Case study: 1TB Macbook Pro (A1502)
Evimetry scales acquisition and analysis to today's high IO bandwidth, multi-core computing environment.
The following describes a case study comparing the time taken to undertake the most wait-inducing forensic activities in common workflows: acquisition, copying, verification, and initial processing of images.
Evimetry is 3X faster at acquisition than X-Ways, saving 1h 56m.
Evimetry is 8X faster at acquisition than Macquisition, saving 6h 16m.
Evimetry nearly halves pre-analysis processing time.
For each of the three acquisition technologies, the MacBook Pro was powered down and booted into the Dead Boot environment. Evidence drives were attached and a full linear acquisition of the suspect storage device was undertaken using the compression and hashing parameters described below. The total time taken to acquire the suspect device and perform a hash verification was recorded.
Suspect Device: Macbook Pro
- CPU: Core i7-4578U, 2 Cores (Haswell)
- Storage: 1TB PCIe Flash SSD
- Allocation: ~50%
| Dead boot OS environment | Evimetry (Linux-based) | WinFE (Windows 8.1) | Macquisition (OSX) |
|---|---|---|---|
| Compression | Snappy | Deflate (Fast) | Deflate (Fast) |
| Hash algorithm | SHA1/SHA256 block based | SHA1 linear | SHA1 linear |
| Evidence bus | 2x USB3/SATA Bridge | 1x USB3/SATA Bridge | 1x USB3/SATA Bridge |
| Evidence storage | 2x Toshiba 2TB 3.5" | 1x Toshiba 2TB 3.5" | 1x Toshiba 2TB 3.5" |
| Destination Filesystem | exFAT | exFAT | HFS+ Journalled |
Copying and verification
The forensic images were copied from the evidence hard drives to the RAID storage volume on the analysis workstation. The evidence hard drives were connected via the same USB3 bridges as above. Copies of each test run were made one at a time to prevent destination device contention.
For the Evimetry test run, the image is composed of two parts stored as single files on each of the evidence hard drives. Both files were copied at the same time.
After copying, the images were verified. The images produced by X-Ways and Macquisition were verified using X-Ways, and the image produced by Evimetry was verified using the Evimetry Controller.
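The table above contrasts a single linear SHA1 over the whole image with block-based SHA1/SHA256 hashing, and this section verifies the copies. The following added example (not Evimetry's or AFF4's code; block size and the sample image are constructed assumptions) shows why block hashes matter for verification: independent blocks can be hashed on separate cores, and a corrupted copy can be localised to the block that changed instead of only failing one global digest.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK_SIZE = 4096  # hypothetical block size; real imaging tools pick their own

def linear_hash(image: bytes) -> str:
    """One SHA1 over the whole image: a single digest computed serially."""
    return hashlib.sha1(image).hexdigest()

def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]

def block_hashes(image: bytes, block_size: int = BLOCK_SIZE, workers: int = 4) -> list:
    """SHA256 per block. Blocks are independent, so they can be hashed in
    parallel (hashlib releases the GIL for buffers larger than ~2 KiB)."""
    blocks = split_blocks(image, block_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda b: hashlib.sha256(b).hexdigest(), blocks))

def verify_blocks(image: bytes, expected: list, block_size: int = BLOCK_SIZE) -> list:
    """Return the indices of blocks whose digest no longer matches the
    reference list recorded at acquisition time (empty list means intact)."""
    actual = block_hashes(image, block_size)
    if len(actual) != len(expected):
        raise ValueError("block count mismatch: image size changed")
    return [i for i, (a, e) in enumerate(zip(actual, expected)) if a != e]

# Constructed sample "image": ten blocks, each filled with its own byte value.
SAMPLE_IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(10))

def demo():
    """Hash the image at 'acquisition', corrupt one byte as if a copy went
    wrong, then compare what each verification scheme can tell us."""
    ref_linear = linear_hash(SAMPLE_IMAGE)
    ref_blocks = block_hashes(SAMPLE_IMAGE)
    corrupted = bytearray(SAMPLE_IMAGE)
    corrupted[7 * BLOCK_SIZE + 100] ^= 0x01   # flip one bit inside block 7
    corrupted = bytes(corrupted)
    linear_ok = linear_hash(corrupted) == ref_linear  # False: mismatch, but where?
    bad_blocks = verify_blocks(corrupted, ref_blocks)  # [7]: exact block identified
    return linear_ok, bad_blocks

if __name__ == "__main__":
    print(demo())  # (False, [7])
```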
Analysis Workstation:
- CPU: Core i7-5820K, 6 Cores (Haswell E)
- Storage: 4X 2TB SATA3 3.5" HDD (RAID-0)
The forensic images were then opened using X-Ways Forensics, and case pre-processing applied:
- Filesystem metadata search (Particularly thorough filesystem search)
- All files hashed (SHA1) and file header validation
- Carving of unallocated (jpeg, png, office documents, pdf, sqlite)
The AFF4 image was accessed by X-Ways as a Raw image via the Evimetry Filesystem Bridge.