SlideShare a Scribd company logo
1 of 12
A high-level review of acquisition times for several
popular imaging tools
Background
There has been a lot of anecdotal
discussion regarding the relative
performance of various popular acquisition
tools. This document provides an overview
of some research currently being
undertaken. Once completed the full set of
detailed results will be published.
Tools Assessed
 EnCase Forensic Imager v7.06
 FTK Imager v3.1.2
 Adepto v2.1 (Helix3)
 EnCase LineN v6.12.0.21
 IXImager v3
 Raptor v2.5
 X-Ways v17.1
Speed Assessment Parameters
Each of the acquisition tools used in this research was placed
into one of two categories and measured for how quickly the tool
could acquire a 160GB virtual drive. The categories were:
 ‘Standalone’ – meaning the tool comes with its own bootable
environment
 ‘Dependant’ – meaning the tool itself is not part of a bootable
environment and requires a third-party write-blocking device
or bootable system.
Within each category the tools were tested in the same virtual
configuration. The default image type was selected together with
the fastest compression (if available).
‘Standalone’ Acquisition Tool
Environment
VIRTUAL
MACHINE
(VirtualBox)
VDI
(VIRTUAL
SOURCE DISK)
VDI
(VIRTUAL
TARGET DISK)
VIRTUAL
BOOT
CDROM
ISO
SATA
SATA
PHYSICAL DISK 1
PHYSICAL DISK 2
PHYSICAL DISK
3
SATA
‘Dependant’ Acquisition Tool
Environment
VIRTUAL
MACHINE
(VirtualBox)
VDI
(VIRTUAL
SOURCE DISK)
VDI
(VIRTUAL
TARGET DISK)
SATA
SATA
PHYSICAL DISK 1
PHYSICAL DISK 2
SATA
VDI
(VIRTUAL SYSTEM
DISK)
WIN 7 SP1
PHYSICAL DISK 3
Overall Results
Tool Time to acquire 160GB Image
Size
Image
type
IXImager 17 mins 78.6 GB ASB
Xways Forensic 27 mins 74.4 GB E01
FTKI 50 mins 68.3 GB E01
Adepto 56 mins 149 GB RAW
EnCase Linen 63 mins 149 GB E01
Raptor 69 mins 68.3 GB E01
EnCase Forensic Imager 74 mins 68.6 GB E01
Standalone Tool Results
For tools that don’t require a write-blocker as part of
the acquisition process
Tool Time to acquire 160 GB Image size Image
type
IXImager 17 mins 78.6 GB ASB
Adepto 56 mins 149 GB RAW
EnCase LineN 1hr 03 mins 149 GB E01
Raptor 1hr 09 mins 68.3 GB E01
Dependant Tool Results
For tools that require a write-blocker as part of
the acquisition process
Tool Time to acquire 160 GB Image
size
Image type
X-Ways Forensic 27 mins 74.4 GB E01
FTK Imager 50 mins 68.3GB E01
EnCase Forensic Imager 1hr 14 mins 68.6 GB E01
Scalability Assessment
The tools were grouped by their ability to
accommodate being deployed in an
environment containing multiple source
devices. Two groups were identified:
 Unrestricted
 Restricted
Unrestricted tools
Tool Comment
IXImager Unlimited number of concurrent
acquisitions, one analysis licence
required
Raptor Unlimited number of concurrent
acquisitions, no licence required
EnCase LineN Unlimited number of concurrent
acquisitions, no licence required
Adepto Unlimited number of concurrent
acquisitions, no licence required
Restricted tools
Tool Comment
FTK Imager Requires write-blocker per concurrent
acquisition
EnCase Forensic Imager Requires write-blocker per concurrent
acquisition
X-Ways Requires write-blocker per concurrent
acquisition, requires dongle per
concurrent acquisition

More Related Content

What's hot

Anti forensic
Anti forensicAnti forensic
Anti forensic
Milap Oza
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic Images
CTIN
 
computer forensics
computer forensicscomputer forensics
computer forensics
Akhil Kumar
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
Sonu Sunaliya
 

What's hot (20)

Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Router forensics
Router forensicsRouter forensics
Router forensics
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Network Forensic
Network ForensicNetwork Forensic
Network Forensic
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic Images
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Data recovery
Data recoveryData recovery
Data recovery
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Database forensics
Database forensicsDatabase forensics
Database forensics
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
 
Network forensic
Network forensicNetwork forensic
Network forensic
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 

Viewers also liked

К вам пришла проверка. Что делать?
К вам пришла проверка. Что делать?К вам пришла проверка. Что делать?
К вам пришла проверка. Что делать?
Евгений Царев
 
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACAОпыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
RISClubSPb
 
