A few months ago my agency purchased the LogiCube Forensic Dossier for faster hard drive imaging. I was going to buy the Talon, but the Dossier promised much faster speeds and the ability to image drives in the .E01 evidence file format. Here are some of my findings so far:
- The Dossier rarely images faster than 3GB/min, making it about the same speed as the Talon (another LogiCube imaging device). LogiCube boasts speeds greater than 7GB/min for the Dossier, but I have yet to see it image faster than 3.5GB/min, and that’s using 7200rpm SATA source and destination drives. However, it does CONSISTENTLY image between 2-3GB/min, which is still must faster than USB.
- The Dossier boasts that it can image in .E01 format, but there should be some disclaimers to that. The .E01 format used by the Dossier is only compatible with EnCase, and you will not get a matching hash value in FTK. Also, if you pull your .E01 image into FTK, most likely you will never be able to pull it into EnCase, it somehow corrupts it (the two tools use different .E01 formats). I recommend imaging the drive in DD format using the Dossier, then re-acquire the DD (raw) image as an .E01 inside EnCase (raw images have a tendency to become corrupt inside EnCase).
- There is no .E01 compression with the Dossier. In other words, if you image a 250GB drive that only has 5GB of data on it using the Dossier, your image will still be 250GB. EnCase and FTK both compress .E01′s like this, the Dossier will not (although a future firmware update that addresses this has been promised).
- The Dossier can reconstruct a simple standard RAID drive pair into one image (0, 1, JBOD). This is pretty nifty. It must be a standard RAID, not a proprietary solution.
- I have yet to get the Dossier to wipe a drive successfully. My Dossier keeps jacking that up somehow. That could just be mine, I need to call LogiCube about this.
- LogiCube tech support is actually pretty good. They are very friendly and pleasant to deal with on the phone. They are very up front about what their product can an can’t do, albeit slightly too optimistic about their capture speeds and .E01 format in my opinion (which is to be expected).
- Another good use is the ability to clone a drive. This comes in handy for PlayStation 3 (PS3) forensics, where you cannot use a write-blocker to boot the PS3 HDD natively, and you cannot analyze the encrypted image or use the drive in any other PS3. With the Dossier, it is simple to clone the drive then boot the suspect’s PS3 using the copied drive, thus never altering your original evidence.
Overall, I think the LogiCube Forensic Dossier is a good product, but if you already have a working Talon, I wouldn’t upgrade just yet. If you are new in the market, it’s a good buy. It’s actually slightly cheaper than the Talon (LogiCube wouldn’t like it if I publish the price), but I recommend only using the DD capture feature until they work out some more kinks in the .E01 capability. Simply re-acquire the raw image as an .E01 in your forensic tool of choice.
This was cross-posted at the iSCERS digital forensics forum.
No related posts.
