SuperImager Plus 12” NVME + SATA Portable Rugged Forensic Imaging Unit with Thunderbolt 4.0 Port - Dual Open OS

The SuperImager® Plus 12” 2 NVMe & 2 SATA Rugged Portable Mix Ports Forensic unit is a forensic imaging device that can serve as a complete Field Computer Forensic Investigative platform. The unit is built with 2 SATA ports, 2 U.2/M.2 NVMe ports, 4 USB3.2 ports, 10Gb/s port, one e-SATA port, and one Thunderbolt 4.0 port (40 Gigabit/s fast port).. It is configured with Dual Open OS (Linux for fast imaging/Win11 for forensic analysis and cellphone extraction). Under Linux, the user can run multiple parallel simultaneous Forensic imaging (mirror image, single-partition, Linux-DD, EnCase, mix E01/DD, VHD, Triage with Files and Folders) with 4 HASH values (MD5, SHA1, SHA2, and SHA512 run all the three at the same time), encryption AES256 XTS, compression, keyword search all on the fly and save images to a network. Under Win 11, the user can perform a full Forensic analysis using third-party applications like EnCase, Nuix, Axiom, and more, and also perform multiple cellphone data using Cellebrite, MASB, and more.

The unit hardware is very robust, running i7 13 generation CPU, the 12″ large display helps visualization when running a full Forensic analysis software, and the rugged case makes it easy to carry when traveling.

 

Ports:

• one e-SATA port on the main unit

• 2 SATA ports: 2 on the main unit (in socket, power & data, but it is not supporting SAS )

• 2 NVMe ports: 2 U.2 NVMe ports on the main unit (power & data)

• 4 USB3.2 (10Gigabit/s)

• one USB3.2 Gen2x2 (20Gigabit/s)

• one TB4.0 port

 

One use of the unit is when there is a need to perform fast Forensic imaging onsite supporting SATA and NVMe in cross-media capture. Another use of the unit is to run cellphone data extraction, full forensic analysis, triage data capture, RAID reconstruction, network analysis

 

The unit supplied with:

• Remote Capture KIT.

• Virtual Emulator (for viewing the Suspect drive before capturing).

• 2 SATA Extension Cables.

• 2 U.2 Extension Cables.

• 2 U.2 to M.2 NVMe adapters.

 

The Thunderbolt port and the optional Thunderbolt Expansion box bring a lot of additional connectivity.

 

Important options:

 

Thunderbolt 3.0 to PCI-E Expansion Box, 4 Ports SAS controller, Thunderbolt 3.0 to 10GbE adapter, and Mac/Thunderbolt acquisition kit.

 

The unit’s fast Thunderbolt 4.0 (40 Gigabit/s) enables the user to capture data directly from Macbooks laptops via TB2, TB3, and 1394 connections. Also, the optional TB3.0 Expansion Box allows the user to capture data from other interfaces such SAS/SCSI/FC. The user can also use the unit’ TB3.0 port to connect to 10 Gigabit/s networks and quickly upload the captured images to a network.

 

Some speed tests:

 

SATA to SATA Linux-DD copy max speed 32.7GB/min.

 

NVMe to NVMe mirror image max speed 187GB/min. (see pictures)

 

The SuperImager’s main application (the unit’s software) supports many imaging operations. Some of the tasks that the unit can be used for include:

 

1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, and Selective Capture (files and folders with the use of file extension filters). Select a single partition to capture.

 

2) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, NVMe, and Sanitize Erase protocols.

 

3) View the data directly on the Ubuntu Desktop screen.

 

4) Encrypt the data while capturing (AES256).

 

5) HASH the data while capturing – run all the 4 MD5, SHA-1, SHA-2, and SHA512 HASH engines simultaneously.

 

6) Run a quick Keyword Search on the Suspect drive before the capture.

 

7) Run Multiple Cellphones/Tablets data Extraction and Analysis.

 

8) Run a Forensic Triage application.

 

9) Run a full Forensic Analysis application like Encase/Nuix/FTK.

