The typical method used to create a forensic image is to connect the source disk to a write-blocker. The write-blocker is then connected to a computer and a forensic image is made. This process needs to be updated to keep up with the capacity and speeds of the newest disk drive. By making the process as efficient as possible, the forensic imaging times can be substantially reduced.
When making a forensic image of a disk drive, it is necessary to copy every byte available from the source disk and to ensure that nothing is written to the source disk. As the capacity of disk drives has increased, the time required to make a forensic image has also increased. For example, a 20GB disk drive would take approximately 8 minutes to image at best. A 200GB could take approximately 50 minutes at best, while a 1TB disk drive would take approximately 2.5 hours.
We can calculate how fast a disk drive can be imaged by dividing the total capacity of the disk by the maximum sustained transfer rate (MSTR) of the disk. The MSTR is the manufacturers information on how fast data can be read off of a disk drive for a very large transfer. The MSTR tells us how fast data comes off of the disk. (Note that the maximum burst transfer rate is not of use to us since it only provides information on how quickly data comes out of the disk cache, and it only applies to a small amount of data.)
Let’s look at a 1.5TB Western Digitial Caviar Green disk drive as an example. The data for this drive is available here. This disk drive has a capacity of 1,500,301 MB and it has a maximum sustained transfer rate of 110 MB/s. Thus, it would take 227.3 minutes (almost 4 hours) to forensically copy the entire contents of the disk drive. (A transfer rate of 110MB/s is 6.6 GB/minute.) To achieve this speed, all parts of the forensic imaging process must be able to process data at a rate of 6.6GB/minute or greater.
Using a USB 2.0 write-blocker would slow this transfer rate down dramatically, as USB 2.0 has a maximum data transfer rate of approximately 34 MB/s. Using a USB 2.0 write-blocker when imaging the 1.5TB disk drive would require 735.4 minutes (over 12 hours).
Other factors that can alter the efficiency of the disk imaging process include:
- The buffer size of a data transfer.
- The filesystem where the data is being written to.
- Whether compression is used when making the forensic image.
All of the above factors need to be tuned to ensure that forensic images are made as quickly and efficiently as possible.
I have recently published a paper in the Journal of Forensic Sciences entitiled Characteristic of Forensic Imaging. This article discusses the impacts of different factors on the efficiency of forensic imaging. I am also preparing a web page that will provide simple scripts to allow you to evaluate the efficiency of your forensic imaging setup.
Filed under: forensics