Parts that come in the package
VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III.
As I reviewed their first two versions in a previous post, I figured I would test this one as well.
First, I like the size and portability of this version. Unlike HC and HC2, which have IDE connectors, HC3 has SATA connectors, so it is more compact. The package includes the HC3 device itself, a power supply, three SATA cables, and power cords for three drives.
HC3 Connection Ports
The reason for three of everything is that it will make 2 evidentiary copies in parallel with no slowdown. VOOM has retained the simple and intuitive 3-button control system they have used for all three versions, but has added a few new features to HC3.
You can still Test, Format, Clone, Image and Wipe. You can still collect evidence from multiple suspect drives onto a single evidence drive (assuming you have enough space). But HC3 adds increased support for unlocking DCO and HPA so your image will be complete. It also adds a feature that allows you to set the date and time on the device for inclusion in your imaging records. For a full list of features, see the Hardcopy III Tech Specs.
It boots up and is ready for action very quickly, roughly 7 seconds.
Evidence capturing layout with two evidence capturing drives
Boot up ready screen
HC3 with date and time added
Capture speed on a drive with 3.0 GB/min transfer speed
VOOM specs state that HC3 will duplicate the source at up to 7.5 GB/min, or at up to 5.7 GB/min with SHA-256 verify enabled, but keep in mind that this is dependent on the transfer speed limits of your hard drives. In my tests, my hard drives were rated at 3.0 GB/min and, as you can see above, my speeds were limited to that rate (as expected). It hashes using SHA-256 only. No MD5 or SHA-1 option.
One interesting behavior that was present in Hardcopy and Hardcopy II still exists in Hardcopy III, and, while your evidentiary procedure may preclude you from ever running into this, it is something of which to be aware.
The HC series uses a particular form of NTFS that is different from that used by XP or Vista. If you connect a drive containing an evidence image to XP or Vista without using a write-blocker, the OS will update NTFS on your evidence drive. The evidence images themselves remain completely intact and can be verified via SHA-256 hash, but NTFS on the host drive is changed. Once this happens, you will be required to format that evidence drive again using HC before you can use it to collect more evidence.
One scenario where this might happen: HC allows for the collection of multiple suspect drives onto a single evidence drive. However, unless you have a write-blocker in line, do not try to confirm that the capture process is working properly by disconnecting your evidence drive after the first capture and connecting it to a computer so you can review the contents.
I like this product. As with the others in its line, it is fast, reliable and easy to use. A good addition to any kit.
Quinn Shamblin, email@example.com, GCFA Silver #2801 Investigator, University of Cincinnati Information Security