homepage
Open menu
Go one level top
  • Train and Certify
    • Overview
    • Get Started in Cyber
    • Courses
    • GIAC Certifications
    • Training Roadmap
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • Scholarship Academies
    • NICE Framework
    • Specials
  • Manage Your Team
    • Overview
    • Group Purchasing
    • Why Work with SANS
    • Build Your Team
    • Hire Cyber Talent
    • Team Development
    • Private Training
    • Security Awareness Training
    • Leadership Training
    • Industries
  • Resources
    • Overview
    • Internet Storm Center
    • White Papers
    • Webcasts
    • Tools
    • Newsletters
    • Blog
    • Podcasts
    • Posters & Cheat Sheets
    • Summit Presentations
    • Security Policy Project
  • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Cyber Security Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    • About SANS
    • Our Founder
    • Instructors
    • Mission
    • Diversity
    • Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Three hard drive imaging tools
Quinn Shamblin

Three hard drive imaging tools

October 1, 2008

Capturing an image of a hard drive for purpose of further review and investigation is a common digital forensics activity. Here is a quick review of three of my favorites tools.

hardcopy.jpg
Hardcopy II

The VOOM Hardcopy II is a great general purpose hard drive imaging tool and is my go-to solution. It is fast, simple to use and can either image or clone if you prefer. The imaging rate of these is limited only by transfer rate of the suspect and evidence drives. I routinely see 2-3+ GB/minute imaging rates with newer drives. Expect to pay ~$1000 for one of these, although you can sometimes get deals if you go to forensics conferences (especially those targeted at law enforcement).

The Image MASSter Solo-3 is also very fast and it offers a whole pack of features not available in the Hardcopy. However it is also about 2-4 times the cost of the Hardcopy (depending on features) and more complex to use. Still, a great tool. Some very useful features:

  • Copy a suspect drive to TWO evidence drives simultaneously, with no decrease in imaging rate
    imagemasster.jpg
    Image MASSter Solo-3
    • Image a computer through a firewire port without removing the harddrive
    • Image closed MACs (software upgrade). It is this last feature that prompted me to pick one of these up. If any of you have had to crack one of the new iMacs, you know what I mean. Strangely, it does not image the MAC by taking advantage of the MAC target disk mode as I expected, but it can still do it by use of a boot CD.
    • Restore an image to a hard drive so that you have a live clone of the suspect machine that can be run and examined as if you are the owner.

    A Tableau write blocker set (one write blocker and one pass-through) is quite a bit less pricy, but this solution is slower than the above. These devices require a laptop or other computer with imaging software to take a forensic image. Due to the speed, however, I almost never use this approach. If I can get the drive out, I will use the Hardcopy or ImagMASSter every time. However, there are a few cases where these can be a real lifesaver:

    tableau
    Tableau Write Blocker and Pass-through Block
    • When you need to take an image of a live system such as when a system has full-disk encryption (in such cases, the yellow pass-through block is a stable platform to mount a writable harddrive to the suspect system)
    • When you cannot open the system for whatever reason
    • When you have a large number of drives to image in limited time and need every available machine working.

      So, quick summary:

      DevicePriceSpeed *Ease of UseFeatures
      Hardcopy II$$2-3 GB/MinEasyStand alone, Fast, Cloning, Imaging, Requires hard drives be removed
      Imag MASSter Solo-3$$$$2-3 GB/MinModerateStand alone, Fast imaging of removed hard drives, Image a system without removing the hard drive, Image a mac
      Tableau$1-1.5 GB/MinEasyRequires a computer and imaging software, Image a live system

      *Notes: The speeds quoted are my field experience using the tools, these figures are not from the company. Others in different conditions may experience different performance. 

      Quinn Shamblin, quinn.shamblin@uc.edu, GCFA Silver #2801
      Investigator, University of Cincinnati Information Security

