SuperImager Plus Complete Portable Rugged Forensic Lab with 10GbE

SuperImager Plus Complete Rugged Portable Forensic Lab unit is configured with Dual Open OS of Linux for multiple simultaneous parallel and independent of forensic imaging with extreme performances and Windows 10 for full forensic investigation, includes Forensic Analysis, Triage, and Cellphone data extraction. The unit is a Portable, Compact, easy to carry when traveling, large 15.6” display, and an extremely performing hardware (NVMe 187GB/min). It is built with the latest generation of i7 CPU, and with 4 NVMe U.2 ports (supports both U.2 and M.2), 4 SAS/SATA ports, 7 USB3.2 Gen2 , USB-C, 1 USB3.0 ports, and speakers and audio.

Are you interested in this product?

1300 55 33 24

contact@cdfs.com.au

Quote Request

Download SuperImager® Plus Portable Rugged Forensic Lab Brochure

 

Download Samples of SATA to SATA log file show max speed of complete Linux-DD imaging session

 

Download Samples of NVMe to NVMe log file show max speed of complete Linux-DD imaging session

 

The SuperImager Plus Portable Rugged Portable Digital Forensic Lab with 10GbE is a forensic imaging device with the ability to serve as a complete Field Computer Forensic Investigative platform. The unit built with 4 SAS/SATA ports, 4 U.2 NVMe ports, e-SATA port, and 1 Thunderbolt 4.0 ports. It configured with Dual Open OS (Linux for fast imaging/Win10 for forensic analysis and cellphone data extraction), Under Linux the user can run multiple parallel simultaneous Forensic imaging (mirror image, single partition, Linux-DD, EnCase, mix E01/DD, VHD, Triage with Files and Folders) with 4 HASH values (MD5, SHA1, SHA2, and SHA512 run all the four at the same time), encryption, compression, keyword search all on the fly and save images to a network. Under Win 10 the user can perform a full Forensic analysis using a third-party applications like EnCase, Nuix, Axiom and others, and also perform multiple cellphone data using Cellebrite, MSAB, Oxygen.

 

The unit hardware is very robust running i7 12 generation CPU, the 15.6″ large display helps visualization when running a full Forensic analysis software, and the rugged case make it easy to carry when traveling.

 

Total ports:

• one e-SATA port on the main unit

• 4 SAS/SATA ports: In drop socket, power & data

• 4 NVMe ports: 4 U.2 NVMe ports, include 4 M.2 to U.2 vertical adapters with special easy SSD locking mechanism, U.2 Extension cables and secure brackets, supporting all the three (U.2, M.2, PCIE) NVMe SSD

• 6 USB3.2 Gen2, 1 USB3.2 Gen1

• 2 USB-c port/Thunderbolt 4.0

 

Main purpose of the unit is when there is a need to image in the field SAS/SATA and NVMe in cross media capture and Upload images to a local network

The unit supplied with:

• Remote Capture KIT.

• Virtual Emulator (for viewing the Suspect drive prior to the capture).

• Mac/Thunderbolt kit – Capture from Mac with TB2/TB3, 1394 ports

 

Some speed tests:
SATA to SATA Linux-DD copy max speed 32.7GB/min.
NVMe to NVMe mirror image max speed 187GB/min. (see pictures)

The SuperImager’s main application (the unit’s software) supports many imaging operations. Some of the tasks that the unit can be used for includes:
1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, and Selective Capture (files and folders with the use of file extension filters). Select a single partition to capture.
2) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, NVMe, and Sanitize erase protocols.
3) View the data directly on Ubuntu Desktop screen.
4) Encrypt the data while capturing (AES256).
5) HASH the data while capturing – run all the three, SHA-1, SHA-2, and MD5 HASH engines, at the same time.
6) Run a quick Keyword Search on the Suspect drive prior to capture.
7) Run Multiple Cellphone/Tablets data Extraction and Analysis.
8) Run Forensic Triage application.
9) Run a full Forensic Analysis application like Encase/Nuix/FTK/Axiom.
10) Run Virtual Drive Emulator.
11) Run Remote Capture from unopened laptops (Intel Based CPU).
14) Unlock drives with ATA pass-code, BitLocker pass-code, Opal pass-code for SED drives

15) New feature – Use the SuperImager unit as a “Write Blocker” device: This new feature enables the SuperImager unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit by using the iSCSI protocol over a network connection. A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different locations in the Write block mode. The SuperImager unit will be connected to the same network and the Suspect drives will be attached to the SuperImager unit in read-only mode. The SuperImager unit will act as a “write blocker” for any of the unit’s attached storage, such as: SAS, SATA, USB, 1394, FC, SCSI, and NVMe.

