How To Streamline The Digital Evidence Collection Process Using Hardware-Based

As a pioneer in the manufacture of hardware-based digital forensic imaging solutions, we are often asked about the advantages of hardware-based vs software-based forensic imaging. We’ve put together some suggestions on what you should consider before making a final decision on which solution works best for your specific requirements.

Digital Forensic Challenges

• In 2000 the average computer hard drive capacity was 80-120GB; in 2019 the average capacity is 2.5TB!
• Law enforcement agencies worldwide have an enormous backlog of digital evidence to process
• This ongoing growth in the volume of data storage and the increase in the number of computer devices involved in a criminal investigation pose a challenge for digital forensic investigators: how to securely and efficiently capture suspect data so that the investigator can quickly advance to the analysis phase of the investigation?

Advantages of Hardware-Based Forensic Imagers


• Hardware-based imaging is typically faster than software-based imaging
• Can easily be transported to the field in a backpack or suitcase
• No recurring software license required
• Windows-based imaging may hang or lock-up the computer when encountering less-than-healthy drives
• Dependable, reproducible results that are immune from the declining performance of Windows-based computers
• Dedicated appliance for imaging frees up forensic computers for other tasks
• Time-saving; can make multiple copies of a source drive simultaneously
• Provides forensically sound write-blocking of the source drive without an external write-blocker

How to Choose a Hardware-Based Forensic Imager

• Look for solutions that are optimized to image at the drive’s maximum speed per the manufacturer’s specification
• Opt for solutions that can be operated remotely, so that investigators can apply their resources to other tasks while imaging, or so that non-technical personnel can handle set-up in the field while experienced investigators in the lab operate all features and functions remotely
• The ability to automate frequently used settings and tasks can save time and make it easier for non-technical personnel to operate the device
• Look for features that streamline the data collection process, such as:

• Triage/preview function to prioritize suspect drives, particularly in the field where access to suspect devices is time-constrained
• Multi-tasking to perform common tasks such as imaging, wiping, hashing simultaneously
• Logical imaging feature to image only the relevant data you need
• Optimized verification functionality, such as verifying concurrent with imaging instead of sequentially, to shorten the entire image+verify process

• The imager should provide the ability to image directly to/from a network repository to streamline the evidence capture and analysis process. 10GbE performance and multiple network ports minimize bottlenecks and can speed up the entire process
• Due to increased security protocols within organizations, investigators have seen an increase in hard drives that have been encrypted. The ability to decrypt and image encrypted hard drives (BitLocker-encrypted drives, for example) using your imaging solution is a plus
• The ability to image directly from laptops/desktops without removing the hard drive can be a significant time-saver
• Make sure the solution has broad interface support, including newer drive technologies such as Thunderbolt™ and PCIe. The capability to expand support easily as new interfaces or technologies are introduced to the market ensures you are able to capture from whatever suspect media format is encountered now or in the future
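To make the feature points above concrete, here is an added illustration (not Logicube's code or any product's firmware) of three of them in one routine: the source is hashed inline while it is being read, so only the written copies need a separate verification pass rather than re-reading the source; several copies are written from a single read of the source; and an unreadable block from a less-than-healthy drive is zero-filled and logged instead of hanging the whole job. The `FlakySource` class and the 16 KiB in-memory "drive" are constructed stand-ins for a real device.

```python
import hashlib
import io

class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable block at bad_offset
    (bad_offset=-1 means the source is fully readable)."""
    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        if self.tell() == self.bad_offset:
            raise OSError("simulated unreadable sector")
        return super().read(n)

def image_with_inline_hash(src, dests, size, block_size=4096):
    """Stream `size` bytes of src into every file-like in dests, hashing the bytes
    as they are read. A block that fails to read is zero-filled and its offset
    recorded, so the job completes and the gap is documented in the log."""
    h = hashlib.sha256()
    bad_blocks = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            chunk = src.read(want)
        except OSError:
            bad_blocks.append(offset)        # log the unreadable region
            src.seek(offset + want)          # skip past it instead of stalling
            chunk = b"\x00" * want           # zero-fill keeps image offsets intact
        if not chunk:
            break
        h.update(chunk)                      # hash computed concurrently with imaging
        for d in dests:
            d.write(chunk)                   # multiple copies from one source read
        offset += len(chunk)
    return h.hexdigest(), offset, bad_blocks

def verify_image(dest, expected_hash, block_size=4096):
    """Re-read one written copy and compare its hash to the inline source hash."""
    dest.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: dest.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest() == expected_hash

def demo():
    data = bytes(range(256)) * 64            # constructed 16 KiB "drive"
    src = FlakySource(data, bad_offset=8192)  # third 4 KiB block is unreadable
    copies = [io.BytesIO(), io.BytesIO()]
    digest, imaged, bad = image_with_inline_hash(src, copies, len(data))
    return digest, imaged, bad, [verify_image(c, digest) for c in copies]
```

The returned `bad` list is the part of the log an examiner records alongside the hash, since a zero-filled region means the image hash will not match the hash of a later, error-free read of the same drive.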

About Logicube
Logicube is the world’s leader in digital forensic solutions and hard drive duplication. Founded in 1999, with headquarters in Chatsworth, California, Logicube is dedicated to delivering reliable, innovative, state-of-the-art solutions for users worldwide. The company’s products are sold direct to users, through international distributors and authorized dealers worldwide. Visit their website at http://www.logicube.com or follow Logicube on Twitter, @LogicubeUSA.
