Standalone, industrial drive forensic imaging Lab unit. The unit is extremely fast and secure. It is built with the latest hardware technology to achieve the most efficient drive forensic imaging, performing at a very high speed, with the ability to image multiple drives at the same time. The unit supports 4 NVMe, 4 SAS/SATA, and 8 USB3.0/3.1 storage devices; and runs a Open Dual Boot of Linux OS for Forensic data imaging/virtual emulator, and Windows 10 for full forensic analysis, cellphone data extraction and analysis, and triage data collection. The user can run multiple, parallel, simultaneous forensic imaging operations from many storage devices, with 3 HASH values, and with an encryption on the fly. The unit’s top speed: 31GB/min SATA SSD, 187GB/min NVMe SSD.
1300 55 33 24
The SuperImager® Plus Desktop 8 NVMe Forensic unit is a standalone, dedicated NVMe forensic imager with the ability to perform multiple Forensic tasks, allowing the Forensic investigator to capture data in the Lab from multiple source drives to multiple target drives simultaneously and upload them to a network extremely fast. It also enables the user to perform a full Forensic analysis using Encase, Nuix and others Windows 10 application, or capture data from multiple cellphones, or use any third-party Windows application. The unit is industrial and durably built, using a desktop-style, with easy to use touchscreen icons. The unit has built-in 8 ports of NVMe and 10 ports of USB3.1. The unit is extremely fast with a high transfer rate imaging can reach 187GB/min.
The SuperImager’s main application (the unit’s software) supports many imaging methods like Mirror Image, Encase E01/Ex01, Linux-DD, Mix E01/DD.
Here are some of the tasks the unit can be used for:
1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD, E01/Ex01 (with full compression) formats, Mixed-Format DD/E01, copy the whole drive or only part of it.
2) Run a Selective Imaging (Targeted Imaging) of files, folders, and partitions with file extensions filters (for example, run E01 capture of 4 parallel simultaneous sessions using 8 NVMe SSD and 16 CPU compression engines).
3) Perform Forensic Imaging from many Suspect drives to one large Evidence drive; in append mode.
4) Upload many Forensic images to a network (SMB, CIFS, NFS).
5) Erase data from Evidence drive – using DoD (ECE, E), Security Erase, Enhanced Security, or Sanitize erase protocols.
6) View the data directly on the Ubuntu Desktop screen.
7) Encrypt the data while capturing (using the AES256 engine).
8) HASH the data while capturing – run all the three, SHA-1, SHA-2, and MD5 HASH engines, at the same time.
9) Run a quick Keyword Search on the Suspect drive prior to capture.
10) Run Multiple Cellphone/Tablets data Extraction and Analysis using a third-party application on the Windows 10 side.
11) Run Forensic Triage application using a third-party application on the Windows 10 side, prepare Forensic Triage keys, and view the captured targeted data.
12) Run a full Forensic Analysis application like Encase/Nuix/FTK.
13) Run Virtual Drive Emulator prior to the data being captured on the Linux side (this option is enabled on this unit).
14) Encryption and Decryption on the fly of drives that contain sensitive information.
15) Easily reconfigure the unit’s ports, where each of the target port can be configured as source or target for running 4:4 sessions, or to run an upload of 8 to a network.
16) Convert the unit’s 8 USB3.0 ports to SATA ports and run more parallel sessions (with the use of some USB3.0 to SATA adapters).
17) New feature – Use the SuperImager unit as a “Write Blocker” device: This new feature enables the SuperImager unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit by using the iSCSI protocol over a network connection.
A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different locations in the Write block mode.
The SuperImager unit will be connected to the same network and the Suspect drives will be attached to the SuperImager unit in read-only mode. The SuperImager unit will act as a “write blocker” for any of the unit’s attached storages, such as: SAS, SATA, USB, 1394, FC, SCSI, and NVMe.
The unit is designed to help expedite the forensic imaging process, especially in facilities where there is a large backlog in imaging drives, by performing many parallel forensic imaging in a true optimized multiple session’s application. The advantage of this unit is that it supports imaging from mix media of USB and NVMe SSD.
Additional operations that are available include HASH a drive, drive diagnostics, and scripting.
