- Imaging and Verify: The user can select to run forensic imaging with 3 HASH engines and also enable the "HASH the target and compare HASH" feature. That is kind of a stand operation to make sure the captured image is not altered or corrupted.Reading speed from a source drive (32GB/min SATA, 202GB/min NVMe).
- Drive Spanning: Supports spanning the captured data onto many “Evidence” drives when the Evidence drives are not large enough (also supports restore images that are spanned over multiple drives). Also support parallel drive spanning when the source drive is much faster than the target (source is NVMe for example).
- Encryption: On-the-fly AES256 encryption of the “Suspect” drive, saving the encrypted data on the “Evidence” drive in 100%, DD, E01/Ex01 formats.
- Decryption: The user can perform decryption on a drive that has been previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryption on an encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility application, where the encrypted drive and a blank destination drive are attached to the PC (the user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility application in order to make sure that the user can always decrypt the drive was were once encrypted via a MediaClone unit and not to rely on TruCrypt or other third-party applications that might not be supported in the future.
Forensic Imaging Tool: In one read-pass from the “Suspect” drive, the SuperImager Plus application can run the following operations simultaneously: Forensic imaging with E01 format and full compression, Encryption with AES256, calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), save the captured Forensic Images to 2 “Evidence” drives to a local network, and external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 2:2 for SAS/SATA and 2:6 for USB3.0/3.1 storage devices, or 5:8 SATA with USB3.0 adapters, and more possibilities with the use of the supplied Thunderbolt 3.0 Expansion box with additional 4 SAS ports.
- Extreme Speeds when performing Forensic capture with E01/Ex01 formats and full Compression:
- The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while also performing at incredibly high speeds with E01/Ex01 formats and full compression. The application allows the user to manually select and adjust the number of hyper-threads and the level of compression used during each session.
- Forensic data captured with Encase E01/Ex01 formats with full compression is widely used for operations in the forensic industry and generally requires a trade-off between speed, space, and time of decompression by the Encase application.
- Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. The tests were performed with the same hardware, the same hard disk drives (filled 43% of the drive with random data), and the same level 1 compression. The Linux-based application was set to use 16 compression threads.
Complete Forensic Platform:
- In addition, the unit can serve as a platform for a Forensic Investigator to run a complete investigation and to perform:
- The Forensic investigator can load and run third-party applications such as Cellebrite, Oxygen, DART, Paraben, and BlackBag. The user can also run third-party Triage applications under Windows on the attached Suspect or Evidence drives. The MediaClone Windows Drive Power Utility application allows the user to mount drives safely, either as read-only or read-write (depending on the unit’s port) in a secure way. The application also allows the user to dismount and remove drives in a safe way. The Suspect port is automatically assigned to be read-only.
- Virtual Drive Emulator: Enables the user to run a drive, or image of a drive emulator, on the unit (for Suspect Drives that were extracted previously from a Windows unit) and allows the user to share folders and copy important files (bypass the user Windows password). Mount a Suspect drive or it’s DD/E01 images, simulate it in its native Windows Environment, and extract important files (This function performs on the Linux side).
- Secure Write Blocked File Preview: Browse and preview the captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port’s write-blocking mechanisms, turn on the power to the drive using the application’s power icon, and mount the drive using Ubuntu. The drive Doc files, including XLS, can be viewed using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive on Windows.
- High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
- Cellphone/Tablet data extraction and analysis - Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications, and more (the user can also use all of the 8 USB3.0 ports to run cellphone extractions)
- Triage data collection – Nuix/Encase/ADF portable applications.
- Full Computer Forensic Analysis – Encase, Nuix, Axiom, and FTK applications – data is already captured, and the hardware can support a full analysis.
Data Eraser and Format:
- The user can erase drives and USB3.0 storage devices by using the unit’s 4 SATA ports and 8 USB3.1 ports. The application supports DoD erase (Full, Lite), Security Erase, Enhanced Security Erase, and Sanitize erase protocols. DoD (Full and Lite) are NIST 800-88 compliant. The rest of the erase protocols need to be run with verify pass in order for them to be NIST 800-88 compliant. The application also supports the user erase mode with verification pass and the erase verification mode for drives that were previously erase by a third-party application or tool.
- Erase the remainder of the drive after the copy.
- Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, NVMe Secure Erase, or a User-erase mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are all NIST 800-88 compliant).
- Format: NTFS, FAT, HFS+, EXT4, and exFAT.
- Erase Verify: Run Erase Verify to verify that the drive was erased before use
- Erase Logs and Erase Certification: The application generates extensive erase logs and files with an NIST 800-88 erase certification (also runs S.M.A.R.T. tests before and after the erase operation and is saved to XML file format) which can be exported to a USB thumb drive. The application also has a built-in erase database that can easily be exported to XLS.
- Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.
HASH Calculation Authentication and Verification:
- HASH Authentication: Simultaneously calculated on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 during the same session.
- HASH while Capture: MD5, SHA-1, SHA-2 (all the 3 HASH protocols can be selected to run simultaneously).
- Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network and save to a network) supports SMB, NFS, and CIFS networks protocols. The capture can run with HASH authentication and HASH verification.
- Saves Forensic Images to Network: Upload multiple Forensic images to a network (DD, E01) simultaneously by using 1 Gigabit/s port/ Thunderbolt 3.0 to 10 Gigabit/s optional adapter, or any of the unit’s USB ports to upload up to 8 parallel 1 Gigabit/s network streams.
