Join Us!

Large hard drive im...
 
Notifications
Clear all

Large hard drive imaging  

Page 1 / 2
  RSS
armresl
(@armresl)
Senior Member

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

Let's say the drives are SATA 7200 and you are write blocking to your destination.

Thanks.

Quote
Posted : 27/01/2020 7:44 pm
raydenvm
(@raydenvm)
Junior Member

Read speeds of the drives limit imaging performance a lot. So the times are getting worse and worse for the digital forensic community. Luckily, Seagate, WD, and Toshiba are really looking into improving speeds via new technologies like MACH.2, allowing parallel reading. But still, we have to deal myriad of 8, 10 TB drives, let alone the newest ones reaching 16 TB.

In Atola, we regularly run QA performance tests for TaskForce and Insight Forensic.

Here are some of the imaging times received several weeks ago
* WD Purple 8 TB, 5400 RPM- 13 hours 30 minutes
* WD Red 10 TB, 5400 RPM - 16 hours 50 minutes
* Seagate Skyhawk 12 TB, 7200 RPM - 18 hours 30 minutes

ReplyQuote
Posted : 28/01/2020 7:26 am
JimC
 JimC
(@jimc)
Member

It is certainly true that imaging time will increase with disk size. However, the discussion so far didn't mention that the imaging time will also depend on the amount/type of data and level of compression. For instance, it is quite common for 1-2TB drives in "consumer" equipment to be >50% empty and there is an inevitable trade-off between speed and compression.

Jim

www.binarymarkup.com

ReplyQuote
Posted : 31/01/2020 1:43 pm
mcman
(@mcman)
Active Member

It is certainly true that imaging time will increase with disk size. However, the discussion so far didn't mention that the imaging time will also depend on the amount/type of data and level of compression. For instance, it is quite common for 1-2TB drives in "consumer" equipment to be >50% empty and there is an inevitable trade-off between speed and compression.

Wouldn't that only matter if you're reading the contents or doing logical extractions? If you're simply running a stream acquisition (physical disk/sectors), the content shouldn't matter no?

I'm by no means a hardware imaging expert so I could be wrong but that was always my assumption.

Jamie

ReplyQuote
Posted : 31/01/2020 2:20 pm
Bunnysniper
(@bunnysniper)
Active Member

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

ReplyQuote
Posted : 31/01/2020 3:08 pm
armresl
(@armresl)
Senior Member

Hi Robin,

You are imaging with X-Ways?
Do you not like FTK, Encase, Tableau imager?

Wonder what kind of speeds come out of TX1 with a big drive.

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

ReplyQuote
Posted : 01/02/2020 5:24 am
Bunnysniper
(@bunnysniper)
Active Member

You are imaging with X-Ways?

Yes, nicely integrates in the later analysis workflow and I can use all CPU cores and memory for the imaging process. In a direcct comparison with FTK you will see, that X-Ways is faster.

regards, Robin

ReplyQuote
Posted : 01/02/2020 10:20 am
jaclaz
(@jaclaz)
Community Legend

@armresl
JFYI, some time ago brett shavers pointed to a google spreadsheet prepared by eric zimmermann, comparing a number of tools
https://docs.google.com/spreadsheets/d/1wXX5zYql7KIPgrsDdt6S5bTuGt_WRjWaBde1D0fhG5k/edit?type=view&gid=0&f=true&sortcolid=11&sortasc=true&rowsperpage=250#gid=0

jaclaz

ReplyQuote
Posted : 01/02/2020 3:22 pm
Bunnysniper
(@bunnysniper)
Active Member

…..some time ago brett shavers pointed to a google spreadsheet prepared by eric zimmermann

That doc is 7 years old. Time to generate a new comparison including NVMe, USB 3.1 und Core i7/9 CPU… - today we simply have a new generation of tools and hardware available. No, sorry, I do not have that time available -/

regards, Robin

ReplyQuote
Posted : 01/02/2020 8:03 pm
Rich2005
(@rich2005)
Active Member

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

I also use X-Ways for all my imaging, in standard scenarios, but I'm curious as to your experiences with highest compression versus the fast-adaptive method.
I think I settled on the fast-adaptive method, probably partly because I figured I wasn't bothered about a fractionally larger image file, but also because I figured the extra decompression effort, when processing later, might make that slightly slower in tools that max the CPU.
Are your observations purely-imaging related or both for imaging and processing?

ReplyQuote
Posted : 02/02/2020 10:23 am
jaclaz
(@jaclaz)
Community Legend

That doc is 7 years old. Time to generate a new comparison including NVMe, USB 3.1 und Core i7/9 CPU… - today we simply have a new generation of tools and hardware available. No, sorry, I do not have that time available -/

Sure, but even then X-Ways was on the fastish side, if you prefer, I was surprised at the surprise 😯 expressed by armresl about your report of using X-Ways for imaging ) .

jaclaz

ReplyQuote
Posted : 02/02/2020 10:28 am
minime2k9
(@minime2k9)
Active Member

I'm honestly shocked that people still use FTK or Encase for imaging.
Or Encase for anything actually

ReplyQuote
Posted : 02/02/2020 6:46 pm
thefuf
(@thefuf)
Active Member

I'm honestly shocked that people still use FTK or Encase for imaging.
Or Encase for anything actually

Just read this https://www.reddit.com/r/computerforensics/comments/e7rblh/is_encase_worth_buying_any_more/

ReplyQuote
Posted : 02/02/2020 9:57 pm
watcher
(@watcher)
Member

It is certainly true that imaging time will increase with disk size. However, the discussion so far didn't mention that the imaging time will also depend on the amount/type of data and level of compression. For instance, it is quite common for 1-2TB drives in "consumer" equipment to be >50% empty and there is an inevitable trade-off between speed and compression.

Wouldn't that only matter if you're reading the contents or doing logical extractions? If you're simply running a stream acquisition (physical disk/sectors), the content shouldn't matter no?

I'm by no means a hardware imaging expert so I could be wrong but that was always my assumption.

Jamie

Correct, a physical drive image is a bit for bit copy, data content does not matter on the read, an empty drive would take the same time as a full drive. However if your are making a compressed image copy, the compression time will be effected by the data content which will in turn effect the write time.

All things being optimum, the source image read time is the speed limiting factor and that is unchanged by data content.

ReplyQuote
Posted : 03/02/2020 4:12 am
minime2k9
(@minime2k9)
Active Member

I'm honestly shocked that people still use FTK or Encase for imaging.
Or Encase for anything actually

Just read this https://www.reddit.com/r/computerforensics/comments/e7rblh/is_encase_worth_buying_any_more/

Yeah that's been my impression, over the past 4 years a lot of forces/companies have moved to X-Ways/Axiom combination.

ReplyQuote
Posted : 03/02/2020 6:40 am
Page 1 / 2
Share: