A high-level review of acquisition times for several
popular imaging tools

Background
There has been a lot of anecdotal
discussion regarding the relative
performance of various popular acquisition
tools. This document provides an overview
of some research currently being
undertaken. Once completed the full set of
detailed results will be published.

Tools Assessed
 EnCase Forensic Imager v7.06
 FTK Imager v3.1.2
 Adepto v2.1 (Helix3)
 EnCase LineN v6.12.0.21
 IXImager v3
 Raptor v2.5
 X-Ways v17.1

Speed Assessment Parameters
Each of the acquisition tools used in this research was placed
into one of two categories and measured for how quickly the tool
could acquire a 160GB virtual drive. The categories were:
 ‘Standalone’ – meaning the tool comes with its own bootable
environment
 ‘Dependant’ – meaning the tool itself is not part of a bootable
environment and requires a third-party write-blocking device
or bootable system.
Within each category the tools were tested in the same virtual
configuration. The default image type was selected together with
the fastest compression (if available).

‘Standalone’ Acquisition Tool
Environment
VIRTUAL
MACHINE
(VirtualBox)
VDI
(VIRTUAL
SOURCE DISK)
VDI
(VIRTUAL
TARGET DISK)
VIRTUAL
BOOT
CDROM
ISO
SATA
SATA
PHYSICAL DISK 1
PHYSICAL DISK 2
PHYSICAL DISK
3
SATA

‘Dependant’ Acquisition Tool
Environment
VIRTUAL
MACHINE
(VirtualBox)
VDI
(VIRTUAL
SOURCE DISK)
VDI
(VIRTUAL
TARGET DISK)
SATA
SATA
PHYSICAL DISK 1
PHYSICAL DISK 2
SATA
VDI
(VIRTUAL SYSTEM
DISK)
WIN 7 SP1
PHYSICAL DISK 3

Overall Results
Tool Time to acquire 160GB Image
Size
Image
type
IXImager 17 mins 78.6 GB ASB
Xways Forensic 27 mins 74.4 GB E01
FTKI 50 mins 68.3 GB E01
Adepto 56 mins 149 GB RAW
EnCase Linen 63 mins 149 GB E01
Raptor 69 mins 68.3 GB E01
EnCase Forensic Imager 74 mins 68.6 GB E01

Standalone Tool Results
For tools that don’t require a write-blocker as part of
the acquisition process
Tool Time to acquire 160 GB Image size Image
type
IXImager 17 mins 78.6 GB ASB
Adepto 56 mins 149 GB RAW
EnCase LineN 1hr 03 mins 149 GB E01
Raptor 1hr 09 mins 68.3 GB E01

Dependant Tool Results
For tools that require a write-blocker as part of
the acquisition process
Tool Time to acquire 160 GB Image
size
Image type
X-Ways Forensic 27 mins 74.4 GB E01
FTK Imager 50 mins 68.3GB E01
EnCase Forensic Imager 1hr 14 mins 68.6 GB E01

Scalability Assessment
The tools were grouped by their ability to
accommodate being deployed in an
environment containing multiple source
devices. Two groups were identified:
 Unrestricted
 Restricted

Unrestricted tools
Tool Comment
IXImager Unlimited number of concurrent
acquisitions, one analysis licence
required
Raptor Unlimited number of concurrent
acquisitions, no licence required
EnCase LineN Unlimited number of concurrent
acquisitions, no licence required
Adepto Unlimited number of concurrent
acquisitions, no licence required

Restricted tools
Tool Comment
FTK Imager Requires write-blocker per concurrent
acquisition
EnCase Forensic Imager Requires write-blocker per concurrent
acquisition
X-Ways Requires write-blocker per concurrent
acquisition, requires dongle per
concurrent acquisition