 

Additional operations that are available include erase verification on a drive that was previously erased, Full or Quick Format, HASH a drive, drive diagnostics, and scripting. The application supports forensic imaging of multiple drives, in multiple sessions, in simultaneous forensic imaging runs. The Optional TB expansion box enables the user to connect to a 10 Gigabit/s network, or to an External HDMI monitor, or to plug additional optional storage controllers (SAS, SCSI, 1394, and FC) to support erase from more storage devices.

 

The SuperImager application is optimized to achieve extreme top speeds when using NVMe SSD:
HASH SHA-1 132.5GB/min, Mirror Image 187GB/min, Erase + Verify 130GB/min, Verify 197GB/min

SuperImager Plus 12″ NVMe +SATA Rugged unit with i7 CPU, 32GB Memory, and S/W Version 1.8.133.11
Operation Avg Speed GB/Min
HASH single drive, in a single session (Samsung 870 EVO SSD)
SHA-1 32.1
MD5 32.1
SHA-1+ MD5 32.1
HASH 2 drives in 2 separate sessions (2 Samsung 870 EVO SSD)
SHA-1 + MD5 drive 1 29.0
SHA-1 + MD5 drive 2 29.0
HASH single drive, in a single session (1TB WD black M.2 NVMe)
SHA-1 132.00
SHA-1 + MD5 132.00
Erase Drives using 1TB WD Black M.2 NVMe SSD
Read Verify 202.00
Single Pass – User Erase Mode 153.00
Forensic Imaging
100% bit by bit Imaging 1 TB WD Black to 1 TB WD black M.2 NVMe SSD
no HASH 187.00
with SHA1 HASH 137.00
DD Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
with SHA-1 + MD5 HASH 30.1
DD Imaging SanDisk Extreme II SSD to Samsung 850 EVO SSD 2 GB file Chunks and NTFS)
with SHA-1 + MD5 HASH on 28.5
E01 Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
with SHA-1 + MD5 HASH on 24.2

 

Technical Specs

 

Main Hardware Features:
Case: Mobile, lightweight, Rugged, and easy to carry.
CPU: i7 latest generation CPU.
Display: color LCD 15.6” display, LED back-light.

Hardware: Very high-quality, high performing components; some with military specifications.

OS: Linux Ubuntu 64 bit and Win 10 Professional 64 Bit in a dual boot.

Security: Linux OS (Linux is less targeted by malware).

Hardware Upgrade: The unit can be upgraded at the time of purchasing for additional cost to a larger internal SSD.

Application Updates: The application can easily be updated by using any of the unit’s USB ports and by a simple tap on the “update software” icon from the unit’ main menu.

 

Hardware Specifications:

RAM: 32GB DDR4 internal memory.

Internal storage: 1TB SSD SATA.

Storage controller: NVMe 4 ports storage controller, SAS 2.0 4 ports storage controller

 

Hardware Supports:

Source Ports: One SAS/SATA, one NVME U.2, and one USB3.2 gen2 ports are set as source ports (the user cannot change the role of these ports).

Target Ports: Three SAS/SATA, 3 U.2 NVMe, 1 USB-C/Thunderbolt 4.0, 7 USB3.2 ports.

Supports Storage Protocols and Interfaces: NVMe, SAS,SATA, e-SATA enclosures, IDE, USB2.0, USB3.2, MMC, 1394, TB

Supports Form Factors: 3.5”, 2.5”, ZIF, 1.8”, Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, M.2 SATA, PCIE-Memory Card*, Mini PCIE, SFF-8639 U.2 NVMe, M.2 NVMe, and CF-30.

* with optional adapters

 

Application Settings:

HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas and resize the “Suspect” hard drive to its full native capacity in order to capture any “hidden data: (HPA/DCO are special areas on the drive that support this feature).

Bad Sectors Handling: The user can select to skip bad sectors, skip bad blocks, or abort the operations. The skipped, bad sectors will be reported in the log file in detailed or in summary.

48bit LBA Addressing: Supports drives with sizes up to 256TB.

Forensic Images – Destination: The user can save Forensic Images to any storage device attached to the SuperImager unit, or to any connected network, using the unit’s 1 Gigabit/s port, the 10 Gigabit/s Option, any external USB3.0 RAID (encryption is optional), or an external NAS storage at a very good speed.

Cross Copy from any Ports and any Interfaces: The user can choose to capture from one port, with one type of storage protocol and interface, and save the forensic image onto a different storage protocol and interface using destination ports. The cross copy of data can be done between any of these interfaces – SAS/SATA/IDE/USB/SCSI/1394/NVMe.

Audit trail and operation Log Files: Generated automatically by the application and saves it on the Evidence/Target drive (XML,PDF).

 

Application Features:

GUI: The application is built with large and very simple and easy to navigate icons. In a few clicks the user can set an operation and it will quickly be up and running.

Speed: Extremely fast – one of the fastest Forensic Imaging solutions available on the market today, achieving a speed of above 32GB/min for SATA SSD and 100GB/min for NVMe SSD.

– Tested with the HASH verification operation with SHA-1, SSD ran a top speed of 30GB/min and 1TB WD Blue SATA-2 HDD ran a top speed of 10GB/min.

– Tested with the Forensic Imaging operation of 1 to 2 with SHA-1, 3 SSD of Samsung Pro 240GB ran a top speed of 32GB/min.

– Tested with the Forensic Imaging operation of 1 to 2 with SHA-1, 3 SSD of Samsung NVMe 1 TB ran a top speed of 100GB/min.

 

Application’s Main Operations:

Forensic Imaging Mode

Complete Forensic Platform

Data Eraser and Format

HASH Calculation Authentication and Verification

Network

 

Forensic Imaging Mode:

– Mirror imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional compression, Selective Capture (Capture Partitions, Files and Folders, and with the use of file extension filters), Mix-Format of DD/E01/Ex01, selecting one partition capture.

Targeted Imaging: Sometimes the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now the user can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows User-Folders or Windows User-Documents and User-Pictures). With the use of preset file extension filters or adding its own filters, the Forensic Investigator can narrow their capture scope and shorten its acquisition time.

Forensic Restore: Back up the data that was captured to another drive in the original format.

Forensic Images Formats:Multiple Image Formats

a) 100% Bit by Bit Mirror copy.

b) Linux-DD Format.

c) Encase E01/Ex01 Formats (includes options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/Ex01/Linux-DD.

d) Mix-Format is where the user can capture from one source drive and save the images onto multiple destination ports; each target port can be selected to be one of the 3 E01/Ex01/Linux-DD.

e) In addition, the user can use a file-based copy to copy files and folders by using selective imaging with file extension filters.

f) Single partition capture.

g) VHD capture.

Imaging and Verify: The user can select to run forensic imaging with 3 HASH engines and also enable the “HASH the target and compare HASH” feature. That is kind of a stand operation to make sure the captured image is not altered or corrupted.Reading speed from a source drive (32GB/min SATA, 202GB/min NVMe).

Drive Spanning: Supports spanning the captured data onto many “Evidence” drives when the Evidence drives are not large enough (also supports restore images that are spanned over multiple drives).

Encryption: On-the-fly AES256 encryption of the “Suspect” drive, saving the encrypted data on the “Evidence” drive in 100%, DD, E01/Ex01 formats.

Decryption: The user can perform decryption on a drive that has been previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryptions on an encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility application, where the encrypted drive and a blank destination drive are attached to the PC (the user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility application in order to make sure that the user can always decrypt the drive was were once encrypted via a MediaClone unit and not to rely on TruCrypt or other third-party applications that might not be supported in the future.

Forensic Imaging Tool: In one read-pass from the “Suspect” drive, the SuperImager Plus application can run the following operations simultaneously: Forensic imaging with E01 format and full compression, Encryption with AES256, calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), save the captured Forensic Images to 2 “Evidence” drives to a local network, and external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 2:2 and more for SATA/NVMe and USB3.0/USB3.1 storage devices.

Extreme Speeds when performing Forensic capture with E01/Ex01 formats and full Compression:

– The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while also performing at incredibly high speeds with E01/Ex01 formats and full compression. The application allows the user to manually select and adjust the number of hyperthreads and the level of compression used during each session.

– Forensic data captured with Encase E01/Ex01 formats with full compression is widely used for operations in the forensic industry and generally requires a trade-off between speed, space, and time of decompression by the Encase application.

– Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. The tests were performed with the same hardware, the same hard disk drives (filled 43% of the drive with random data), and the same level 1 compression. The Linux-based application was set to use 16 compression threads.

 

Complete Forensic Platform:

– In addition, the unit can serve as a platform for a Forensic Investigator to run a complete investigation and to perform:

Virtual Drive Emulator: Enables the user to run a drive, or image of a drive emulator, on the unit (Windows only) and allows the user to share folders and copy important files (bypass the user Windows password). Mount a Suspect drive or it’s DD/E01 images, simulate it in its native Windows Environment, and extract important files.

Secure Write Blocked File Preview: Browse and preview the captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port’s write-blocking mechanisms, turn on the power to the drive using the application’s power icon, and mount the drive using Ubuntu. The drive Doc files, including XLS, can be viewed using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive on Windows.

High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data.

Cellphone/Tablet data extraction and analysis – Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications, and more (the user can also use all of the 8 USB3.0 ports to run cellphone extractions)

Triage data collection – Nuix/Encase/ADF portable applications.

Full computer forensic analysis – Encase, Nuix, Axiom, and FTK applications (data is already captured, and the hardware can support a full analysis).

– The units’ have very firm hardware that enables the applications to run with excellent performance.

 

Data Eraser and Format:

– Erase the Evidence drive prior to use (with extremely fast speed of up to 28GB/min with the use of SSD and up to 11GB/min with the use of HDD).

– Erase the remainder of the drive after the copy.

Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, NVMe Secure Erase, or a User-mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are all NIST 800-88 compliant).

Format: NTFS, FAT, HFS+, EXT4, and exFAT.

Erase Verify: Run Erase Verify to verify that the drive was erased before use

Erase Logs and Erase Certification: The application generates extensive erase logs and files with an NIST 800-88 erase certification (also runs S.M.A.R.T. tests before and after the erase operation and is saved to XML file format) which can be exported to a USB thumb drive. The application also has a built-in erase database that can easily be exported to XLS.

Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.

 

HASH Calculation Authentication and Verification:

HASH Authentication: Simultaneously calculated on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2/SHA512 during the same session.

HASH while Capture: MD5, SHA-1, SHA-2, SHA-512 (all the 4 HASH protocols can be selected to run simultaneously).

 

Network:

Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network and save to a network) supports SMB, NFS, and CIFS networks protocols. The capture can run with HASH authentication and HASH verification.

Saves Forensic Images to Network: Upload multiple Forensic images to a local network (DD, E01) simultaneously by using 10 Gigabit/s port.

Disable Network process and protocols for security reasons: Those network protocols are easy to disable using Ubuntu Preferences Tools.

Copy loose files from/to the network: The user can copy files from/to a network with HASH authentication for better data integrity.

Remote Capture (Intel based CPU)- Capture data from the Internal Drives of an un-opened Laptop or Computer: Using USB or 1 Gigabit Ethernet ports on the laptop/computer enables the user to use the Remote capture application via a USB stick, without the need to remove the drive from the laptop/computer or boot the laptop from its own OS (the capture speed is restricted to the performance of the Laptop/PC CPU and the 1 Gigabit/s connection). The capture application can run using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter, and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45 network ports).

 

Parallel Operations:

Parallel Forensic Imaging – Multiple Session Operations: Improves the efficiency of the evidence data collection process by using multitasking and using a parallel imaging process. The user can take advantage of the SuperImager unit’s multiple available ports and run multiple, efficient, parallel operations. The user can mix different types of operations, and each operation can be set as a new independent session. An example of an operation: erase data from a drive connected to one port and HASH verify a different drive connected to the second port, all while performing forensic imagining of 1 to 1 on drives connected to the remaining ports.
– Port’s rule increase possibilities:The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a port’s role from “Evidence” to “Suspect” port. The session control application screen provides the user with comprehensive information and direct control over the running sessions, including all the settings of the session and the ability to abort the session.

Detection Application Screen: All drives and storage devices that are connected to the unit will be “scanned” and displayed in one application screen called “The Detection Screen”. The user can tap on each drive to get its detailed info and run some specific utilities regarding that drive (as long as it is a target drive) – like a quick S.M.A.R.T. test (only using the “Target” port), run a Virtual Emulator (“Source” port), safely preview the contents of the drive (“Source” port), as well as select it for any desired operation they are planning to use.

Basic Parallel Forensic Imaging: The supported modes are: Native SATA (1 to 1, 1 to 2 imaging mode uses the e-SATA port, which needs to be supplied with external power. Native NVMe (1:1)

More Ports for Forensic Imaging: with the use of USB3.0 to SATA fast adapters. In addition, with the use of the optional Thunderbolt 3.0 Expansion Box to add more needed ports, like NVME, 4 SAS/SATA, and more..

 

More Features:

Drive Trim: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.

– Application Audio Notification: The user can enable some audio notification features, like end of a session.

Unit’s User Configuration: This feature allows the administrator of the unit to set specific operations with specific settings, and allows the user to secure it with a lock password (This feature needs to be requested at the time of purchasing the main unit – it is needed for security purposes).

Tasks Scripting: The user can create a script to run sequential operations and parallel operations. There are no limitations on the number of scripts and operations one can run. Be aware that if the operation requires the use of an input it will stop and wait for the user to input (like when the user is running a drive scanning and a user’s response is needed).

Language Supports: Easy to implement translations for new languages. Now supporting Korean and Chinese languages.

Keyword search before imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords (this is a quick keyword search to determine if a Suspect drive needs to be captured).

Keyword search while imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords included in the search images.

Partition imaging: Gives the user the ability to select only one partition (per sessions) to perform forensic imaging and save it into the Evidence drive in DD/E01/Ex01 format.

Cloud Storage Connection: With the use of Insync paid services the user can sync to Microsoft OneDrive, Google Cloud, and others cloud storage

Network Multiple Forensic Image Loader: Besides the ability of the application to upload forensic images (DD, E01) to the network via the 1 Gigabit/s network port, there is also a unique feature/solution that can solve the streaming bottleneck issue by using a single port. With this solution the user can upload many Forensic images directly to a local network using 5 equivalent 1 Gigabit/s network streams. Alternatively, the user can use the Thunderbolt 3.0 port to connect to a 10 Gigabit/s network.

Built in the US: The units are built and tested in the US.

Warranty: One-year free warranty on the main unit (does not include warranty on accessories, adapters, and cables).

 

Ports:

Native NVMe 4 U.2 ports , 4 SAS/SATA ports with data and power combo Ports (1 source and 3 target ports).

e-SATA: one target port (connected directly to the motherboard) for external storage (“hot” plug) for DVD, or as a normal Evidence Port.

USB3.0/3.1 gen1: 1 target ports ( all the unit’s USB ports can also be used as a host to plug and use a keyboard, mouse, and other peripherals).

USB3.2 Gen 2 (10 Gigabit/s): one source and 6 target ports

USB-C/Thunderbolt 4.0 : one target port

10 Gigabit/s: For network connectivity and remote data acquisition from an unopened PC/Laptop.

Additional ports: 2 Audio ports with 3.5mm connectors to support the plug ear-phones, and/or microphones, and include 2 side speakers

 

Power Characteristics:

– A built-in, universal, auto switching 500W UL/CE/PSE external power supply adapter with a key and lock-in mechanism to avoid accidental disconnection.

Input Voltage: 100-240V/50-60Hz.

 

Operating Environment:

Temperature: 5°C – 55°C (40°F-130°F).

Relative Humidity: 20-60% non-condensing.

 

Mechanical Characteristics:

Unit net weight: 35.00 lbs

Unit dimensions: 20″ x 15″ x 8″.

Shipping dimensions: 24″ x 18″ x 12″, 40.00 lbs.

 

Included Items:

– 4 SAS/SATA 29 pins Extension cables.
– 4 NVMe U.2 extension cables, and U.2 to M.2 Vertical Adapters with locking mechanism.
– Mac/Thunderbolt Kit: Enable the user to capture form Mac with 1394/ Thunderbolt 2.0 / Thunderbolt 3.0 ports – include all the cables and adapters
– USB mini Keyboard.
– Thunderbolt to HDMI adapter
– Accessory bag to store all adapters, cables, and the keyboard.

 

Extended Information

 

Options:

  • Remote capture kit via USB port or 1 Gigabit/s Ethernet ports
  • SATA to USB3.0 Adapter (User can transform USB3.0 port into SATA port with the use of external power supply)
  • USB3.0 to SATA 4 Channel Kit convert 4 USB3.0 ports to 4 SATA ports at high speed (20GB/min) The Kit includes 4 USB3.0 to SATA drive adapters and one power supply to power 4 SATA hard disk drives