SuperImager® Plus Forensic 7" Mini - Field Forensic Imaging and Platform. The unit can be used as a Field Forensic Imaging device, Cellphone data extractions and analysis, and Triage data collections.
- The unit as Forensic Imaging device: The SuperImager Plus 7" Mini Forensic field unit is very compact, lightweight, and easy to carry, and it is the perfect tool to perform Forensic Imaging out in the field. It built with 7" Touchscreen color high-resolution LCD display, 3 SATA ports (with secure and keyed SATA power connector), 4 USB3.0 ports, 1 Gigabit/s Ethernet port, and a VGA port. It is affordable and capable of performing extremely fast Forensic Imaging (Run a 100% bit by bit imaging at 21GB/min on SSD) and fast Hash Authentication (Run SHA-1 at 26GB/min on SSD and 8GB/min on 1TB WD Blue Drive).
The SuperImager Plus application has the capabilities to perform in one read pass from the "Suspect" drive:
1) Forensic Imaging with E01/Ex01 format and full compression
2) Encryption with AES256
3) Parallel HASH authentication (Run all the 3 HASH engines MD5, SHA1, SHA2 in the same session),
It is also capable of saving Forensic Images to three destinations in the same time:
1) 2 external SATA Evidence Drives
2) External compact USB3.0/eSATA RAID encrypted storage device
4) Also, with the use of 4 USB3.0 to SATA optional KIT, the user can convert the unit's 4 USB3.0 ports to 4 SATA ports, and have a total of 7 SATA ports available to be used. Thus using 6 of the 7 available SATA ports, the user can perform Forensic Imaging from 3 "Suspect" drives to 3 "Evidence" drives in 3 separate sessions
5) Ability to run a Quick Keyword Search on the Suspect drive, prior to capture (with filters on the file extension)
- The Unit as a field Erase unit:
The user can erase drives and USB3.0 storage devices, by using the unit’s 2 SATA ports and 3 USB3.0 ports. The application supports DoD erase (Full, Lite), Security Erase, Enhanced Security Erase, Sanitize erase protocols. DoD(Full and Lite) which are NIST 800-88 compliant. the rest of the erase protocols need to be run with verify pass in order for them to be NIST 800-88 compliance. The application also supports the User erase mode with verification pass, and erase verification mode for drives that were previously erased by a third-party applications or tools. The Application generates easy-to-extract Erase log files and NIST erase certificates.
- The unit as a field Forensic platform:
The Forensic investigator can load and run third-party applications such as Cellebrite, Oxygen, DART, Paraben, BlackBag. The user can also run third-party Triage applications under Windows on the attached Suspect or Evidence drives. The MediaClone Windows Drive Power Utility application allows the user to mount safely drives as read-only or read-write (depends on the unit’s port) in a secured way. The application also allows the user to dismount and remove drives in a safe way. Suspect’s port is automatically assigned to be read only
- The unit as a field Virtual Drive Emulator (Optional S/W)
The user can use the Drive Emulator Built-in module in the SuperImager Plus Linux application to simulate, on the spot, the Suspect PC environment, browse the Suspect drive under Windows, transfer and copy important files from the Suspect drive to any destination drive. The Drive Emulator works only on Windows-based Suspect drives. The application can mount Suspect raw drives or an image of the Suspect drives (DD/E01)
- Optional External Battery: An External Compact Battery Option is available: the user can complete Forensic Imaging 100% bit-by-bit from one WD 1TB hard disk drive to 2 WD 1TB drives for about 2 hours, or perform a continuous cellphone extraction and analysis for about 5 hours
- Crucial data upload with External Wi-Fi and Cellphone HotSpot features: With the use of USB3.0 to Wi-Fi adapter and with the user Cellphone HotSpot feature, The SuperImager Plus 7” Mini unit can connect to the internet, satellite or any other network to upload crucial data.
