SANS Digital Forensics and Incident Response Blog

Tableau Imager: First Look

I haven't paid much attention to write blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high speed connection (Firewire 800 / eSATA), I was happy. But I spent some time with Tableau's founder, Robert Botchek at the end of last year and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation. That's why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).

Michael Cloppert recently made an excellent plea for innovation in the IDS industry in his post, Detection, Bandwidth and Moore's Law. A key takeaway was that processor speed has reached a plateau and new advances are now occurring through number of cores per die. In many cases, software must be re-written to take advantage of multi-core processors. TIM takes advantage of this shift by parallelizing the actions that occur during the imaging process. Thus actions like hashing and compression can be performed in parallel with the imaging process, having little effect on the total imaging time.

The current feature set is limited, but it includes many of the features you want in a dedicated imaging product. For those of you who have used Tableau's Disk Monitor software, you will notice that TIM has incorporated it into the product.

[Screenshot: Tableau Imager Disk Monitor]

TIM provides a well thought out view of the available devices. Double-clicking on a device gives a Disk Information page that can be exported for report inclusion. The HPA / DCO information section is particularly helpful.

[Screenshot: Tableau Imager Disk Details]

Double-clicking in the Acquisition Queue brings up a graphical display of the current imaging process. The graphic is more than just eye candy. It is apparently designed to provide real-time feedback about any choke points that may be slowing the acquisition. I was unable to test this, which is likely due to using a relatively new quad-core system.

[Screenshot: Tableau Imager Acquisition Status]

My initial testing results were impressive, with 2.5 GB/min sustained speeds using 5400rpm SATA drives, while creating MD5 and SHA1 hashes and employing maximum compression. This was 30-40% faster than other imaging software I tested using the same hardware. When I performed the same acquisition with no hashing or compression, the acquisition speed was the same, indicating that the tasks are indeed being performed in parallel. Imaging speeds should be much faster using 7200 or 10000 rpm drives. For all my tests, I used the Tableau T35e bridge from the SANS FOR408 Computer Forensic Essentials course. TIM won't beat most handheld imagers, but the speed is excellent for a digital forensic workstation based acquisition.
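To make the parallelism claim concrete, here is an added Python example (not Tableau's code) that reads a constructed "device" once and fans each block out to MD5, SHA1 and compression workers over bounded queues, so the hashing and compression overlap the read the way the post describes; the device contents and the 1 MiB block size are assumptions.

```python
import hashlib
import queue
import threading
import zlib

# Constructed stand-in for a physical device: an 8 MiB repeating byte pattern.
FAKE_DEVICE = bytes((i * 7919 + 13) % 256 for i in range(1 << 16)) * 128
CHUNK = 1 << 20  # assumed 1 MiB read size per block
_EOF = None      # sentinel telling a worker the read is finished


def _worker(q, fn):
    """Drain blocks from q and apply fn to each until the EOF sentinel."""
    while True:
        block = q.get()
        if block is _EOF:
            return
        fn(block)


def image_parallel(device, chunk=CHUNK):
    """Sequential read; MD5, SHA1 and zlib each run on their own thread.
    hashlib and zlib release the GIL for large buffers, so the work really
    overlaps. Bounded queues give back-pressure: a slow consumer (the choke
    point) throttles the reader instead of letting memory grow unbounded."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    comp = zlib.compressobj(level=9)  # "maximum compression" as in the test
    out = []
    queues = [queue.Queue(maxsize=4) for _ in range(3)]
    jobs = [md5.update, sha1.update, lambda b: out.append(comp.compress(b))]
    threads = [threading.Thread(target=_worker, args=(q, fn))
               for q, fn in zip(queues, jobs)]
    for t in threads:
        t.start()
    for off in range(0, len(device), chunk):
        block = device[off:off + chunk]
        for q in queues:          # one read, three consumers
            q.put(block)
    for q in queues:
        q.put(_EOF)
    for t in threads:
        t.join()
    out.append(comp.flush())
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "image": b"".join(out)}


def verify(result, device):
    """Acquisition check: the decompressed image must match the source and
    re-hash to the digests computed during imaging."""
    restored = zlib.decompress(result["image"])
    return (restored == device
            and hashlib.md5(restored).hexdigest() == result["md5"]
            and hashlib.sha1(restored).hexdigest() == result["sha1"])
```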

There are some limitations with this product. Most notably, it will only image drives connected using a Tableau bridge / write blocker. Additionally, v1.0 of the product only performs physical acquisitions. TIM is available here for free.

Chad Tilbury, GCFA, has spent over ten years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at http://ForensicMethods.com.

3 Comments

Posted February 16, 2010 at 11:53 PM

Dennis York

Thanks for this post. I had tried it when it came out but was unable to get it to work with my T35e. But Tableau released a new firmware update today. Although the T35e isn't actually updated (no newer firmware released) the firmware installer must have installed a newer driver, which fixed the issue. My T35e is also now detecting attached drives much faster than in the past. Now I can do my own testing.
I'm also liking Tableau's new Test Utility (Beta) for their write-block devices. The ability to run a diagnostic test and save the results out to a text file to be included in a case is a good thing.

Posted February 17, 2010 at 4:20 PM

jg

I have run a number of tests with TIM. My focus was onsite collections using a laptop. I compared TIM against various tools including EnCase 6.8 and 6.15 (32-bit); FTK Imager Lite 2.6.1, XWays 15.4 and the Tableau TD1. The basic test specs and results are below:
Computer Specs: Dell, E6400, Dual-Core, 2.40GHz, 3.45gb ram, XP Pro x/sp3, eSATA port.
Source Drive: WD, WD3200AAKS; Contents: 52 Files, 65.4gb.
Destination Drive: Seagate, ST31000528AS; Contents: Deleted after each acquisition.
Path: (IN) Source -> T35es-RW -> Onboard eSATA port -> (OUT) Belkin SATA II Expresscard -> Destination.
TIM, Fast Compression, MD5 & SHA1 Hash; Path 1; 1 hr, 21 minutes.
FTK Imager Lite 2.6.1, Compression #1, MD5 & SHA1, Path 2; 1 hr., 30 minutes.
EnCase 6.8, Good Compression, MD5; Path 2; 2 hrs, 32 minutes.
EnCase 6.15 (32bit) Good Compression, MD5 & SHA1; Path 2; 2 hrs., 56 minutes.
XWays 15.4; No Compression, MD5, Path 2; 1 hr., 6 minutes.
XWays 15.4; Fast Compression, MD5, Encryption, Path 2; 1 hr, 23 minutes.
Tableau TD1; No Compression, MD5 & SHA1, 1 hr, 9 minutes.
A couple of points.
It was difficult to get head to head results for all test options.
At work I use Tableau WBs and personally I have WiebeTech. Since TIM works with Tableau WBs I was glad to see the results for FTK Imager and XWays.
In the CyberSpeak podcast of 1/31 Robert Botchek of Tableau discusses TIM and seems to point to it being optimized for the quad-core which might explain the results above on the dual-core. Another comment of interest mentioned that TIM was optimized for queued acquisitions. You can queue up acquisitions for as many Tableau WBs as you have available. In a lab setting this could be very useful.

Posted February 17, 2010 at 4:25 PM

jg

I forgot to list the best time for TIM, sorry.
TIM, Fast Compression, MD5 & SHA1 Hash; 1 hr, 17 minutes.