Only use it in clone mode so I don't know what the time would be for the image mode options. In the clone mode, I've imaged a 160gig EIDE to a 160gig EIDE in just over an hour.

I've also done 320gig SATAs with EIDE converters, as the Hardcopy does not have built-in SATA interfaces, in 1 hour and 45 minutes.

Hope this helps.

Rich


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
 

Do those quoted times include verification?
Seems pretty quick.


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

A colleague of mine mentioned the other day that when faced with multiple computers and large hard drives, he would occasionally put a sanitized HD in the suspect machine, boot it with a boot CD (e.g. Helix), and use the machine itself to image and hash to the sanitized HD.

No firewire or USB slowdown.

No slowdown because of multiple machines/drives either - great if you're doing a small LAN.

Also no need for expensive devices.

I'll have to ask him about the details because there's probably a little more to it than that (I'm always a little nervous about not using a hardware write-blocker), but it sounds like it might be something you could look into.


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Not a bad idea. If you're worried about the writeblocking, surely you could connect the target drive via a writeblocker (such as an ide fastbloc) to its original machine, thereby still getting your speed benefits, but with the write blocking.


   
(@bradspenrath)
Active Member
Joined: 18 years ago
Posts: 8
 

A colleague of mine mentioned the other day that when faced with multiple computers and large hard drives, he would occasionally put a sanitized HD in the suspect machine, boot it with a boot CD (e.g. Helix), and use the machine itself to image and hash to the sanitized HD.

I saw this demonstrated at CEIC this year. If you use Helix, I believe the target drive has to be formatted with FAT.. but I could be wrong about that. It was smoking fast though… great way to handle imaging multiple computers very quickly. The instructor told us that they had to image 30 computers onsite. Using this method, the first computer completed imaging by the time they were kicking off the fourth computer.

I personally just bought a Voom Hardcopy II and LOVE it. In my benchmark testing, I imaged a 40 GB IDE to a Sata Raptor in 13 mins. That was without verification though. With verification, the imaging completed in 24 mins. That is smoking fast. As long as the client isn't demanding E01 files - the HC II is hard to beat, IMO.


   
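The posts above describe imaging and hashing in one pass, and note that verification roughly doubles the elapsed time (13 vs 24 minutes). The sketch below is an added example, not code from any poster or tool mentioned in the thread: it hashes each block as it is read during acquisition, then shows that verification is a second full read of the image. The function names, chunk size, choice of SHA-256 and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB per read; illustrative value, tune per hardware


def acquire(source_path, image_path, chunk=CHUNK):
    """Copy source to image in a single pass, hashing blocks as they are read.

    Returns (sha256 hex digest of the source stream, bytes copied).
    Opening the source read-only is not a substitute for a write blocker.
    """
    digest = hashlib.sha256()
    total = 0
    # "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            digest.update(block)   # hash computed during the copy, no extra read
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())     # make sure the image is on disk before verifying
    return digest.hexdigest(), total


def verify(image_path, expected_hex, chunk=CHUNK):
    """Re-read the whole image and compare hashes: the second full pass."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest() == expected_hex


def demo():
    """Run acquisition and verification on constructed sample data."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "source.bin")   # stands in for the source drive
        img = os.path.join(workdir, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 123))  # constructed test data
        acq_hash, size = acquire(src, img, chunk=1024 * 1024)
        clean = verify(img, acq_hash)
        with open(img, "r+b") as f:                 # simulate a corrupted image
            f.seek(1000)
            byte = f.read(1)
            f.seek(1000)
            f.write(bytes([byte[0] ^ 0xFF]))
        return size, clean, verify(img, acq_hash)


if __name__ == "__main__":
    print(demo())
```
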