- Dual Boot Option:
- The user can purchase the unit with only Linux OS for Forensic Imaging purpose. Dual Boot to Windows is optional for additional cost
- For Data Capture Under Linux: Perform Forensic Imaging under Linux for a faster, more efficient and a more secure operation
- To Analyze the Captured Data Under Windows: Reboot the unit to Windows, and use third-party applications to perform data analysis and other tasks
- Multiple Forensic Images Network Loader:
A unique feature solves the 1 Gigabit/s Ethernet port bottleneck. The user can upload many forensic images directly to a local network using 5 equivalent 1 Gigabit/s Ethernet network streams
Main Hardware Features:
- Case: Mobile and easy to carry
- CPU: i5
- Display: 7" (1280X800) LED backlight Touchscreen color LCD display
- Hardware: Very high quality high performing components
- The Unit’s Port:
- o 3 SATA native ports (1 source and 2 targets)
- o 4 USB3.0 – (2 source and 2 targets- Also all those ports can be used as a host to plug and use keyboard, mouse and other peripherals)
- o 1 e-SATA port (connected directly to the motherboard)
- o 1 Gigabit/s Port
- o 1 VGAHardware Upgrade: The unit can be upgraded at time of purchasing for additional cost, to a larger internal SSD
- OS: Ubuntu 64 Bit and Win 7 Professional 64 Bit in a dual boot. The open Ubuntu OS allows for easy application modification to include new features, easy adaptation to new hardware and ease of adding third-party Ubuntu applications.
- Writes Block: Using “device driver” blocking mechanism based on Maxim Suhanov Mechanism (https://github.com/msuhanov/Linux-write-blocker)
- Application Updates: The application can be easily updated by using USB thumb drives and by using the “Update Software from USB” icon in the application tools screenApplication Settings:
- HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas, and resize the "Suspect" hard drive to its full native capacity, in order to capture any “hidden data” (HPA/DCO are special areas on the drive that support this feature)
- Bad Sectors Handling: The user can select to skip bad sectors, a block of bad sectors, or to abort the operation when it encounters bad sectors on the "Suspect" drive.
- The skipped bad sectors will be reported in the log file in detailed or in summary
- Forensic Images - Destination: The user can save Forensic Images to any attached storage to the SuperImager unit, or to any connected network using the unit 1Gigabit/s port, or to any external USB3.0 RAID (encryption is optional) or external NAS storage in a very good speed.
- Captured Storage Protocols and Interfaces: SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, MMC, M.2 (SATA base)
- Form Factors: Capture data from various form factor devices: 3.5", 2.5", ZIF, 1.8", Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, M.2 SATA, CF-30
- Cross Copy from Ports and Interfaces: The user can choose to capture from one port with one type of storage protocol and interface, and save the forensic Image into a different storage protocol and interface using destination ports. The cross copy of data can be done between any of those SATA/IDE/USB
- GUI: The application is built with large icons and is very simple and easy-to-navigate. In a few clicks, the user can set an operation, and it will be quickly up and running
- Extremely fast – One of the fastest Forensic Imaging solution available in the market today achieving a speed of above 30GB/min
- • Tested with HASH verification operation with SHA-1 enabled the recorded top speed was 30GB/min with Solid State Drive, and 10GB/min with 1TB WD Blue SATA-3 Hard Disk Drive
- • Tested with Forensic Imaging operation of 1 to 2 with SHA-1 enabled the recorded sustained top speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme IIExtreme Speeds when performing Forensic capture with E01/Ex01 formats and with full Compression:
- • The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while performing at incredibly high speeds with E01/Ex01 formats with full compression. The application allows users to manually select and adjust the number of hyperthreads and the level of compression used during each session
- • Forensic data capture with Encase E01/Ex01 formats with full compression is widely used operation in the forensic industry, and generally requires a trade-off between speed, space, and time of decompressing by the EnCase application
- • Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. Tests were performed with the same hardware and the same hard disk drives (filled with 43% of random data), and the same level 1 of compression. The Linux-based application was set to use 16 compression threads
- HASH Authentication: Simultaneously calculates on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 at the same session
Encryption: On-the-fly AES256 encryption of the "Suspect" drive, saving the encrypted data on "Evidence" drive in 100%, DD, E01/Ex01 formats.
