The SuperImager® Plus 7” Mini Forensic unit is a Portable Compact Forensic imager with the ability to perform multiple Forensic tasks, allowing the Forensic investigator to capture data in the field from multiple source drives to multiple target drives simultaneously and extremely fast. It also enables the user capture data from multiple cellphones and run cellphone analyses, or any third-party application. The unit is compact and easy to carry, with built-in 3 SATA (with a secure and keyed SATA power connector) and 4 USB3.0 ports, 1 port of 1 Gigabit/s Ethernet, and 1 port of HDMI.
The SuperImager’s main application (the unit’s software) supports many imaging methods like Mirror Image, Encase E01/Ex01, and Linux-DD. Here are some of the tasks that the unit can be used for:
1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, and Selective Capture (files and folders with the use of file extension filters). Select a single partition to capture.
2) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, NVMe Secure Erase, or Sanitize erase protocols.
3) View the data directly on the Ubuntu Desktop screen.
4) Encrypt the data while capturing (using the AES256 engine).
5) HASH the data while capturing – run all the three, SHA-1, SHA-2, and MD5 HASH engines, at the same time.
6) Run a quick Keyword Search on the Suspect drive prior to capture.
7) Run Multiple Cellphone/Tablets data Extraction and Analysis using a third-party application on the Windows 10 side.
8) Run Forensic Triage application using a third-party application on the Windows 10 side.
9) Run Virtual Drive Emulator prior to the data being captured on the Linux side.
10) Run Remote Capture from unopened laptops (Intel Based CPU).
Additional operations that are available include HASH a drive, drive diagnostics, and scripting.
The application supports forensic imaging of multiple drives, in multiple sessions, in simultaneous forensic imaging runs.
Main Hardware Features:
– Case: Portable, lightweight, small, and easy to carry.
– CPU: i7 4th Generation Quad Core Mobile CPU
– Display: 7” (1280X800), LED back-light, touchscreen, color LCD display.
– OS: Linux Ubuntu 64 bit and Win 7 Professional 64 Bit in a dual boot. The open Ubuntu OS allows for easy application modification to include new features, easy adaptation to new hardware, and ease of adding third-party Ubuntu applications.
– Dual Boot (Built-in):
– Data Capture Under Linux: Performs Forensic Imaging under Linux for a faster, more efficient, and more secure operation.
– Analyze the Captured Data under Windows 10: Reboot the unit to Windows and use third-party applications to perform data analysis and other tasks.
– Security: Linux OS (Linux OS is less targeted by malware).
– Hardware Upgrade: The unit can be upgraded at the time of purchasing for additional cost to a larger internal SSD.
– Application Updates: The application can easily be updated via a USB thumb drive and displays a special update application screen.
– RAM: 8GB DDR3 internal memory.
– Internal storage: 250GB mSATA.
– Storage controller: SATA controller on the main board supporting 6 Gigabit/s SATA interface speeds with a maximum data rate of 37GB/min.
– Source Ports: One SATA ports and two USB3.0/USB3.1 ports are set as source ports (the user cannot change the role of these ports).
– Target Ports: Two SATA ports and 2 USB3.0/USB3.1 ports.
– Supports Storage Protocols and Interfaces: SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, MMC, M.2 (SATA base), and M.2 NVMe*.
– Supports Form Factors: 3.5”, 2.5”, ZIF, 1.8”, Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, M.2 SATA, and CF-30.
*With the NVMe to USB optional adapter.
– HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas and resize the “Suspect” hard drive to its full native capacity in order to capture any “hidden data: (HPA/DCO are special areas on the drive that support this feature).
– Bad Sectors Handling: The user can select to skip bad sectors, skip bad blocks, or abort the operations. The skipped, bad sectors will be reported in the log file in detailed or in summary.
– 48bit LBA Addressing: Supports drives with sizes up to 256TB.
– Forensic Images – Destination: The user can save Forensic Images to any storage device attached to the SuperImager unit, or to any connected network, using the unit’s 1Gigabit/s port, the 10Gigabit Option, any external USB3.0 RAID (encryption is optional), or an external NAS storage at a very good speed.
– Cross Copy from any Ports and any Interfaces: The user can choose to capture from one port, with one type of storage protocol and interface, and save the forensic image onto a different storage protocol and interface using destination ports. The cross copy of data can be done between any of these interfaces – SATA/IDE/USB/NVMe
– GUI: The application is built with large and very simple and easy to navigate icons. In a few clicks the user can set an operation and it will quickly be up and running.
