Forensic imaging tools draft v1

This is an extract from ongoing research, made available as a draft for comments and recommendations. All tools were tested in the same virtual configuration, providing a consistent test platform.

Comments

  • @Vijay Nair I appreciate your comments and have run Guymager, which was fast under the same conditions but not the fastest, although it will be included in the follow-up tests. With regard to your other points please read the intro and my previous comments.

  • Guymager missing!!! Try them on 64-bit distros and they are lightning fast. Try these tests on them.
    - The virtual environment won't work for real-life tests; try a benchmark on the same hardware and then run over the imagers.
    - Test the 64-bit variants with 32-bit variants for imaging. Both systems run in different ways. Speeds vary.
    - Speeds with write blockers and speeds without them.
    - Over-the-network imaging as well.
    - Measure the amount of CPU used by the threads/app.

  • @RichardMarchewka Hear! Hear! Richard

  • @RichardMarchewka Thanks for your comment Richard. I recently started a debate on this very topic in the Yahoo digital forensic group. Unfortunately there seems to be a lack of understanding of the key point - digital forensics is not a science, nor are the tools being used 'scientific'. If you continue to claim scientific status then digital evidence will be inappropriately tested in court using scientific criteria. I have however suggested that the processes being used can have scientific rigour and this is an important area we should be developing (actually 'back-filling').

  • What you find in your testing is endemic to all in this field who want to 'make this more scientific'. I have been in this field for over 20 years. There is nothing scientific about digital forensics. If it were a science one could test a hypothesis in a consistent manner and the results would either be, or not be, consistently what is expected. I have found numerous times that what is expected may be achieved x number of times and then x+1 is different. There are so many variables in this field, hardware and software. All, please stop trying to make this a science rather than an investigative tool, which it was when those in the law enforcement community were the pioneers in the field.

Transcript of "Forensic imaging tools draft v1"

  1. A high-level review of acquisition times for several popular imaging tools

  2. Background

     There has been a lot of anecdotal discussion regarding the relative performance of various popular acquisition tools. This document provides an overview of some research currently being undertaken and focusses on relative acquisition speeds between the products. Once completed, the full set of detailed results will be published.

  3. Tools Assessed

     • Adepto v2.1 (Helix3)
     • EnCase Forensic Imager v7.06
     • EnCase LineN v6.12.0.21 (Helix3)
     • FTK Imager v3.1.2
     • IXImager v3
     • Raptor v2.5
     • X-Ways v17.1

  4. Speed Assessment Parameters

     Each of the acquisition tools used in this research was placed into one of two categories and measured for how quickly the tool could acquire a 160 GB virtual drive. The categories were:

     • ‘Standalone’ – meaning the tool comes with its own bootable environment
     • ‘Dependant’ – meaning the tool itself is not part of a bootable environment and requires a third-party write-blocking device or bootable system

     Within each category the tools were tested in the same virtual configuration. The default image type was selected together with the fastest compression (if available).

  5. ‘Standalone’ Acquisition Tool Environment

     [Diagram] Components shown: virtual machine (VirtualBox); VDI (virtual source disk); VDI (virtual target disk); virtual boot CD-ROM ISO; SATA connections; physical disks 1, 2 and 3.

  6. ‘Dependant’ Acquisition Tool Environment

     [Diagram] Components shown: virtual machine (VirtualBox); VDI (virtual source disk); VDI (virtual target disk); VDI (virtual system disk) running Windows 7 SP1; SATA connections; physical disks 1, 2 and 3.

  7. Standalone Tool Results

     Tool           Time to acquire 160 GB   Image size   Image type
     Adepto         56 mins                  149 GB       RAW
     EnCase LineN   1 hr 03 mins             149 GB       E01
     IXImager       17 mins                  78.6 GB      ASB
     Raptor         1 hr 09 mins             68.3 GB      E01

  8. Dependant Tool Results

     Tool                     Time to acquire 160 GB   Image size   Image type
     EnCase Forensic Imager   1 hr 14 mins             68.6 GB      E01
     FTK Imager               50 mins                  68.3 GB      E01
     X-Ways Forensic          27 mins                  74.4 GB      E01
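The measurement behind the two results tables (time a complete acquisition of one fixed source, record the image size, default image type with the fastest compression) can be reproduced at small scale with the harness below. It is an added example written for this page, not code from the deck or from any of the tools assessed. It constructs its own sample source file (half random bytes, half zeros, so that compression has both incompressible and compressible regions to work on), acquires it block by block as a RAW image and as a gzip-compressed image (gzip standing in for the tools' native compressed formats, which are not reimplemented here), and records elapsed time, image size, throughput and compression ratio. It also hashes the source stream and re-reads each image so that a timing is only reported for an image that verifies. The function names `make_sample_source`, `acquire`, `verify` and `run_benchmark` are the example's own.

```python
"""Timing harness for a small-scale disk acquisition benchmark (added example)."""
import gzip
import hashlib
import os
import tempfile
import time

BLOCK_SIZE = 1 << 20  # read/write in 1 MiB blocks


def make_sample_source(path, size_bytes):
    """Construct a sample 'source disk' file (constructed data, not a real drive):
    the first half is random bytes (incompressible), the second half is zeros
    (highly compressible), so RAW and compressed image sizes differ as they do
    for real drives with used and unused regions."""
    half = size_bytes // 2
    with open(path, "wb") as f:
        f.write(os.urandom(half))
        f.write(b"\x00" * (size_bytes - half))


def _open_target(path, compress):
    # gzip level 1 plays the role of the 'fastest compression' setting in the deck
    return gzip.open(path, "wb", compresslevel=1) if compress else open(path, "wb")


def acquire(source, target, compress=False):
    """Copy source to target block by block, timing the run and hashing the source
    stream so the image can be verified afterwards. Returns a dict of metrics."""
    sha = hashlib.sha256()
    bytes_read = 0
    start = time.perf_counter()
    with open(source, "rb") as src, _open_target(target, compress) as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            sha.update(block)
            dst.write(block)
            bytes_read += len(block)
    elapsed = time.perf_counter() - start
    image_bytes = os.path.getsize(target)
    return {
        "source_bytes": bytes_read,
        "image_bytes": image_bytes,
        "seconds": elapsed,
        "throughput_mib_s": (bytes_read / (1 << 20)) / elapsed if elapsed > 0 else float("inf"),
        "compression_ratio": bytes_read / image_bytes if image_bytes else float("inf"),
        "sha256": sha.hexdigest(),
    }


def verify(target, expected_sha256, compressed=False):
    """Re-read the image (decompressing if needed) and confirm it hashes to the
    source hash; a fast acquisition that does not verify is not a result."""
    sha = hashlib.sha256()
    opener = gzip.open if compressed else open
    with opener(target, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            sha.update(block)
    return sha.hexdigest() == expected_sha256


def run_benchmark(size_bytes=64 * (1 << 20)):
    """Acquire the same constructed source as RAW and as gzip, the way the deck
    measured every tool against the same 160 GB virtual drive."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.img")
        make_sample_source(src, size_bytes)
        for fmt, compress in (("RAW", False), ("GZIP", True)):
            tgt = os.path.join(tmp, "image." + fmt.lower())
            metrics = acquire(src, tgt, compress=compress)
            metrics["verified"] = verify(tgt, metrics["sha256"], compressed=compress)
            results[fmt] = metrics
    return results


if __name__ == "__main__":
    for fmt, m in run_benchmark().items():
        print(f"{fmt:5} {m['seconds']:6.2f} s  {m['image_bytes'] / (1 << 20):7.1f} MiB  "
              f"{m['throughput_mib_s']:7.1f} MiB/s  ratio {m['compression_ratio']:.2f}x  "
              f"verified={m['verified']}")
```

Run as a script it prints one line per format. As with the deck's virtual test bed, absolute seconds depend entirely on the host, so the figures worth comparing are the ones taken under identical conditions: the ratio between formats, and whether each image verified.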
  9. Scalability Assessment

     The tools were grouped by their ability to accommodate being deployed in an environment containing multiple source devices. Two groups were identified:

     • Unrestricted
     • Restricted

  10. Unrestricted tools

     Tool           Comment
     Adepto         Unlimited number of concurrent acquisitions, no licence required
     EnCase LineN   Unlimited number of concurrent acquisitions, no licence required
     IXImager       Unlimited number of concurrent acquisitions, one analysis licence required
     Raptor         Unlimited number of concurrent acquisitions, no licence required

  11. Restricted tools

     Tool                     Comment
     EnCase Forensic Imager   Requires write-blocker per concurrent acquisition
     FTK Imager               Requires write-blocker per concurrent acquisition
     X-Ways                   Requires write-blocker per concurrent acquisition, requires dongle per concurrent acquisition