Main Hardware Features:
– Case: Desktop, Industrial
– CPU: i9 Latest Generation Quad Core Mobile CPU
– Display: 10”, LED back-light, touchscreen, color LCD display.
– 8 Channel HDD Open Tray Drive Caddy: Easy to insert and plug tray that accommodates any size and shape of NVMe SSD drives or storage devices; contains power status LED indicators.
– Hardware: Very high-quality, high performing components; some with military specifications.
– OS: Linux Ubuntu 64 bit and Win 10 Professional 64 Bit in a dual boot. The open Ubuntu OS allows for easy application modification to include new features, easy adaptation to new hardware, and ease of adding third-party Ubuntu applications.
– Dual Boot (Included):
– Data Capture Under Linux: Performs Forensic Imaging under Linux for a faster, more efficient, and more secure operation.
– Analyze the Captured Data under Windows 10: Reboot the unit to Windows and use third-party applications to perform data analysis and other tasks.
– Security: Linux OS (Linux OS is less targeted by malware).
– Hardware Upgrade: The unit can be upgraded at the time of purchasing for additional cost to a larger internal SSD.
– Application Updates: The application can easily be updated via a USB thumb drive and displays a special update application screen.
– RAM: 32GB DDR4 internal memory.
– Internal storage: 250GB SSD
– Storage controller: 4 NVMe controller on the main board with a maximum data rate of 97GB/min.
– Source Ports: One NVMe port, and one USB3.0/USB3.1 ports are set as source ports (the user cannot change the role of these ports).
– Target Ports: 7 NVMe ports, one e-SATA port, and 9 USB3.0/USB3.1 ports.
– Supports Storage Protocols and Interfaces: SATA, e-SATA enclosures, IDE, USB2.0, USB3.0/3.1, MMC, M.2 NGFF (SATA).
– PCIE Supports: Besides NVMe U.2 and M.2 NVMe, for support of PCIE NVMe PCIE memory cards use a special optional NVMe adapter*
– Supports Form Factors: 3.5”, 2.5”, ZIF, 1.8”, Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, PCIE – Memory cards*, SFF-8639 U.2 NVMe, M.2 NVMe, M.2 SATA, and CF-30.
*with optional hardware
– HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas and resize the “Suspect” hard drive to its full native capacity in order to capture any “hidden data: (HPA/DCO are special areas on the drive that support this feature).
– Bad Sectors Handling: The user can select to skip bad sectors, skip bad blocks, or abort the operations. The skipped, bad sectors will be reported in the log file in detailed or in summary.
– 48bit LBA Addressing: Supports drives with sizes up to 256TB.
– Forensic Images – Destination: The user can save Forensic Images to any storage device attached to the SuperImager unit, or to any connected network, using the unit’s 1Gigabit/s port, the 10Gigabit Option, any external USB3.0 RAID (encryption is optional), or an external NAS storage at a very good speed.
– Cross Copy from any Ports and any Interfaces: The user can choose to capture from one port, with one type of storage protocol and interface, and save the forensic image onto a different storage protocol and interface using destination ports. The cross copy of data can be done between any of these interfaces – SAS*/SATA/IDE/USB3.0/3.1/SCSI*/1394*/TB*
– GUI: The application is built with large and very simple and easy to navigate icons. In a few clicks the user can set an operation and it will quickly be up and running.
– Speed: Very fast – one of the fastest Forensic Imaging solutions available on the market today, achieving a speed of above 30GB/min.
– Tested with HASH verification operation with SHA-1, the top recorded speed was 30GB/min with SSD and 10GB/min with 1 TB WD Blue SATA-3 Hard Disk Drives.
– Tested with Forensic Imaging operation of 1 to 2 with SHA-1, the top recorded speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme II.
– Tested with Forensic Imaging NVMe 1:1 with Samsung MZVPV512HDGL SSD, the top recorded speed was 93.7GB/min.
Application’s Main Operations:
– Forensic Imaging Mode
– Forensic Platform
– Data Eraser and Format
– HASH Calculation Authentication and Verification
Forensic Imaging Mode:
– Mirror imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional compression, Selective Capture (Capture Partitions, Files and Folders, and with the use of file extension filters), Mix-Format of DD/E01/Ex01, selecting one partition capture.
