SANS Digital Forensics and Incident Response Blog

Putting Disk Imaging in the Fast Lane

When it comes to imaging a hard disk, I believe that keeping it simple is best. I also believe that faster is better. The less time it takes to prepare for imaging, and the faster the imaging speed, the sooner I can begin analysis.

I've imaged disks using many different methods. A few of the more common methods are:

For ease of use and imaging speed, when circumstances allow for it, I much prefer using the HardCopy 2.

HardCopy 2

Imaging appliances expedite the imaging process

The HardCopy 2 contains everything needed to image a 3.5" IDE drive, without needing a computer. Simply pick up a couple of SATA adapters, plus a 1.8" and a 2.5" drive adapter, and you're ready to image most hard drives you'll encounter.

Features of the HardCopy 2 include:

  • The IDE port labeled "Read Only Suspect Drive" uses built-in write block functionality that can't be disabled (I appreciate this feature, as it reduces the possibility of making a mistake)
  • Its "Wipe Drive" feature overwrites the entire destination disk with zeros, which is handy for sanitizing your destination disk before reuse
  • Its "Format Drive" feature will format the destination disk (you can choose NTFS or FAT32)
  • Its "Image Drive" feature performs a bit-level image of the source drive, saving it as a file onto the (pre-formatted) destination drive (It also records critical information about the source drive, including its make/model, geometry, serial number, and an MD5 hash of the drive as calculated during the imaging process)
  • Its "Clone Drive" feature will perform a bit-level copy of the source drive onto the destination drive
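The two steps in that list that make the result forensically defensible are the hash computed on the bytes as they stream off the source, and confirming that the destination really was zeroed before reuse. The following is an added illustration of both checks in software; it is not the appliance's firmware or code from this post. It is a small Python imager that reads a source in one pass, writes the image file, hashes the stream as it goes (MD5 as the appliance records, plus SHA-256 because MD5 alone is no longer adequate for integrity claims), re-hashes the written image to verify, and writes a JSON acquisition record. The function names, the record layout, and the use of a plain file as a stand-in for a block device are all assumptions of this example; on a real acquisition the source path would be a device node behind a write blocker.

```python
"""Added example (not from the post or the HardCopy 2): hash-while-imaging
and wipe verification for a forensic acquisition. Paths are supplied by the
caller; an ordinary file stands in for a block device here."""
import hashlib
import json
import os

CHUNK = 1024 * 1024  # read 1 MiB at a time; keeps Python overhead negligible


def hash_file(path, algos=("md5", "sha256")):
    """Hash a file or block device in a single streaming pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            for h in hashers.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hashers.items()}


def is_zero_filled(path):
    """True only if every byte of the destination reads back as 0x00,
    i.e. the sanitizing wipe actually completed."""
    zero = bytes(CHUNK)
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf != zero[: len(buf)]:
                return False


def acquire(source, image_path, log_path):
    """Stream `source` into `image_path`, hashing the bytes as they are read
    (the hash the appliance records 'during the imaging process'), then
    re-hash the written image and refuse to return a record if the two
    disagree. The record is also written to `log_path` as JSON."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            for h in hashers.values():
                h.update(buf)
            dst.write(buf)
            size += len(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before verifying
    acquisition = {a: h.hexdigest() for a, h in hashers.items()}
    verification = hash_file(image_path)
    if verification != acquisition:
        raise RuntimeError(
            "image hash mismatch: wrote %r, source stream was %r"
            % (verification, acquisition)
        )
    record = {
        "source": source,
        "image": image_path,
        "bytes": size,
        "acquisition_hash": acquisition,
        "verification_hash": verification,
    }
    with open(log_path, "w") as log:
        json.dump(record, log, indent=2)
    return record
```

Run `is_zero_filled` on the destination after a wipe and before formatting; if it returns False, the wipe did not cover the whole device and the destination should not be trusted to be free of data from an earlier case. The `acquire` record pairs the stream hash with the post-write hash so that any later dispute over the image can be settled by re-running `hash_file` on it.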

Summary

Because the HardCopy 2 (with the help of a few inexpensive adapters) can quickly image hard drives in a forensically sound manner, with very little prep time, it has become my tool of choice. I use it to sanitize my destination drive, format it with NTFS, then image the source drive to a file. Its compact size lets me keep it, the needed adapters and accessories, and a couple of hard drives in a Pelican 1450 case.

Brian Eckman, GCFA Silver #434, is currently the lead Forensic Analyst at the University of Minnesota. In addition to the GCFA, Brian holds the EnCE certification, and serves on the REN-ISAC Technical Advisory Group.

2 Comments

Posted September 6, 2008 at 2:57 PM | Permalink | Reply

hughtp

I've been pleased with the HardCopy2 device, but a truly compelling feature would be if they could devise a module that allows for hardware decryption of whole-disk encrypted drives during acquisition. While they are at it, they should incorporate hardware compression of the image. There will be increasing need for these features as whole-disk encryption is adopted across organizations, and end-user hard drive capacities balloon.

Posted September 7, 2008 at 1:05 PM | Permalink | Reply

arjames

I started reading this post because the topic seemed very interesting to me, but I was left disappointed that it was simply a person hyping a single product. As a reader of this blog and a GCFA, I would like to have value added when I read the posts. A one sided review of a product, with less information than I can get from the product's website doesn't provide a lot of value in my opinion. I was hoping to see the key features or disadvantages of the Hard Copy 2 compared to say the Logicube Talon. Or more detail of the benefits/drawbacks that an external device provides (such as documented speed comparisons) over the other two methods you listed and a listing of ALL of the different devices of that type for me to research myself.
I appreciate that you guys are putting in the time to provide the posts on this blog. I just want to make sure that the time you are spending is adding real value to the forensic community, which this blog is intended to do.