The SuperImager® Plus 8” SAS Forensic Field Unit - is a mobile, compact, easy to carry and extremely fast Forensic Imaging unit that can serve as a complete Field Computer Forensic Investigation platform. The unit is running under Linux Ubuntu OS which is less targeted OS by malware, and it reduces the OS performance overhead especially when it perform compression by almost 20%.
The unit can be used to perform:
Case Study: Some example of the unit’s performances: Complete Hash verification operation with SHA-1 enabled on SSD @ 31GB/min, on WD 1TB Blue @10GB/min Complete Forensic Imaging 1:2 with SHA-1 enabled on 3 SanDisk Extreme II 120GB SSD @ 29GB/Min Forensic Imaging of 1 to 2 with E01 format with compression level 1 @ 8GB/min ("Suspect" Hard Disk Drive was full with 50% of random data and the compression rate was 66%)
- Multiple parallel Forensic Capture using Mirror copy , DD, E01/EX01(with full compression) formats, Mixed-Format DD/E01, Selective Imaging of files and folders
- Erase data from Evidence drive using DoD (ECE, E), Security Erase, Sanitize erase protocols
- View the CAPTURED data directly on Ubuntu Desktop Screen
- Encrypt the data while capturing (AES256)
- HASH the data while capturing (all the three at the same time SHA-1, SHA-2, MD5)
- Run a Quick Keyword Search on the Suspect drive, prior to the data capture
- Run multiple Cellphone/Tablets data Extraction and Analysis
- Run Forensic Triage application
- Run a full Forensic Analysis application like Encase/Nuix/FTK
- Run Virtual Drive Emulator
The unit built-in: 8” Touchscreen color LCD display, 4 native SAS/SATA ports in drive slots, 8 native USB3.0 ports, e-SATA port, 2 Generic USB2.0 ports, 1Gigabit/s Ethernet ports, eSATA port, HDMI port, and 3 audio ports. The unit can be expanded with optional expansion port or express port to support SCSI and 1394 storage devices
The SuperImager Plus 8” Rugged Forensic Field Unit as Forensic Imaging Tool: In one read pass from the "Suspect" Hard Disk Drive, the SuperImager Plus application can run the following operations simultaneously: Forensic Imaging with E01 format and with full compression, Encryption with AES256, simultaneously calculate 3 HASH Verification and Authentication values (MD5, SHA1, SHA2), and Saving the captured Forensic Images to 2 “Evidence” hard disk drives, to a local network, and to external compact USB3.0/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 2:2 for SAS/SATA and USB3.0 storage devices
The Unit as Complete Forensic Platform:
In addition, the unit can serve as a platform for a Forensic investigator to run a complete investigation and to perform:
1) Cellphones and Tablets data Extraction and Analysis
2) Forensic Triage data collection
3) A complete Computer Forensic investigation Analysis with applications such as Nuix, FTK, EnCase
4) Virtual Drive Emulator: Mount a Suspect drive or it's DD/E01 images, simulate in it's native Windows Environment, and extract important files
The Unit as Data Eraser:
Supports erase protocols that are NIST 800-880 compliance:
Dual Boot Option: The unit is running Ubuntu OS for forensic imaging and virtual drive emulator purpose. The dual boot to Windows 8.1 Pro is optional for additional cost. It needed when user intend to install and use third-party applications to perform data analysis, cellphone extraction and more
- DoD 5220-22M (ECE, E),
- Security Erase, and Enhanced Security
- Saniztie Mode
- Erase User Mode
Network Multiple Forensic Images Loader- Beside the ability of the application to upload forensic images (DD, E01) to the network via the 1Gigabit/s network port, there is also a unique feature/solution that can solve the streaming bottleneck by using a single port. With this solution, the user can upload many Forensic images directly to a local network using 7 equivalent 1Gigabit/s network streams
The SuperImager Plus 8" Rugged Forensic Field unit is one of the top-of-the-line forensic imaging devices on the market today. It will outperform many units running Windows. The unit comes in 2 Optional configurations:
1) Basic model
2) Expansion Port enabled model - Where the user can connect optional Expansion Box and use to plug 1394, SCSI hard disk drives. Also with the use of 1394 to Thunderbolt adapter, the user can run Mac acquisition
Main Hardware Features:
- Case: Mobile and easy to carry
- CPU: i5 6th Generation
- Display: 8" (800x600) LED backlight Touchscreen color LCD display
- Hardware: Very high quality high performing components
- The Unit’s Port:
- o 4 SAS/SATA native ports (2 source and 2 targets)
