Evidence Talks' new SPEKTOR module, 'Rapid Imager', enables faster and new approaches to image acquisition. It can store multiple streams per container using the AFF4 format, saving investigators valuable time.
This is an exciting development that all organisations and businesses with digital forensic processes should take an interest in. Law Enforcement agencies, for example, could benefit greatly from Rapid Imager technology, as police forces tend to have substantial backlogs of cases in their High Tech Crime Units. According to HMIC's Police Effectiveness reports in 2016, one of the UK's largest police forces, in terms of geographical area, had a current waiting time in its High Tech Crime Unit for computer examinations of 12 to 15 months. This may sound like an extraordinarily long time; unfortunately, however, it is becoming the industry standard in most areas. More devices per person are now being seized, each with greater storage capacity, which therefore takes forensic experts longer to image and analyse. Along with the rapid development of technology, new types of online crime have emerged, allowing criminals to offend whilst remaining as removed as possible from the target.
Corporate companies should also take an interest in the use of SPEKTOR and the new Rapid Imager module as it could help them to do their jobs faster, saving them both time and money. Many smaller businesses will not have their own digital forensic laboratories and so will rely on outsourcing their work to external facilities. This means that larger corporate forensic labs will also have large backlogs which could be dramatically reduced with Rapid Imager.
For the police, long backlog times can result in victims waiting longer for the results of investigations. It can also mean that it takes them longer to prosecute people and therefore cases build up. If offenders are not prosecuted quickly, they are released on bail meaning that they are out on the streets for longer, potentially committing further offences and adding even more cases to the growing backlog. Police forces across the UK are caught in this vicious cycle which could easily be reduced with the use of Rapid Imager.
Rapid Imager could have a significant impact on backlog times for both law enforcement agencies and corporate organisations. This module could provide a solution by reducing the number of seized devices that need to be taken back to a forensic lab. A suspect's family or children's devices could be imaged on scene using Rapid Imager and the image could then be brought back to the lab and analysed, saving both time and space in the forensic facility.
A flowchart illustrating the digital backlog cycle
So, what is Rapid Imager?
Rapid Imager is a forensic imaging tool, providing the same service as many competitors currently on the market. However, the difference is that Rapid Imager condenses stored data into a smaller space to allow for a much faster imaging process. The development of the new module was inspired by the fact that other tools are simply not fast enough to keep up with the vast number, and increasing size, of the storage devices being seized every day.
How does it compare to other imaging tools?
In order to truly understand the advantage of Rapid Imager over other imaging toolkits, an array of different storage disk, Universal Serial Bus (USB) and pod brands were tested alongside one another by our product testing team, to identify the combination that produces the most efficient outcome for the end user. Below is a graph showing the different speeds on different imaging platforms using the Toshiba TransMemory 16GB USB as a target, with a data table correlating to the graph.
Below is a chart to show a comparison in time taken to image a much larger 500GB hard disk with a Tableau TD2 and Rapid Imager.
From these results, it is clear that the quickest imaging format was in fact Rapid Imager. The Tableau TD2 managed to image and verify the disk in a total of 217 minutes (3 hours and 37 minutes), whereas Rapid Imager performed the same imaging and verification process in 160 minutes (2 hours 40 minutes), meaning that Rapid Imager was 57 minutes faster than the Tableau TD2.
Why is it so much faster?
The Tableau TD2, along with most other imaging toolkits, images in the E01 format, whereas Rapid Imager uses AFF4. A report constructed by our product testers explains:
'Throughout the years of digital forensics, methods have been researched and developed in order to analyse data faster, but also efficiently. Advanced Forensics Format (AFF) is one of those enhancements. AFF is an extensible open format, which ultimately enables better storage of disk images and related forensic metadata. This, however, has been developed further by Dr. Bradley Schatz, enabling the creation of the AFF4 format. AFF4, also known as Rapid Imager, offers significant new features such as the ability to store multiple kinds of evidence from multiple devices in a single archive, and an improved separation between the underlying storage mechanism and the forensic software that makes use of evidence stored using AFF. This improved system allows a single archive of evidence to be used in a variety of modes, including single evidence files, multiple evidence files stored on multiple workstations, and evidence stored in a relational database or object management system, all without making changes to forensic software. Ultimately, its development is based on obtaining data efficiently, rapidly and with less hassle.'
It is a common misunderstanding within the forensic industry that no tool understands the AFF4 format. This is incorrect. Evidence Talks can provide a free Windows system driver which mounts the image read-only – this does the job of a write blocker. The mounted image then becomes accessible to your computer and can be converted and viewed by any tool. Simply point the free Windows system driver at the rapid image and it can be read as normal.
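To make the two properties the report and the paragraph above rely on concrete (several evidence streams from different devices held in one archive, and an integrity check that runs against the archive rather than the original device), here is an added example that is not Evidence Talks' code and not the AFF4 format itself. It is a deliberately simplified stand-in: a ZIP container holding one entry per stream plus a JSON manifest of sizes and SHA-256 digests (the real AFF4 container records its metadata as RDF rather than JSON). The two sample streams, their names and their contents are constructed for the example.

```python
from __future__ import annotations

import hashlib
import io
import json
import zipfile

# Constructed sample streams standing in for two devices imaged on scene
# (names and contents are made up for this example).
SAMPLE_STREAMS: dict[str, bytes] = {
    "laptop-disk0.raw": b"\x55\xaa" + bytes(range(256)) * 4,
    "phone-sdcard.raw": b"\x00" * 512 + b"EXAMPLE-SDCARD" * 16,
}

MANIFEST_NAME = "manifest.json"


def build_container(streams: dict[str, bytes]) -> bytes:
    """Store every stream in one ZIP archive and record size + SHA-256 per stream
    in a manifest, so the archive carries its own verification data."""
    buf = io.BytesIO()
    manifest: dict[str, dict] = {}
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in streams.items():
            zf.writestr(name, data)
            manifest[name] = {
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2, sort_keys=True))
    return buf.getvalue()


def list_streams(container: bytes) -> list[str]:
    """Names of the evidence streams held in the container (manifest excluded)."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return [n for n in zf.namelist() if n != MANIFEST_NAME]


def verify_container(container: bytes) -> dict[str, bool]:
    """Re-hash each stored stream and compare it with the manifest.
    Returns a per-stream pass/fail map; a stream missing from the archive fails."""
    results: dict[str, bool] = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        manifest = json.loads(zf.read(MANIFEST_NAME))
        present = set(zf.namelist())
        for name, expected in manifest.items():
            if name not in present:
                results[name] = False
                continue
            data = zf.read(name)
            results[name] = (
                len(data) == expected["size"]
                and hashlib.sha256(data).hexdigest() == expected["sha256"]
            )
    return results


def tamper(container: bytes, name: str) -> bytes:
    """Return a copy of the container with the first byte of one stream flipped,
    to show that verification catches a modified image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, zipfile.ZipFile(
        buf, "w", compression=zipfile.ZIP_DEFLATED
    ) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == name and data:
                data = bytes([data[0] ^ 0xFF]) + data[1:]
            dst.writestr(info.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_container(SAMPLE_STREAMS)
    print("streams:", list_streams(archive))
    print("clean archive:", verify_container(archive))
    print("after tampering:", verify_container(tamper(archive, "phone-sdcard.raw")))
```

Running the block verifies the clean archive, then alters one stream and shows that only that stream fails while the other still passes; the per-stream result is what an examiner would want when a single container holds several devices.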
Many of our customers work in the Law Enforcement sector, and so Rapid Imager could help them reduce their backlogs in High Tech Crime Units. The new SPEKTOR module will also allow them to complete the same job without spending as much time on scene with suspects in hazardous situations. Police officers will no longer be required to seize every device they find. The unparalleled speed of Rapid Imager will allow them to image a device in a fraction of the time, meaning that they can leave devices behind and simply examine the AFF4 images back at the station.
Where do we go from here?
SPEKTOR users can contact us for a free one month trial of Rapid Imager NOW. The development of our products is actively driven by customer feedback and ideas. We want to hear your thoughts and allow you to test the new module to experience the speed advantages for yourselves.
Looking to the future, Rapid Imager will be a vital part of our new Cascade® Forensics Automated Workflow System. Cascade Forensics is a scalable, client-server architecture combining our core SPEKTOR triage technology with policy driven automated processing logic. Both the Cascade System and the new Rapid Imager module are changing the very nature of forensic investigations. Look out for a separate blog post focusing on Cascade Forensics in the near future.
Rapid Imager has been released and is now available for purchase to all SPEKTOR customers. It is faster than its competitors by a significant margin. The research conducted by our software testers clearly showed that the most efficient way of imaging a 500GB hard disk was by using Rapid Imager. It was 57 minutes quicker than imaging with the E01 format (Tableau TD2), while the acquired image size was still the same (466GB). The speed of Rapid Imager could significantly help reduce digital forensic backlogs. This means that our customers can complete their objectives faster than before. Illegal activity can be discovered faster, leading to the resolution of more cases.