Testing Acquisition Software Part 1

November 15, 2010
Filed under Reviews

At work we’re going for the ISO 17025 certification. As part of this I have been verifying and testing tools for a few weeks. This has involved creating a test hard drive containing sample evidence and using my forensic tools (both hardware and software) against that drive and the subsequent images.

The most recent tests have involved imaging software. I need to make sure that it is accurate and that each forensic tool acquires the same data and produces the same acquisition and verification hash. I thought I’d share my results as they may be of interest to you. The software I have been using for acquiring hard drives is Tableau Imager, FTK Imager 3, and EnCase 6.17. My computer is an HP z600 with two quad-core Xeon processors and 12GB RAM. My OS is Windows 7. I have a Tableau T3458is Forensic Bridge attached via FireWire 800.

I started with a 320GB laptop hard drive, wiped it, and installed an OS. I then used it to generate some artefacts. When finished it had around 12GB of allocated space, so not a great deal, but enough for testing purposes. Each piece of software was set to full compression.

First up was Tableau Imager version 1.1. It acquired the drive in one hour and fourteen minutes. I wondered if this was wrong, as that makes it about 4GB/minute in acquisition speed.

Next up was FTK Imager version 3. That acquired the same drive in three hours and forty-seven minutes. Quite a long time, I thought, but the hash was exactly the same as Tableau Imager’s.

Finally came EnCase 6.17. This acquired the hard drive in one hour and fifty-one minutes. Same hash value.

So, what does this mean? It kills me to say it, but the Guidance products way outperformed FTK Imager. Would this have changed if the drive had been completely full? I’ll find out in the future when I run more tests. I like FTK Imager; I still think it is one of the best pieces of software out there, as it is full of other features and is still available for free.

I knew that TIM (Tableau Imager) was quick when used with a Tableau write-blocker, but I didn’t expect it to image that quickly. I think that this will, at least temporarily, become my tool of choice for acquisitions. I very much doubt that it’ll be the same story when used with a different brand of write-blocker, but it is still impressive. However, my heart still belongs to FTK Imager.

EDIT

It should be noted that the compression used on each piece of software was exactly the same. Each produced the same size image.
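The comparison above rests on two checks: every tool’s acquisition and verification hash must match an independent recomputation, and the speed figures follow from drive size and elapsed time. The Python below is an added example (not the author’s tooling or any vendor’s code) that streams an image once to recompute MD5 and SHA-1, cross-checks them against per-tool reported hashes, and derives the GB/minute rate; the image bytes and the “tool log” dictionaries are constructed stand-ins, and `hash_image`, `cross_verify` and `throughput_gb_per_min` are names chosen here.

```python
import hashlib
import io

# Constructed stand-in for a raw (dd-style) image: 16 KiB of repeating bytes, not a real acquisition.
SAMPLE_IMAGE = bytes(range(256)) * 64


def hash_image(stream, chunk_size=1 << 20):
    """Read the image once in fixed-size chunks, computing MD5 and SHA-1 in a single
    pass so a multi-hundred-GB image never has to fit in memory."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        sha1.update(chunk)
        total += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def hash_bytes(data, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (the sample above or a test buffer)."""
    return hash_image(io.BytesIO(data), chunk_size)


def cross_verify(tool_reports, independent):
    """Compare the hashes each tool reported against an independent recomputation.
    Returns {tool: [algorithms that disagree]}; an empty dict means every tool agrees."""
    mismatches = {}
    for tool, report in tool_reports.items():
        for algo in ("md5", "sha1"):
            reported = report.get(algo)
            if reported and reported.lower() != independent[algo]:
                mismatches.setdefault(tool, []).append(algo)
    return mismatches


def throughput_gb_per_min(size_bytes, minutes):
    """Acquisition rate in decimal GB per minute (drive capacities are quoted in decimal GB)."""
    return size_bytes / 1e9 / minutes


if __name__ == "__main__":
    independent = hash_bytes(SAMPLE_IMAGE)
    # Constructed "tool logs": two agree with the recomputation, one reports a wrong MD5.
    reports = {"tool_a": {"md5": independent["md5"], "sha1": independent["sha1"]},
               "tool_b": {"md5": independent["md5"].upper()},
               "tool_c": {"md5": "0" * 32}}
    print("mismatches:", cross_verify(reports, independent))
    # Timings from the post: a 320 GB drive in 74, 227 and 111 minutes.
    for name, mins in [("Tableau Imager", 74), ("FTK Imager 3", 227), ("EnCase 6.17", 111)]:
        print(f"{name}: {throughput_gb_per_min(320e9, mins):.2f} GB/min")
```

The `bytes` field is worth checking too: an image whose byte count differs from the drive’s reported capacity points to a short read before the hashes are even compared.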

F-Response TACTICAL Review

December 10, 2009
Filed under Reviews

Matt Shannon of F-Response has been kind enough to send a copy of F-Response TACTICAL to me for review.

I have never written a product review before so please be gentle with me. I’m hoping that product reviews will become a regular item on the Forensic 4cast website.

On with the show…

F-Response software is designed to retrieve data from live systems through a network connection without altering the data on the original device.

The Hardware

Unlike previous releases of F-Response, TACTICAL has dual dongles. These dongles are uniquely paired, are clearly marked as ‘Examiner’ and ‘Subject’, and are provided in a handy little dongle case.

When conducting an investigation the subject dongle is plugged into the computer to be examined and the examiner dongle is plugged into your examination machine. At the moment the subject dongle only supports Windows (version 7 included), OS X, and Linux. The examiner dongle only supports Windows operating systems at the moment. Support for other operating systems will, no doubt, follow in the near future.

The Software

The process of getting access to the subject machine is somewhat simpler than in the ‘Field Kit’ edition. In the Field Kit edition an examiner would need to plug the dongle into a computer, find the IP address of that computer, enter that IP into their examination machine, and enter a username and password to connect.

With TACTICAL, plug the subject dongle into any computer on a network and start the software. It sends out a beacon across the network. Once you plug the examiner dongle into your examination machine, run the software, and click on ‘Auto Connect’, it will find the beacon and automatically connect to the subject machine. No username or password is necessary, as the verification is performed by the paired dongles.

Once a connection has been made the user is presented with a list of storage devices connected to that computer. This includes internal hard drives, RAIDs, external USB devices, etc. The one thing that I did notice, however, is that the F-Response subject dongle also appears in this list. This has potential for causing confusion if the examiner does not take care when conducting an investigation. In order to connect to a disk/volume a user simply right-clicks on the desired item and selects ‘Login to F-Response Disk’.

At this point the examiner is free to use whatever tools they see fit to conduct their investigation. As with other F-Response releases, TACTICAL is vendor neutral, so any of your typical forensic tools should work. I’ve tested TACTICAL with X-Ways, EnCase, FTK Imager, Drive Prophet, Histex, and so on. Each can perform its tasks exactly the same as if the device were plugged directly into the examination machine.

Conclusion

First the good:

  • This is a superior product to the field kit edition.
  • It will ease the process of gathering data from live systems and be of great use to many investigators.
  • The instructions are straightforward and simple to follow.
  • Compared with other similar products TACTICAL is a steal at only $490 ($390 for Law Enforcement, government, and non-profit organisations) for a year’s license.

The not-as-good:

  • F-Response does not encrypt its network traffic. If you want to protect the data in transit you’ll have to set up something yourself.
  • Although TACTICAL supports Windows, Linux, and OS X as subjects, at the moment it only supports Windows on the examiner’s side. I suspect that Matt Shannon and his crew are working on this and expect them to address this before much longer.

With each release F-Response gets better and better. I personally can’t wait to see what they have in store in the future.

What are your thoughts? The comments are open for you to leave your own point of view.