Testing Acquisition Software Part 1

    Posted on November 15, 2010 by Lee Whitfield in Reviews.

    At work we’re going for the ISO 17025 certification. As part of this I have been verifying and testing tools for a few weeks. This has involved creating a set hard drive containing sample evidence and using my forensic tools (both hardware and software) against that drive and subsequent images.

    The most recent tests have involved testing imaging software. I need to make sure that this is accurate and that each forensic tool acquires the same data and produces the same acquisition and verification hash. I thought I’d share my results as they may be of interest to you. The software I have been using for acquiring hard drives is Tableau Imager, FTK Imager 3, and EnCase 6.17. My computer is an HP z600 with two quad-core Xeon processors and 12GB RAM. My OS is Windows 7. I have a Tableau T3458is Forensic Bridge installed, attached via FireWire 800.

    I started with a 320GB laptop hard drive, wiped it, and installed an OS. I then used it to generate some artefacts. When finished it had around 12GB of allocated space, so not a great deal, but enough for testing purposes. Each piece of software was set to full compression.

    First up was Tableau Imager version 1.1. It acquired the drive in one hour and fourteen minutes. I wondered if this was wrong as that makes it about 4GB/minute in acquisition speed.

    Next up was FTK Imager version 3. That acquired the same drive in three hours and forty-seven minutes. Quite a long time, I thought, but the hash was exactly the same as Tableau Imager.

    Finally was EnCase 6.17. This acquired the hard drive in one hour and fifty-one minutes. Same hash value.

    So, what does this mean? It kills me to say it but the Guidance products way outperformed FTK Imager. Would this have changed if the drive was completely full? I’ll find out in the future when I run more tests. I like FTK Imager, I still think it is one of the best pieces of software out there as it is full of other features and is still available for free.

    I knew that TIM (Tableau Imager) was quick when used with a Tableau write-blocker but I didn’t expect it to image that quickly. I think that this will, at least temporarily, become my tool of choice for acquisitions. I very much doubt that it’ll be the same story when used with a different brand of write-blocker but it is still impressive. However my heart still belongs to FTK Imager.

    EDIT

    It should be noted that the compression used on each piece of software was exactly the same. Each produced the same size image.

8 Responses so far.

  1. […] This post was mentioned on Twitter by Lee Whitfield and Jonathan Rajewski, Forensic 4cast. Forensic 4cast said: New post: Testing Acquisition Software http://is.gd/h9uO9 […]

  2. […] View original here:  Testing Acquisition Software : Forensic 4cast […]

  3. spoon says:

    will you be looking into how commandline tools (aimage, dcfldd, etc), compare? or different disk image types, such as aff?

  4. […] acquisition tools November 18, 2010 integriography Leave a comment Go to comments Lee was researching software acquisition tools and made some interesting findings. One of my first thoughts was “Why?” No, not why was […]

  5. Anders Thulin says:

    Without any information about the image file format or the size of the compressed images, it seems impossible to conclude anything. If each imaging product produces its own image file with its own preferred compression set up, the result will probably be largely a benchmark of compression algorithms and/or configuration.

    For example, if FTK Imager goes to extreme lengths to obtain good compression, while the other products only do a half-hearted attempt (or even none at all), it could easily explain any discrepancies you are seeing.
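The post's check (same drive, several tools, identical acquisition and verification hashes) and the comment's point (the hash is over the uncompressed stream, so the compression setting changes image size and time but not the hash) as an added example, not code from the post or from any of the imaging products. The drive contents, chunk size and the use of zlib levels as stand-ins for each tool's compression setting are constructed assumptions.

```python
import hashlib
import zlib

CHUNK = 4096  # constructed read unit for the simulated acquisition

# Constructed stand-in for a mostly wiped drive with a little allocated data.
SAMPLE_DRIVE = b"\x00" * 60000 + b"forensic artefact " * 2000 + bytes(range(256)) * 40


def acquire(source, level):
    """Read the source in chunks, hash the *uncompressed* stream (the
    acquisition hash) and store each chunk compressed at zlib `level`,
    which here stands in for a tool's compression setting."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    image = []
    for off in range(0, len(source), CHUNK):
        chunk = source[off:off + CHUNK]
        md5.update(chunk)
        sha1.update(chunk)
        image.append(zlib.compress(chunk, level))
    return image, md5.hexdigest(), sha1.hexdigest()


def verify(image):
    """Decompress the stored chunks and rehash them: the verification hash."""
    md5 = hashlib.md5()
    for blob in image:
        md5.update(zlib.decompress(blob))
    return md5.hexdigest()


def image_size(image):
    return sum(len(blob) for blob in image)


def gb_per_minute(size_gb, hours, minutes):
    """Throughput for a timed acquisition, e.g. 320GB in 1h14m."""
    return size_gb / (hours * 60 + minutes)


def compare_tools(source, levels=(0, 1, 9)):
    """Acquire the same source under several compression settings and
    report, per setting, whether acquisition, verification and source
    hashes agree and how large the resulting image is."""
    src_md5 = hashlib.md5(source).hexdigest()
    results = {}
    for level in levels:
        image, acq_md5, _ = acquire(source, level)
        ver_md5 = verify(image)
        results[level] = {"acq": acq_md5, "ver": ver_md5,
                          "size": image_size(image),
                          "ok": acq_md5 == ver_md5 == src_md5}
    return results
```

Across settings every `ok` is True while `size` differs, which is why identical hashes alone say nothing about which tool compressed harder.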

  8. Alistair Ewing says:

    I like FTK 3, though if I was off-site would I trust Encase not to crash? Never used it for imaging, probably never will. Will stick to FTK, IEF, Netanalysis, blade and free linux tools for my needs.

    I bloody hate encase, but that’s my opinion. Why is Encase so universally dogmatically accepted as the de-facto choice? I did a case where it double mounted evidence files because they had similar names and tried using bundled en-scripts with the program crashing. I think I need to pay £6000 to train to use their software.
