In the field of digital forensics, properly handling the task of disk imaging is crucial for preserving data integrity. Using write blockers ensures that no data is altered during the imaging process, a key requirement for maintaining the chain of custody. While there are many factors influencing the efficiency and speed of this process, this article offers advanced tips and considerations that can help achieve optimal performance.
To recap, write blockers are software or hardware tools designed to prevent accidental modifications to the original evidence stored on disks being imaged. In this article, we will focus solely on SATA-based hardware write blockers. This type of write blockers act as intermediaries between the forensic expert’s computer and the storage device being imaged. We’ll focus on the latest generation of write blockers features a modern 10 Gbps chip that supports USB 3.2 Gen2 connectivity, while maintaining backward compatibility with older USB versions down to USB 2.0. We will test disk imaging performance for SATA storage devices in 2.5″/3.5″ and m.2 form factors.
The speed of disk imaging is important, yet it is not a critical or factor. While imaging speeds for magnetic hard drives don’t vary significantly across different write blockers, the performance difference is much more pronounced with faster solid-state drives (SSDs). Using a modern write blocker equipped with a last-generation chipset can substantially reduce the time required to extract data.
A high imaging speed is one that approaches the maximum read speed of the specific storage device, considering overhead and port limitations. For SSDs operating over the SATA protocol, a good speed is close to the interface speed minus overhead costs. For SATA3 SSDs connected to a USB3.2 Gen2 port, a good imaging speed would be around 450 MB/s, while an excellent speed is approximately 500 MB/s. Magnetic hard drive speeds vary widely. Due to the hardware design, maximum read speeds are achieved on the outer tracks in the beginning of the imaging process, while dropping significantly towards the end of the disk. Note that these maximum speeds are unattainable via legacy USB coonnections such as USB3.0, USB3.1 Gen1, or USB3.2 Gen1 due to overhead crippling data transfer rates.
In our testing process, we compared the performance of several imaging programs using the same disk and a 10 Gbps-capable hardware write blocker. Notably, enabling data compression may significantly affect the imaging speed, which will greatly depend on the compression type and the disk’s content.
We tested the imaging performance using OSForensics, FTK Imager, and X-Ways Imager, selecting various compression levels. The results are summarized in the table below.
When using compresion, X-Ways Imager generally outperformed other tools. However, when imaging into an uncompressed RAW, OSForensics demonstrated the best performance, reaching 480 MB/s. FTK Imager lagged behind slightly, particularly in uncompressed E01.
Our tests demonstrated that the choice of imaging tool and compression settings can greatly affect the imaging speed. If you aim for the fastest performance, particularly with uncompressed RAW data, OSForensics is the best choice. However, for better performance with compressed formats, X-Ways Imager is ahead. FTK Imager, while competent, tends to lag behind slightly in speed compared to the other tools.
We ran multiple tests in both desktop and portable environments, across different generations of USB ports, and with various cables. Here are the key findings and tips for achieving maximum performance.
When it comes to using write blockers for imaging hard disks, there are a few additional considerations that can enhance performance, even if they aren’t strict requirements.
Currently, the most common SSD sizes are 1TB or 2TB. Using a modern write blocker, copying 2TB of data can take just over an hour. With an older write blocker or without following the optimal conditions, this process could easily take 2 or 3 hours. For magnetic hard drives (HDDs), the read speed is much slower, so the difference in performance between different write blockers or software should be minimal.
Please note that smaller SSD drives will typically be slower than their higher-capacity counterparts due to decreased parallelism. In addition, SSDs with higher wear (greater write count) may demonstrate random slowdowns due to the overhead of the internal data correction algorithms. Finally, older SSD drives of equal capacity may be either faster or slower than their modern counterparts depending on the technology used (MLC, planar TLC, 3D TLC, or QLC NAND) and the number of NAND chips installed (which equals parallelism, which affects read and write speeds).
In forensic imaging, the most commonly used format is .e01 with default compression settings. Compression helps a lot when one needs to store multiple disk images. The dd/raw format is less commonly used due to its lack of compression and the resulting large size.
Achieving maximum imaging speed requires adhering to several conditions and using proper equipment and software. Implementing these recommendations can significantly reduce the time you’ll need to spend for disk imaging.