The SuperImager Plus 12 inch Rugged Forensic Field Unit - is a mobile, compact an extremely fast Forensic Imaging unit that can serve as a complete Field Computer Forensic Investigation platform. The unit is running under Linux Ubuntu OS which is less targeted OS by malware, and it reduce the OS performance overhead especially when it perform compression by almost 20%. User can use to the unit to perform: Forensic Imaging with full E01 compression, Erase data includes DoD/ Security Erase/Enhanced Security Erase, View the data directly on Ubuntu Desktop, Encrypt data, Cellphone/Tablets data Extraction and Analysis, and Full Forensic Analysis like Encase/Nuix/FTK. The Unit can be expanded with optional expansion port or express port to support SCSI and 1394 storage devices.
Some example of the unit’s performances:
- Complete Hash verification operation with SHA-1 enabled on SSD @ 31GB/min, on WD 1TB Blue @10GB/min
- Complete Forensic Imaging 1:2 with SHA-1 enabled on 3 SanDisk Extreme II 120GB SSD @ 29GB/Min
- Forensic Imaging of 1 to 2 with E01 format with compression level 1 @ 8GB/min ("Suspect" Hard Disk Drive was full with 50% of random data and the compression rate was 66%).
The Unit Built:
It is very compact and easy to carry, has built-in 12 inch Touchscreen color LCD display, 4 native SAS/SATA ports in a drive slots, 6 native USB3.0 ports, e-SATA port, 2 Generic USB2.0 ports, 1Gigabit Ethernet ports, and audio ports.
The Unit as Forensic Imaging Tool:
In one read pass from the "Suspect" Hard Disk Drive, the SuperImager Plus application can run the following operations simultaneously: Forensic Imaging with E01 format and with full compression, Encryption with AES256, simultaneously calculate 3 Hash Verification and Authentication values (MD5, SHA1, SHA2), a Binary Keyword Search, and Saving the captured Forensic Images to 2 “Evidence” hard disk drives, to a local network, and to external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 2:2 for SAS/SATA and USB3.0 storage devices.
The Unit as Complete Forensic Platform:
In addition the unit can serve as a platform for a Forensic investigator to run a complete investigation and to perform:
- Cellphones and Tablets data Extraction and Analysis
- Forensic Triage data collection
- A complete Computer Forensic investigation Analysis with applications such as: Nuix, FTK, EnCase, ProDiscovery.
The Unit as Data Eraser:
Supports DoD and Security Erase, Enhanced Security erase protocols that are NIST 800-88 compliance. The application generates NIST 800-88 certificate.
The Unit Performances:
The SuperImager Plus 12" Rugged Forensic Field unit is one of the top-of-the-line forensic imaging device on the market today. It will outperform many units running Windows with i7 CPU.
The Main unit comes in 3 Optional configurations:
- Basic model.
- Express Port enabled model - Where user can plug optional Express Card adapters like 1394, PCIE memory cards.
- Expansion Port enabled model - Where user can plug optional Expansion Box and connect SCSI hard disk drives.
Dual Boot Option:
User can purchase the unit with only Linux OS for Forensic Imaging purpose. Dual Boot to Windows is optional for additional cost.
- For Data Capture Under Linux: Perform Forensic Imaging under Linux for a faster, more efficient and a more secure operation.
- To Analyze the Captured Data Under Windows: Reboot the unit to Windows, and use third-party applications to perform data analysis and other tasks.
Network Multiple Forensic Images Loader
Unique feature solves 1Gigabit/s Port Bottleneck. User can upload many Forensic images directly to a local network using 5 equivalent 1Gigabit/s network streams.
- HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas, and resize the "Suspect" hard drive to its full native capacity, in order to capture any “hidden data” (HPA/DCO are special areas on the hard disk drive that support this feature).
- Bad Sectors Handling: User can select to skip bad sectors/blocks, or abort the operation when it encounters bad sectors/block of sectors on the "Suspect" hard disk drive.
- Forensic Images Destination: User can save Forensic Images to a local network shared folder for easy access and analysis, or save images to external USB3.0 RAID (encryption is optional) storage in a very good speed.
- Captured Storage Protocols and Interfaces: SAS, SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, MMC, M.2 (NGFF)*, 1394*, and SCSI*
- Form Factors: Capture data from various form factor devices: 3.5", 2.5", ZIF, 1.8", Micro-SATA, Mini-SATA, PCIE*, Mini PCIE*, M.2(NGFF)*
- Cross Copy from Ports and Interfaces: The user can choose to capture from one type of port, storage protocol and interface, and save the forensic Images into a different port, storage protocol and interface. The cross copy of data can be done between SAS/SATA/IDE/USB/SCSI/1394 interfaces.