- Decryption: The user can perform decryption on a drive, previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryption on the encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility, where the encrypted drive and a blank destination drive were attached to the PC. (The user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility in order to make sure that the user can always decrypt the drives that were encrypted via the MediaClone units, and not to relay on TruCrypy or other third-party application that might not be supported in the future
Forensic Images Formats: Multiple Image Formats 100% Bit by Bit Mirror copy, Linux DD Format, Encase E01/Ex01 Formats (include options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/E01/DD. Mix-Format is where the user can capture from one source drive and save the images into multiple destination ports, each target port can be selected to be one of the 3 E01/EX01/DD formats. In addition, the user can use a file-based copy to copy files and folders, by using selective imaging with file extension filters
- Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4
- Audit trail and operation Log Files: Generated automatically by the application and saves on the Evidence/Target drive (PDF).
- enerated automatically by the application and saves on the
- Drive Spanning: Supports spanning the captured data onto many “Evidence” drives, when the Evidence drives are not large enough (Also supports restore images from spanned over multiple drives)
- Main application Features:
- • Forensic Imaging Mode
- • Forensic Restore back the data that was captured to another drive in the original format
- • Erase data from drives and Quick Format
- • HASH calculation authentication and verification
- • Virtual Drive Emulator Option: Enable the user run a drive or image of a drive emulator on the unit (Windows only), and ability to share folders and copy important files. (Bypass the user Windows passcodes)
- • Remote Capture (Intel based CPU) – capture from un-opened laptops and PCMain Forensic Imaging Mode Features:
- • Forensic Imaging Modes: Mirror Imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional compression, Selective Capture(Capture Partitions, Files and Folders and with the use of file extension filters), Mix-Format of DD/E01/Ex01
- • Targeted Imaging: Some time the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now he/she can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows user folders or Windows User- Documents and User-Pictures). With the use of pre-set file extension filters or add its own filter, the Forensic investigator, can narrow it capture scope and shorten is the acquisition time
- • HASH while capture: MD5, SHA-1, SHA-2 (all 3 can be selected simultaneously)
- • Erase The Reminder of the drive, after the copy
- • Encryption/Decryption
- Parallel operations:
- Parallel Forensic Imaging - Multiple Session Operations: Improve efficiency of the evidence data collection process by using multitasking and parallel imaging process. The user can run multiple efficient parallel operations taking advantage the availability of the SuperImager unit’s multiple ports. The user can mix different type of operations, and each operation can be set as a new independent session. An example of operations: erase data from a drive connected to one port, HASH verify on a different drive connected to the second port, while performing forensic imaging of 1 to 1 on drives connected to the remaining ports.With the use of USB3.0 to SATA fast adapters and with the combination of e-SATA port, the unit can support up to 4 to 4 Forensic Imaging of SATA drives.
Basic Parallel Forensic Imaging: The supported modes are:
Native SATA: 1 to 1, 1 to 2, 1 (with the use of e-SATA port the user can run 1:3 or 2:2)
USB3.0: 1 to 1, 1 to 2, 2 to 2
More Ports for Forensic Imaging:
Parallel operation – Linux Elaborated:
Detection Application Screen: All drives and storage devices that are connected to the unit will be "scanned" and displayed in one application screen called “The detection screen”. The user can tap on each drive to get its detailed info, run a quick S.M.A.R.T. tests (only using Target port), run Virtual Emulator (Source port), Safely preview the content of the drive (Source port), as well as selecting it for the desire operation they are planning to us
Parallel Forensic Imaging: It depends on the number and the kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a role of a port from been Evidence port to be Suspect port and is not limited by the pre-assigned "Suspect" ports. The session control application screen provides the user with a very comprehensive information and control over the running sessions, including all the setting of the session, and the ability to abort the session
- Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network or save to a network) supports SMB, NFS, CIFS network protocols. The capture can be run with HASH authentication and HASH verification
- Saves Forensic Images to a Network:The user can upload simultaneously multiple Forensic images to a local network (in DD, E01 mode) by using the unit' 1Gigabit/s port,or any of the unit’s USB port to upload up to 5 parallel 1Gigabit/s network streams.
