
Intel Optane SSD

5 Posts
5 Users
0 Reactions
4,000 Views
(@thegrull)
New Member
Joined: 3 years ago
Posts: 1
Topic starter  

I'm wondering if anyone has any advice on how to image an Intel Optane drive. I have a machine with two drives in it, the Optane SSD one and a regular HDD. However, I cannot get the SSD to connect properly to any machine. I believe this is because it isn't formatted like any other disk; it is used almost like RAM, and user data is cached there. This is a major issue for me as the HDD has imaged fine but there is almost no user data on it.

Does anyone have any advice on how to image it? I've tried X-Ways and FTK when connected to a write blocker but it errors out as it is looking for a disk. I've also tried booting into Paladin, DEFT and WinFE and none pick up the SSD, only the HDD.

Any help would be appreciated.


   
(@royankit)
Active Member
Joined: 3 years ago
Posts: 10
 

I have also searched a lot but was unable to find a satisfactory result. If anyone has a solution then please suggest.


   
(@micahsturgis)
New Member
Joined: 3 years ago
Posts: 1
 

@royankit I tried imaging the Optane drive with a Forensic Falcon, but it doesn’t look right. Would love to reach out and discuss.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Optane is, as far as I can make out from tech literature, not a hard drive.  It's conceptually located 'between' the CPU and your hard drive. Important stuff (i.e. such stuff that Intel Rapid Storage Technology decides is important) gets cached. Unimportant stuff (that is not very likely to get used again) is ignored. (Don't get confused by its form factor being the same as ordinary SSD drives.)

If you image that hard drive 'through' Optane, some sectors will be read from the hard drive, some will be read from the Optane cache. (To avoid that, image from a separately booted environment, preferably Linux, which doesn't seem to have Optane drivers yet.)

If everything is working right, the Optane cache will (probably) not hold any information that is not also on the hard drive. Unless and until someone researches the issue and decides that v X.Y of the driver software fails to work that way, and that old data is stored, and can be retrieved off the cache, I would not consider doing it. (That could be a security issue for Optane for external hard drives.) That is, I would not attempt to 'fish' the Optane cache in the hope that it might contain something, especially not if the imaging software or manufacturer doesn't explicitly state that it supports that mode of operation.

You would probably need something like Volatility to make that work: special knowledge about internal data structure and driver versions and so on. Cache content would probably be rather like a page file: fragments of data in sector/cluster chunks that might need to be puzzled together.

(There were similar discussions some years back, about semi-hard drives that were a combination of a hard disk and a SSD cache as an integrated unit, with standard xATA interface. And some people wanted to image that cache. I can't remember anyone reporting success.)   
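
An added example, not part of any post in this thread: shell functions for the separately booted Linux approach suggested in the reply above. They list each block device from sysfs so the cache module and the HDD can be told apart, then image one device and verify the image hash. The function names and the optional sysfs-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the optional
# sysfs-root argument are assumptions made for illustration.

# List block devices as: name <TAB> size in bytes <TAB> rotational <TAB> model.
# A cache module on NVMe and a SATA HDD show up as separate entries.
list_block_devs() {
    local sys="${1:-/sys}" d name sectors rot model
    for d in "$sys"/block/*; do
        [ -r "$d/size" ] || continue
        name=${d##*/}
        case "$name" in loop*|ram*|sr*|dm-*) continue ;; esac
        sectors=$(cat "$d/size")     # sysfs reports size in 512-byte units
        rot=$(cat "$d/queue/rotational" 2>/dev/null) || rot='?'
        # Model strings are padded with spaces; strip the padding.
        model=$(sed 's/[[:space:]]*$//' "$d/device/model" 2>/dev/null) || model=
        [ -n "$model" ] || model=unknown
        printf '%s\t%s\t%s\t%s\n' "$name" "$((sectors * 512))" "$rot" "$model"
    done
}

# Image SRC to DEST, then hash both and compare.
# Prints the SHA-256 on success; returns non-zero on read error or mismatch.
image_and_verify() {
    local src="$1" dest="$2" h_src h_img
    # Kernel-level read-only flag for real block devices. This does not
    # replace a hardware write blocker.
    [ -b "$src" ] && blockdev --setro "$src"
    # No conv=noerror,sync here: a read error stops the copy instead of
    # silently padding the image with zeros.
    dd if="$src" of="$dest" bs=1M status=none || return 1
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_img=$(sha256sum < "$dest" | cut -d' ' -f1)
    [ "$h_src" = "$h_img" ] || { echo "hash mismatch for $src" >&2; return 1; }
    echo "$h_img"
}

# Typical use from a live environment (device and output paths are examples):
#   list_block_devs
#   image_and_verify /dev/nvme0n1 /mnt/evidence/nvme0n1.dd
```

Imaging each listed device separately keeps the cache module and the HDD as distinct evidence items with their own hashes.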


   
(@bhoyfett)
Active Member
Joined: 7 years ago
Posts: 5
 

One of our TAs imaged an Optane SSD and all we got was one chunk of unusable data.

I had a go at imaging using Digital Collector, with which I was able to obtain images from nvme 1 and nvme 2.

I was able to analyse the data in AXIOM and peruse the user data as normal.


   