The unit hardware is very robust, running i7 13 generation CPU, the 12″ large display helps visualization when running a full Forensic analysis software, and the rugged case makes it easy to carry when traveling.
Ports:
• one e-SATA port on the main unit
• 2 SATA ports: 2 on the main unit (in socket, power & data, but it is not supporting SAS )
• 2 NVMe ports: 2 U.2 NVMe ports on the main unit (power & data)
• 4 USB3.2 (10Gigabit/s)
• one USB3.2 Gen2x2 (20Gigabit/s)
• one TB4.0 port
One use of the unit is when there is a need to perform fast Forensic imaging onsite supporting SATA and NVMe in cross-media capture. Another use of the unit is to run cellphone data extraction, full forensic analysis, triage data capture, RAID reconstruction, network analysis
The unit supplied with:
• Remote Capture KIT.
• Virtual Emulator (for viewing the Suspect drive before capturing).
• 2 SATA Extension Cables.
• 2 U.2 Extension Cables.
• 2 U.2 to M.2 NVMe adapters.
The Thunderbolt port and the optional Thunderbolt Expansion box bring a lot of additional connectivity.
Important options:
Thunderbolt 3.0 to PCI-E Expansion Box, 4 Ports SAS controller, Thunderbolt 3.0 to 10GbE adapter, and Mac/Thunderbolt acquisition kit.
The unit’s fast Thunderbolt 4.0 (40 Gigabit/s) enables the user to capture data directly from Macbooks laptops via TB2, TB3, and 1394 connections. Also, the optional TB3.0 Expansion Box allows the user to capture data from other interfaces such SAS/SCSI/FC. The user can also use the unit’ TB3.0 port to connect to 10 Gigabit/s networks and quickly upload the captured images to a network.
Some speed tests:
SATA to SATA Linux-DD copy max speed 32.7GB/min.
NVMe to NVMe mirror image max speed 187GB/min. (see pictures)
The SuperImager’s main application (the unit’s software) supports many imaging operations. Some of the tasks that the unit can be used for include:
1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, and Selective Capture (files and folders with the use of file extension filters). Select a single partition to capture.
2) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, NVMe, and Sanitize Erase protocols.
3) View the data directly on the Ubuntu Desktop screen.
4) Encrypt the data while capturing (AES256).
5) HASH the data while capturing – run all the 4 MD5, SHA-1, SHA-2, and SHA512 HASH engines simultaneously.
6) Run a quick Keyword Search on the Suspect drive before the capture.
7) Run Multiple Cellphones/Tablets data Extraction and Analysis.
8) Run a Forensic Triage application.
9) Run a full Forensic Analysis application like Encase/Nuix/FTK.
10) Run Virtual Drive Emulator.
11) Run Remote Capture from unopened laptops (Intel Based CPU).
13) Use the native Thunderbolt 3.0 port (40 Gigabit/s) to capture data from USB3.2 Gen2 storage devices, Mac via Thunderbolt 2/3 port or 1394 port, or connect to 10GbE network with the use of TB3.0 to 10GbE adapter.
14) Unlock drives and capture with ATA passcode, BitLocker passcode, Opal passcode for SED drives, and VeraCrypt.
15) Use the unit as a “Write Blocker” device: This new feature enables the SuperImager unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit by using the iSCSI protocol over a network connection. A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different locations in the Write block mode. The SuperImager unit will be connected to the same network, and the Suspect drives will be attached to the SuperImager unit in read-only mode. The SuperImager unit will act as a “write blocker” for any of the unit’s attached storage, such as SAS, SATA, USB, 1394, FC, SCSI, and NVMe.
Additional operations: Erase verification, Full or Quick Format, standalone HASH authentication, drive diagnostics, and scripting. The application supports forensic imaging from multiple drives in simultaneous forensic imaging sessions. The optional TB 3.0 expansion box enables the user to connect to a 10 Gigabit/s network, to an external HDMI monitor, or to plug in additional optional storage controllers (SAS, SCSI, 1394, and FC) to support capture from more storage devices.
The SuperImager application is optimized to achieve extreme top speeds when using NVMe SSD:
HASH SHA-1 132.5GB/min, Mirror Image 187GB/min, Erase + Verify 130GB/min, Verify 197GB/min
SuperImager Plus 12″ NVMe +SATA Rugged unit with i7 CPU, 32GB Memory, and S/W Version 1.8.133.11 | |
Operation | Avg Speed GB/Min |
HASH single drive, in a single session (Samsung 870 EVO SSD) | |
SHA-1 | 32.1 |
MD5 | 32.1 |
SHA-1+ MD5 | 32.1 |
HASH 2 drives in 2 separate sessions (2 Samsung 870 EVO SSD) | |
SHA-1 + MD5 drive 1 | 29.0 |
SHA-1 + MD5 drive 2 | 29.0 |
HASH single drive, in a single session (1TB WD black M.2 NVMe) | |
SHA-1 | 132.00 |
SHA-1 + MD5 | 132.00 |
Erase Drives using 1TB WD Black M.2 NVMe SSD | |
Read Verify | 202.00 |
Single Pass – User Erase Mode | 153.00 |
Forensic Imaging | |
100% bit by bit Imaging 1 TB WD Black to 1 TB WD black M.2 NVMe SSD | |
no HASH | 187.00 |
with SHA1 HASH | 137.00 |
DD Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS) | |
with SHA-1 + MD5 HASH | 30.1 |
DD Imaging SanDisk Extreme II SSD to Samsung 850 EVO SSD 2 GB file Chunks and NTFS) | |
with SHA-1 + MD5 HASH on | 28.5 |
E01 Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS) | |
with SHA-1 + MD5 HASH on | 24.2 |
Samples of SATA to SATA log file show max speed of complete Linux-DD imaging session
Samples of NVMe to NVMe log file show max speed of complete Linux-DD imaging session