– Speed: Very fast – one of the fastest Forensic Imaging solutions available on the market today, achieving a speed of above 24GB/min.
Application’s Main Operations:
– Forensic Imaging Mode
– Forensic Platform
– Data Eraser and Format
– HASH Calculation Authentication and Verification
Forensic Imaging Mode:
– Mirror imaging bit by bit (100% or any % of the drive), DD, E01/Ex01: with optional compression, Selective Capture (Capture Partitions, Files and Folders, and with the use of file extension filters), Mix-Format of DD/E01/Ex01, selecting one partition capture.
– Targeted Imaging: Sometimes the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now the user can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows User-Folders or Windows User-Documents and User-Pictures). With the use of preset file extension filters or adding its own filters, the Forensic Investigator can narrow their capture scope and shorten its acquisition time.
– Forensic Restore: Back up the data that was captured to another drive in the original format.
– Forensic Images Formats:
a) Mirror Image Formats 100% Bit by Bit Mirror copy.
b) Linux-DD Format.
c) Encase E01/Ex01 Formats (includes options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/Ex01/Linux-DD.
d) Mix-Format is where the user can capture from one source drive and save the images onto multiple destination ports; each target port can be selected to be one of the 3 E01/Ex01/Linux-DD.
e) In addition, the user can use a file-based copy to copy files and folders by using selective imaging with file extension filters.
f) Single partition capture.
– Drive Spanning: Supports spanning the captured data onto many “Evidence” drives when the Evidence drives are not large enough (also supports restore images that are spanned over multiple drives).
– Encryption: On-the-fly AES256 encryption of the “Suspect” drive, saving the encrypted data on the “Evidence” drive in 100%, DD, E01/Ex01 formats.
– Decryption: The user can perform decryption on a drive that has been previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryptions on an encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility application, where the encrypted drive and a blank destination drive are attached to the PC (the user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility application in order to make sure that the user can always decrypt the drive was were once encrypted via a MediaClone unit and not to rely on TruCrypt or other third-party applications that might not be supported in the future.
– Forensic Imaging Tool: In one read-pass from the “Suspect” drive, the SuperImager Plus application can run the following operations simultaneously: Forensic imaging with E01 format and full compression, Encryption with AES256, calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), save the captured Forensic Images to 2 “Evidence” drives to a local network, and external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1 or 1:2 for SATA and 1:3 or 2:2 for USB3.0 storage devices.
– Extreme Speeds when performing Forensic capture with E01/Ex01 formats and full Compression:
– The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while also performing at incredibly high speeds with E01/Ex01 formats and full compression. The application allows the user to manually select and adjust the number of hyperthreads and the level of compression used during each session.
– Forensic data captured with Encase E01/Ex01 formats with full compression is widely used for operations in the forensic industry and generally requires a trade-off between speed, space, and time of decompression by the Encase application.
– Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. The tests were performed with the same hardware, the same hard disk drives (filled 43% of the drive with random data), and the same level 1 compression. The Linux-based application was set to use 16 compressions threads.
Complete Forensic Platform:
– In addition, the unit can serve as a platform for a Forensic Investigator to run a complete investigation and to perform:
– The Forensic investigator can load and run third-party applications such as Cellebrite, Oxygen, DART, Paraben, and BlackBag. The user can also run third-party Triage applications under Windows on the attached Suspect or Evidence drives. The MediaClone Windows Drive Power Utility application allows the user to mount drives safely, either as read-only or read-write (depending on the unit’s port) in a secure way. The application also allows the user to dismount and remove drives in a safe way. The Suspect port is automatically assigned to be read-only.
– Virtual Drive Emulator: Enables the user to run a drive, or image of a drive emulator, on the unit (for Suspect Drives that were extracted previously from a Windows unit) and allows the user to share folders and copy important files (bypass the user Windows password). Mount a Suspect drive or it’s DD/E01 images, simulate it in its native Windows Environment, and extract important files (This function performs on the Linux side).
– Secure Write Blocked File Preview: Browse and preview the captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port’s write-blocking mechanisms, turn on the power to the drive using the application’s power icon, and mount the drive using Ubuntu. The drive Doc files, including XLS, can be viewed using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive on Windows.
– Cellphone/Tablet data extraction and analysis – Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications, and more (the user can also use all of the 8 USB3.0 ports to run cellphone extractions)
– Triage data collection – Nuix/Encase/ADF portable applications.
