Capturing an image of a hard drive for purpose of further review and investigation is a common digital forensics activity. Here is a quick review of three of my favorites tools.
The VOOM Hardcopy II is a great general purpose hard drive imaging tool and is my go-to solution. It is fast, simple to use and can either image or clone if you prefer. The imaging rate of these is limited only by transfer rate of the suspect and evidence drives. I routinely see 2-3+ GB/minute imaging rates with newer drives. Expect to pay ~$1000 for one of these, although you can sometimes get deals if you go to forensics conferences (especially those targeted at law enforcement).
The Image MASSter Solo-3 is also very fast and it offers a whole pack of features not available in the Hardcopy. However it is also about 2-4 times the cost of the Hardcopy (depending on features) and more complex to use. Still, a great tool. Some very useful features:
- Copy a suspect drive to TWO evidence drives simultaneously, with no decrease in imaging rate
- Image a computer through a firewire port without removing the harddrive
- Image closed MACs (software upgrade). It is this last feature that prompted me to pick one of these up. If any of you have had to crack one of the new iMacs, you know what I mean. Strangely, it does not image the MAC by taking advantage of the MAC target disk mode as I expected, but it can still do it by use of a boot CD.
- Restore an image to a hard drive so that you have a live clone of the suspect machine that can be run and examined as if you are the owner.
A Tableau write blocker set (one write blocker and one pass-through) is quite a bit less pricy, but this solution is slower than the above. These devices require a laptop or other computer with imaging software to take a forensic image. Due to the speed, however, I almost never use this approach. If I can get the drive out, I will use the Hardcopy or ImagMASSter every time. However, there are a few cases where these can be a real lifesaver:
- When you need to take an image of a live system such as when a system has full-disk encryption (in such cases, the yellow pass-through block is a stable platform to mount a writable harddrive to the suspect system)
- When you cannot open the system for whatever reason
- When you have a large number of drives to image in limited time and need every available machine working.
So, quick summary:
| Device | Price | Speed * | Ease of Use | Features |
| Hardcopy II | $$ | 2-3 GB/Min | Easy | Stand alone, Fast, Cloning, Imaging, Requires hard drives be removed |
| Imag MASSter Solo-3 | $$$$ | 2-3 GB/Min | Moderate | Stand alone, Fast imaging of removed hard drives, Image a system without removing the hard drive, Image a mac |
| Tableau | $ | 1-1.5 GB/Min | Easy | Requires a computer and imaging software, Image a live system |
*Notes: The speeds quoted are my field experience using the tools, these figures are not from the company. Others in different conditions may experience different performance.
Quinn Shamblin, quinn.shamblin@uc.edu, GCFA Silver #2801
Investigator, University of Cincinnati Information Security
.PNG "DFIR_ICON_(1).PNG"){kind=icon}
