Wednesday, October 2, 2013

Daily Blog #101: Forensic Imaging Speed Testing

Howdy Reader,
I'm off today to Burlington, Vermont to go talk to the students at Champlain College about computer forensics. I'm looking forward to a room full of students who are passionate about computer forensics and who want to talk about what their future holds for them. If you watched the Forensic Lunch you got to see a preview of Eric Zimmerman's results from his speed testing of different forensic imaging tools, both hardware and software. As of yesterday, Eric has released his results in the form of a Google Docs spreadsheet found here:

https://docs.google.com/spreadsheet/lv?key=0Al7os14ND-cFdGp1NDR2WGwyakR2TkJtNUFXa29pNXc&type=view&gid=0&f=true&sortcolid=11&sortasc=true&rowsperpage=250

The link above is in Google Docs' 'list view' and is already sorted by total seconds elapsed to image, so the fastest tools appear first in the list.

According to Eric's testing, the fastest forensic imaging combination of filesystem and software today is Guymager writing an E01 to Ext4, beating out the Tableau Imager writing an E01 to NTFS by 53 seconds. Guymager is a free and open-source forensic imaging program that runs on Linux and comes with most forensic Linux boot CDs, while Tableau Imager is a Windows-based program that only works with Tableau's hardware write blockers.

The winner of Eric's testing was surprising to me, not only because writing to Ext4 was faster than writing to Ext2 (I thought writing to a journaled filesystem would have some kind of detrimental performance impact that would let Ext2 edge it out) but also because the software imaging solutions beat the hardware imagers.

One of the main selling features of the expensive hardware imaging solutions has always been their speed. I think what Eric's testing is showing is that modern imaging programs that are multi-threaded and running on modern hardware have the ability to outdo their embedded hardware competition. That's not to say you should never buy a hardware imager like Tableau's TD3, but do so because you want the safety of reduced error rather than the speed.

There is a 1 hour and 10 minute difference between the fastest result, Guymager, and my current standard imaging tool, FTK Imager. I didn't expect that, but then again I did all my prior testing of Guymager writing to NTFS before learning more about the performance impacts of the FUSE driver. An hour per TB image difference is pretty huge when you consider how many systems are being imaged now and their growing drive sizes. As Eric's testing hopefully moves on to further phases, I'm hoping to donate some larger storage disks so we can see if the performance benefit he sees is linear.

I will be testing TIM and Guymager again, looking to change my lab's standard imaging toolkit based on these results, as well as looking more deeply into the possibility of the X-Ways Imager, since it could fully AES-encrypt an image with only two minutes difference from Guymager while writing to NTFS. The only reason this is not my first choice is that I hate having forensic imaging programs that require dongles, as they restrict my ability to deploy and respond to cases.
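If you want to repeat the kind of filesystem comparison above in your own lab before changing your standard toolkit, here is a small timing harness. It is an added example, not code from this post or from Eric's spreadsheet; it assumes GNU coreutils (dd, sha256sum, date +%s%N) on Linux, and it verifies the image by hash so a fast target that silently corrupts data does not win the comparison.

```shell
#!/bin/sh
# Added example: time a raw image of SRC into DST and verify it by hash.
# Assumes GNU coreutils (dd status=none, date +%s%N) and a POSIX shell.

# Print the SHA-256 digest (hash only) of a file or block device.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_time SRC DST [BLOCK_SIZE]
# Copies SRC to DST with dd and prints "<bytes> <elapsed_ms> <MB/s>".
# Hashing is done after the copy and is not part of the timed window.
# Returns 1 (and prints nothing on stdout) if the hashes differ.
image_and_time() {
    src=$1; dst=$2; bs=${3:-4M}
    start=$(date +%s%N)
    dd if="$src" of="$dst" bs="$bs" status=none
    sync                              # flush the target filesystem's cache
    end=$(date +%s%N)
    elapsed_ms=$(( (end - start) / 1000000 ))
    [ "$elapsed_ms" -gt 0 ] || elapsed_ms=1   # avoid division by zero
    bytes=$(wc -c < "$dst")
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: $src $src_hash vs $dst $dst_hash" >&2
        return 1
    fi
    # MB/s with integer arithmetic: bytes*1000 / (ms * 1 MiB)
    echo "$bytes $elapsed_ms $(( bytes * 1000 / (elapsed_ms * 1048576) ))"
}

# compare_targets SRC DIR...
# Images SRC once into each target directory (for instance mount points
# formatted Ext4, Ext2 and NTFS) and prints one line per target,
# sorted fastest first, the same ordering as the spreadsheet's list view.
compare_targets() {
    src=$1; shift
    for dir in "$@"; do
        printf '%s ' "$dir"
        image_and_time "$src" "$dir/image.dd" || printf 'HASH MISMATCH\n'
    done | sort -k3,3n
}
```

Run the same source device through compare_targets with each candidate target mounted, and repeat a few times, since a single run is dominated by disk cache state.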