Case study: 1TB Macbook Pro (A1502)

Evimetry scales acquisition and analysis to today's high IO bandwidth, multi-core computing environment.

The following describes a case study comparing the time taken to undertake the most wait-inducing forensic activities in common workflows: acquisition, copying, verification, and initial processing of images.

Results

Evimetry is 3X faster at acquisition than X-Ways, saving 1h 56m.

Evimetry is 8X faster at acquisition than Macquisition, saving 6h 16m.

Evimetry nearly halves pre-analysis processing time.


Acquisition

For each of the three acquisition technologies, the MacBook Pro was powered down and booted into the dead boot environment. Evidence drives were attached and a full linear acquisition of the suspect storage device was undertaken using the compression and hashing parameters described below. The total time taken to acquire the suspect device and perform a hash verification was recorded.

Suspect Device: Macbook Pro

  • CPU: Core i7-4578U, 2 Cores (Haswell)
  • Storage: 1TB PCIe Flash SSD
  • Allocation: ~50%

                          Evimetry                   X-Ways                   Macquisition 2015
Dead boot OS environment  Evimetry (Linux-based)     WinFE (Windows 8.1)      Macquisition (OSX)
Compression               Snappy                     Deflate (Fast)           Deflate (Fast)
Hash algorithm            SHA1/SHA256 block based    SHA1 linear              SHA1 linear
Evidence bus              2x USB3/SATA Bridge        1x USB3/SATA Bridge      1x USB3/SATA Bridge
Evidence storage          2x Toshiba 2TB 3.5"        1x Toshiba 2TB 3.5"      1x Toshiba 2TB 3.5"
Destination Filesystem    exFAT                      exFAT                    HFS+ Journalled
Evidence Container        AFF4                       EWF                      EWF
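An added illustration, not code from Evimetry, X-Ways or Macquisition, of the difference between the linear SHA1 hash used in the X-Ways and Macquisition runs and the block-based SHA1/SHA256 hashing used in the Evimetry run: per-block hashes can be computed and verified across several cores at once, and a verification failure localises to the affected block rather than invalidating the whole image. The 1 MiB block size, the thread pool, and the constructed sample image are assumptions for the example.

```python
import hashlib
import random
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 1 << 20  # 1 MiB blocks: an assumed size, not Evimetry's actual one


def linear_hash(data: bytes, algo: str = "sha1") -> str:
    """One hash over the whole image, start to end, on a single core.

    This is the linear SHA1 model of the X-Ways and Macquisition runs.
    """
    h = hashlib.new(algo)
    for off in range(0, len(data), BLOCK_SIZE):
        h.update(data[off:off + BLOCK_SIZE])
    return h.hexdigest()


def block_hashes(data: bytes, algo: str = "sha256") -> list:
    """One hash per fixed-size block, computed in parallel.

    Each block is independent, so the work spreads over cores (hashlib
    releases the GIL for large buffers) and over evidence devices.
    """
    def hash_block(off: int) -> str:
        return hashlib.new(algo, data[off:off + BLOCK_SIZE]).hexdigest()

    offsets = range(0, len(data), BLOCK_SIZE)
    with ThreadPoolExecutor() as pool:
        return list(pool.map(hash_block, offsets))


def verify_blocks(data: bytes, expected: list, algo: str = "sha256") -> list:
    """Return the indexes of blocks whose hash no longer matches.

    An empty list means the copy is intact. A linear hash can only report
    that something, somewhere, changed.
    """
    actual = block_hashes(data, algo)
    if len(actual) != len(expected):
        raise ValueError("block count differs from the recorded hash list")
    return [i for i, (a, e) in enumerate(zip(actual, expected)) if a != e]


def sample_image() -> bytes:
    """Constructed stand-in for an acquired image: 3 full blocks plus a tail."""
    return random.Random(7).randbytes(3 * BLOCK_SIZE + 1234)
```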

Copying and verification

The forensic images were copied from the evidence hard drives to the RAID storage volume on the analysis workstation. The evidence hard drives were connected via the same USB3 bridges as above. Copies of each test run were made one at a time to prevent destination device contention.

For the Evimetry test run, the image is composed of two parts stored as single files on each of the evidence hard drives. Both files were copied at the same time.

After copying, the images were verified. The images produced by X-Ways and Macquisition were verified using X-Ways, and the image produced by Evimetry was verified using the Evimetry Controller.

Analysis workstation

  • CPU: Core i7-5820K, 6 Cores (Haswell E)
  • Storage: 4X 2TB SATA3 3.5" HDD (RAID-0)

Analysis

The forensic images were then opened using X-Ways Forensics, and the following case pre-processing was applied:

  • Filesystem metadata search (Particularly thorough filesystem search)
  • All files hashed (SHA1) and file header validation
  • Carving of unallocated (jpeg, png, office documents, pdf, sqlite)

The AFF4 image was accessed by X-Ways as a raw image via the Evimetry Filesystem Bridge.

More Information

Read more about the Filesystem Bridge