– Targeted Imaging: Sometimes the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now the user can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows User-Folders or Windows User-Documents and User-Pictures). With the use of preset file extension filters or adding its own filters, the Forensic Investigator can narrow their capture scope and shorten its acquisition time.
– Forensic Restore: Back up the data that was captured to another drive in the original format.
– Forensic Images Formats:
a) Mirror Image Formats 100% Bit by Bit Mirror copy.
b) Linux-DD Format.
c) Encase E01/Ex01 Formats (includes options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/Ex01/Linux-DD.
d) Mix-Format is where the user can capture from one source drive and save the images onto multiple destination ports; each target port can be selected to be one of the 3 E01/Ex01/Linux-DD.
e) In addition, the user can use a file-based copy to copy files and folders by using selective imaging with file extension filters.
f) Single partition capture.
– Drive Spanning: Supports spanning the captured data onto many “Evidence” drives when the Evidence drives are not large enough (also supports restore images that are spanned over multiple drives).
– Encryption: On-the-fly AES256 encryption of the “Suspect” drive, saving the encrypted data on the “Evidence” drive in 100%, DD, E01/Ex01 formats.
– Decryption: The user can perform decryption on a drive that has been previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryptions on an encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility application, where the encrypted drive and a blank destination drive are attached to the PC (the user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility application in order to make sure that the user can always decrypt the drive was were once encrypted via a MediaClone unit and not to rely on TruCrypt or other third-party applications that might not be supported in the future.
– Forensic Imaging Tool: In one read-pass from the “Suspect” drive, the SuperImager Plus application can run the following operations simultaneously: Forensic imaging with E01 format and full compression, Encryption with AES256, calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), save the captured Forensic Images to 2 “Evidence” drives to a local network, and external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 1:4, 2:2, 2:3 and up to 3:3 for SATA, 2:4 for USB3.0 storage devices, and 1:1 for NVMe.
– Extreme Speeds when performing Forensic capture with E01/Ex01 formats and full Compression:
– The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while also performing at incredibly high speeds with E01/Ex01 formats and full compression. The application allows the user to manually select and adjust the number of hyperthreads and the level of compression used during each session.
– Forensic data captured with Encase E01/Ex01 formats with full compression is widely used for operations in the forensic industry and generally requires a trade-off between speed, space, and time of decompression by the Encase application.
– Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. The tests were performed with the same hardware, the same hard disk drives (filled 43% of the drive with random data), and the same level 1 compression. The Linux-based application was set to use 16 compressions threads.
Complete Forensic Platform:
– In addition, the unit can serve as a platform for a Forensic Investigator to run a complete investigation and to perform:
– The Forensic investigator can load and run third-party applications such as Cellebrite, Oxygen, DART, Paraben, and BlackBag. The user can also run third-party Triage applications under Windows on the attached Suspect or Evidence drives. The MediaClone Windows Drive Power Utility application allows the user to mount drives safely, either as read-only or read-write (depending on the unit’s port) in a secure way. The application also allows the user to dismount and remove drives in a safe way. The Suspect port is automatically assigned to be read-only.
– Virtual Drive Emulator: Enables the user to run a drive, or image of a drive emulator, on the unit (for Suspect Drives that were extracted previously from a Windows unit) and allows the user to share folders and copy important files (bypass the user Windows password). Mount a Suspect drive or it’s DD/E01 images, simulate it in its native Windows Environment, and extract important files (This function performs on the Linux side).
– Secure Write Blocked File Preview: Browse and preview the captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port’s write-blocking mechanisms, turn on the power to the drive using the application’s power icon, and mount the drive using Ubuntu. The drive Doc files, including XLS, can be viewed using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive on Windows.
– High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
– Cellphone/Tablet data extraction and analysis – Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications, and more (the user can also use all of the 8 USB3.0 ports to run cellphone extractions)
– Triage data collection – Nuix/Encase/ADF portable applications.
– Full Computer Forensic Analysis – Encase, Nuix, and FTK applications – data is already captured, and the hardware can support a full analysis.
