Forensic imaging tools draft v1

This is an extract from ongoing research made available as a draft for comments and recommendations. All tools were tested in the same virtual configuration providing a consistent test platform.

  • **Guymager missing!!! Try them on 64-bit distros and they are lightning fast. Try these tests on them.

    **The virtual environment won't work for real-life tests; try a benchmark on the same hardware and then run over the imagers.

    **Test the 64-bit variants against 32-bit variants for imaging. Both systems run in different ways. Speeds vary.

    **Speeds with write blockers and speeds without them.

    **Over-the-network imaging as well.

    **Measure the amount of CPU used by the threads/app.
  • @RichardMarchewka Hear! Hear! Richard
  • @RichardMarchewka Thanks for your comment Richard. I recently started a debate on this very topic in the Yahoo digital forensic group. Unfortunately there seems to be a lack of understanding of the key point - digital forensics is not a science nor are the tools being used 'scientific'. If you continue to claim scientific status then digital evidence will be inappropriately tested in court using scientific criteria. I have however suggested that the processes being used can have scientific rigor and this is an important area we should be developing (actually 'back-filling').
  • What you find in your testing is endemic to all in this field who want to 'make this more scientific'. I have been in this field for over 20 years. There is nothing scientific about digital forensics. If it were a science, one could test a hypothesis in a consistent manner and the results would either be, or not be, consistently what is expected. I have found numerous times that what is expected may be achieved x number of times and then x+1 is different. There are so many variables in this field, hardware and software. All, please stop trying to make this a science rather than an investigative tool, which it was when those in the law enforcement community were the pioneers in the field.
  • For those that have requested details of my previous research in relation to a process model for acquiring digital evidence here is the link to the full thesis - the model itself is in Appendix 2 but there may be some useful references elsewhere in the document : http://researchrepository.murdoch.edu.au/14422/2/02Whole.pdf

    Presentation Transcript

    • A high-level review of acquisition times for several popular imaging tools
    • Background There has been a lot of anecdotal discussion regarding the relative performance of various popular acquisition tools. This document provides an overview of some research currently being undertaken and focuses on relative acquisition speeds between the products. Once completed, the full set of detailed results will be published.
    • Tools Assessed
      - Adepto v2.1 (Helix3)
      - EnCase Forensic Imager v7.06
      - EnCase LineN v6.12.0.21 (Helix3)
      - FTK Imager v3.1.2
      - IXImager v3
      - Raptor v2.5
      - X-Ways v17.1
    • Speed Assessment Parameters
      Each of the acquisition tools used in this research was placed into one of two categories and measured for how quickly the tool could acquire a 160 GB virtual drive. The categories were:
      - 'Standalone': the tool comes with its own bootable environment.
      - 'Dependent': the tool itself is not part of a bootable environment and requires a third-party write-blocking device or bootable system.
      Within each category the tools were tested in the same virtual configuration. The default image type was selected together with the fastest compression (if available).
    • 'Standalone' Acquisition Tool Environment (diagram): a VirtualBox virtual machine booted from a virtual CD-ROM ISO, with the virtual source disk (VDI), the virtual target disk (VDI) and the boot ISO each placed on a separate physical SATA disk (physical disks 1 to 3).
    • 'Dependent' Acquisition Tool Environment (diagram): a VirtualBox virtual machine running Windows 7 SP1 from a virtual system disk (VDI), with the virtual source disk (VDI), the virtual target disk (VDI) and the system disk each placed on a separate physical SATA disk (physical disks 1 to 3).
    • Standalone Tool Results

      Tool          Time to acquire 160 GB   Image size   Image type
      Adepto        56 mins                  149 GB       RAW
      EnCase LineN  1 hr 03 mins             149 GB       E01
      IXImager      17 mins                  78.6 GB      ASB
      Raptor        1 hr 09 mins             68.3 GB      E01

    • Dependent Tool Results

      Tool                    Time to acquire 160 GB   Image size   Image type
      EnCase Forensic Imager  1 hr 14 mins             68.6 GB      E01
      FTK Imager              50 mins                  68.3 GB      E01
      X-Ways Forensic         27 mins                  74.4 GB      E01
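    The speed assessment above reports only wall-clock time and image size per tool. The following is an added example, not code from the research or from any of the tools tested: it normalises the figures from the two results slides into throughput (MB/s) and an image/source size ratio so the tools can be ranked on one scale, and it shows the skeleton of the measurement itself (a timed chunked copy of a constructed pseudo-random "source disk" with a source hash taken during the read and a separate verify pass over the image). Assumptions: the deck's "GB" figures are treated as decimal gigabytes when converting to MB/s, and a plain Python copy stands in for the imagers.

```python
"""Added example: normalising the reported acquisition results and timing a
verified chunked copy. Not part of the original research; plain copying stands
in for the imagers and the unit assumptions are stated in the comments."""
import hashlib
import os
import tempfile
import time

# Figures transcribed from the two results slides: tool -> (minutes, image size in GB).
# Assumption: "GB" is read as decimal (10^9 bytes) when converting to MB/s.
SOURCE_GB = 160.0
RESULTS = {
    "Adepto": (56, 149.0),
    "EnCase LineN": (63, 149.0),
    "IXImager": (17, 78.6),
    "Raptor": (69, 68.3),
    "EnCase Forensic Imager": (74, 68.6),
    "FTK Imager": (50, 68.3),
    "X-Ways Forensic": (27, 74.4),
}


def throughput_mb_s(source_gb, minutes):
    """Source data read per second, in MB/s, from a wall-clock acquisition time."""
    return source_gb * 1000.0 / (minutes * 60.0)


def compression_ratio(source_gb, image_gb):
    """Image size as a fraction of the source size (1.0 would mean no reduction)."""
    return image_gb / source_gb


def ranked_results(results=RESULTS, source_gb=SOURCE_GB):
    """Rank tools fastest-first; each entry is (tool, MB/s, image/source ratio)."""
    rows = [
        (tool, throughput_mb_s(source_gb, minutes), compression_ratio(source_gb, image_gb))
        for tool, (minutes, image_gb) in results.items()
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def acquire(src_path, dst_path, chunk_size=4 * 1024 * 1024):
    """Time a chunked copy of src_path to dst_path and verify the result.

    The source is hashed as it is read; the finished image is then re-read and
    hashed in a separate verify pass, the way an imager confirms a bit-for-bit copy.
    """
    src_hash = hashlib.sha256()
    total = 0
    start = time.perf_counter()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # include the time to get the data onto the target medium
    elapsed = time.perf_counter() - start

    img_hash = hashlib.sha256()
    with open(dst_path, "rb") as img:
        for chunk in iter(lambda: img.read(chunk_size), b""):
            img_hash.update(chunk)

    return {
        "bytes": total,
        "seconds": elapsed,
        "mb_per_s": (total / 1e6) / elapsed if elapsed > 0 else float("inf"),
        "source_sha256": src_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def benchmark_constructed_disk(size_bytes=32 * 1024 * 1024):
    """Build a constructed pseudo-random 'source disk' in a temp dir and acquire it.

    Random data is the worst case for any compressed image format, so this gives a
    floor for the copy-and-hash cost without the compressor doing useful work.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "source.dd")
        dst = os.path.join(workdir, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(size_bytes))
        return acquire(src, dst)


if __name__ == "__main__":
    for tool, mbs, ratio in ranked_results():
        print(f"{tool:24s} {mbs:7.1f} MB/s  image/source = {ratio:.2f}")
    run = benchmark_constructed_disk()
    print(f"sample copy: {run['mb_per_s']:.1f} MB/s, verified={run['verified']}")
```

    Two points worth keeping in mind when reading the ranking: the 149 GB reported for the uncompressed RAW image is exactly what 160 x 10^9 bytes comes to in GiB, so the image sizes are probably binary units against a decimal source figure, and the ratio for a compressed image is better taken against the RAW row than against the nominal 160 GB. And because the timed copy includes an fsync and a separate verify pass, its MB/s figure is a throughput for a verified image, which is the number that matters for acquisition planning rather than the raw read rate of the source.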
    • Scalability Assessment
      The tools were grouped by their ability to accommodate being deployed in an environment containing multiple source devices. Two groups were identified:
      - Unrestricted
      - Restricted

    • Unrestricted tools

      Tool          Comment
      Adepto        Unlimited number of concurrent acquisitions, no licence required
      EnCase LineN  Unlimited number of concurrent acquisitions, no licence required
      IXImager      Unlimited number of concurrent acquisitions, one analysis licence required
      Raptor        Unlimited number of concurrent acquisitions, no licence required

    • Restricted tools

      Tool                    Comment
      EnCase Forensic Imager  Requires write-blocker per concurrent acquisition
      FTK Imager              Requires write-blocker per concurrent acquisition
      X-Ways                  Requires write-blocker per concurrent acquisition, requires dongle per concurrent acquisition