 

10) Run Virtual Drive Emulator.

 

11) Run Remote Capture from unopened laptops (Intel Based CPU).

 

13) Use the native Thunderbolt 3.0 port (40 Gigabit/s) to capture data from USB3.2 Gen2 storage devices, Mac via Thunderbolt 2/3 port or 1394 port, or connect to 10GbE network with the use of TB3.0 to 10GbE adapter.

 

14) Unlock drives and capture with ATA passcode, BitLocker passcode, Opal passcode for SED drives, and VeraCrypt.

 

15) Use the unit as a “Write Blocker” device: This new feature enables the SuperImager unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit by using the iSCSI protocol over a network connection. A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different locations in the Write block mode. The SuperImager unit will be connected to the same network, and the Suspect drives will be attached to the SuperImager unit in read-only mode. The SuperImager unit will act as a “write blocker” for any of the unit’s attached storage, such as SAS, SATA, USB, 1394, FC, SCSI, and NVMe.

 

 

Additional operations: Erase verification, Full or Quick Format, standalone HASH authentication, drive diagnostics, and scripting. The application supports forensic imaging from multiple drives in simultaneous forensic imaging sessions. The optional TB 3.0 expansion box enables the user to connect to a 10 Gigabit/s network, to an external HDMI monitor, or to plug in additional optional storage controllers (SAS, SCSI, 1394, and FC) to support capture from more storage devices.

The main difference between using a product with U.2 port (and with Extension cables) vs. using M.2 port and plugging the media directly into the port: NVMe U.2 port is more versatile and can support three types of NVMe SSD: M.2, U.2, PCIE NVMe storage controller, while M.2 port is limited to M.2 SSD. Using the U.2 Extension cables protects the unit’s NVMe port from overuse and many insertions by plugging the SSD directly into the unit’s port and damaging the port. Competitors that use NVMe M.2 ports are limited with their supports (Only M.2), and force the user to plug the media directly into the port. The U.2 extension cables are very durable and built with high quality and precision, and they exhibit an extreme transfer rate of over 200 GB/min.
The SuperImager application is optimized to achieve extreme top speeds when using NVMe SSD: HASH SHA-1 132.5 GB/min, Mirror Image 187 GB/min, Erase + Verify 130 GB/min, Verify 197 GB/min

 

The SuperImager application is optimized to achieve extreme top speeds when using NVMe SSD:
HASH SHA-1 132.5GB/min, Mirror Image 187GB/min, Erase + Verify 130GB/min, Verify 197GB/min

 

SuperImager Plus 12″ NVMe +SATA Rugged unit with i7 CPU, 32GB Memory, and S/W Version 1.8.133.11
Operation Avg Speed GB/Min
HASH single drive, in a single session (Samsung 870 EVO SSD)
SHA-1 32.1
MD5 32.1
SHA-1+ MD5 32.1
HASH 2 drives in 2 separate sessions (2 Samsung 870 EVO SSD)
SHA-1 + MD5 drive 1 29.0
SHA-1 + MD5 drive 2 29.0
HASH single drive, in a single session (1TB WD black M.2 NVMe)
SHA-1 132.00
SHA-1 + MD5 132.00
Erase Drives using 1TB WD Black M.2 NVMe SSD
Read Verify 202.00
Single Pass – User Erase Mode 153.00
Forensic Imaging
100% bit by bit Imaging 1 TB WD Black to 1 TB WD black M.2 NVMe SSD
no HASH 187.00
with SHA1 HASH 137.00
DD Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
with SHA-1 + MD5 HASH 30.1
DD Imaging SanDisk Extreme II SSD to Samsung 850 EVO SSD 2 GB file Chunks and NTFS)
with SHA-1 + MD5 HASH on 28.5
E01 Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
with SHA-1 + MD5 HASH on 24.2

 

 

Samples of SATA to SATA log file show max speed of complete Linux-DD imaging session

 

 

Samples of NVMe to NVMe log file show max speed of complete Linux-DD imaging session