Hello,
I thought I'd ask the question here as there may be someone who can give me some more insight into this.
I have a colleague in the Forensic industry who swears by dd.exe. When imaging discs he uses a Shuttle PC with a Linux distro on it to dd a hard drive to an external caddy, connected straight to the SATA controller on the motherboard. It's quite bulky, but he swears it's faster than using hardware.
I personally use Tableau kit. I have a TD1 with the various write-blockers to image drives and media. I've always found them quick, and more importantly, portable.
Does anyone else use a similar setup to the above PC? If so, is it faster than using hardware, and what setup/Linux distro do you use?
Many thanks,
Mark
I haven't tested this, but I'd say that any differences would be minimal. The slowest link in the data transfer chain isn't going to be the interface, but the hard drive itself. It takes time for the heads to seek and find. If I am correct, then both methods should be roughly equivalent. This of course assumes that all other factors are equal other than the interfaces.
You two could have a race, winner buys the buffalo wings.
These are some results from TD-1 (with hashing) that I used the other day without the new firmware update. I don't know if you can beat these speeds with dd, but then again that all depends on your system/hardware setup.
Created 2010-05-20 1012
Closed 2010-05-20 1119
# of sectors 625,142,448 (320.0 GB)
Errors recorded 0
Created 2010-05-20 1209
Closed 2010-05-20 1341
# of sectors 625,142,448 (320.0 GB)
Errors recorded 0
It's quite bulky, but he swears it's faster than using hardware.
Well, dd is not exactly non-configurable – a suitable choice of bs=??? probably helps a great deal. And just possibly what the driver does with a multi-sector request – does it do a read for all sectors in one go, or does it do a sector-by-sector read?
There are too many parameters involved for this to be a simple question to answer.
Using mstew's fastest time there, that's an average data transfer rate of 4.78 GB/min or 79 MB/sec. I've had transfer rate averages over 90MB/s with the latest generation of desktop drives (Seagate 7200.12) as the source and destination in my testing of dd with MD5 hashing inline.
I have a very similar configuration to what the OP describes - a Shuttle SFF PC with a forensic linux build - as part of my field kit. It's option 3 now of my 3 standard field acquisition methods.
Frankly though, I'm finding that some solutions that run under Windows 7 are almost as fast, especially in the lab where I'm imaging to a RAID.
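Added example, not part of any post in this thread: a small harness for the two dd points raised above, the effect of bs= on read speed and MD5 hashing inline during acquisition. The function names, file names and the constructed sample file (standing in for a write-blocked source drive) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. A constructed sample file stands in for the source drive;
# on a real job the source would be the write-blocked device node.

# Image SRC ($1) to DST ($2), reading in BS-sized ($3) requests, and print the
# MD5 of the exact byte stream written. bs governs dd's reads from the source;
# tee writes the image while md5sum hashes the same bytes in a single pass.
image_with_hash() {
    dd if="$1" bs="$3" 2>/dev/null | tee "$2" | md5sum | cut -d' ' -f1
}

# Re-read the finished image ($1) and confirm it matches the acquisition hash ($2).
verify_image() {
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

# One acquisition per block size; prints "bs seconds MB/s md5" for each run.
bench_block_sizes() {
    src=$1; outdir=$2; shift 2
    bytes=$(wc -c < "$src")
    for bs in "$@"; do
        start=$(date +%s)
        md5=$(image_with_hash "$src" "$outdir/image_$bs.dd" "$bs")
        secs=$(( $(date +%s) - start ))
        [ "$secs" -gt 0 ] || secs=1      # avoid divide-by-zero on tiny inputs
        verify_image "$outdir/image_$bs.dd" "$md5" || return 1
        echo "$bs $secs $(( bytes / secs / 1000000 )) $md5"
    done
}

# Constructed demo input: 8 MiB of random data plus a partial trailing block,
# so the larger block sizes end on a short read.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/source.bin" bs=1024 count=8193 2>/dev/null
    bench_block_sizes "$work/source.bin" "$work" 512 64k 1024k
    rm -rf "$work"
}

demo
```

The MD5 column is identical for every block size, so bs can be tuned for speed without changing the evidence hash; the sample here is far too small for the timing columns to mean anything, so point it at a real drive to compare rates.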
Patrick4n6,
I'd like to build a couple of these configurations in our lab, just to test.
Would you be able to PM your PC builds, and which Linux Forensic distro you use?
The only software we run under Windows 7 is Tableau's TIM v1.1. Do you image to an externally attached RAID, or are you imaging using a PC with a RAID controller on board?
Many thanks for your help,
Mark
It's option 3 now of my 3 standard field acquisition methods.
With no desire to hijack the thread and just out of interest, what are your other 2 options?
Generally, if I'm going to answer a question, I'm going to do it to the whole board rather than PM. The only exception is certain stuff related to law enforcement.
I have an older P4 Shuttle which I'm going to replace at some point. It's an SB65G2 with a P4 3GHz CPU and 2GB DDR400 RAM. I'm using the SPADA forensic linux distro, which is limited to LEO and IACIS members, but I've also tested it with Raptor, which was for some strange reason slower.
When I said "image to RAID" I meant in my lab, to my i7 w/ Adaptec RAID. Also, those speed tests were done on my i7, but the newer Shuttles should get the same result.
To answer Fab4, my other 2 options are forensic boot disk and laptop w/ Tableau T35es & FTK Imager. Once I validate the new TIM with the improved naming, I may change over.
Hello,
I downloaded the SPADA-4 iso after searching for it on Google. Is this the same one you use? Our department works alongside the UK Police, so if there is a special version for LEO types, we should be able to download it.
Many thanks,
Mark
Looks like PK has opened up distribution outside LEOs now. If you got it from spada-cd.info, then you have the right one.