There’s an ongoing debate regarding the role of the public “trust” when performing an HDD cloning action.

What does a notary or a judicial clerk add to the action? And regarding the tools, is it better to use a single purpose device as a cloning machine or a multi-purpose one as a laptop computer?

In my humble opinion both the cloning machine and the notary/judicial clerk don’t add much more in a technical sense, but in fact they create an scenario in which it is less likely that the part that suffers the action will attack it in court.

As the time that takes to complete the action may be important, performance may be a factor in the decision, and here’s where the tittle comes in.

For some time now I’ve been experimenting with different means to acquire forensically sound disk images. The cloning machine I use is an Intelligent Computer Solutions Image MASSter Solo-3 Forensics. It can deliver 2,5GBpm when hashing SHA1 on SATA 7.200 drives. This means close to 7 hours for a 1TB drive…

I prefer to use the cloning machine when I perform the cloning procedure in court or with the intervention of a notary. When cloning big disks, I try to get the room locked while the copy is being performed and get back the next day to see the result.

But in other cases you may consider the following performance results the next time you need to perform a disk image:

• No hash 1.080GB/h
• MD5 923GB/h
• SHA1 923GB/h

So, what if instead of almost 7h you could perform a complete clone of a 1TB HDD in a bit more than 1h?

Enter the “poor’s man cloning machine”…

Continue reading «Block Size Matters»