- Disable Network process and protocols for security reason: Those network protocols are easy to disable using Ubuntu Preferences tools
- Copy lose files from/to the network: The user can copy files from to network with HASH authentication for a better data integrity
- Remote Capture - Capture Data from the Internal Drives of a un-opened Laptops or Computer: Using the USB port or the1Gigabit Ethernet port of the laptop/computer, enables the user to capture data from Suspect laptop (with the supplied Remote capture application on a USB stick) without the needs to remove the drive from the Laptop/computer or boot the laptop from its own OS (The capture speed is restricted to performance of the Laptop/PC CPU and the 1Gigabit/s connection). The captured can run with using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45-network ports
A few More Features:
- Drive Trim Feature: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive
Unit’s User Configuration Feature: This feature allows the administrator of the unit to set specific operation with a specific setting and with a lock passcode to be used by operators and users. (This feature needs to be requested at the time of purchasing of the main unit - It needed for security purpose)
Tasks Scripting Feature: The user can create a script to run sequential operations and parallel operations (more than 1 operation at the same time). There are no limitations on the number of scripts and operations. Be aware that for operation requires the use input, in that case, the operation will still stop and wait for the user input (Like when the user is running a drive spanning and a user respond is needed.
Keyword Search: Ability to perform a quick keyword search on the Suspect drive files and folder with filters on the files extension types, and with a few important keywords. (This is a quick keyword search to determent if a Suspect drives need to be captured)
Language Supports Feature: Easy to implement translation for a new language. Supporting today the Korean and Chines languages
- Use the unit as a drive Eraser and Quick Format: Erase the Evidence drive prior to use, with extremely fast speed of up to 28GB/min with use of SSD and up
- to 11GB/min with use of Hard Disk Drives.
- Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, or a User-mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are NIST 800-88 compliance)
- Quick Format: NTFS, FAT, HFS+, EXT4, and exFAT
- Logs and Erase Certification: The application generates extensive erase log files and NIST 800-88 erase certification (Also S.M.A.R.T. tests before and after the erase operation and are saved to XML file format) and erase that can be exported to USB thumb drive. The application has also built-in erase databases that easily can be exported to XLS
Use the Unit as a Platform:
- Secure Write Blocked File Preview: Browse and preview captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port write-blocking mechanism, turn the power to the drive by using the application power icon, and mount the drive using Ubuntu. The drive can be viewed including XLS, Docs files using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive under Windows.
- High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
• Cellphone/Tablet data extraction and analysis: Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications and more, the user can use all the 8 USB3.0 ports to run cellphone extractions.
- • Triage data collection: Nuix/Encase/ADF portable applications
- • Full computer forensic analysis: Encase, Nuix, and FTK applications - data is already captured, and the hardware can support a full analysis
- Expansion capabilities and the main options:
- USB3.0 to SATA adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min with the use of USB3.0 to SATA 4 channel Kit, the user can convert 4 USB3.0 ports to 4 SATA ports on any of MediaClone units. The optional Kit is supplied with one external PS, and it includes all the cabling to power and connected the 4 USB3.0 to SATA adapters.The tested performance when running 4 adapters in parallel was measured at a very high speed, with a very little speed degradation
- USB3.0 to M.2 (NGFF) adapters Option: Currently, most laptops and tablets use M.2 (NGFF) Storage devices. This adapter supports connectivity to some of the newest SSD M.2 storage (Storage that is supported by SATA Protocols). There is a class of SSD drives with NGFF connectors, which are not supported by SATA protocols, and cannot be used with those adapters. Also the M.2 (NGFF) connectors use to comes in a variety of connectors and it was not standardized until 2014
- USB3.0 to M.2 (NGFF) PCIE(not NVMe) base adapters Option: Few adapters are available that supports PCIE base SSD that are been used in MackBook Air 2012+, MacBook Pro Retina 2012+, MacBook 2013-14 with special interface (12+16), and adapter with M.2 generic B+M connectors
- External Battery Option: Support the use of an external Lithium-Polymer battery that enables the user to run a full data capture in the field on hard disk drives, operated on battery for a long time. (Able to complete forensic imaging of WD 1TB hard disk drives with imaging mode of 1 to 2 for 2 hours, or Cellphone data extraction and analysis for 5 hours, all performed with the use of the external battery)
- Built in the US: The units are built and tested in the US
- Warranty: One year warranty for the main unit. (It does not include cables and accessories)