      Share:
      TwitterLinkedInFacebook
      Copy url Url was copied to clipboard
      Subscribe to SANS Newsletters
      Receive curated news, vulnerabilities, & security awareness tips
      United States
      Canada
      United Kingdom
      Spain
      Belgium
      Denmark
      Norway
      Netherlands
      Australia
      India
      Japan
      Singapore
      Afghanistan
      Aland Islands
      Albania
      Algeria
      American Samoa
      Andorra
      Angola
      Anguilla
      Antarctica
      Antigua and Barbuda
      Argentina
      Armenia
      Aruba
      Austria
      Azerbaijan
      Bahamas
      Bahrain
      Bangladesh
      Barbados
      Belarus
      Belize
      Benin
      Bermuda
      Bhutan
      Bolivia
      Bonaire, Sint Eustatius, and Saba
      Bosnia And Herzegovina
      Botswana
      Bouvet Island
      Brazil
      British Indian Ocean Territory
      Brunei Darussalam
      Bulgaria
      Burkina Faso
      Burundi
      Cambodia
      Cameroon
      Cape Verde
      Cayman Islands
      Central African Republic
      Chad
      Chile
      China
      Christmas Island
      Cocos (Keeling) Islands
      Colombia
      Comoros
      Cook Islands
      Costa Rica
      Croatia (Local Name: Hrvatska)
      Curacao
      Cyprus
      Czech Republic
      Democratic Republic of the Congo
      Djibouti
      Dominica
      Dominican Republic
      East Timor
      East Timor
      Ecuador
      Egypt
      El Salvador
      Equatorial Guinea
      Eritrea
      Estonia
      Ethiopia
      Falkland Islands (Malvinas)
      Faroe Islands
      Fiji
      Finland
      France
      French Guiana
      French Polynesia
      French Southern Territories
      Gabon
      Gambia
      Georgia
      Germany
      Ghana
      Gibraltar
      Greece
      Greenland
      Grenada
      Guadeloupe
      Guam
      Guatemala
      Guernsey
      Guinea
      Guinea-Bissau
      Guyana
      Haiti
      Heard And McDonald Islands
      Honduras
      Hong Kong
      Hungary
      Iceland
      Indonesia
      Iraq
      Ireland
      Isle of Man
      Israel
      Italy
      Jamaica
      Jersey
      Jordan
      Kazakhstan
      Kenya
      Kingdom of Saudi Arabia
      Kiribati
      Korea, Republic Of
      Kosovo
      Kuwait
      Kyrgyzstan
      Lao People's Democratic Republic
      Latvia
      Lebanon
      Lesotho
      Liberia
      Liechtenstein
      Lithuania
      Luxembourg
      Macau
      Macedonia
      Madagascar
      Malawi
      Malaysia
      Maldives
      Mali
      Malta
      Marshall Islands
      Martinique
      Mauritania
      Mauritius
      Mayotte
      Mexico
      Micronesia, Federated States Of
      Moldova, Republic Of
      Monaco
      Mongolia
      Montenegro
      Montserrat
      Morocco
      Mozambique
      Myanmar
      Namibia
      Nauru
      Nepal
      Netherlands Antilles
      New Caledonia
      New Zealand
      Nicaragua
      Niger
      Nigeria
      Niue
      Norfolk Island
      Northern Mariana Islands
      Oman
      Pakistan
      Palau
      Palestine
      Panama
      Papua New Guinea
      Paraguay
      Peru
      Philippines
      Pitcairn
      Poland
      Portugal
      Puerto Rico
      Qatar
      Reunion
      Romania
      Russian Federation
      Rwanda
      Saint Bartholemy
      Saint Kitts And Nevis
      Saint Lucia
      Saint Martin
      Saint Vincent And The Grenadines
      Samoa
      San Marino
      Sao Tome And Principe
      Senegal
      Serbia
      Seychelles
      Sierra Leone
      Sint Maarten
      Slovakia (Slovak Republic)
      Slovenia
      Solomon Islands
      South Africa
      South Georgia and the South Sandwich Islands
      South Sudan
      Sri Lanka
      St. Helena
      St. Pierre And Miquelon
      Suriname
      Svalbard And Jan Mayen Islands
      Swaziland
      Sweden
      Switzerland
      Taiwan
      Tajikistan
      Tanzania
      Thailand
      Togo
      Tokelau
      Tonga
      Trinidad And Tobago
      Tunisia
      Turkey
      Turkmenistan
      Turks And Caicos Islands
      Tuvalu
      Uganda
      Ukraine
      United Arab Emirates
      United States Minor Outlying Islands
      Uruguay
      Uzbekistan
      Vanuatu
      Vatican City
      Venezuela
      Vietnam
      Virgin Islands (British)
      Virgin Islands (U.S.)
      Wallis And Futuna Islands
      Western Sahara
      Yemen
      Yugoslavia
      Zambia
      Zimbabwe

