Upcoming SlideShare
Forensic imaging tools
- 1. A high-level review of acquisition times for several popular imaging tools
- 2. Background There has been a lot of anecdotal discussion regarding the relative performance of various popular acquisition tools. This document provides an overview of some research currently being undertaken. Once completed the full set of detailed results will be published.
- 3. Tools Assessed EnCase Forensic Imager v7.06 FTK Imager v3.1.2 Adepto v2.1 (Helix3) EnCase LineN v6.12.0.21 IXImager v3 Raptor v2.5 X-Ways v17.1
- 4. Speed Assessment Parameters Each of the acquisition tools used in this research was placed into one of two categories and measured for how quickly the tool could acquire a 160GB virtual drive. The categories were: ‘Standalone’ – meaning the tool comes with its own bootable environment ‘Dependant’ – meaning the tool itself is not part of a bootable environment and requires a third-party write-blocking device or bootable system. Within each category the tools were tested in the same virtual configuration. The default image type was selected together with the fastest compression (if available).
- 5. ‘Standalone’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) VIRTUAL BOOT CDROM ISO SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 PHYSICAL DISK 3 SATA
- 6. ‘Dependant’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 SATA VDI (VIRTUAL SYSTEM DISK) WIN 7 SP1 PHYSICAL DISK 3
- 7. Overall Results Tool Time to acquire 160GB Image Size Image type IXImager 17 mins 78.6 GB ASB Xways Forensic 27 mins 74.4 GB E01 FTKI 50 mins 68.3 GB E01 Adepto 56 mins 149 GB RAW EnCase Linen 63 mins 149 GB E01 Raptor 69 mins 68.3 GB E01 EnCase Forensic Imager 74 mins 68.6 GB E01
- 8. Standalone Tool Results For tools that don’t require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type IXImager 17 mins 78.6 GB ASB Adepto 56 mins 149 GB RAW EnCase LineN 1hr 03 mins 149 GB E01 Raptor 1hr 09 mins 68.3 GB E01
- 9. Dependant Tool Results For tools that require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type X-Ways Forensic 27 mins 74.4 GB E01 FTK Imager 50 mins 68.3GB E01 EnCase Forensic Imager 1hr 14 mins 68.6 GB E01
- 10. Scalability Assessment The tools were grouped by their ability to accommodate being deployed in an environment containing multiple source devices. Two groups were identified: Unrestricted Restricted
- 11. Unrestricted tools Tool Comment IXImager Unlimited number of concurrent acquisitions, one analysis licence required Raptor Unlimited number of concurrent acquisitions, no licence required EnCase LineN Unlimited number of concurrent acquisitions, no licence required Adepto Unlimited number of concurrent acquisitions, no licence required
- 12. Restricted tools Tool Comment FTK Imager Requires write-blocker per concurrent acquisition EnCase Forensic Imager Requires write-blocker per concurrent acquisition X-Ways Requires write-blocker per concurrent acquisition, requires dongle per concurrent acquisition
**The virtual environment wont work for real life tests, try a benchmark on the same hardware and then run over the imagers.
**Test the 64 bit variants with 32 bit variants for imaging. Both systems run in different ways. Speeds vary
**Speeds with Write blockers and speeds without them.
**Over the network imaging as well
**Measure amount of CPU used by the threads/app