Data Eraser and Format:
– The user can erase drives and USB3.0 storage devices by using the unit’s 2 SATA ports and 3 USB3.0 ports. The application supports DoD erase (Full, Lite), Security Erase, Enhanced Security Erase, and Sanitize erase protocols. DoD (Full and Lite) are NIST 800-88 compliant. The rest of the erase protocols need to be run with verify pass in order for them to be NIST 800-88 compliant. The application also supports the user erase mode with verification pass and the erase verification mode for drives that were previously erase by a third-party application or tool.
– Erase the Evidence drive prior to use (with extremely fast speed of up to 28GB/min with the use of SSD and up to 11GB/min with the use of HDD).
– Erase the remainder of the drive after the copy.
– Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, NVMe Secure Erase, or a User-erase mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are all NIST 800-88 compliant).
– Format: NTFS, FAT, HFS+, EXT4, and exFAT.
– Erase Logs and Erase Certification: The application generates extensive erase logs and files with an NIST 800-88 erase certification (also runs S.M.A.R.T. tests before and after the erase operation and is saved to XML file format) which can be exported to a USB thumb drive. The application also has a built-in erase database that can easily be exported to XLS.
– Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.
– Audit trail and operation Log Files: Generated automatically by the application and saves it on the Evidence/Target drive (PDF).
HASH Calculation Authentication and Verification:
– HASH Authentication: Simultaneously calculated on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 during the same session.
– HASH while Capture: MD5, SHA-1, SHA-2 (all the 3 HASH protocols can be selected to run simultaneously).
– Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network and save to a network) supports SMB, NFS, and CIFS networks protocols. The capture can run with HASH authentication and HASH verification.
– Saves Forensic Images to Network: Upload multiple Forensic images to a local network (DD, E01) simultaneously by using 1Gigabit/s port, 10Gigabit/s option, or any of the unit’s USB ports to upload up to 5 parallel 1Gigabit/s network streams.
– Disable Network process and protocols for security reasons: Those network protocols are easy to disable using Ubuntu Preferences Tools.
– Copy loose files from/to the network: The user can copy files from/to a network with HASH authentication for better data integrity.
– Remote Capture (Intel based CPU)- Capture data from the Internal Drives of an un-opened Laptop or Computer: Using USB or 1Gigabit Ethernet ports on the laptop/computer enables the user to use the Remote capture application via a USB stick, without the need to remove the drive from the laptop/computer or boot the laptop from its own OS (the capture speed is restricted to the performance of the Laptop/PC CPU and the 1Gigabit/s connection). The capture application can run using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1Gigabit/s to USB3.0 Adapter, and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45 network ports).
– Parallel Forensic Imaging – Multiple Session Operations: Improves the efficiency of the evidence data collection process by using multitasking and using a parallel imaging process. The user can take advantage of the SuperImager unit’s multiple available ports and run multiple, efficient, parallel operations. The user can mix different types of operations, and each operation can be set as a new independent session. An example of an operation: erase data from a drive connected to one port and HASH verify a different drive connected to the second port, all while performing forensic imagining of 1 to 1 on drives connected to the remaining ports.
– Basic Parallel Forensic Imaging: The supported modes are – Native SATA (1 to 1, 1 to 2) and USB3.0/3.1 (1 to 1, 1 to 2, 2 to 2).
– More Ports for Forensic Imaging: with the use of USB3.0 to SATA fast adapters the unit can support up to 3 to 3 Forensic Imaging of SATA drives.
Parallel Operations – Linux Elaborated:
– Detection Application Screen: All drives and storage devices that are connected to the unit will be “scanned” and displayed in one application screen called “The Detection Screen”. The user can tap on each drive to get its detailed info and run some specific utilities regarding that drive (as long as it is a target drive) – like a quick S.M.A.R.T. test (only using the “Target” port), run a Virtual Emulator (“Source” port), safely preview the contents of the drive (“Source” port), as well as select it for any desired operation they are planning to use.
– Parallel Forensic Imaging: This depends on the number and kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a port’s role from “Evidence” to “Suspect” port. The session control application screen provides the user with comprehensive information and direct control over the running sessions, including all the settings of the session and the ability to abort the session.
– Drive Trim: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.
– Unit’s User Configuration: This feature allows the administrator of the unit to set specific operations with specific settings, and allows the user to secure it with a lock password (This feature needs to be requested at the time of purchasing the main unit – it is needed for security purposes).
– Tasks Scripting: The user can create a script to run sequential operations and parallel operations. There are no limitations on the number of scripts and operations one can run. Be aware that if the operation requires the use of an input it will stop and wait for the user to input (like when the user is running a drive scanning and a user’s response is needed).
– Language Supports: Easy to implement translations for new languages. Now supporting Korean and Chinese languages.
