LINUX FORENSIC IMAGING
The SuperImager® Plus Desktop NVMe Forensic Lab Unit – is a heavy duty, industrial, and extremely fast Forensic Imaging unit that captures data from multiple sources to multiple target drives. The unit is running under Linux Ubuntu OS. It easy to use with many built-in features that help the user to automated imaging or uploading
The user can use to the unit to:
- Forensic Imaging: E01/Ex01 format and with full compression, DD, Mirror, Mixed format DD/E01, Selective Imaging of files and folders using file extension filters (for example run E01 capture of 4 multiple parallel sessions using 8 NVMe SSD and with 16 CPU compression engines)
- Imaging of many to one: Perform Forensic Imaging from many Suspect drives to one large Evidence drive, in append mode
- Upload Images to network: Upload many Forensic images to a network (SMB, CIFS, NFS)
- Erase: Erase data from many drives simultaneously using DoD(ECE, E), Security Erase, Enhanced Security, Sanitize erase modes
- View captured data: View the captured data directly on Ubuntu Desktop
- Virtual Drive Emulator: boot, mount and view the Suspect drive in its native environment (mount raw drive or DD/E01 drive image), and extract important files into Evidence drive or any external storage(SATA drives)
- Encryption and Decryption on the fly of drives that contain sensitive information
- Unit’s Port Role: Easily reconfigure the unit’s ports, where each of the target port can be configured as source or target for running 4:4 sessions, or to run 8 uploads to network
- USB to SATA adapters: Convert the unit’s 8 USB3.0 ports to SATA ports and run more parallel sessions (with the use of some USB3.0 to SATA adapters)
- Network: use the unit’ 2 Thunderbolt 3.0 ports (USB-c 10gigabit/s) to connect TB3.0 to PCIE 3.0 compact Expansion Box to supports other types of media
- Use the unit’s two 1Gigabit/s and one 5Gigabit/s native network ports to increase upload speed of DD/E01 images
The unit is designed to help expedite the forensic imaging process, especially in facilities where there is a large backlog in imaging drives by performing many parallel forensic imaging in a true optimized multiple session’s application.
The Unit Built-in:
8 native NVMe ports in a 8 open tray drive caddy, 8 native USB3.0 ports, 2 USB 3.1 ports, 2 Thunderbolt 3.0 ports(USB3.1), e-SATA port, 3 Generic USB2.0 port, Two of 1Gigabit/s Ethernet port, one of 5Gigabit/s port, HDMI port, DP port.
The Unit as Forensic Imaging Tool:
In one read pass from the “Suspect” drive, the application can run the following operations simultaneously: Forensic Imaging with E01 format and with full compression, Encryption with AES 256, simultaneously calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), and Saving the captured Forensic Images to many destinations such us 1) Two “Evidence” drives 2) Network 3) External compact USB3.0/e-SATA TB RAID encrypted storage 4) NAS. In addition, the user can run (optional) Virtual Drive Emulator to browse the Suspect drive under Windows, transfer and copy important files from the Suspect drive to any destination drives
The Unit as Data Eraser:
Supports DoD and Security Erase, Enhanced Security, Sanitize, User erase protocols that are NIST 800-88 compliance.
Main Hardware Features:
Case: Desktop heavy duty style
Hardware: Very high quality high performing components
The Unit’s Port:
o 8 NVMe native ports
o 8 USB3.0 – (Also all those ports can be used as a host to plug and use keyboard, mouse and other peripherals)
o 2 USB3.1 – (Can be used for USB3.0 as well)
o 1 e-SATA port (connected directly to the motherboard)
o Two of 1Gigabit/s, One of 5Gigbit/s native network port (not shareable)
o 2 Thunderbolt 3.0 (USB3.1) – great connection for USB3.1 or Expansion Box and NVMe
o 1 HDMI port
o 1 DP port
Hardware Upgrade: The unit can be upgraded at time of purchasing for additional cost, to a larger internal SSD
OS: Ubuntu 64 Bit and Win 8.1 Professional 64 Bit in a dual boot. The open Ubuntu OS allows for easy application modification to include new features, easy adaptation to new hardware and ease of adding third-party Ubuntu applications.
Writes-Blocking: MediaClone is using a Linux environment that never automatically mounts any of the Suspect/source drive partitions and all the source drives are automatically set as read-only to prevent accidental writes.
Application Updates: The application can be easily updated by using USB thumb drives and by using the “Update Software from USB” icon in the application tools screen
HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas, and resize the “Suspect” hard drive to its full native capacity, in order to capture any “hidden data” (HPA/DCO are special areas on the drive that support this feature)
Bad Sectors Handling: The user can select to skip bad sectors, a block of bad sectors, or to abort the operation when it encounters bad sectors on the “Suspect” drive.
The skipped bad sectors will be reported in the log file in detailed or in summary
Forensic Images – Destination: The user can save Forensic Images to any attached storages to the SuperImager unit, or to any connected network using the unit 1Gigabit/s port or the 10Gigabit Option, or to any external USB3.0 RAID (encryption is optional) or external NAS storage in a very good speed.