      Tags:
      • Digital Forensics and Incident Response

      Related Content

      Blog
      Vote_now.png
      Digital Forensics and Incident Response
      April 24, 2022
      Which DFIR Summit Mascots do you want to see as Lego giveaways this year? Vote now!
      To celebrate the 15th year of the DFIR Summit, we are letting you choose your favorite Summit mascot over the years. Which will make our Lego set?
      Viv_Ross_370x370.png
      Viviana Ross
      read more
      Blog
      Untitled_design-43.png
      Digital Forensics and Incident Response, Cybersecurity and IT Essentials, Industrial Control Systems Security, Purple Team, Open-Source Intelligence (OSINT), Penetration Testing and Ethical Hacking, Cyber Defense, Cloud Security, Security Management, Legal, and Audit
      December 8, 2021
      Good News: SANS Virtual Summits Will Remain FREE for the Community in 2022
      They’re virtual. They’re global. They’re free.
      Emily Blades
      read more
      Blog
      Digital Forensics and Incident Response
      February 1, 2010
      It's the little things (Part One)
      For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data. Individuals wanting to hide their activities may flush their browser cache, Temp files, use, and even wipe the drive free space. However, they...
      SANS_DFIR-370x370.png
      SANS DFIR
      read more
      • Register to Learn
      • Courses
      • Certifications
      • Degree Programs
      • Cyber Ranges
      • Job Tools
      • Security Policy Project
      • Posters & Cheat Sheets
      • White Papers
      • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Cyber Security Leadership
      • Digital Forensics
      • Industrial Control Systems
      • Offensive Operations
      Subscribe to SANS Newsletters
      Receive curated news, vulnerabilities, & security awareness tips
      United States
      Canada
      United Kingdom
      Spain
      Belgium
      Denmark
      Norway
      Netherlands
      Australia
      India
      Japan
      Singapore
      Afghanistan
      Aland Islands
      Albania
      Algeria
      American Samoa
      Andorra
      Angola
      Anguilla
      Antarctica
      Antigua and Barbuda
      Argentina
      Armenia
      Aruba
      Austria
      Azerbaijan
      Bahamas
      Bahrain
      Bangladesh
      Barbados
      Belarus
      Belize
      Benin
      Bermuda
      Bhutan
      Bolivia
      Bonaire, Sint Eustatius, and Saba
      Bosnia And Herzegovina
      Botswana
      Bouvet Island
      Brazil
      British Indian Ocean Territory
      Brunei Darussalam
      Bulgaria
      Burkina Faso
      Burundi
      Cambodia
      Cameroon
      Cape Verde
      Cayman Islands
      Central African Republic
      Chad
      Chile
      China
      Christmas Island
      Cocos (Keeling) Islands
      Colombia
      Comoros
      Cook Islands
      Costa Rica
      Croatia (Local Name: Hrvatska)
      Curacao
      Cyprus
      Czech Republic
      Democratic Republic of the Congo
      Djibouti
      Dominica
      Dominican Republic
      East Timor
      East Timor
      Ecuador
      Egypt
      El Salvador
      Equatorial Guinea
      Eritrea
      Estonia
      Ethiopia
      Falkland Islands (Malvinas)
      Faroe Islands
      Fiji
      Finland
      France
      French Guiana
      French Polynesia
      French Southern Territories
      Gabon
      Gambia
      Georgia
      Germany
      Ghana
      Gibraltar
      Greece
      Greenland
      Grenada
      Guadeloupe
      Guam
      Guatemala
      Guernsey
      Guinea
      Guinea-Bissau
      Guyana
      Haiti
      Heard And McDonald Islands
      Honduras
      Hong Kong
      Hungary
      Iceland
      Indonesia
      Iraq
      Ireland
      Isle of Man
      Israel
      Italy
      Jamaica
      Jersey
      Jordan
      Kazakhstan
      Kenya
      Kingdom of Saudi Arabia
      Kiribati
      Korea, Republic Of
      Kosovo
      Kuwait
      Kyrgyzstan
      Lao People's Democratic Republic
      Latvia
      Lebanon
      Lesotho
      Liberia
      Liechtenstein
      Lithuania
      Luxembourg
      Macau
      Macedonia
      Madagascar
      Malawi
      Malaysia
      Maldives
      Mali
      Malta
      Marshall Islands
      Martinique
      Mauritania
      Mauritius
      Mayotte
      Mexico
      Micronesia, Federated States Of
      Moldova, Republic Of
      Monaco
      Mongolia
      Montenegro
      Montserrat
      Morocco
      Mozambique
      Myanmar
      Namibia
      Nauru
      Nepal
      Netherlands Antilles
      New Caledonia
      New Zealand
      Nicaragua
      Niger
      Nigeria
      Niue
      Norfolk Island
      Northern Mariana Islands
      Oman
      Pakistan
      Palau
      Palestine
      Panama
      Papua New Guinea
      Paraguay
      Peru
      Philippines
      Pitcairn
      Poland
      Portugal
      Puerto Rico
      Qatar
      Reunion
      Romania
      Russian Federation
      Rwanda
      Saint Bartholemy
      Saint Kitts And Nevis
      Saint Lucia
      Saint Martin
      Saint Vincent And The Grenadines
      Samoa
      San Marino
      Sao Tome And Principe
      Senegal
      Serbia
      Seychelles
      Sierra Leone
      Sint Maarten
      Slovakia (Slovak Republic)
      Slovenia
      Solomon Islands
      South Africa
      South Georgia and the South Sandwich Islands
      South Sudan
      Sri Lanka
      St. Helena
      St. Pierre And Miquelon
      Suriname
      Svalbard And Jan Mayen Islands
      Swaziland
      Sweden
      Switzerland
      Taiwan
      Tajikistan
      Tanzania
      Thailand
      Togo
      Tokelau
      Tonga
      Trinidad And Tobago
      Tunisia
      Turkey
      Turkmenistan
      Turks And Caicos Islands
      Tuvalu
      Uganda
      Ukraine
      United Arab Emirates
      United States Minor Outlying Islands
      Uruguay
      Uzbekistan
      Vanuatu
      Vatican City
      Venezuela
      Vietnam
      Virgin Islands (British)
      Virgin Islands (U.S.)
      Wallis And Futuna Islands
      Western Sahara
      Yemen
      Yugoslavia
      Zambia
      Zimbabwe
      • © 2022 SANS™ Institute
      • Privacy Policy
      • Contact
      • Careers
      • Twitter
      • Facebook
      • Youtube
      • LinkedIn