|
The SuperImager® Plus 8” 3 NVMe +3 SATA+4 SAS Portable Forensic Unit
SuperImager Plus 8” Portable Forensic Field unit with 3 NVMe + 4 SAS/SATA + 3 SATA+ 2 Thunderbolt 4.0 +8 USB3.2+ one USBC 3.2 Gen 2x2 ports. It is one of the top performance Field Computer Forensic Imaging tools and a Complete Digital Forensic Investigation platform
The unit is Portable, Compact, easy to carry, and extremely fast. It is built with 2 NVMe U.2 data & power ports, 2 SATA3 data & power ports, one e-SATA port in the back of the unit, 8 USB3.2 ports, one USB3.2 Gen 2x2 USBc port, and two Thunderbolt 4.0 ports.
The unit is configured with Dual Open OS of Linux for fast, efficient Forensic imaging and Windows 11 for running full Forensic Analysis (EnCase, Nuix, Axiom, and others), cellphone data extraction(Cellebrite, MASB, and others), and triage data collection. Using the Linux OS, the user can run: multiple,simultaneous independent forensic imaging sessions (mirror image, image a single partition, Linux-DD, EnCase, mix E01/DD, VHD, Triage with Files and Folders) with 4 HASH values(MD5, SHA1, SHA2, and SHA512 run all the four at the same time), encryption AES256 XTS, compression, keyword search all on the fly and save images to a network.
The max speed achieved: 31GB/min SATA SSD, 187GB/min NVMe SSD.
The unit hardware is robust, running i7 13 generation CPU with 32GB of memory, 1TB SSD, and 8” LCD display.
Main ports:
• 3 SATA ports: 2 SATA ports (power & data) and one e-SATA port on the main unit
• 4 SAS/SATA ports: On the TB3.0 Expansion Box
• 3 NVMe ports: 2 U.2 NVMe nativ eports on the main unit (power & data), one U.2 & M.2 NVMe port on the TB3.0 Expansion Box, and addition NVMe port (#4) with the use of the second TB4.0 port with fast USB3.2 Gen2x2 to NVMe adapter.
• 2 TB4.0 ports • 1 USB3.2 Gen2x2 (USBc) port, and 8 USB3.2 ports
The unit supplied with:
• Remote Capture KIT
• Virtual Emulator (viewing the Suspect drive before the capture).
• 2 U.2 Extension Cables.
• 2 U.2 to M.2 NVMe adapters.
• Thunderbolt 3.0 PCI-E Expansion Box with 4 SAS ports controller, split cables, power cables, and with U.2 and M.2 NVMe controller.
The Thunderbolt 3.0 Expansion box brings a lot of additional connectivity.
Thunderbolt 3.0 to 10GbE adapter and the Mac/Thunderbolt acquisition kit are important options.
To compare this unit to other MediaClone Portable units that support NVMe: SuperImager Plus 8” T3 unit has one NVMe port, and the SuperImager Plus 8” with mix 5 NVMe + 5 SAS/SATA has 5 NVMe ports.
Here are some of the tasks that the user can do:
1) Multiple Parallel Forensic Capture: Mirror (bit by bit), Linux-DD format, E01/Ex01 format (with full compression), Mixed-Format DD/E01, Single partition, copy the whole drive or only parts. Copy 1:6/2:4/3:3 for SATA drives, 1:1, 1:2 for NVMe SSD, 2:2 for SAS drives, or any mix between the 3 NVMe ports to 7 SATA/SAS ports or 11 USB3.2 ports.
2) Run a Selective Imaging (Targeted Imaging) of files, folders, and partitions with file extension filters and save HASH and metadata of the files.
3) Erase data from the Evidence drive before use - using DoD (ECE, E), Security Erase, NVMe Secure Erase, Sanitize, or User-Erase protocols.
4) View the Suspect drive directly on the Ubuntu Desktop screen using the virtual drive emulator.
5) Encrypt the data while capturing (using the AES256 XTS engine) and decryption at the destination using MediaClone utility
6) HASH the data while capturing – run all the four MD5, SHA-1, SHA-2, and SHA-512 HASH engines, simultaneously.