- Disable Network process and protocols for security reasons: Those network protocols are easy to disable using Ubuntu Preferences Tools.
- Copy loose files from/to the network: The user can copy files from/to a network with HASH authentication for better data integrity.
- Remote Capture (Intel based CPU)- Capture data from the Internal Drives of an un-opened Laptop or Computer: Using USB or 1 Gigabit Ethernet ports on the laptop/computer enables the user to use the Remote capture application via a USB stick, without the need to remove the drive from the laptop/computer or boot the laptop from its own OS (the capture speed is restricted to the performance of the Laptop/PC CPU and the 1 Gigabit/s connection). The capture application can run using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter, and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45 network ports).
- Parallel Forensic Imaging – Multiple Session Operations:
Improves the efficiency of the evidence data collection process by using multitasking and using a parallel imaging process. The user can take advantage of the SuperImager unit’s multiple available ports and run multiple, efficient, simultaneous parallel operations. The user can mix different types of operations, and each operation can be set as a new independent session. An example of an operation:
erase data from a drive connected to one port and HASH verify a different drive connected to the second port, all while performing forensic imagining of 1 to 1 on drives connected to the remaining ports.- Port's rule increase possibilities: The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a port’s role from “Evidence” to “Suspect” port. The session control application screen provides the user with comprehensive information and direct control over the running sessions, including all the settings of the session and the ability to abort the session.
- Detection Application Screen: All drives and storage devices that are connected to the unit will be “scanned” and displayed in one application screen called “The Detection Screen”. The user can tap on each drive to get its detailed info and run some specific utilities regarding that drive (as long as it is a target drive) – like a quick S.M.A.R.T. test (only using the “Target” port), run a Virtual Emulator (“Source” port), safely preview the contents of the drive (“Source” port), as well as select it for any desired operation they are planning to use.
- Drive Trim: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.
- Application Audio Notification: The user can enable some audio notification features, like end of a session.
- Unit’s User Configuration: This feature allows the administrator of the unit to set specific operations with specific settings, and allows the user to secure it with a lock password (This feature needs to be requested at the time of purchasing the main unit – it is needed for security purposes).
- Tasks Scripting: The user can create a script to run sequential operations and parallel operations. There are no limitations on the number of scripts and operations one can run. Be aware that if the operation requires the use of an input it will stop and wait for the user to input (like when the user is running a drive scanning and a user’s response is needed).
- Language Supports: Easy to implement translations for new languages. Now supporting Korean and Chinese languages.
- Keyword search before Imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords (this is a quick keyword search to determine if a Suspect drive needs to be captured).
- Keyword search while imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive’s files and folders, with filters on the files extension types and with a few important keywords included in the search images.
- Cloud Storage connection: With the use of Insync paid services the user can sync to Microsoft OneDrive, Google Cloud, and others cloud storage
- Partition imaging: Gives the user the ability to select only one partition (per sessions) to perform forensic imaging and save it into the Evidence drive in DD/E01/Ex01 format.
- Network Multiple Forensic Image “Loader”: Besides the ability of the application to upload forensic images (DD, E01) to the network via the 1 Gigabit/s network port, there is also a unique feature/solution that can solve the streaming bottleneck issue by using a single port. With this solution the user can upload many Forensic images directly to a local network using 7 equivalent 1 Gigabit/s network streams. Alternatively, the user can use the Thunderbolt 3.0 port to connect to a 10 Gigabit/s network.
Expansion Capabilities and Main Hardware Options:
- USB3.0 to SATA Adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min. With the use of the USB3.0 to SATA 4 channel Kit, the user can convert 4 USB3.0 ports to 4 SATA ports.
- Built in the US: The units are built and tested in the US.
- Warranty: One-year free warranty on the main unit (does not include warranty on accessories, adapters, and cables).
- Native SATA: 4 ports with power.
- USB3.0: 20 Ports
- USB2.0: 1 generic port
- Thunderbolt 3.0: 1 port (to connect TB to 10GbE)
- HDMI and DP port to plug external monitor.
- Front Panel: 20 USB3.0 ports
- Back Panel Add-on Ports: 3 SATA 6 Gigabit/s ports with power for external storage (“hot” plugged), HDMI, RJ45 1 Gigabit/s Ethernet, and generic USB2.0.
- A built-in, universal auto switching 450W UL/CE/PSE 110/220V power supply with an input voltage of 100-240V/50-60HZ.
- Temperature: 5°C - 55°C (40°F-130°F).
- Relative Humidity: 20-60% non-condensing.
- Base unit’s dimensions: 16.0” x 15.0” x 4.0² inch. (400 x 380 x 100 mm). A user will have to attach the display pad to the main unit.
- 20-channel open tray dimensions: 11”x 6”x 2”.
- Shipping Dimensions:
- Box dimensions: 20” x 20” x 15” inch.
- Shipping box weight: 28.5 lbs.
- A built-in universal, auto switching 500W UL/CE/PSE power supply
- Input Voltage: 100-240V/50-60Hz.
- Temperature: 5°C - 55°C (40°F-130°F).
- Relative Humidity: 20-60% non-condensing.
- Unit Net Weight: 28 lbs
- Unit Dimensions: 10.6”L x 7.70"W x 3.15"D (270 x 210 x 100 mm).