– Keyword search: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords (this is a quick keyword search to determine if a Suspect drive needs to be captured).
– Keyword search while imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords included in the search images.
– Partition imaging: Gives the user the ability to select only one partition (per sessions) to perform forensic imaging and save it into the Evidence drive in DD/E01/Ex01 format.
– Network Multiple Forensic Image Loader: Besides the ability of the application to upload forensic images (DD, E01) to the network via the 1Gigabit/s network port, there is also a unique feature/solution that can solve the streaming bottleneck issue by using a single port. With this solution the user can upload many Forensic images directly to a local network using 4 equivalent 1Gigabit/s network streams. Alternatively, the user can use the Thunderbolt 3.0 port to connect to a 10Gigabit/s network.
Main Hardware Options:
– USB3.0 to SATA Adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min. With the use of the USB3.0 to SATA 4 channel Kit, the user can convert 4 USB3.0 ports to 4 SATA ports on any of MediaClone’s units and have a total of 7 SATA ports available to be used. Utilizing the 7 ports, the user can perform Forensic Imaging from 3 “Suspect” drives to 3 “Evidence” drives in 3 separate sessions. The optional Kit is supplied with one external PS and includes all the cabling to power and connect the 4 USB3.0 to SATA adapters. The tested performance when running 4 adapters in parallel was measured at a very high speed and with very little speed degradation.
– USB3.0 to M.2 (NGFF) adapters Option: Currently, most laptops and tablets use M.2 (NGFF) Storage devices. This adapter supports connectivity to some of the newest SSD M.2 storage devices (storage that is supported by SATA Protocols).
– USB3.0 to M.2 NVMe adapter Option: Supports M.2 NVMe limited to the speed of the USB3.0 port.
– USB3.0 to M.2 (NGFF) PCIE (not NVMe) base adapters Option: Few adapters are available that support PCIE base SSD that are being used in MacBook Air 2012+, MacBook Pro Retina 2012+, and MacBook 2013-14 with special interfaces (12+16). It is supplied with an adapter with M.2 generic B+M connectors.
– External Battery Option: Supports the use of an external Lithium-Polymer battery that enables the user to run a full capture of the data in the field on hard disk drives; it operates on a battery for a long time (the unit is able to complete forensic imaging of WD 1TB hard disk drives using the imaging mode of 1 to 2 for 2 hours, or Cellphone data extraction and analysis for 5 hours, all performed with the use of the external battery).
– Crucial data upload with External Wi-Fi and Cellphone HotSpot features: With the use of a USB3.0 to Wi-Fi adapter and the user’s Cellphone Hot-Spot feature, the SuperImager Plus 7” Mini unit can connect to the internet, satellite, or any other network to upload crucial data.
– Built in the US: The units are built and tested in the US.
– Warranty: One-year free warranty on the main unit (does not include warranty on accessories, adapters, and cables).
– Native SATA: 3 power and data combo Ports (1 source and 2 target ports).
– USB3.0: 4 Ports (1 source and 2 target ports – all these ports can also be used as a host to plug in and use a keyboard, mouse, and other peripherals).
– 1Gigabit/s: 1 Port (for network connectivity and remote data acquisition from an unopened PC/Laptop.
– HDMI: 1 Port
– Front Panel: 3 SATA power and data ports (One “Suspect” and two “Evidence”). The SATA power connector on the cable is keyed and has a locking mechanism to prevent accidental disconnection.
– Back Panel: 1GbE port for network connectivity and remote data acquisition from an unopened PC or laptop, 2 USB3.0 “Suspect” ports, 2 USB3.0 “Evidence” ports for generic use (side panel), and an HDMI port to plug in and use an external monitor.
– A built-in, universal, auto switching 96W UL/CE/PSE external power supply adapter with a key and lock-in mechanism to avoid accidental disconnection.
– Input Voltage: 100-240V/50-60Hz.
– Power Consumption excluding External Drives: 34W
– Temperature: 5°C – 55°C (40°F-130°F).
– Relative Humidity: 20-60% non-condensing.
– Unit Net Weight: 2.50 lbs
– Overall Dimensions: 7.5” x 6.0″ x 2.5″ (190 x 152 x 63 mm).
– Shipping Box Dimensions: 14″ x 12″ x 8″, 10.00 lbs.
Three SATA data and power combo extension cables cable
One SATA to 40-pin IDE adapter
One M.2 SATA adapter
One Micro SATA adapter
One MSATA SATA adapter
Accessory bag to store all adapters and cables.