7) Run a quick Keyword Search on the Suspect drive before or during the capture.
8) Run Multiple Cellphones/Tablets data Extraction and Analysis using a third-party application on the Windows 11 side.
9) Run the Forensic Triage application with selective capture mode or with the use of a third-party application on the Windows 11 side.
10) Run a full Forensic Analysis application like Encase/Nuix/FTK/Axiom.
11) Run Virtual Drive Emulator to view the Suspect drive before captured (Linux)
12) Run Remote Capture from unopened laptops - Intel-Based CPU (supplied with this unit).
13) Use the Thunderbolt 4.0 port to connect to 10GbE network with the use of TB3.0 to 10GbE adapter.
14) Unlock drives with passcode such ATA, BitLocker, Opal for SED drives, and TruCrypt.
15) Use the SuperImager Plus unit as a “Write Blocker” device: This feature enables the unit to function as a secure bridge between workstations on a network to Suspect drives attached to the SuperImager unit and by using the iSCSI protocol over a network connection. A forensic investigator using a workstation or laptop in one location can access a Suspect drive in different places in the Writes-Block safe mode. The unit will be connected to the same network, and the Suspect drive will be attached to the unit in read-only mode. The unit will act as a “write blocker” for any of the unit’s attached storage, such as SAS, SATA, USB, 1394, FC, SCSI, and NVMe.
Additional operations: HASH authentication, Drive Diagnostics, Evidence drive erase before use, image restores from DD/E01, and automation with scripting.
The main difference between using a product with U.2 port (and with Extension cables) vs. using M.2 port and plugging the media directly into the port:
NVMe U.2 port is more versatile and can support three types of NVMe SSD: M.2, U.2, PCIE NVMe storage controller, while M.2 port is limited to M.2 SSD. Using the U.2 Extension cables protects the unit's NVMe port from overuse and many insertions by plugging the SSD directly into the unit's port and damaging the port. (It is easier to replace an extension cable than the interface board of a damaged port!). Competitors that use NVMe M.2 ports are limited with their supports (Only M.2), and force the user to plug the media directly into the port. U.2 extension cables are very durable and built with high quality and precision, and they exhibit an extreme transfer rate of over 200 GB/min.
Performances:
Mirror Imaging of Samsung MZVPV512HDGL NVMe SSD, with a max speed of Mirror Imaging of WD 1 TB NVMe SSD, with a max speed of 187 GB/min!
The SuperImager application is optimized to achieve extreme top speeds when using NVMe SSD: HASH SHA-1 132.5 GB/min, Mirror Image 187 GB/min, Erase + Verify 130 GB/min, Verify 197 GB/min
SuperImager Plus 8" NVMe SATA mix ports unit with i7 CPU, 32GB Memory, and S/W Version 1.8.133.11
|
|
Operation:
|
Avg Speed GB/Min
|
HASH single drive, in a single session (Samsung 870 EVO SSD)
|
|
SHA-1
|
32.1
|
MD5
|
32.1
|
SHA-1+ MD5
|
32.1
|
HASH 2 drives in 2 separate sessions (2 Samsung 870 EVO SSD)
|
|
SHA-1 + MD5 drive 1
|
29.0
|
SHA-1 + MD5 drive 2
|
29.0
|
HASH single drive, in a single session (1TB WD black M.2 NVMe)
|
|
SHA-1
|
132.00
|
SHA-1 + MD5
|
132.00
|
Erase Drives using 1TB WD Black M.2 NVMe SSD
|
|
Read Verify
|
202.00
|
Single Pass - User Erase Mode
|
153.00
|
Forensic Imaging
|
|
100% bit by bit Imaging 1 TB WD Black to 1 TB WD black M.2 NVMe SSD
|
|
no HASH
|
187.00
|
with SHA1 HASH
|
132.00
|
DD Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
|
|
with SHA-1 + MD5 HASH
|
30.1
|
DD Imaging SanDisk Extreme II SSD to Samsung 850 EVO SSD 2 GB file Chunks and NTFS)
|
|
with SHA-1 + MD5 HASH on
|
28.5
|
E01 Imaging Samsung 850 EVO SSD to Samsung 850 EVO SSD (2GB Files Chunks and NTFS)
|
|
with SHA-1 + MD5 HASH on
|
24.2
|
SuperImager Plus Forensic Imaging Application Settings:
- HPA/DCO Automatic Supports: The application can detect HPA and DCO special areas on the Source drive. Then, resize the Source drive to its full native capacity to capture any "hidden data in those areas (HPA/DCO supported by some SATA drives).