- o 8 USB3.0 – (2 source and 6 targets- Also all those ports can be used as a host to plug and use keyboard, mouse and other peripherals)
- o 1 e-SATA port (connected directly to the motherboard)
- o 1 Gigabit/s Port
- o 1 Display Port
- o 1 HDMI portHardware Upgrade: The unit can be upgraded at time of purchasing for additional cost, to a larger internal SSD, or the memory can be upgraded to 32GB
- OS: Ubuntu 64 Bit and Win 8.1 Professional 64 Bit in a dual boot. The open Ubuntu OS allows for easy application modification to include new features, easy adaptation to new hardware and ease of adding third-party Ubuntu applications.
- Writes-Blocking: MediaClone is using a Linux environment that never automatically mounts any of the Suspect/source drive partitions and all the source drives are automatically set as read-only to prevent accidental writes.
- Application Updates: The application can be easily updated by using USB thumb drives and by using the “Update Software from USB” icon in the application tools screenApplication Settings:
- HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas, and resize the "Suspect" hard drive to its full native capacity, in order to capture any “hidden data” (HPA/DCO are special areas on the drive that support this feature)
- Bad Sectors Handling: The user can select to skip bad sectors, a block of bad sectors, or to abort the operation when it encounters bad sectors on the "Suspect" drive.
- The skipped bad sectors will be reported in the log file in detailed or in summary
- Forensic Images - Destination: The user can save Forensic Images to any attached storages to the SuperImager unit, or to any connected network using the unit 1Gigabit/s port or the 10Gigabit Option, or to any external USB3.0 RAID (encryption is optional) or external NAS storage in a very good speed.
- Captured Storage Protocols and Interfaces: SAS, SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, MMC, M.2 NGFF(SATA or PCIE base), SCSI*, FC*, 1394*, NVMe*
- PCIe Supports: With the use of the Expansion Box Option and optional Express card reader, or special NVMe Adapters to support PCIE Express cards,PCIE express Memory, NVMe SSD
- Form Factors: Capture data from various form factor devices: 3.5", 2.5", ZIF, 1.8", Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, PCIE*, Mini PCIE*, NVme*,M.2 NGFF, CF-30
- Cross Copy from Ports and Interfaces: The user can choose to capture from one port with one type of storage protocol and interface, and save the forensic Image into a different storage protocol and interface using destination ports. The cross copy of data can be done between any of those SAS/SATA/IDE/USB/SCSI/1394/TB interfaces
- GUI: The application is built with large icons and is very simple and easy-to-navigate. In a few clicks, the user can set an operation, and it will be quickly up and running
- Extremely fast – One of the fastest Forensic Imaging solution available in the market today achieving a speed of above 30GB/min
- • Tested with HASH verification operation with SHA-1 enabled the recorded top speed was 30GB/min with Solid State Drive, and 10GB/min with 1TB WD Blue SATA-3 Hard Disk Drive
- • Tested with Forensic Imaging operation of 1 to 2 with SHA-1 enabled the recorded sustained top speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme IIExtreme Speeds when performing Forensic capture with E01/Ex01 formats and with full Compression:
- • The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while performing at incredibly high speeds with E01/Ex01 formats with full compression. The application allows users to manually select and adjust the number of hyperthreads and the level of compression used during each session
- • Forensic data capture with Encase E01/Ex01 formats with full compression is widely used operation in the forensic industry, and generally requires a trade-off between speed, space, and time of decompressing by the EnCase application
- • Comparative tests show a 20% increase in speed when using the SuperImager Plus Linux-based application over the SuperImager Windows-based application. Tests were performed with the same hardware and the same hard disk drives (filled with 43% of random data), and the same level 1 of compression. The Linux-based application was set to use 16 compression threads
- HASH Authentication: Simultaneously calculates on-the-fly up to 3 HASH Authentication values MD5/SHA-1/SHA-2 at the same session
Encryption: On-the-fly AES256 encryption of the "Suspect" drive, saving the encrypted data on "Evidence" drive in 100%, DD, E01/Ex01 formats.
