Large hard drive im...
 
Notifications
Clear all

Large hard drive imaging

20 Posts
10 Users
0 Likes
2,264 Views
(@armresl)
Posts: 1011
Noble Member
Topic starter
 

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

Let's say the drives are SATA 7200 and you are write blocking to your destination.

Thanks.

 
Posted : 27/01/2020 7:44 pm
mokosiy
(@mokosiy)
Posts: 54
Trusted Member
 

Read speeds of the drives limit imaging performance a lot. So the times are getting worse and worse for the digital forensic community. Luckily, Seagate, WD, and Toshiba are really looking into improving speeds via new technologies like MACH.2, allowing parallel reading. But still, we have to deal myriad of 8, 10 TB drives, let alone the newest ones reaching 16 TB.

In Atola, we regularly run QA performance tests for TaskForce and Insight Forensic.

Here are some of the imaging times received several weeks ago
* WD Purple 8 TB, 5400 RPM- 13 hours 30 minutes
* WD Red 10 TB, 5400 RPM - 16 hours 50 minutes
* Seagate Skyhawk 12 TB, 7200 RPM - 18 hours 30 minutes

 
Posted : 28/01/2020 7:26 am
JimC
 JimC
(@jimc)
Posts: 86
Estimable Member
 

It is certainly true that imaging time will increase with disk size. However, the discussion so far didn't mention that the imaging time will also depend on the amount/type of data and level of compression. For instance, it is quite common for 1-2TB drives in "consumer" equipment to be >50% empty and there is an inevitable trade-off between speed and compression.

Jim

www.binarymarkup.com

 
Posted : 31/01/2020 1:43 pm
(@mcman)
Posts: 189
Estimable Member
 

It is certainly true that imaging time will increase with disk size. However, the discussion so far didn't mention that the imaging time will also depend on the amount/type of data and level of compression. For instance, it is quite common for 1-2TB drives in "consumer" equipment to be >50% empty and there is an inevitable trade-off between speed and compression.

Wouldn't that only matter if you're reading the contents or doing logical extractions? If you're simply running a stream acquisition (physical disk/sectors), the content shouldn't matter no?

I'm by no means a hardware imaging expert so I could be wrong but that was always my assumption.

Jamie

 
Posted : 31/01/2020 2:20 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

 
Posted : 31/01/2020 3:08 pm
(@armresl)
Posts: 1011
Noble Member
Topic starter
 

Hi Robin,

You are imaging with X-Ways?
Do you not like FTK, Encase, Tableau imager?

Wonder what kind of speeds come out of TX1 with a big drive.

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

 
Posted : 01/02/2020 5:24 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

You are imaging with X-Ways?

Yes, nicely integrates in the later analysis workflow and I can use all CPU cores and memory for the imaging process. In a direcct comparison with FTK you will see, that X-Ways is faster.

regards, Robin

 
Posted : 01/02/2020 10:20 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@armresl
JFYI, some time ago brett shavers pointed to a google spreadsheet prepared by eric zimmermann, comparing a number of tools
https://docs.google.com/spreadsheets/d/1wXX5zYql7KIPgrsDdt6S5bTuGt_WRjWaBde1D0fhG5k/edit?type=view&gid=0&f=true&sortcolid=11&sortasc=true&rowsperpage=250#gid=0

jaclaz

 
Posted : 01/02/2020 3:22 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

…..some time ago brett shavers pointed to a google spreadsheet prepared by eric zimmermann

That doc is 7 years old. Time to generate a new comparison including NVMe, USB 3.1 und Core i7/9 CPU… - today we simply have a new generation of tools and hardware available. No, sorry, I do not have that time available -/

regards, Robin

 
Posted : 01/02/2020 8:03 pm
(@rich2005)
Posts: 535
Honorable Member
 

For those of you out there who have imaged drives 8-10TB, what are you using, and what kinds of times are you seeing?

I do not have a vendor or hard drive model for you, but from my experience X-Ways Forensics with 8 threads and highest compression for an E01 file is the fastest setup you can use for imaging. In case you have an older CPU only, I would reduce to high compression and 4 or 6 threads.

regards, Robin

I also use X-Ways for all my imaging, in standard scenarios, but I'm curious as to your experiences with highest compression versus the fast-adaptive method.
I think I settled on the fast-adaptive method, probably partly because I figured I wasn't bothered about a fractionally larger image file, but also because I figured the extra decompression effort, when processing later, might make that slightly slower in tools that max the CPU.
Are your observations purely-imaging related or both for imaging and processing?

 
Posted : 02/02/2020 10:23 am
Page 1 / 2
Share: