Guardonix Revisited. Keyword searching while imaging!

Short version:

You want this write blocker (because it is not just a write blocker).

You can enter to win this here: https://www.dfir.training/guardonix-giveaway (the drawing is in a few hours, so hurry - July 17, 2020).

Longer version:

I wrote up my personal opinions of the DeepSpar Guardonix here: https://www.dfir.training/dfir-blog/if-you-don-t-already-have-a-deepspar-guardonix-you-might-want-to-get-one . If you don’t know what the Guardonix is, take a look at the post. Basically, this is the most economical data recovery device that recovers bad sectors and works as a write-blocker along with a few other really neat features. It is not just a write-blocker. It is way more.

So then comes an update…and then another update…

As I mentioned, the Guardonix is not just a write-blocker. It is a hardware device that can work through bad sectors better than any write-blocker on the market short of an all-out-data-recovery-device, especially since write-blockers are not designed to recover data from bad drives. They only block writes.

Not the Guardonix. It does more than any ol’ write-blocker.

About the updates

I have an early release of the updates, but by the time you read this, DeepSpar most likely will be pushing out the updates to current owners of the Guardonix. I just couldn’t wait to talk about this.

Faster!

One of the latest updates is a substantial imaging speed increase.

Speed Optimization gives you three choices: Off , Standard , and Aggressive . I ran through each of these settings with varying devices and there is a difference. Compared to several other write-blockers, I found about a 20% increase in speed.

For my testing (generic setup):

Workstation: 4.2Ghz, 64GB RAM, Quad Core

USB Controller: ASMedia USB3 PCIe 1x

SSD drives as both source and destination, with about 30GB of videos on a 128GB source media

Software: FTK Imager (v4.3.1) with settings of: 0-fragment, 1-Compression.  

Software: X-Ways Forensics (v.19.9) with settings of: Compression-none, Speed-Fast Adaptive. 

Since this part of the update is about speed, here are the results with FTK Imager compared against X-Ways Forensics. The intention is not to compare X-Ways Forensics against FTK Imager, but rather give you a frame of reference if you use one or the other, or both. I have been informed that faster speeds are possible…

FTK Imager 4.3.1  (315.027 MB/sec)

X-Ways Forensics 19.9 (17.7 GB/min)

PS:  The latest version of FTK Imager is much faster than any of its prior versions by the length of a football field!

Keyword searching!

I intentionally neglected to mention that for the tests, I was also running keyword searches during the imaging with Guardonix. More accurately, I simply imported a text file with keywords into Guardonix and Guardonix did the searching while it was also imaging.  I tried with a few terms, many terms, and imaged without any terms.  Any speed differences were barely noticeable.  You need at least 4 cores to search (the more, the better!) and I did not see speed hits up to 20 terms that I tested. Be sure the words are uncommon to make sure the search is effective, as it would make no sense to search for a word that is common to every system, like “word” or “microsoft”.

 

 

What’s the big deal?

For the Guardonix to fit your needs, you need to have use of a write blocker. If you don’t image storage media, then this is not for you.

However, if you image lots of media, this is something to consider having because having to handle many drives, you are bound to encounter bad drives (ie; bad sectors), which means you will either accept to miss data or will choose to send the drive out to a data recovery service. Then again, if you have the rare duty to image storage media, you may want to have this in the event the rare drive you have to image is ‘bad’.

The speed increase is very nice, but that is not my primary neatness factor. Don’t get me wrong, if imaging can be faster, I want it!  The neatness factor for me is the keyword searching during the imaging.

I see the big deal in having keyword searches during imaging as a triage method. It’s not all-inclusive as a comprehensive triage, but if a drive that has to be imaged anyway can have a keyword search done at the same time as imaging, you are one step closer to prioritizing drives for analysis with no time loss.  Actually, it ends up being a time gain!

I can see that if multiple media are imaged and each image is accompanied by log of search hits, discussions as to which media is important can happen much faster, whether that be within a forensic lab or between attorneys in a civil matter.

A place for everything and everything in its place

Each DFIR tool, software and hardware, has its place. Tools that you desperately needed today might not be needed for weeks or months after today.  Tools that you have sitting on a shelf may be gathering dust for weeks, but eventually, you may need it.

That is where I see the Guardonix. For me, I image media often. Then I don’t.  I really don’t know when I will be imaging until the day comes. For that, I keep a lot of tools at the ready. Having a write-blocker in the Pelican case that can handle bad sectors, create images faster than other write-blockers, and do keyword searches at the same time when imaging is a tool that I will most likely be using often.

 

 

Written by :Brett Shavers