The SuperImager® Plus 12” Forensic unit with 4 SAS/SATA-3 ports, 5 USB3.2 ports, and Thunderbolt 4.0 port (40Gigabit/s port). It is a top-performance field computer Forensic Imaging tool and complete computer forensic investigation platform. It is configured with Dual Open OS (Linux for fast imaging/Win11 for forensic analysis and cellphone extraction). Under Linux, the user can run multiple simultaneous Forensic imaging (mirror image, single-partition, Linux-DD, EnCase, mix E01/DD, AFF4, Triage with Files and Folders) with 4 HASH values (MD5, SHA1, SHA2, and SHA512 run all the 4 at the same time), encryption AES 256 XTS, compression, keyword search all on the fly and save images to a network. Also run simultaneouse logical smartphone data extraction and immediatly view the captured data. Under Win 11 the user can perform a full Forensic analysis using third-party applications like Encase, Nuix, Axiom, and more, and multiple cellphone data extraction using Cellebrite, MSAB, Oxygen, and more.

The unit hardware is very robust, running i7 13 generation CPU, with the 12″ large display which helps visualization when running a Forensic Analysis software, and with a rugged case which makes it easy to carry when traveling.

The unit ports:

• one e-SATA port
• one USBc Gen2x2 port

• 4 SAS/SATA ports (in socket, power & data)

• 4 USB3.2 ports

• TB4.0 port

One of the uses of this unit is when there is a need to perform fast Forensic Imaging onsite supporting SATA and SAS. The other use of the unit is to extract data from multiple cellphones, run full Forensic analysis, run Triage data capture, RAID remonstration, and network analysis.

The unit supplied with:

• Remote Capture KIT.

• Virtual Emulator (viewing the Suspect drive before the capture).

• 4 SATA/SAS Extension Cables.

Here are some of the important Options:

Thunderbolt 3.0 to PCIE Expansion Box,

M.2 NVMe controller

Thunderbolt 3.0 to 10GbE adapter

Mac/Thunderbolt acquisition kit

The Optional Thunderbolt 3.0 to PCIE Expansion box enables the user to plug in additional optional storage controllers (NVMe, SAS, SCSI, 1394, and FC) to support capture from more storage devices.

The SuperImager’s main application (the unit’s software) supports many imaging operations. Some of the tasks that the unit can be used for include:

1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, and Selective Capture (files and folders with the use of file extension filters). Select a single partition to capture.

2) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, NVMe, Sanitize, User, erase protocols.

3) View the data directly on the Ubuntu Desktop screen.

4) Encrypt the data while capturing (AES256 XTS).

5) HASH the data while capturing – run all the 4 MD5, SHA-1, SHA-2, and SHA512 HASH engines simultaneously.

6) Run a Quick Keyword Search on the Suspect drive before or during the capture.

7) Run Multiple Cellphone/Tablet data Extraction and Analysis.

8) Run a Forensic Triage application.

9) Run a full Forensic Analysis application like Encase/Nuix/FTK.

10) Run Virtual Drive Emulator.

11) Run Remote Capture from unopened laptops (Intel Based CPU).

12) Save Images to a network using the optional Thunderbolt 3.0 to 10GbE adapter

13) Use the native Thunderbolt 4.0 port (40 Gigabit/s) to capture data from USB3.2 Gen2 storage devices, capture data from NVMe SSD with the use of the TB 3.0 expansion box, capture data from Mac T1 via 1394 port and expansion box, or connect to 10GbE network with the use of TB3.0 to 10GbE adapter.

14) Unlock drives and image drives with ATA passcode, BitLocker passcode, Opal passcode for SED drives, VeraCrypt.

15) Built-in Write-Blocker hardware solution that run at full bandwidth.

16) Use the SuperImager unit as a “Write Blocker” device: This new feature enables the SuperImager unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit by using the iSCSI protocol over a network connection. A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different locations in the Write-block mode. The SuperImager unit will be connected to the same network, and the Suspect drives will be attached to the SuperImager unit in read-only mode. The SuperImager unit will act as a “write blocker” for any of the unit’s attached storage, such as SAS, SATA, USB, 1394, FC, SCSI, and NVMe.

Additional Operations: Drive Erase, HASH authentication, Drive Diagnostics, Image Restore, Scripting, and more.

The application supports forensic imaging of multiple drives running simultaneous runs.

Also, the optional Thunderbolt 3.0 to PCIE Expansion box enables the user to plug in additional optional storage controllers (NVMe, SAS, SCSI, 1394, and FC) to support capture from more storage devices.

3) “We got a unit of this machine a while ago, and then fell in love with it” From: Adewale Alayegun – Digital Forensics Examiner at Digital Footprints Ltd, Nigeria 2021