Data Eraser and Format:
– The user can erase drives and USB3.0 storage devices by using the unit’s 2 SATA ports and 8 USB3.0 ports. The application supports DoD erase (Full, Lite), Security Erase, Enhanced Security Erase, and Sanitize erase protocols. DoD (Full and Lite) are NIST 800-88 compliant. The rest of the erase protocols need to be run with verify pass in order for them to be NIST 800-88 compliant. The application also supports the user erase mode with verification pass and the erase verification mode for drives that were previously erase by a third-party application or tool.
– Erase the Evidence drive prior to use (with extremely fast speed of up to 28GB/min with the use of SSD and up to 11GB/min with the use of HDD).
– Erase the remainder of the drive after the copy.
– Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, NVMe Secure Erase, or a User-erase mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are all NIST 800-88 compliant).
– Format: NTFS, FAT, HFS+, EXT4, and exFAT.
– Erase Logs and Erase Certification: The application generates extensive erase logs and files with an NIST 800-88 erase certification (also runs S.M.A.R.T. tests before and after the erase operation and is saved to XML file format) which can be exported to a USB thumb drive. The application also has a built-in erase database that can easily be exported to XLS.
– Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.
– Audit trail and operation Log Files: Generated automatically by the application and saves it on the Evidence/Target drive (PDF).
HASH Calculation Authentication and Verification:
– HASH Authentication: Simultaneously calculated on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 during the same session.
– HASH while Capture: MD5, SHA-1, SHA-2 (all the 3 HASH protocols can be selected to run simultaneously).
– Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network and save to a network) supports SMB, NFS, and CIFS networks protocols. The capture can run with HASH authentication and HASH verification.
– Saves Forensic Images to Network: Upload multiple Forensic images to a local network (DD, E01) simultaneously by using 1Gigabit/s port, 10Gigabit/s option, or any of the unit’s USB ports to upload up to 8 parallel 1Gigabit/s network streams.
– Disable Network process and protocols for security reasons: Those network protocols are easy to disable using Ubuntu Preferences Tools.
– Copy loose files from/to the network: The user can copy files from/to a network with HASH authentication for better data integrity.
– Remote Capture (Intel based CPU)- Capture data from the Internal Drives of an un-opened Laptop or Computer: Using USB or 1Gigabit Ethernet ports on the laptop/computer enables the user to use the Remote capture application via a USB stick, without the need to remove the drive from the laptop/computer or boot the laptop from its own OS (the capture speed is restricted to the performance of the Laptop/PC CPU and the 1Gigabit/s connection). The capture application can run using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1Gigabit/s to USB3.0 Adapter, and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45 network ports).
– Parallel Forensic Imaging – Multiple Session Operations: Improves the efficiency of the evidence data collection process by using multitasking and using a parallel imaging process. The user can take advantage of the SuperImager unit’s multiple available ports and run multiple, efficient, parallel operations. The user can mix different types of operations, and each operation can be set as a new independent session. An example of an operation: erase data from a drive connected to one port and HASH verify a different drive connected to the second port, all while performing forensic imagining of 1 to 1 on drives connected to the remaining ports.
– Basic Parallel Forensic Imaging: The supported modes are:
– NVMe: 1 to 1, 1 to 2, 1 to 3, 2 to 2, 2 to 3, and up to 4 to 4.
– e-SATA: for the use of the e-SATA port, the user will need to supply external power to the e-SATA plugged device.
– USB3.1: 1 to 1, 1 to 2, 2 to 2, and up to 5:5.
– The user can mix any NVMe and USB3.0/3.1 ports.
– More Ports for Forensic Imaging: with the use of USB3.0 to SATA fast adapters and in combination with the unit’s e-SATA port, the unit can support more combinations of Forensic Imaging of SATA drives.
Parallel Operations – Linux Elaborated:
– Detection Application Screen: All drives and storage devices that are connected to the unit will be “scanned” and displayed in one application screen called “The Detection Screen”. The user can tap on each drive to get its detailed info and run some specific utilities regarding that drive (as long as it is a target drive) – like a quick S.M.A.R.T. test (only using the “Target” port), run a Virtual Emulator (“Source” port), safely preview the contents of the drive (“Source” port), as well as select it for any desired operation they are planning to use.