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACAОпыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
RISClubSPb
 
Повышение осведомленности пользователей по вопросам ИБ/очный семинар RISC
Повышение осведомленности пользователей по вопросам  ИБ/очный семинар RISCПовышение осведомленности пользователей по вопросам  ИБ/очный семинар RISC
Повышение осведомленности пользователей по вопросам ИБ/очный семинар RISC
RISClubSPb
 

Viewers also liked (20)

пр Модель зрелости Dlp
пр Модель зрелости Dlpпр Модель зрелости Dlp
пр Модель зрелости Dlp
 
Модель зрелости процесса (мониторинг и оценка ИБ)
Модель зрелости процесса (мониторинг и оценка ИБ) Модель зрелости процесса (мониторинг и оценка ИБ)
Модель зрелости процесса (мониторинг и оценка ИБ)
 
пр про SOC для ФСТЭК
пр про SOC для ФСТЭКпр про SOC для ФСТЭК
пр про SOC для ФСТЭК
 
пр Спроси эксперта про прогнозы ИБ
пр Спроси эксперта про прогнозы ИБпр Спроси эксперта про прогнозы ИБ
пр Спроси эксперта про прогнозы ИБ
 
Болевые точки корпоративной сети: взгляд не со стороны службы ИБ
Болевые точки корпоративной сети: взгляд не со стороны службы ИББолевые точки корпоративной сети: взгляд не со стороны службы ИБ
Болевые точки корпоративной сети: взгляд не со стороны службы ИБ
 
пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)пр Куда идет ИБ в России? (региональные аспекты)
пр Куда идет ИБ в России? (региональные аспекты)
 
пр Лицензия ТЗКИ на мониторинг Small
пр Лицензия ТЗКИ на мониторинг Smallпр Лицензия ТЗКИ на мониторинг Small
пр Лицензия ТЗКИ на мониторинг Small
 
Книга про измерения (ITSM)
Книга про измерения (ITSM)Книга про измерения (ITSM)
Книга про измерения (ITSM)
 
Анализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результатыАнализ защищенности ПО и инфраструктур – подходы и результаты
Анализ защищенности ПО и инфраструктур – подходы и результаты
 
пр Сколько зарабатывают специалисты по ИБ в России 2016
пр Сколько зарабатывают специалисты по ИБ в России 2016пр Сколько зарабатывают специалисты по ИБ в России 2016
пр Сколько зарабатывают специалисты по ИБ в России 2016
 
UEBA – поведенческий анализ, а не то, что Вы подумали
UEBA – поведенческий анализ, а не то, что Вы подумалиUEBA – поведенческий анализ, а не то, что Вы подумали
UEBA – поведенческий анализ, а не то, что Вы подумали
 
Проблемы безопасной разработки и поддержки импортных средств защиты информации
Проблемы безопасной разработки и поддержки импортных средств защиты информацииПроблемы безопасной разработки и поддержки импортных средств защиты информации
Проблемы безопасной разработки и поддержки импортных средств защиты информации
 
Fusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident responseFusing digital forensics, electronic discovery and incident response
Fusing digital forensics, electronic discovery and incident response
 
К вам пришла проверка. Что делать?
К вам пришла проверка. Что делать?К вам пришла проверка. Что делать?
К вам пришла проверка. Что делать?
 
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACAОпыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CRISC/цикл мастер-классов по программам сертификации ISACA
 
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACAОпыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
Опыт подготовки к CISA/цикл мастер-классов по программам сертификации ISACA
 
Повышение осведомленности пользователей по вопросам ИБ/очный семинар RISC
Повышение осведомленности пользователей по вопросам  ИБ/очный семинар RISCПовышение осведомленности пользователей по вопросам  ИБ/очный семинар RISC
Повышение осведомленности пользователей по вопросам ИБ/очный семинар RISC
 
Linux booting process
Linux booting processLinux booting process
Linux booting process
 
Disk
DiskDisk
Disk
 
mm CGEIT Best Practices and Concepts
mm CGEIT Best Practices and Conceptsmm CGEIT Best Practices and Concepts
mm CGEIT Best Practices and Concepts
 

Similar to Forensic imaging tools

Similar to Forensic imaging tools (20)

computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Becoming a kinect hacker innovator v2
Becoming a kinect hacker innovator v2Becoming a kinect hacker innovator v2
Becoming a kinect hacker innovator v2
 
Kinect
KinectKinect
Kinect
 
Kinect
KinectKinect
Kinect
 
Voice Assistance Based Remote Surveillance System
Voice Assistance Based Remote Surveillance SystemVoice Assistance Based Remote Surveillance System
Voice Assistance Based Remote Surveillance System
 