- GUI: The application is built with large icons and is very simple and easy-to-navigate. In a few clicks user can set the operation, and it will be quickly up and running.
- Speed: Extremely fast.
- Tested with Hash verification operation with SHA-1 enabled the recorded top speed was 30GB/min with Solid State Drive, and 10GB/min with 1TB WD Blue SATA-3 Hard Disk Drive.
- Tested with Forensic Imaging operation of 1 to 2 with SHA-1 enabled the recorded sustained top speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme II.
Extreme Speeds when performing Forensic capture with E01/Ex01 formats and with full Compression:
- The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations, while performing at incredibly high speeds with E01/Ex01 compression. The application allows users to manually select and adjust the number of threads and the level of compression used during each session.
- Forensic data capture with Encase E01/Ex01 formats with full compression is widely used operation in the forensic industry, and generally requires a trade-off between speed, space, and time of uncompressing by the EnCase application.
- Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. Tests were performed with the same hardware and the same hard disk drives (filled with 43% of random data), and the same level 1 of compression. The Linux-based application was set to use 16 compression threads.
Main application settings:
- Hash Authentication: Simultaneously calculates on-the-fly up to 3 Hash Authentication values MD5/SHA-1/SHA-2.
- Encryption: On-the-fly AES256 encryption of the "Suspect" Hard Disk Drive, saving the encrypted data on "Evidence" Hard Disk Drive in 100%, DD, E01/Ex01 formats.
- Keyword Search: Instantaneous binary keyword search on the "Suspect" Hard Disk Drives (not a Unicode match).
- Forensic Images can be saved in those Formats: 100% Bit by Bit, Linux DD Format, Encase E01/Ex01 formats include options for optimized compression.
- Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.
- Log Files: Audit trail in PDF formats, or txt formats with ability to customize the reports and adding company Logo.
- S.M.A.R.T drive tests: Test the “health” condition of the “Suspect” drive prior to data capturev.
- Drive Spanning: Supports spanning the captured data onto many “Evidence” drives , when the Evidence drives are not large enough (Also supports restore from spanned multiple drives).
Main application Features:
- Forensic Imaging Mode.
- Forensic Restore back data to original.
- Erase data from drives and Quick Format.
- Hash calculation authentication and verification.
Main Forensic Imaging Mode Features:
- Forensic Imaging Mode 100%, DD, E01/Ex01 – with optional compression.
- Hash while capture: MD5, SHA-1, SHA-2 (all 3 can be selected simultaneously).
- Erase Reminder of the drive.
- Keyword search.
Parallel Forensic Imaging - Multiple Session Operations: User can run a multiple efficient parallel operation, since many ports are available. User can mix different type of operations, and each operation is set as a new independent session. Example of operations: erase data from a hard disk drive on one port, hash verify on second port, while forensic imaging 1 to 1 on the remaining ports.
Basic Parallel Forensic Imaging: The supported modes are:
- Native SAS/SATA: 1 to 1, 1 to 2, 1 to 3, 2 to 2, 2 to 3. The 2 to 3 imaging mode uses the e-SATA port with the need to supply external power to the e-SATA plugged device and the 1:3 imaging mode need to be configured at time of purchasing of the main unit.
- USB3.0: 1 to 1, 1 to 2, 2 to 2
- More Ports for Forensic Imaging:
- With the use of USB3.0 to SATA fast adapters and with the combination of e-SATA port, the unit can support up to 2 to 5 and up to 4 to 5 Forensic Imaging of SATA Hard Disk Drives. With the use of Express Port Option enabled, and the Optional Sonnet 4 SAS Ports Express Card Adapter, the application can support up to 2 to 6 Forensic Imaging of SAS Hard Disk Drives.
Parallel operation – Linux Elaborated:
- Hard Drive Detection Application Screen: All hard disk drives and storage devices that are connected to the units will be scanned and displayed in one application screen called "the detection screen". User can tap on each drive to get its detailed info, as well as selecting it for the desired operation they are planning to use.
- Parallel Forensic Imaging: It depends on the number and the kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in a simultaneous operations. The user has the flexibility to change a role of a port from Evidence to Suspect, and is not limited by the pre-assigned "Suspect" ports. The session control application screen provides the user with a very comprehensive information and control over the running sessions, including all the setting of the session, and ability to abort the session.
