So I did some tests comparing imaging a 1GB thumb drive to USB 2.0 and eSATA using TIM and FTKI
For imaging it doesn't make much difference that your target drive is connected via eSATA if your source thumb drive was connected via USB 2.0 the slowest link in the chain is going to limit you.
"the slowest link in the chain is going to limit you"
Yup - drive performance itself is an often overlooked factor. If your doing a 5400 RPM IDE drive you are a slave to its limitations of speed. Plus drives are like snowflakes - no two will be exactly the same. They are mechanical, have software/firmware versions and can have performance changes over time.
Ovie Caroll brought up a point that I think as practitioners we tend to forget - imaging a hard drive will probably be the most stressful thing the little buggers will have to go though in their life.
Here they are just hanging out, caching your web browser history - maybe streaming some MP3s. Then WHAM - ripped out of the homes in the middle of the night, hooked up to strange devices and forced to reveal every bit of information sequentially. The madness has to stop….
The point is to remember that each drive is a variable itself and will have different acquisition and verification times depending on drive mechanics, amount of data, hashing used, compression used.
Try benchmarking several types of drives with different hardware and software set-ups you have to find the best combination of performance and accuracy. Another reason I like to use different software tools along the verification process is that I feel better knowing I had the same outcome from different sources.
Use tools like
Process Monitor - http//
HD Tune - http//
Others out there as well…
To check your RAM, processor and I/O speeds under various test circumstances for imaging and verification to see what works best with your gear.
"imaging a hard drive will probably be the most stressful thing the little buggers will have to go though in their life.
Here they are just hanging out, caching your web browser history - maybe streaming some MP3s. Then WHAM - ripped out of the homes in the middle of the night, hooked up to strange devices and forced to reveal every bit of information sequentially. The madness has to stop….
I like the analogy 😉
I did some speed comparisons of TIM to FTK Imager a while back, as well as reviewing the work of some colleagues who were doing the same, and the conclusion I reached is that (assuming that your target/destination drive output is at full speed, i.e. either an internal drive or attached via eSATA) TIM was significantly faster imaging a source drive over USB2, but only slightly faster over eSATA. All the testing was done using later/latest generation 7200 RPM drives, and as Doug indicated, slower drives due to age, architecture or RPM may yield different results.
I'd be interested in hearing if others' testing reached a different conclusion.
Seeing as how almost all my imaging in the Windows environment is done with a T35es with an eSATA connection, I just stuck with FTK Imager. (For reference, most of my field imaging is done with a Linux forensic boot disk, most of my lab imaging is done with FTK Imager.)