- Decryption: The user can perform decryption on a drive, previously encrypted by any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryption on the encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility, where the encrypted drive and a blank destination drive were attached to the PC. (The user needs to supply to the utility application the saved encryption key). MediaClone developed its own decryption utility in order to make sure that the user can always decrypt the drives that were encrypted via the MediaClone units, and not to relay on TruCrypy or other third-party application that might not be supported in the future
Forensic Images Formats: Multiple Image Formats 100% Bit by Bit Mirror copy, Linux DD Format, Encase E01/Ex01 Formats (include options for optimizing the compression by adjusting the compression level and the number of compression parallel engines) and Mix-Format of E01/E01/DD. Mix-Format is where the user can capture from one source drive and save the images into multiple destination ports, each target port can be selected to be one of the 3 E01/EX01/DD formats. In addition, the user can use a file-based copy to copy files and folders, by using selective imaging with file extension filters
- Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4
- Audit trail and operation Log Files: Generated automatically by the application and saves on the Evidence/Target drive (PDF).
- Drive Spanning: Supports spanning the captured data onto many “Evidence” drives, when the Evidence drives are not large enough (Also supports restore images from spanned over multiple drives)
- Main application Features:
- • Forensic Imaging Mode
- • Forensic Restore back the data that was captured to another drive in the original format
- • Erase data from drives and Quick Format
- • HASH calculation authentication and verification
- • Virtual Drive Emulator Option: Enable the user run a drive or image of a drive emulator on the unit (Windows only), and ability to share folders and copy important files. (Bypass the user Windows passcodes)
- • Remote Capture (Intel based CPU) – capture from un-opened laptops and PCMain Forensic Imaging Mode Features:
- • Forensic Imaging Modes: Mirror Imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional compression, Selective Capture(Capture Partitions, Files and Folders and with the use of file extension filters), Mix-Format of DD/E01/Ex01
- • Targeted Imaging: Some time the forensic investigator does not have the time to do a full data capture of the Suspect drive. Now he/she can use the Selective Imaging feature to select only partitions, files, or folders (like the Windows user folders or Windows User- Documents and User-Pictures). With the use of pre-set file extension filters or add its own filter, the Forensic investigator, can narrow it capture scope and shorten is the acquisition time
- • HASH while capture: MD5, SHA-1, SHA-2 (all 3 can be selected simultaneously)
- • Erase The Reminder of the drive, after the copy
- • Encryption/Decryption
- Parallel operations:
- Parallel Forensic Imaging - Multiple Session Operations: Improve efficiency of the evidence data collection process by using multitasking and parallel imaging process. The user can run multiple efficient parallel operations taking advantage the availability of the SuperImager unit’s multiple ports. The user can mix different type of operations, and each operation can be set as a new independent session. An example of operations: erase data from a drive connected to one port, HASH verify on a different drive connected to the second port, while performing forensic imaging of 1 to 1 on drives connected to the remaining ports.With the use of USB3.0 to SATA fast adapters and with the combination of e-SATA port, the unit can support up to 2 to 7 and up to 4 to 7 Forensic Imaging of SATA drives.