- Bad Sectors Handling: The user can select to skip bad sectors, skip bad blocks, or abort the operations. The skipped, bad sectors will be displayed in the log file in detail or summary format.
- 48bit LBA Addressing: Supports drives with sizes up to 256TB.
- OS: Dual open OS of Ubuntu and Windows.
- Security: Imaging is done under the Linux OS (Linux is less targeted by malware).
- Application Updates: The application can easily be updated by using any of the unit's USB ports and by a simple tap on the "update software" icon from the unit' main menu.
Application Features:
- GUI: The application is built with large, easy-to-use icons. In a few clicks, the user can set up an operation.
- Speed: Extremely fast, it is one of the fastest Forensic Imaging solutions available on the market today, achieving a speed of above 32GB/min for SATA SSD and above 100GB/min for NVMe SSD.
- Tested with the HASH verification operation with SHA-1, SSD ran at a top speed of 30GB/min and with 1TB WD Blue SATA-2 HDD ran at a top speed of 10GB/min.
- Tested with the Forensic Imaging operation of 1 to 2 with SHA-1, 3 SSD of Samsung Pro 240GB ran a top speed of 32GB/min.
- Tested with the Forensic Imaging operation of 1 to 2 with SHA-1, 3 SSD of Samsung NVMe 1 TB ran at a top speed of 100GB/min.
- Forensic Images – Destination: The user can save Forensic Images to any storage device attached to unit, or any connected network, using the unit's 1 Gigabit/s port (or 10 Gigabit/s depend on the unit), or to any external USB3.2 RAID (encryption is optional), or to an external NAS storage.
- Cross Copy from unit's ports: The user can select to capture from one port with one type of storage interface and save the forensic image onto a different storage interface using the unit's destination ports.
- Audit trail and operation Log Files: Logs are generated automatically by the application and saved on the Evidence/Target drive in PDF format.
Application's Main Operations:
- Forensic Imaging Mode includes Restore Images.
- Virtual Drive Emulator.
- Complete Forensic Platform.
- Data Erase and Format
- HASH Calculation Authentication and Verification
- Remote Capture and Network Supports
Forensic Imaging Mode:
Full Drive Imaging
- Mirror imaging bit by bit (100% or any % of the drive), DD, E01/Ex01 – with optional adjustable compression level, Mix-Format of DD/E01/Ex01, Selective Capture (Capture Partitions, Files & Folders, with the use of file extension filters), Selecting a partition to capture.
- Forensic Restore: Back up the captured data (DD/E01/Ex01) into another drive in the original format.
Targeted Imaging (Triage):
- Selective Imaging feature to select only partitions, files, or folders (like the Windows User-Folders or Windows User-Documents and User-Pictures). With the use of pre-set file extension filters or adding its filters, the Forensic Investigator can narrow their capture scope and shorten its acquisition time. In this mode, the application also supports calculating 4 HASH values (all the 4 at the same time) for each selected and captured file and saves its metadata. It supports capture from the "Suspect" drive that is formatted and mountable under Linux: FAT/eFAT/NTFS/EX2-4,/HFS+/HPFS/APFS.
Forensic Images Formats:
- 100% Bit by Bit Mirror Image.
- Linux-DD Format.
- Encase E01/Ex01 Formats (Includes options for optimizing the E01 compression by adjusting its level and the number of parallel engines).
- Mix-Format: The user can capture from one source drive and save the images onto multiple destination ports; each target port can be selected as one of the 3 E01/Ex01/Linux-DD formats.
- AFF4.
- File-based copy: Copy files and folders using selective imaging with file extension filters, calculate 4 hash values for each file and capture the file's metadata.
- Single partition Capture: Gives the user the ability to select only one partition (per session) to perform forensic imaging and save it into the Evidence drive in DD/E01/Ex01 format.