- Parallel Forensic Imaging - Multiple Session Operations: User can run multiple efficient parallel operations and can mix different type of operations; for example erase hard disk drive on one port, hash verification on another port, while performing forensic imaging on other ports (each operation can function as a new independent session). The number of sessions also depends on the CPU: i5 -4 sessions, i7- 8 sessions.
- Network Capture: Data from network folder can be captured and saved into “Evidence” drives via iSCSI storage protocols.
- Saves Forensic Images to Network: Upload multiple Forensic images to a local network (DD, E01), simultaneously by using up to 5 parallel 1Gigabit/s network streams.
- Remote Capture - Capture Data from the Internal Hard Disk Drives of a Computer: Using USB or 1Gigabit Ethernet ports of the laptops/computers, enables capture without the needs to remove the hard drive from multiple Laptops/computers (Speed is restricted to performance of the Laptop/PC CPU and the 1Gigabit/s connection).
Erase and Quick Format Operation:
- Hard Disk Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, or user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, and DoD erase protocols are NIST 800-88 compliance).
- Quick Format: NTFS, FAT, HFS+, EXT4, and exFAT.
- Logs and Erase Certification: The application generates extensive erase log files and erase certification (option to save to NIST 800-88 format) that are easy to export to USB thumb drive.
Unit as a Platform:
- File Preview: Browse and preview captured data on the Internal Display.
- High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
- Cellphone/Tablet data extraction and analysis: Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications.
- Triage data collection: Nuix/Encase portable applications.
- Full computer forensic analysis: Encase, Nuix, and FTK applications.
Expansion capabilities and the main hardware options:
- Express Card Port Option: Optional port that needs to be pre-installed at time of purchasing in the main unit: This option gives the user the ability to plug and use a few kinds of express cards adapters to support capture and erase data from additional interfaces and devices. This option is very useful and saves in most of the cases the need for expensive and bulky expansion box. The Express Card adapters can be dual port 1394A/B, PCIE memory cards (Sony SxS), Mini-PCIE that are not supported by SATA protocols (are used in some MacBook Air, with M.2 (NGFF) form factor).
- Expansion Port and Expansion Box Option: Optional expansion ports that enable user to plug in an Expansion Box in order to add-on many other devices: User can configure the main unit with only one connectivity port or Express Card Port or Expansion Port. The Expansion Port is mostly required when user needs to erase data from SCSI Hard Disk Drives. In addition to purchasing the Expansion Box, user can also purchase the SCSI 2 drives Kit which supports capture or erase from 2 SCSI Hard Disk drives. The SCSI 2 drives Kit includes all the cables, terminators and adapters that are needed to operate 2 SCSI hard disk drives. (The SCSI controller is installed inside the Expansion Box). The Expansion Box is also supplied with a low profile Express Card reader pre-installed inside the Expansion Box.
- USB3.0 to SATA adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min. With the use of USB3.0 to SATA 4 channel Kit, user can convert 4 USB3.0 ports to 4 SATA ports on any of MediaClone units. The optional Kit is supplied with one external PS, and it includes all the cabling to power and connected the 4 USB3.0 to SATA adapters. The tested performance when running 4 adapters in parallel was measured at a very high speed, with a very little speed degradation.
- SCSI KIT Option: The SCSI Kit includes the low profile SCSI 1 ports PCIE –x1 controller, 2 channel SCSI LVDS cable (68pin connectors), SCSI terminator, and VHDCI to SCSI 2 adapter.
- 1394 Option: This option is supplied with 1394A/B Express Card. It is a very easy and quick way to add support for 1394 devices that can be daisy chained. This option works on units that support and installed with Expansion Port or Express Port options.
- USB3.0 to M.2 (NGFF) adapters Option: Currently, most laptops and tablets use M.2 (NGFF) Storage devices. This adapter supports connectivity to some of the newest SSD M.2 storage (Storage that is supported by SATA Protocols). There is a class of SSD drives that has NGFF connectors that are not supported by SATA protocols and they will not work with those adapters. Also the M.2 (NGFF) connectors use to comes in a variety of connectors and it was not standardized until 2014.
- USB3.0 to M.2 (NGFF) PCIE base adapters Option: Supports SSD used in MacBook Air 2012+, MacBook Pro Retina 2012+
- Warranty: One year warranty for the main unit. (It is not include cables and accessories).
* Expansion ready unit.