SANS Digital Forensics and Incident Response Blog

Hardcopy III

by Quinn Shamblin

[Images: HC3 controls; parts that come in the package]

VOOM has released a new version of their forensic hard drive imaging tool: Hardcopy III

As I reviewed their first two versions in a previous post, I figured I would test this one as well.
First, I like the size and portability of this version. Unlike HC and HC2, which have IDE connectors, HC3 has SATA connectors, so it is more compact. The package includes the HC3 device itself, a power supply, three SATA cables, and power cords for three drives.
[Image: HC3 connection ports]

The reason for three of everything is that it will make 2 evidentiary copies in parallel with no slowdown. VOOM has retained the simple and intuitive 3-button control system they have used for all three versions, but has added a few new features to HC3.

You can still Test, Format, Clone, Image and Wipe. You can still collect evidence from multiple suspect drives onto a single evidence drive (assuming you have enough space). But HC3 adds increased support for unlocking DCO and HPA so your image will be complete. It also adds a feature that allows you to set the date and time on the device for inclusion in your imaging records. For a full list of features, see the Hardcopy III Tech Specs.

It boots up and is ready for action very quickly, roughly 7 seconds.

[Images: evidence capturing layout with two evidence capturing drives; boot up ready screen; HC3 with date and time added; capture speed on a drive with 3.0 GB/min transfer speed]
VOOM specs state that HC3 will duplicate the source at up to 7.5 GB/min., or at up to 5.7 GB/min. with SHA256 verify enabled, but keep in mind that this is dependent on the transfer speed limits of your hard drives. In my tests, my hard drives were rated at 3.0 GB/min and as you can see above, my speeds were limited to that rate (as expected). It hashes using SHA-256 only. No MD5 or SHA-1 option.
One interesting behavior that was present in Hardcopy and Hardcopy II still exists in Hardcopy III, and, while your evidentiary procedure may preclude you from ever running into this, it is something of which to be aware.
The HC series uses a particular form of NTFS that is different than that used by XP or Vista. If you connect a drive containing an evidence image to XP or Vista without using a write-blocker, the OS will update NTFS on your evidence drive. The evidence images themselves remain completely intact and can be verified via SHA-256 hash, but NTFS on the host drive is changed. Once this happens, you will be required to format that evidence drive again using HC before you can use it to collect more evidence.
One scenario where this might happen: HC allows for the collection of multiple suspect drives onto a single evidence drive. However, unless you have a write-blocker in line, do not try to confirm that the capture process is working properly by disconnecting your evidence drive after the first capture and connecting it to a computer so you can review the contents.
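Re-verifying an image against the SHA-256 value recorded at acquisition takes one read pass, and the same pass can also produce an MD5 for tools that expect one. The following is an added example, not part of the original review or of VOOM's software; the function names, the file suffix and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time; images are far larger than RAM


def hash_image(path, algorithms=("sha256", "md5")):
    """Read the image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:  # read-only: the image is never modified
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded_sha256):
    """Check the image against the SHA-256 recorded at acquisition."""
    digests = hash_image(path)
    expected = recorded_sha256.replace(" ", "").strip().lower()
    return digests["sha256"] == expected, digests


def demo():
    """Constructed sample: hash a stand-in image, then corrupt one byte."""
    data = b"constructed sample image data " * 100000  # ~3 MB, not real evidence
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        recorded = hashlib.sha256(data).hexdigest().upper()  # as a report might print it
        intact, digests = verify_image(path, recorded)
        with open(path, "r+b") as f:  # simulate a single-byte copy error
            f.seek(10)
            f.write(b"X")
        corrupted, _ = verify_image(path, recorded)
        return intact, corrupted, digests
    finally:
        os.remove(path)


if __name__ == "__main__":
    intact, corrupted, digests = demo()
    print("intact image verifies:   ", intact)
    print("corrupted image verifies:", corrupted)
    print("MD5 from the same pass:  ", digests["md5"])
```

Run it only against an evidence drive attached through a write-blocker, for the NTFS reason described above.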
I like this product. As with the others in its line, it is fast, reliable and easy to use. A good addition to any kit.

Quinn Shamblin, quinn.shamblin@uc.edu, GCFA Silver #2801 Investigator, University of Cincinnati Information Security

4 Comments

Posted March 9, 2009 at 1:53 PM | Permalink | Reply

turtlecovetech

The lack of MD5 checksums is an issue.
It is true that a SHA-256 is mathematically stronger than an MD5. However, for simply guarding against a random bit error in copying a hard drive to an image, MD5 is fine, even a CRC-32 would have been fine. For guarding against malicious or accidental alteration of data during an investigation SHA-256 is no help because the main forensic tools in use, EnCase and FTK, do not provide a SHA-256 checksum. The end result is a second pass must be done with other hardware or software to calculate an MD5, doubling the effective copying time using the HC3.
Someone please point out the flaw in my argument because I'd love to purchase some HC3's :-)

Posted March 9, 2009 at 8:39 PM | Permalink | Reply

qshamblin

Thanks for bringing this up. You raise a good point. I would have preferred that they keep MD5 and added SHA-1 and/or SHA-256 as an additional feature. As it is, I still find it a good addition to my toolkit as the SHA algorithm is well known and many third party hashing tools exist that can be used for verification. I am a fan of HashCalc for example. It is free and will calculate many different hashes. Here is a link if you are interested: http://www.slavasoft.com/hashcalc/index.htm

Posted May 18, 2009 at 1:03 PM | Permalink | Reply

voomtech

Thank you for the review of the HC3; you were very thorough, fair and accurate. Note that VOOM has recently released an HC3 MD5 version. You can go to the website at http://www.voomtech.com, or email info@voomtech.com to receive additional information.

Posted September 26, 2014 at 1:36 PM | Permalink | Reply

188bet mobile

Thanks for sharing such a fastidious opinion, piece of writing is good, that's why I have read it fully