My business conducts some "tactical" acquisitions, and these days we always expect multi-TB installations. Therefore I read this thread carefully, and "beat everything" seems to be a very tough statement to me.
Our goal is always to make 1 the bottleneck
What makes me curious: in my opinion, we've always been doing this close to the red line - the physical specifications of the source. Any competitor does pretty much the same.
How could I or the rest of the industry get away faster, if the tool doesn't magically suck the data out of the source?
When confronted with 3-6 TB drives, we won't switch from customized RAID stations to a laptop with a bunch of USB drives. And there are a few good reasons to remove source drives and not to power up anything else, no matter what acquisition options you have.
A little contentious question: Does this tool provide any advantage to someone who already uses adequate equipment for what he does?
Like a little kid, I like new toys. Forensic 'toys' are included.
I hope that I never came across as negative to anyone's work and efforts. Innovation, creativity, and the time involved to develop anything is a worthwhile endeavor and I respect everyone who creates things. Anytime I hear news of something new and better, I just can't wait to hear more about it. As I said, I'm like a little kid and things that go fast are cool.
For this new imaging system, I just don't know exactly where it will fit yet, and I think that is what several posts are asking. Where and when does this tool work compared to what exists today?
For me, any approach to a situation (data collection, scene seizure, etc…) requires me to choose the tools I have at hand that fit the situation in front of me.
Situation 1: Tools A, B, and E will work. Tools C, D, and F will not.
Situation 2: Tool H works. Tool B might work. Other tools will not.
Situation 3: Tools A-H work.
etc..
The situations are more varied than the tools. Macs, ultralights, servers, *nix machines, mobile devices, image allowed vs no imaging allowed, time unlimited vs restricted time frame, one machine vs a hundred, and so forth.
What I don't know is where this tool fits only because I haven't seen it. If it is as fast as advertised, does it come in black? https://
Was the 70 mins for a newish disk without much data, or for one full of video/jpegs/docx/zip files?
I would like to know how much the time changes with data.
What makes me curious: in my opinion, we've always been doing this close to the red line - the physical specifications of the source. Any competitor does pretty much the same.
How could I or the rest of the industry get away faster, if the tool doesn't magically suck the data out of the source?
Endochronicity applied to forensic imaging? 😯
http//
wink
jaclaz
Well, after reading all that I'm thoroughly disappointed to say the least.
I find it very odd that the original poster wouldn't disclose anything other than the fact it was very fast after his visit for the "test", and then his next two posts read as if they were copy and pasted from promotional material.
The cynic in me thinks there is some linkage between the OP and the software company, but that's just me, I tend to be suspicious by nature :)
If it were me, the very first thing I would have posted after the testing was the fact that the speed gains were only possible by attaching multiple destination drives via USB to the device. It took some clever searching from another member to disclose that fact as neither the OP nor the vendor were willing to talk about that.
What I want to see is a real world 1 to 1 test against the other forensic tools to gauge its real speed, i.e. one source, one target. If I have to carry around dozens of USB drives to take out to jobs then this becomes a logistical nightmare.
On a personal note, deceptive promotion of software by this method really annoys me and instantly makes me not want to try the software. If you have something you want to promote then by all means make us aware and be prepared to answer questions and be up front. You may find you get the support you want and even some valuable input.
…. but that's just me, I tend to be suspicious by nature :).
You may want to choose a career as investigator wink .
jaclaz
Hello,
I am the OP. I didn't think this post would have this much interest when I posted, and I should point out I'm not with the vendor. I've been a FF member for nearly 5 years now, and am not affiliated with any vendors.
I have been keeping some test data, and I'll post some results here. This is my own testing, and I've tested multiple machines. Here is one result (I hope my maths is correct). The drive is 45% full, but this shouldn't matter as this is taking a DD image.
Test Machine: Dell Vostro 3450, Core i5, 4GB RAM
HDD: Samsung 320GB HM320HJ Platter Drive. Total bytes: 320072932864 bytes.
Ballistic connected to 2 x USB2.0 ports, and 2 x USB3.0 ports. Drive imaged in 3511sec (58mins 31secs). Average speed of 5.469GB/min.
Tableau TD2 imaged drive in 77mins 48secs using a WD 1TB Velociraptor HDD as destination. Average speed 4.113GB/min. Time to remove drive for imaging was 25mins. Time to put the drive back in was 20mins.
FTK Imager connected to a single USB2.0 port took 224mins. Connected to a single USB3.0 port took 84mins 35secs.
The destination drive used for FTK was a Samsung 512GB 840 Pro SSD.
I would say Ballistic may not be the software tool of choice for guys sitting in a lab. If time is not a problem, then popping a drive out and attaching it to your Tableau or your FRED is fine.
The software is for my guys at the sharp end, working in Afghan or worse, where they can't hang about in a target environment. Ballistic is another tool for us, it has its time and place like bshavers says, it's a tool for a particular situation.
Sorry, forgot to list what my Ballistic hardware is.
I am using the original Kingston HyperX 26GB USB3.0 stick I got the software on. I bought another, and I also have 2 x Samsung 512GB 840 Pro SSDs attached to an eSATA cable, and a USB3.0 cable.
Cheers,
Took you 25 mins to remove a HDD and another 20 mins to put it back in !!! 😯
Was the case welded shut? :P
Even taking photographs and the associated paperwork I use, I'm imaging a drive from a standard PC or Laptop within 5 mins tops.
Good point. I picked the Vostro as it's a pain to get the drive out.
I should also have pointed out that the tests we do simulate the conditions the soldiers may be in when using the kit.
The software is tested in night-time conditions, and any equipment moved has to be carefully recorded. In this case, 25mins is pretty good for a drive removal. I did it without carrying all the other associated equipment.
The soldiers who are carrying out this work will also be laden with body armour, side-arms, ammunition, comms and other kit, and a hard drive removal can sometimes take upwards of 45mins.
If I was at my lab bench, then 5mins is realistic, but we have to simulate the conditions of use.