Imaging and Verify:
The user can select to run forensic imaging with 4 HASH engines on the fly simultaneously (MD5, SHA1, SHA2, SHA512) and also enable the "HASH target and compare HASH" feature. That is a standard operation to ensure the captured image is not altered or corrupted.
Drive Spanning:
Supports spanning the captured data onto multiple "Evidence" drives when the Evidence drives are not large enough (Supports restore images spanned over multiple drives).
Encryption:
On-the-fly AES256 XTS encryption of the "Suspect" drive, saving the encrypted data on the "Evidence" drive in 100%, DD, E01/Ex01 formats.
Decryption: The user can perform decryption on a drive that has previously been encrypted with any of the SuperImager units. Alternatively, the user can use a standalone MediaClone Linux decryption utility application to perform decryption on an encrypted drive using any PC. The supplied standalone decryption utility application can be burned onto a USB flash drive that later can be used to boot the PC to the MediaClone Linux decryption utility application, where the encrypted drive and a blank destination drive are attached to the PC (the user needs to supply to the utility application the saved encryption key). MediaClone developed its decryption utility application to ensure that the user can always decrypt the drive that was once encrypted via a MediaClone unit and not rely on TruCrypt or other third-party applications that might not be supported in the future.
Forensic Imaging Sessions:
In one read-pass from the "Suspect" drive, the application can run the following operations simultaneously: Forensic imaging with E01 format and full compression, Encryption with AES256, 4 HASH Verification and Authentication values (MD5, SHA1, SHA2, SHA512), and save the captured Forensic Images to 2 "Evidence" drives to a local network, and external compact USB3.2/e-SATA TB RAID encrypted storage. The basic Forensic Imaging mode can be 1:1, 1:2, 1:3, 2:2, 2:3... The new Linux-based SuperImager Plus application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations while performing at incredibly high speeds with E01/Ex01 formats and full compression. In addition, the application allows the user to manually select and adjust the number of CPU hyper-threading and the level of compression used during each session.
Forensic data capture with Encase E01/Ex01 formats with full compression is widely used for operations in the forensic industry and generally requires a trade-off between speed, space, and time of decompression by the Encase application.
Data Eraser and Format:
- Erase the Evidence drive before use (with an extremely fast speed of up to 32 GB/min with SSD and up to 11 GB/min with HDD). The user also can select to erase the remainder of the drive after the copy.
- Drive Erase Protocols: DoD 5220-22M, Security Erase, Enhanced Security Erase, Sanitize, NVMe Secure Erase, or a User-mode where the user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, Sanitize, and DoD erase protocols are all NIST 800-88 compliant).
- Quick or Full Format a drive: NTFS, FAT, HFS+, EXT4, and exFAT.
- Erase Verify: Run Erase Verify to verify that the drive was erased before use.
- Erase Logs and Erase Certification: The application generates extensive erase logs and files with an NIST 800-88 erase certification (also runs S.M.A.R.T. tests before and after the erase operation and is saved to XML file format), which can be exported to a USB thumb drive. The application also has a built-in erase database that can easily be exported to XLS.
- Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4.
HASH Calculation Authentication and Verification as a Standalone Operation:
It simultaneously calculated 4 HASH values MD5/SHA-1/SHA-2/SHA512 on a captured drive for image no alter verification (This operation is different from the HASH calculation during the capture).
Network Supports:
- Network Capture: Data from a network folder can be captured and saved into "Evidence" drives using the iSCSI storage protocols. The application (for both capturing from a network and saving to a network) supports SMB, NFS, and CIFS network protocols. The capture can run with HASH authentication and HASH verification.
- Saves Forensic Images to Network: Upload multiple Forensic images to a local network (DD, E01) simultaneously by using 10 Gigabit/s port.
- Disable Network process and protocols for security reasons: Those network protocols are easy to disable using Ubuntu Preferences Tools.
- Copy lose files from/to the network: The user can copy files from/to a network with HASH authentication for better data integrity.