– Parallel Forensic Imaging: This depends on the number and kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a port’s role from “Evidence” to “Suspect” port. The session control application screen provides the user with comprehensive information and direct control over the running sessions, including all the settings of the session and the ability to abort the session.
– Drive Trim: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.
– Unit’s User Configuration: This feature allows the administrator of the unit to set specific operations with specific settings, and allows the user to secure it with a lock password (This feature needs to be requested at the time of purchasing the main unit – it is needed for security purposes).
– Tasks Scripting: The user can create a script to run sequential operations and parallel operations. There are no limitations on the number of scripts and operations one can run. Be aware that if the operation requires the use of an input it will stop and wait for the user to input (like when the user is running a drive scanning and a user’s response is needed).
– Language Supports: Easy to implement translations for new languages. Now supporting Korean and Chinese languages.
– Keyword search: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords (this is a quick keyword search to determine if a Suspect drive needs to be captured).
– Keyword search while imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords included in the search images.
– Partition imaging: Gives the user the ability to select only one partition (per sessions) to perform forensic imaging and save it into the Evidence drive in DD/E01/Ex01 format.
– Partial Capture: When a Forensic imaging operation is terminated before it completes due to power failure or other reasons, some of the captured data can still be used. In this case, the SuperImager Plus application saves the partial captured data to the Evidence drive. A forensic investigator can use the data to extract vital information: 1) For 100% bit-by-bit capture mode using any forensic analysis application. 2) Fore E01 Capture mode using some data mining utilities (since the E01 was not completed it cannot be used by the EnCase application since EnCase will detect the image as corrupted).
– Network Multiple Forensic Image “Loader”: Besides the ability of the application to upload forensic images (DD, E01) to the network via the 1Gigabit/s network port, there is also a unique feature/solution that can solve the streaming bottleneck issue by using a single port. With this solution the user can upload many Forensic images directly to a local network using 8 equivalent 1Gigabit/s network streams. Alternatively, the user can use the Thunderbolt 3.0 port to connect to a 10Gigabit/s network.
Expansion Capabilities and Main Hardware Options:
– USB3.0 to SATA Adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min. With the use of the USB3.0 to SATA 4 channel Kit, the user can convert 4 USB3.0 ports to 4 SATA ports.
– M.2 SATA to SATA adapter
– Macbook Memory and SSD adapters
– NVMe U.2 to PCIE adapters
– Built in the US: The units are built and tested in the US.
– Warranty: One-year free warranty on the main unit (does not include warranty on accessories, adapters, and cables).
– Native NVMe: 8 Ports
– Native USB3.1: 10 Ports (all these ports can also be used as hosts to plug in and use a keyboard, mouse, or other peripherals).
– e-SATA: 1 Port (connected directly to the motherboard).
– Generic USB2.0: 3 Ports
– 1Gigabit/s Ethernet: 1 Port
– HDMI: 1 Port
– Location of the Ports:
– Front Panel: 4 USB3.1 ports, 1 e-SATA port, and 1 USB2.0 port.
– Back Panel: 4 USB3.1 Gen1 ports, 1 USB3.1 Gen2 Type-C port, 1 USB3.1 Gen2 Type-A port, 1 HDMI port, 2 USB2.0 ports, and 2 1Gigabit/s Ethernet ports.
– A built-in, universal, auto switching 700W UL/CE/PSE external power supply adapter with a key and lock-in mechanism to avoid accidental disconnection.
– Input Voltage: 100-240V/50-60Hz.
– Temperature: 5°C – 55°C (40°F-130°F).
– Relative Humidity: 20-60% non-condensing.
– Unit :
– Dimensions: 16.0” x 15.0 x 4.0 (400 x 380 x 100 mm).
– 8-channel open tray dimensions: 11” x 6” x 2” (the user will have to attach the display pad to the main unit).
– Net Weight: 5.50 lbs
– Box Dimensions: 24” x 20” x 16”.
– Box weight: 35 lbs.
– 8 NVMe 68 Pins male to female power and data combo cables with secure brackets, with secure locking connection, and M.2 NVMe External adapters with secure brackets.