
Voom HardCopy

For drive acquisition, we purchased the Voom HardCopy unit from Digital Intelligence for $995. Digital Intelligence shipped the device the next day, and it works great! The URL to order it is: http://www.digitalintelligence.com/products/hardcopy/

Previously, we used an "ultimate" write block kit containing Tableau Firewire 800 bridges with a Linux PC and a Firewire 800 PCI card to acquire images. While MUCH faster than USB 2.0, the speed still left a lot to be desired. The HardCopy device has clearly been much faster than using our Tableau Firewire 800 bridges connected to a PC to acquire images.

The HardCopy device can clone hard disks, or, more importantly for us, can take a dd-style image and save it to a HardCopy formatted NTFS file system. It also can calculate/compare MD5 values as an option, and outputs the values as a text file on the destination drive. Of course there are additional features, but those are just gravy to me.

I was drawn to the HardCopy line of acquisition devices for several reasons. A big one was the writeup at http://www.voomtech.com/docs/HC2 Review.pdf. I also like that the write blocking of the source drive is within the hardware itself, and can't accidentally be bypassed. (Some devices offer you a switch or software to control the write protection.)

I do know that the review linked to above was for the HardCopy 2 device, but from all that I can see, the HardCopy 2 mostly is a new version of HardCopy containing the ability to automatically separate the output file into several chunks - so you can break large images into something that will fit on your target media. I don't expect to need to do this often, and we do have other equipment that can handle these situations (albeit they are slower). So, I didn't want to pay about $400 more for the HardCopy 2.

Another important feature is the HardCopy's ability to write zeroes to the destination drive. Reportedly, courts like to hear that the drive you copied your forensic image onto did not contain any data other than that obtained from the suspect drive. The HardCopy offers the ability to fill the destination drive using one pass of zeroes - all that is really needed to ensure old data isn't generally readable on the destination drive. (You could of course run this several times if you need several passes - as long as it's ok that they are all zeroes. I don't think you gain much by that.)

When writing zeroes in a test, a 400 GB Seagate Barracuda 7200.8 ATA-100 was seen writing at 4.16 GB/min peak, and finished in 1:55:18. A Maxtor DiamondMax Plus 9 80 GB ATA-133 filled in 32:40. Pretty impressive numbers, if you ask me.
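To independently confirm both the zero wipe and the MD5 value on a Linux workstation, here is an added example (not Voom's code and not part of the original post). The function names are hypothetical, and the recorded MD5 is assumed to be copied by hand out of the text file HardCopy writes, since its exact layout isn't shown here.

```python
# Added example: check that a wiped target is all zeroes, and that a
# dd-style image hashes to the MD5 value recorded at acquisition time.
import hashlib
import sys

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat on large drives


def first_nonzero_offset(path, chunk=CHUNK):
    """Return the byte offset of the first non-zero byte, or None if all zero."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return None  # reached the end without seeing residual data
            if block.count(0) != len(block):
                # Leading zeroes stripped; the remainder starts at the first hit.
                return offset + len(block) - len(block.lstrip(b"\x00"))
            offset += len(block)


def md5_of_image(path, chunk=CHUNK):
    """Stream the image through MD5 and return the lowercase hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_recorded_md5(path, recorded):
    """Compare with a recorded value, ignoring case and stray whitespace."""
    return md5_of_image(path) == recorded.strip().lower()


if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: check.py wiped <device-or-file>
    #        check.py md5 <image-file> <recorded-hex>
    mode, target = sys.argv[1], sys.argv[2]
    if mode == "wiped":
        off = first_nonzero_offset(target)
        print("all zeroes" if off is None else f"non-zero byte at offset {off}")
        sys.exit(0 if off is None else 1)
    ok = matches_recorded_md5(target, sys.argv[3])
    print("MD5 match" if ok else "MD5 MISMATCH")
    sys.exit(0 if ok else 1)
```

Run the wipe check against the raw device node before the drive is formatted, because formatting writes non-zero file system structures to it.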

Note that while the HardCopy only makes images to/from IDE/ATAPI (PATA) drives, a cheap SATA - IDE/ATAPI converter, such as the Addonics ADSAIDE that we purchased from Buy.com for $25.99 (free shipping) (link: http://www.buy.com/retail/product.asp?sku=10374161), works great and will let you acquire and/or write to SATA drives as needed. I have used this adapter to image a SATA drive with HardCopy, and it worked perfectly. Similar adapters are available for 2.5" notebook drives (our "ultimate" write block kit contains one).

Caveats:

  • HardCopy will write image files to an NTFS file system, but only when the file system was formatted with the HardCopy device. Apparently their NTFS partition is a little different than what Windows creates. (Although the HardCopy NTFS file system is readable in Windows and Linux - I have made sure!) The good news is, the format only takes a few minutes.
  • The "Wipe Drive" feature will write zeroes to the hard drive once. That is the only option. For folks who have a policy requiring overwriting disks with random stuff, or 0s and 1s alternating, etc., this won't be usable to "clean" drives containing private data. This might be because they sell a device that will do the random passes, etc. The Voom Drive Wiper is what to look for (will let you wipe two drives at once).
  • I don't know of a way to obtain images from SCSI using this.

HardCopy URL: http://www.voomtech.com/voom_products/HardCopyS0.html