- Remote Capture (Intel based CPU)- Capture data from the Internal Drives of an un-opened Laptop or Computer: Using USB or 1 Gigabit Ethernet ports on the laptop/computer enables the user to use the Remote capture application via a USB stick without the need to remove the drive from the laptop/computer or boot the laptop from its OS (the capture speed is limited to the performance of the Laptop/PC CPU and the 1 Gigabit/s connection). The Remote Capture Option Kit includes the USB flash drive, 1 Gigabit/s to USB3.0 Adapter, and a crossover network cable. The Remote capture application supports capture via USB/1394/TB/R45 network ports.
Parallel Operations:
- Parallel Forensic Imaging – Multiple Session Operations:
Improves the efficiency of the evidence data collection process by using multitasking and using a parallel imaging process. The user can take advantage of the SuperImager unit's multiple available ports and run multiple, efficient, parallel operations. The user can mix different types of operations, and each operation can be set as a new independent session. An example of an operation: erase data from a drive connected to one port and HASH verify a different drive connected to the second port, all while performing forensic imagining of 1 to many on drives connected to the remaining ports.
- Port's rule Increases Possibilities:
The application is very flexible in running multiple sources to multiple destinations, all in simultaneous operations. The user has the flexibility to change a port's role from "Evidence" to "Suspect" port. The session control application screen provides the user with comprehensive information and direct control over the running sessions, including all the settings of the session and the ability to abort the session.
- Detection Application Screen:
All drives and storage devices that are connected to the unit will be "scanned" and displayed on one application screen called "The Detection Screen". The user can tap on each drive to get its detailed info and run some specific utilities regarding that drive (as long as it is a target drive) – as a quick S.M.A.R.T. test (only using the "Target" port), run a Virtual Emulator ("Source" port), safely preview the contents of the drive ("Source" port), as well as select it for any desired operation they are planning to use.
More Features:
- Drive Trim: This allows the user to manipulate the HPA/DCO area on the drive to create an Evidence/Target drive with the same capacity of the Suspect/Source drive.
- Application Audio Notification: The user can enable some audio notification features, like the end of a session.
- Unit's User Configuration: This feature allows the administrator of the unit to set specific operations with specific settings and allows the user to secure it with a lock password (This feature needs to be requested at the time of purchasing the main unit – it is needed for security purposes).
- Tasks Scripting: The user can create a script to run sequential and parallel operations. There are no limitations on the number of scripts or operations. If the operation requires the user's input, it will pause and wait for it.
- Language Supports: Easy to implement translations for new languages. It supports Korean and Chinese languages.
- Keyword search before imaging: It allows the user to perform a quick keyword search on the Suspect drive with filters on the file extension types and a few important keywords. (This is a quick keyword search to determine if a "Suspect" drive needs to be captured.
- Keyword search while imaging: Gives the user the ability to perform a quick keyword search on the Suspect drive's files and folders, with filters on the files extension types and with a few important keywords included in the search images.
- Cloud Storage Connection: With Insync paid services, the user can sync to Microsoft OneDrive, Google Cloud, and other cloud storage and capture the data.
The unit as a Complete Forensic Platform:
The unit built-in with High Performances Hardware and configured with dual open OS (Linux, Win) and can serve as a platform for a Forensic Investigator to perform a complete investigation using one unit. A forensic investigator can, in addition to imaging and capturing data, install and run any third-party applications to: analyze the captured data, extract data from cellphone, preformes RAID reconstruction, network analysis, and more.
- Virtual Drive Emulator (Linux): Enables the user to run a drive, or image of a drive emulator, on the unit (Windows only) and allows the user to share folders and copy important files (bypass the user's Windows password). Mount a Suspect drive, or its DD/E01 images, simulate it in its native Windows Environment and extract important files.
- Secure Write Blocked File Preview (Linux and Win): Browse and preview the captured data on the unit' monitor. The user should connect the drive to the unit's Suspect port to protect the drive via the port's write-blocking mechanisms, turn on the power to the drive using the application's power icon, and mount the drive using Ubuntu. The drive Doc files, including XLS, can be viewed using the Ubuntu Open Office package. Alternatively, the user can boot the unit to Windows and view the captured data using Windows.
