As a pioneer in the manufacture of hardware-based digital forensic imaging solutions, we are often asked about the advantages of hardware-based vs software-based forensic imaging. We’ve put together some suggestions on what you should consider before make a final decision on what solution works best for your specific requirements.
Digital Forensic Challenges
• In 2000 the average computer hard drive capacity was 80-120GB; in 2019 the average capacity is 2.5TB!
• Law enforcement agencies worldwide have an enormous backlog of digital evidence to process
• This ongoing growth in the volume of data storage and the increase in the number of computer devices involved in a criminal investigation provides a challenge for digital forensic investigators;
How to securely & efficiently capture suspect data so that the investigator can quickly advance to the analysis phase of the investigation?Advantages of Hardware-Based Forensic Imagers
• Hardware-based imaging is typically faster than software-based imaging
• Can easily be transported to the field in a backpack or suitcase
• No recurring software license required
• Windows-based imaging may hang or lock-up the computer when encountering less-than-healthy drives
• Dependable, reproducible results that is immune from Windows-based computers’ declining performance
• Dedicated appliance for imaging frees up forensic computers for other tasks
• Time-saving; can make multiple copies of a source drive simultaneously
• Provides forensically sound write-blocking of the source drive without an external write-blocker
How to Choose a Hardware-Based Forensic Imager
• Look for solutions that are optimized to image at the drive’s maximum speed per the manufacturer’s specification
• Opt for solutions that can be operated remotely to allow investigators to apply resources to other tasks while imaging or use non-technical personnel in the field for set-up and experienced investigators in the lab to operate remotely all features/functions
• The ability to automate frequently used settings and tasks can save time and make it easier for non-technical personnel to operate the device
• Look for features that streamline the data collection process such as;
• Triage/preview function to prioritize suspect drives, particularly in the field where access to suspect devices is time-
constrained
• Multi-tasking to perform common tasks such as imaging, wiping, hashing simultaneously
• Logical imaging feature to image only the relevant data you need
• Optimized verification functionality, such as verifying concurrent with imaging instead of sequentially, to shorten the entire image+verify process
• The imager should provide the ability to image directly to/from a network repository to streamline evidence data capture + analysis process. 10GbE performance and multiple network ports to minimize bottlenecks can speed up the entire process
• Due to increased security protocols within organizations, investigators have seen an increase in hard drives that have been encrypted. The ability to decrypt and image from encrypted (using BitLocker for example) hard drives using your imaging solution is a plus
• The ability to image directly from laptops/desktops without removing the hard drive can be a significant time-saver
• Make sure the solution has a broad interface support, including newer drive technologies such as Thunderbolt™ and PCIe. The capability to expand support easily as new interfaces or technologies are introduced to the market ensures you are able to capture from whatever suspect media format is encountered now or in the future
About Logicube
Logicube is the world’s leader in digital forensic solutions and hard drive duplication. Founded in 1999, with headquarters in Chatsworth, California, Logicube is dedicated to delivering reliable, innovative, state-of-the-art solutions for users worldwide. The company’s products are sold direct to users, through international distributors and authorized dealers world-wide. Visit their website at http://www.logicube.com or follow Logicube on Twitter, @LogicubeUSA.