Basic Parallel Forensic Imaging: The supported modes are:
Native SAS/SATA: 1 to 1, 1 to 2, 1 to 3, 2 to 2, 2 to 3. The 2 to 3 imaging mode uses the e-SATA port with the need to supply external power to the e-SATA plugged device and the 1:3 imaging mode need to be configured at time of purchasing of the main unit
USB3.0: 1 to 1, 1 to 2, 2 to 2 and up to 2:6
More Ports for Forensic Imaging:
Parallel operation – Linux Elaborated:
Detection Application Screen: All drives and storage devices that are connected to the unit will be "scanned" and displayed in one application screen called “The detection screen”. The user can tap on each drive to get its detailed info, run a quick S.M.A.R.T. tests (only using Target port), run Virtual Emulator (Source port), Safely preview the content of the drive (Source port), as well as selecting it for the desire operation they are planning to us
Parallel Forensic Imaging: It depends on the number and the kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a role of a port from been Evidence port to be Suspect port and is not limited by the pre-assigned "Suspect" ports. The session control application screen provides the user with a very comprehensive information and control over the running sessions, including all the setting of the session, and the ability to abort the session
- Network Capture: Data from a network folder can be captured and saved into “Evidence” drives via the use of the iSCSI storage protocols. The SuperImager application (for both capture from a network or save to a network) supports SMB, NFS, CIFS network protocols. The capture can be run with HASH authentication and HASH verification
- Saves Forensic Images to Network:Upload multiple Forensic images to a local network (DD, E01), simultaneously by using 1Gigabit/s port, 10Gigabit/s option, or any of the unit’s USB port to upload up to 8 parallel 1Gigabit/s network streams.
- Disable Network process and protocols for security reason: Those network protocols are easy to disable using Ubuntu Preferences tools
- Copy lose files from/to the network: The user can copy files from to network with HASH authentication for a better data integrity
- Remote Capture - Capture Data from the Internal Drives of a un-opened Laptops or Computer: Using USB or 1Gigabit Ethernet ports of the laptop/computer, enables capture with the supplied Remote capture application on a USB stick, without the needs to remove the drive from the Laptop/computer or boot the laptop from its own OS (The capture speed is restricted to performance of the Laptop/PC CPU and the 1Gigabit/s connection). The captured can run with using HASH authentication. The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45-network ports
A few More Features:
- Drive Trim Feature: Allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive
- The Unit’s User Configuration Feature: This feature allows the administrator of the unit to set specific operation with a specific setting and with a lock password to be used by operators and users. (This feature need to be requested at the time of purchasing of the main unit - It needed for security purpose)
- Tasks Scripting Feature: The user can create a script to run sequential operation and parallel operations (more than 1 operation at the same time). There are no limitations on the number of scripts and operations. Be aware that for operation requires the use input, in that case, the operation will still stop and wait for the user input (Like when the user is running a drive spanning and a user respond is needed.
- Language Supports Feature: Easy to implement translation for a new languages. Supporting today the Korean and Chines languages
- Keyword search: Ability to perform a quick keyword search on the Suspect drive files and folder with filters on the files extension types, and with a few important keywords. (This is a quick keyword search to determent if a Suspect drives need to be captured)
- Keyword search while imaging: Ability to perform a quick keyword search on the Suspect drive files and folder with filters on the files extension types, and with a few important keywords include search images
- Partition Imaging: Ability to select only one partition (per session) to perform forensic imaging and save it into Evidence drive in DD/E01/Ex01 format
- Use the unit as a drive Eraser and Quick Format: Erase the Evidence drive prior to use, with extremely fast speed of up to 28GB/min with use of SSD and up
- to 11GB/min with use of Hard Disk Drives.
- Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitze, or a USer-mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitze, and DoD erase protocols are NIST 800-88 compliance)
- Format: NTFS, FAT, HFS+, EXT4, and exFAT
- Erase Logs and Erase Certification: The application generates extensive erase log files and NIST 800-88 erase certification (Also S.M.A.R.T. tests before and after the erase operation and are saved to XML file format) and erase that can be exported to USB thumb drive. The application has also built-in erase databases that easily can be exported to XLS
Use the Unit as a Platform:
- Secure Write Blocked File Preview: Browse and preview captured data on the Internal Display. The user should connect the drive to the unit’s Suspect port to protect the drive via the port write-blocking mechanism, turn the power to the drive by using the application power icon, and mount the drive using Ubuntu. The drive can be viewed including XLS, Docs files using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows (if this option was purchased) and view the drive under Windows.
- High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
• Cellphone/Tablet data extraction and analysis: Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications and more, the user can use all the 8 USB3.0 ports to run cellphone extractions.
- • Triage data collection: Nuix/Encase/ADF portable applications
- • Full computer forensic analysis: Encase, Nuix, and FTK applications - data is already captured, and the hardware can support a full analysis
- The units have very firm hardware that enables those said applications to run with excellent performance
Expansion capabilities and the main hardware options:
- Expansion Port and Expansion Box Option: Optional expansion ports that enable user to plug in an Expansion Box in order to add-on many other devices: The Expansion Port is mostly required when user needs to erase data from SCSI Hard Disk Drives. In addition to purchasing the Expansion Box, user can also purchase the SCSI 2 drives Kit which supports capture or erase from 2 SCSI Hard Disk drives. The SCSI 2 drives Kit includes all the cables, terminators and adapters that are needed to operate 2 SCSI hard disk drives. (The SCSI controller is installed inside the Expansion Box). The Expansion Box is also supplied with a low profile 1394B controller pre-installed inside the Expansion Box
- USB3.0 to SATA adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min. With the use of USB3.0 to SATA 4 channel Kit, user can convert 4 USB3.0 ports to 4 SATA ports on any of MediaClone units. The optional Kit is supplied with one external PS, and it includes all the cabling to power and connected the 4 USB3.0 to SATA adapters.The tested performance when running 4 adapters in parallel was measured at a very high speed, with a very little speed degradation
- SCSI KIT Option: The SCSI Kit includes the low profile SCSI 1 ports PCIE –x1 controller, 2 channel SCSI LVDS cable (68pin connectors), SCSI terminator, and VHDCI to SCSI 2 adapter
- 1394 Option: This option is supplied with 1394 controller. It is a very easy and quick way to add support for 1394 devices that can be daisy chained. This option works on units that support and installed with Expansion Port or Express Port options.
- Thunderbolt Option:With the use of 1394 Option and Thunderbolt to 1394 adapter, a user can connect the unit into a Mac that have a TB port (that is booted in target mode) and access the Mac internal drive
- Express Card Option: With the use of Express card reader plugged into the the Expansion Box, to support PCIE memory card such Sony SxS.
- NVMe Option: To support NVMe M.2 SSD, include M.2 NVMe controller.
- USB3.0 to M.2 (NGFF) adapters Option: Currently, most laptops and tablets use M.2 (NGFF) Storage devices. This adapter supports connectivity to some of the newest SSD M.2 storage (Storage that is supported by SATA Protocols). There is a class of SSD drives that has NGFF connectors, but they are not supported by SATA protocols and by those adapters. Also the M.2 (NGFF) connectors use to comes in a variety of connectors and it was not standardized until 2014
- USB3.0 to M.2 (NGFF) PCIE (Not NVMe) base adapters Option: Few adapters are available that supports PCIE base SSD that are been used in MackBook Air 2012+, MacBook Pro Retina 2012+ , MacBook 2013-14 with special interface (12+16), and adapter with M.2 generic B+M connectors
Warranty: One year warranty for the main unit. (It is not include cables and accessories)
- Built-in the US: The units are built and tested in the USA
- * Expansion ready unit