Efficiency Options

The two premier options for forensic collection are the Voomtech Hardcopy 3P, and the Tableau offerings.  We use both here, in limited ways, along with dcfldd booted from a CD.

One of the things that new people in the field sometimes miss, is effective use of technology for client efficiency.  The emphasis here is on parallel collections, but this actually works for any volume, from one on up.

As a new forensicator, the impulse can be to obtain the best “device” for collection, based on LE input or marketing or whatever.  Many of us rush to buy the best device for collection, when in fact, no device is necessary, and in many cases, detrimental.

Our first loyalty is to the preservation, and our second is to the client, which means, our imaging must be flawless and our billing must be minimal.  We are not here to maximize our billable hours; that is morally repugnant.  We should always strive for greater efficiency, and the way to do that is through the use of boot images for collection.

Assuming modern computer hardware (SATA2+, USB2+), the difference between using a dedicated device and using a boot image can be startling.  While a single PC can quickly show an advantage for a dedicated device, truly modern hardware (3 series SATA/USB) exceeds or equals it in cost and speed.

Dedicated devices cost money, around $2000 a piece.  A boot image is free, other than time to create it.  Both collection processes require opening a PC and messing with wires.  Both take about the same time on similar hardware, with the dedicated devices being faster on older hardware.

But if you need to do two or more, the cost effectiveness of a boot disk clearly shines. Duplicate the boot disk however many times necessary for a parallel effort (one tech can manage 10 running instances, typically) and do multiple PC’s at the same time.

The cost for using a dedicated device is $2000 x # of collections.

The cost for using a boot disk is $0 x # of collections.

The time (assuming you can afford that many) for dedicated devices is X collection devices x connect time.  It looks like this: fraction(x1)+fraction(x2)+fraction(xN).  By the time you get to the end of your loop in setup, the first device is finished and by the time you finish putting them all back together, the last one is finished and you close up.

The time is the same for the boot disk, only there’s no upfront cost for equipment. And they don’t break.  And they stay current with technology and don’t cycle out as technology advances.

(Slower machines are better on devices, but this is offset if the number of collected devices grows to overcome the efficiency gap.  Meaning, usb2 is slow, but 20 usb2 collections is faster than 20 dedicated hardware collections split using two devices.  There’s lots of wiggly room in low volume, do the math yourselves.)

And you can do a BUNCH of collections in a single sweep.  As mentioned previously (thanks Vestige!) the boot disk is the ONLY WAY to do an entire building in one night.

So if you’re considering buying yet another device, please reconsider.  Devices are nice for collection personnel that don’t know what they’re doing inside a boot image and require strict training (like criminal evidence collection by LE), but for forensic ePreservation, you can’t beat a boot disk.

We like Ubuntu + dcfldd.  It keeps overhead down and increases billing efficiency.  DO IT.