Captured Storage Protocols and Interfaces: SAS*, SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, USB3.1, MMC, M.2 NGFF(SATA), SCSI*, FC*, 1394*
PCIe Supports: With the use of the Expansion Box Option and optional Express card reader, or special NVMe Adapters to support PCIE Express cards, PCIE express Memory.
Form Factors: Capture data from various form factor devices: 3.5″, 2.5″, ZIF, 1.8″, Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, PCIE*, Mini PCIE*, NVMe- SFF8639,M.2 NVMe, M.2 SATA, CF-30
Cross Copy from Ports and Interfaces: The user can choose to capture from one port with one type of storage protocol and interface, and save the forensic Image into a different storage protocol and interface using destination ports. The cross copy of data can be done between any of those SAS*/SATA/IDE/USB/USB3.1/SCSI*/1394*/TB* interfaces
GUI: The application is built with large icons and is very simple and easy-to-navigate. In a few clicks, the user can set an operation, and it will be quickly up and running
Extremely fast – One of the fastest Forensic Imaging solution available in the market today achieving a speed of above 30GB/min
• Tested with HASH verification operation with SHA-1 enabled the recorded top speed was 30GB/min with Solid State Drive, and 10GB/min with 1TB WD Blue SATA-3 Hard Disk Drive
• Tested with Forensic Imaging operation of 1 to 2 with SHA-1 enabled the recorded sustained top speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme II
• Tested NVMe Forensic Imaging: 1:1 using Samsung MZVPV512HDGL NVMe SSD as Evidence drive, speed reach 93.7GB/min
Extreme Speeds when performing Forensic capture with E01/Ex01 formats and with full Compression:
• The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while performing at incredibly high speeds with E01/Ex01 formats with full compression. The application allows users to manually select and adjust the number of hyper-threads and the level of compression used during each session
• Forensic data capture with Encase E01/Ex01 formats with full compression is widely used operation in the forensic industry, and generally requires a trade-off between speed, space, and time of decompressing by the EnCase application
• Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. Tests were performed with the same hardware and the same hard disk drives (filled with 43% of random data), and the same level 1 of compression. The Linux-based application was set to use 16 compression threads
HASH Authentication: Simultaneously calculates on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 at the same session
Encryption: On-the-fly AES256 encryption of the “Suspect” drive, saving the encrypted data on “Evidence” drive in 100%, DD, E01/Ex01 formats.
Decryption: The user can perform decryption on a drive, previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryption on the encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility, where the encrypted drive and a blank destination drive were attached to the PC. (The user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility in order to make sure that the user can always decrypt the drives that were encrypted via the MediaClone units, and not to relay on TruCrypy or other third-party application that might not be supported in the future
Forensic Images Formats: Multiple Image Formats 100% Bit by Bit Mirror copy, Linux DD Format, Encase E01/Ex01 Formats (include options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/E01/DD. Mix-Format is where the user can capture from one source drive and save the images into multiple destination ports, each target port can be selected to be one of the 3 E01/EX01/DD formats. In addition, the user can use a file-based copy to copy files and folders, by using selective imaging with file extension filters
Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4
Audit trail and operation Log Files: Generated automatically by the application and saves on the Evidence/Target drive (PDF).
Drive Spanning: Supports spanning the captured data onto many “Evidence” drives, when the Evidence drives are not large enough (Also supports restore images from spanned over multiple drives)
Main application Features:
• Forensic Imaging Mode
• Forensic Restore back the data that was captured to another drive in the original format
• Erase data from drives and Format/Quick Format drives
• Keyword Search prior to the capture
• HASH calculation authentication and verification
• Virtual Drive Emulator Option: Enable the user run a drive or image of a drive emulator on the unit (Windows only), and ability to share folders and copy important files. (Bypass the user Windows passcodes)
• Remote Capture (Intel based CPU) – capture from unopened laptops and PC
Main Forensic Imaging Mode Features:
• Forensic Imaging Modes: Mirror Imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional compression, Selective Capture(Capture Partitions, Files and Folders and with the use of file extension filters), Mix-Format of DD/E01/Ex01
• Targeted Imaging: Some time the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now he/she can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows user folders or Windows User- Documents and User-Pictures). With the use of pre-set file extension filters or add its own filter, the Forensic investigator, can narrow it capture scope and shorten is the acquisition time
• Partition Imaging
• Keyword Search on the Suspect drive, prior to the data capture or during the capture
• HASH while capture: MD5, SHA-1, SHA-2 (all 3 can be selected simultaneously)
• Erase The Reminder of the drive, after the copy
• Encryption/Decryption on the fly
Parallel Forensic Imaging – Multiple Session Operations: Improve efficiency of the evidence data collection process by using multitasking and parallel imaging process. The user can run multiple efficient parallel operations taking advantage the availability of the SuperImager unit’s multiple ports. The user can mix different type of operations, and each operation can be set as a new independent session. An example of operations: erase data from a drive connected to one port, HASH verify on a different drive connected to the second port, while performing forensic imaging of 1 to 1 on drives connected to the remaining ports.