Real Time Object Dectection using machine learning
Real Time Object Dectection using machine learningReal Time Object Dectection using machine learning
Real Time Object Dectection using machine learning
 
Reproducibility in artificial intelligence
Reproducibility in artificial intelligenceReproducibility in artificial intelligence
Reproducibility in artificial intelligence
 
slide-171212080528.pptx
slide-171212080528.pptxslide-171212080528.pptx
slide-171212080528.pptx
 
Picture Recovery Software:- Retrieves all lost and deleted digital Photos
Picture Recovery Software:- Retrieves all lost and deleted digital PhotosPicture Recovery Software:- Retrieves all lost and deleted digital Photos
Picture Recovery Software:- Retrieves all lost and deleted digital Photos
 
Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.
 
Digital Forensic tools - Application Specific
Digital Forensic tools - Application SpecificDigital Forensic tools - Application Specific
Digital Forensic tools - Application Specific
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
Technical portfolio 15 opteng no backlink
Technical portfolio 15 opteng no backlinkTechnical portfolio 15 opteng no backlink
Technical portfolio 15 opteng no backlink
 
Presentation for min project
Presentation for min projectPresentation for min project
Presentation for min project
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Sanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticiansSanger, upcoming Openstack for Bio-informaticians
Sanger, upcoming Openstack for Bio-informaticians
 
Flexible compute
Flexible computeFlexible compute
Flexible compute
 
Exploring Android Studio
Exploring Android StudioExploring Android Studio
Exploring Android Studio
 
Feature Based Opinion Mining from Amazon Reviews
Feature Based Opinion Mining from Amazon ReviewsFeature Based Opinion Mining from Amazon Reviews
Feature Based Opinion Mining from Amazon Reviews
 

Recently uploaded

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 

Forensic imaging tools

  • 1. A high-level review of acquisition times for several popular imaging tools
  • 2. Background There has been a lot of anecdotal discussion regarding the relative performance of various popular acquisition tools. This document provides an overview of some research currently being undertaken. Once completed the full set of detailed results will be published.
  • 3. Tools Assessed  EnCase Forensic Imager v7.06  FTK Imager v3.1.2  Adepto v2.1 (Helix3)  EnCase LineN v6.12.0.21  IXImager v3  Raptor v2.5  X-Ways v17.1
  • 4. Speed Assessment Parameters Each of the acquisition tools used in this research was placed into one of two categories and measured for how quickly the tool could acquire a 160GB virtual drive. The categories were:  ‘Standalone’ – meaning the tool comes with its own bootable environment  ‘Dependant’ – meaning the tool itself is not part of a bootable environment and requires a third-party write-blocking device or bootable system. Within each category the tools were tested in the same virtual configuration. The default image type was selected together with the fastest compression (if available).
  • 5. ‘Standalone’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) VIRTUAL BOOT CDROM ISO SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 PHYSICAL DISK 3 SATA
  • 6. ‘Dependant’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 SATA VDI (VIRTUAL SYSTEM DISK) WIN 7 SP1 PHYSICAL DISK 3
  • 7. Overall Results Tool Time to acquire 160GB Image Size Image type IXImager 17 mins 78.6 GB ASB Xways Forensic 27 mins 74.4 GB E01 FTKI 50 mins 68.3 GB E01 Adepto 56 mins 149 GB RAW EnCase Linen 63 mins 149 GB E01 Raptor 69 mins 68.3 GB E01 EnCase Forensic Imager 74 mins 68.6 GB E01
  • 8. Standalone Tool Results For tools that don’t require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type IXImager 17 mins 78.6 GB ASB Adepto 56 mins 149 GB RAW EnCase LineN 1hr 03 mins 149 GB E01 Raptor 1hr 09 mins 68.3 GB E01
  • 9. Dependant Tool Results For tools that require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type X-Ways Forensic 27 mins 74.4 GB E01 FTK Imager 50 mins 68.3GB E01 EnCase Forensic Imager 1hr 14 mins 68.6 GB E01
  • 10. Scalability Assessment The tools were grouped by their ability to accommodate being deployed in an environment containing multiple source devices. Two groups were identified:  Unrestricted  Restricted
  • 11. Unrestricted tools Tool Comment IXImager Unlimited number of concurrent acquisitions, one analysis licence required Raptor Unlimited number of concurrent acquisitions, no licence required EnCase LineN Unlimited number of concurrent acquisitions, no licence required Adepto Unlimited number of concurrent acquisitions, no licence required
  • 12. Restricted tools Tool Comment FTK Imager Requires write-blocker per concurrent acquisition EnCase Forensic Imager Requires write-blocker per concurrent acquisition X-Ways Requires write-blocker per concurrent acquisition, requires dongle per concurrent acquisition