Forensic imaging tools draft v1

13.980 visualizações

Publicada em

This is an extract from ongoing research made available as a draft for comments and recommendations. All tools were tested in the same virtual configuration providing a consistent test platform.

Publicada em: Tecnologia, Diversão e humor
13 comentários
9 gostaram
Estatísticas
Notas
Sem downloads
Visualizações
Visualizações totais
13.980
No SlideShare
0
A partir de incorporações
0
Número de incorporações
386
Ações
Compartilhamentos
0
Downloads
0
Comentários
13
Gostaram
9
Incorporações 0
Nenhuma incorporação

Nenhuma nota no slide

Forensic imaging tools draft v1

  1. 1. A high-level review of acquisition times for several popular imaging tools
  2. 2. Background There has been a lot of anecdotal discussion regarding the relative performance of various popular acquisition tools. This document provides an overview of some research currently being undertaken. Once completed the full set of detailed results will be published.
  3. 3. Tools Assessed  EnCase Forensic Imager v7.06  FTK Imager v3.1.2  Adepto v2.1 (Helix3)  EnCase LineN v6.12.0.21  IXImager v3  Raptor v2.5  X-Ways v17.1
  4. 4. Speed Assessment Parameters Each of the acquisition tools used in this research was placed into one of two categories and measured for how quickly the tool could acquire a 160GB virtual drive. The categories were:  ‘Standalone’ – meaning the tool comes with its own bootable environment  ‘Dependant’ – meaning the tool itself is not part of a bootable environment and requires a third-party write-blocking device or bootable system. Within each category the tools were tested in the same virtual configuration. The default image type was selected together with the fastest compression (if available).
  5. 5. ‘Standalone’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) VIRTUAL BOOT CDROM ISO SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 PHYSICAL DISK 3 SATA
  6. 6. ‘Dependant’ Acquisition Tool Environment VIRTUAL MACHINE (VirtualBox) VDI (VIRTUAL SOURCE DISK) VDI (VIRTUAL TARGET DISK) SATA SATA PHYSICAL DISK 1 PHYSICAL DISK 2 SATA VDI (VIRTUAL SYSTEM DISK) WIN 7 SP1 PHYSICAL DISK 3
  7. 7. Overall Results Tool Time to acquire 160GB Image Size Image type IXImager 17 mins 78.6 GB ASB Xways Forensic 27 mins 74.4 GB E01 FTKI 50 mins 68.3 GB E01 Adepto 56 mins 149 GB RAW EnCase Linen 63 mins 149 GB E01 Raptor 69 mins 68.3 GB E01 EnCase Forensic Imager 74 mins 68.6 GB E01
  8. 8. Standalone Tool Results For tools that don’t require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type IXImager 17 mins 78.6 GB ASB Adepto 56 mins 149 GB RAW EnCase LineN 1hr 03 mins 149 GB E01 Raptor 1hr 09 mins 68.3 GB E01
  9. 9. Dependant Tool Results For tools that require a write-blocker as part of the acquisition process Tool Time to acquire 160 GB Image size Image type X-Ways Forensic 27 mins 74.4 GB E01 FTK Imager 50 mins 68.3GB E01 EnCase Forensic Imager 1hr 14 mins 68.6 GB E01
  10. 10. Scalability Assessment The tools were grouped by their ability to accommodate being deployed in an environment containing multiple source devices. Two groups were identified:  Unrestricted  Restricted
  11. 11. Unrestricted tools Tool Comment IXImager Unlimited number of concurrent acquisitions, one analysis licence required Raptor Unlimited number of concurrent acquisitions, no licence required EnCase LineN Unlimited number of concurrent acquisitions, no licence required Adepto Unlimited number of concurrent acquisitions, no licence required
  12. 12. Restricted tools Tool Comment FTK Imager Requires write-blocker per concurrent acquisition EnCase Forensic Imager Requires write-blocker per concurrent acquisition X-Ways Requires write-blocker per concurrent acquisition, requires dongle per concurrent acquisition

×