Basic Parallel Forensic Imaging: The supported modes are:
Native NVMe: 1 to 1, 1 to 2, 1 to 3, 2 to 2, 2 to 3 up to 4 to 4.
e-SATA: For the use of the e-SATA port the user will need to supply external power to the e-SATA plugged device
USB3.0: 1 to 1, 1 to 2, 2 to 2 and up to 4:4
More Ports for Forensic Imaging:
With the use of USB3.0 to SATA fast adapters and with the combination of e-SATA port, the unit can support many more sessions
Parallel operation – Linux Elaborated:
Detection Application Screen: All drives and storage devices that are connected to the unit will be “scanned” and displayed in one application screen called “The detection screen”. The user can tap on each drive to get its detailed info, run a quick S.M.A.R.T. tests (only using Target port), run Virtual Emulator (Source port), Safely preview the content of the drive (Source port), as well as selecting it for the desire operation they are planning to us
Parallel Forensic Imaging: It depends on the number and the kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a role of a port from been Evidence port to be Suspect port and is not limited by the pre-assigned “Suspect” ports. The session control application screen provides the user with a very comprehensive information and control over the running sessions, including all the setting of the session, and the ability to abort the session
Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network or save to a network) supports SMB, NFS, CIFS network protocols. The capture can be run with HASH authentication and HASH verification
Saves Forensic Images to Network:Upload multiple Forensic images to a local network (DD, E01), simultaneously by using 1Gigabit/s port, 10Gigabit/s option, or any of the unit’s USB port to upload up to 8 parallel 1Gigabit/s network streams.
Disable Network process and protocols for security reason: Those network protocols are easy to disable using Ubuntu Preferences tools
Copy lose files from/to the network: The user can copy files from to network with HASH authentication for a better data integrity
Remote Capture – Capture Data from the Internal Drives of a un-opened Laptops or Computer: Using USB or 1Gigabit Ethernet ports of the laptop/computer, enables capture with the supplied Remote capture application on a USB stick, without the needs to remove the drive from the Laptop/computer or boot the laptop from its own OS (The capture speed is restricted to performance of the Laptop/PC CPU and the 1Gigabit/s connection). The captured can run with using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45-network ports
A few More Features:
Drive Trim Feature: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.
Unit’s User Configuration Feature: This feature allows the administrator of the unit to set specific operation with a specific setting and with a lock password to be used by operators and users. (This feature need to be requested at the time of purchasing of the main unit – It needed for security purpose)
Tasks Scripting Feature: The user can create a script to run sequential operation and parallel operations (more than 1 operation at the same time). There are no limitations on the number of scripts and operations. Be aware that for operation requires the use input, in that case, the operation will still stop and wait for the user input (Like when the user is running a drive spanning and a user respond is needed.
Language Supports Feature: Easy to implement translation for a new languages. Supporting today the Korean and Chines languages
Keyword Search: Ability to perform a quick keyword search on the Suspect drive files and folder with filters on the files extension types, and with a few important keywords. (This is a quick keyword search to determent if a Suspect drives need to be captured)
Keyword Search while imaging: Ability to perform a quick keyword search on the Suspect drive files and folder with filters on the files extension types, and with a few important keywords include search images
Partition Imaging: Ability to select only one partition (per session) to perform forensic imaging and save it into Evidence drive in DD/E01/Ex01 format
Partial Captures: When a Forensic imaging operation is terminated before it completes due to power failure or other reasons, some of the captured data can still be usable. In this case the SuperImager Plus application saves the partial captured data to the Evidence drive. A forensic investigator can use the data to extract vital information: 1) For 100% bit-by-bit capture mode using any forensic analysis application 2) For E01 Capture mode using some data mining utilities (since the E01 was not completed it cannot be used by the Encase application since EnCase will detect the image as corrupted)
Use the unit as a drive Eraser and Quick Format: Erase the Evidence drive prior to use, with extremely fast speed of up to 28GB/min with use of SSD and up
to 11GB/min with use of Hard Disk Drives.
Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, or a User-mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are NIST 800-88 compliance)
Format: NTFS, FAT, HFS+, EXT4, and exFAT
Erase Logs and Erase Certification: The application generates extensive erase log files and NIST 800-88 erase certification (Also S.M.A.R.T. tests before and after the erase operation and are saved to XML file format) and erase that can be exported to USB thumb drive. The application has also built-in erase databases that easily can be exported to XLS
Use the Unit as a Platform:
Secure Write Blocked File Preview: Browse and preview captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port write-blocking mechanism, turn the power to the drive by using the application power icon, and mount the drive using Ubuntu. The drive can be viewed including XLS, Docs files using the Ubuntu Open Office package.
Build in the USA: The unit is build and tested in the US
Warranty: One-year free warranty on the main unit (it is not included warranty on accessories, adapters, and cables)
* With Expansion options
Are you interested in this product?
or Please contact CDFS for more information
1300 55 33 24 | E-mail: firstname.lastname@example.org