- Cellphone/Tablet data extraction and analysis: Install and run Cellebrite, Oxygen, BlackBag, MPE+, Paraben, Axiom, MSAB, Graykey applications, and more (the user can also use the many of the unit's USB3.2 ports to run multiple cellphone extractions in a very good performance)
- Triage data collection: Install and Nuix/Encase/Axiom/ADF portable applications.
- Full computer forensic analysis: Install and rub Encase, Nuix, Axiom, and FTK applications (data is already captured, and the hardware can support running a full analysis with good performance).
Built-in the USA: The units are designed, built, and tested in the USA.
Warranty: One-year free warranty on the main unit (does not include a warranty on accessories, adapters, and cables).
Main Hardware Features:
- Case: Mobile, lightweight,and easy to carry.
- CPU: i7 latest generation CPU.
- Display: Color LCD 8" display with touchscreen, LED back-light.
- Hardware: Very high-quality, high performing components; some with military specifications.
- OS: Linux Ubuntu 64 bit and Win 10 Professional 64 Bit in a dual boot.
- Security: Linux OS (Linux is less targeted by malware).
- Hardware Upgrade: The unit can be upgraded at the time of purchasing for additional cost to a larger internal SSD.
Hardware Specifications: -
RAM: 32GB DDR4 internal memory.
Internal storage: 1TB SSD SATA.
Storage controller: NVMe 2 ports storage controller
Hardware Ports and Supports:
- Source Ports: One SATA, one NVMe U.2, one USB3.2 Gen 2x2 (USBc) port, and 2 USB3.2 ports are set as source ports (the user cannot change the role of these ports).
- Target Ports: One SATA, one U.2 NVMe, 6 USB3.2 ports, one e-SATA port
- Thunderbolt 4.0 ports: Two target ports you can connect to:
- Supplied Thunderbolt to PCIE Expansion Box.
- Connect to HDMI external monitor with supplied adapter.
- Connect to un-opened Mac.
- Connect to 10 GbE with optional adapter
- USB 2.0 ports: 2 ports that can be use for mouse and keyboard. In general any of the unit's USB ports can be used for peripherals.
- Supports Storage Protocols and Interfaces: NVMe, SAS,SATA, e-SATA enclosures, IDE, USB2.0, USB3.2, MMC, 1394, TB.
- Supports Form Factors: 3.5”, 2.5”, ZIF, 1.8”, Micro-SATA, Mini-SATA, Slim SATA, Ultra Slim SATA, M.2 SATA, PCIE-Memory Card*, Mini PCIE, SFF-8639 U.2 NVMe, M.2 NVMe, and CF-30.
* with optional adapters
Power Characteristics:
Power Supply: A built-in, universal, auto switching 192W UL/CE/PSE power supply.
Input Voltage: 100-240V/50-60Hz with OVP- over voltage protection, SCP- short circuit protection, OCP- over current protection, OTP- over temperature protection
Operating Environment:
Temperature: 5°C - 55°C (40°F-130°F).
Relative Humidity:20-60% non-condensing.
Mechanical Characteristics:
Unit net weight: 8.5 lbs.
Unit dimensions: 10.6”L x 7.70"W x 3.85"D
Shipping dimensions: 15" x 15" x 15", 20.00 lbs.
Included items:
- One Micro SATA adapter
- One Mini SATA adapter
- One M.2 to SATA adapter
- Two 29-pin SATA data and power combo cables
- Two NVMe U.2 extenssion external cables with secure brackets to the metal
- Two U2. to M.2 external adapters (NVMe)
- One USB3.2 Gen2x2 to NVMe M.2 adapter
- Remote Capture Kit via USB and 1Gigabit/s Ethernet ports
- Thunderbolt 3.0 to PCIE 3.0 Expansion box - with 4 SAS/SATA ports controller, split SAS/SATA cable to 4 ports, 4 extension power cables, one 12v/5v external PS, and one U.2 & M.2 NVMe controller
Options:
- SATA to USB3.0 Adapter (user can transform every USB3.0 port into SATA port with the use of external PS)
- Hard Case with Foam
- Thunderbolt/Mac KIT - capture from Mac via 1394/TB2/TB3
- SCSI KIT
- Thunderbolt 3.0 to 10 Gigabit/s adapter
|
|
|