There are a few good imaging tools out here. When creating a forensic image you always try to pick the best tool for the job. In this post, I will compare six forensic imagers.
This is a comparison I wanted to do for a long time, I have always wondered if there would be a noticeable performance difference between the tools. Most tools I use during my investigation are used without a second thought. I picked them up throughout the years and they do their job. However, there is nothing wrong with checking new tools from time to time. In this comparison, I picked six well-known imaging tools and compared their features, ease of use and performance. While I have included a top 3 of the, in my opinion, best imaging tools, I highly recommend that you match your requirements from a tool with the results of the tests below.
Table of contents:
For this comparison, I decided to select six well-known forensic imaging tools.
- FTK Imager by Accessdata
- Encase Forensic Imager by OpenText
- Belkasoft Acquisition Tool by Belkasoft
- Paladin by Sumuri
- Guymager by Guy Voncken
- OSFClone by PassMark
FTK Imager by Accessdata
Along with Encase Forensic Imager the most popular imaging tool on the market. Regardless of its name, FTK Imager does a lot more than only imaging. It can also mount images as a physical and/or logical drive and has a very capable evidence browser build in. You are able to perform basic forensic analysis and file recovery right from within FTK Imager.
FTK Imager supports a wide variety of image sources, Physical and Logical drives are supported as well as logical file-level images. FTK Imager includes the functionality to capture the system Registry and physical ram. It’s capable of converting images from and to other image types. Supported imaging formats include RAW (dd), SMART, E01 and AFF.
Encase Forensic Imager by OpenText
Along with FTK Imager the most popular imaging tool on the market. A very solid choice for creating images. While the interface can be very intimidating for first-time users, the tool offers some great features.
Encase Forensic Imager is able to perform imaging on a physical and logical drive as well on logical file-level. It only supports the encase imaging formats E01 and Ex01.
Belkasoft Acquisition Tool by Belkasoft
The Belkasoft Acquisition Tool is gaining a lot of popularity among forensic investigators because of its portability versatility and ease of use.
BAT is able to create images from physical and logical drives, mobile devices running iOS and Android (full physical images if rooted) and cloud storage. It’s able to create RAW (dd) and E01 images.
Paladin by Sumuri
Paladin isn’t a real imaging tool as it’s more of a complete forensic investigation environment. Paladin is a modern bootable Linux distribution with a really good user interface and great imaging capabilities.
Paladin uses DC3DD for RAW (dd) images and EFWACquire for E01 images.
Guymager by Guy Voncken
A popular free imaging tool developed by Guy Voncken. This imaging tool is included in most bootable forensic toolkits. It’s available in the standard repositories in Debian making installation rather easy.
Guymager is only able to create Physical images from mass storage devices and supports the RAW, E01 and AFF (disabled by default) file format.
OSFClone by PassMark
While unknown to many investigators, OSFClone is a great tool to create images. OSFClone is a bootable imaging environment that directly boots to the imaging tool.
OSFClone is easy to use and has all the basic features you expect from an imaging tool. It only supports Physical imaging and is able to generate RAW (dd), E01 and AFF images.
I have listed all noteworthy features in the table below.
It wouldn’t be fair to rank the imaging tools based on the number of features. In imaging tools, it’s quality over quantity. It all depends on what features you really need in your tool. For example, while both FTK and Paladin have the richest feature set, they both don’t support encrypted Ex01 images, so if encrypted Ex01 images are a requirement, both tools are not for you.
FTK Imager supports all image types and is able to image Mass storage devices and the RAM. It also has the unique feature to capture system files. This option creates a dump of the system registry including the SAM, Security, Software, System, and user registry files. It circumvents the Windows operating system and its file locks, thus allowing you to copy the live Registry files.
Encase Forensic Imager supports all image types and is able to image Mass storage devices and the RAM. It’s the only tool in this test to both support encryption and the Ex01 image format. This isn’t surprising since Encase is the creator and maintainer of the image format.
Belkasoft Acquisition Tool has the lowest amount of features of all the tested tools. Don’t let this number fool you since the features it does have are quite valuable. It only supports physical and logical imaging and doesn’t support RAM capture (Belkasoft has a separate ram capture tool). It has the unique feature to image Android and iOS devices and is able to acquire data from Google Drive, Google Plus, and iCloud cloud services.
Paladin is a bootable forensic environment, but during this test, I limited the scope to the build in imaging tool. It supports Physical and Logical image types as well as image files. Since it’s a bootable environment it does not support RAM capture. It supports a wide variety of image formats including DMG, VMDK, and VHD.
Guymager is a Linux imaging tool. It’s limited in it’s set of features and doesn’t have a unique feature that sets it apart from other tools.
OSFClone is a bootable no-nonsense imaging tool. It has all the basic features you want from an imaging tool and is the only tool in this test to offer SHA-512 hashing out of the box.
All tools (excluding Encase Forensic Imager) had support for both RAW (dd) and E01 images. Some tools also included support for the now deprecated Advanced Forensics Format. I personally like imaging in RAW (dd) because the format is universally compatible with all tools you might want to use to investigate the RAW data. E01 or Ex01 images need to be mounted in some way to enable other tools to access the data. Tools like Guymager disable AFF by default, requiring modification of the config file to enable it again.
An important aspect of each piece of software is the ease of use. A complicated piece of software can lead to mistakes, something you can’t afford during investigations.
Several actions were performed and evaluated on each tool.
- Download and installation (e.g. How complicated is it to get the tool up and running)
- Initial startup (e.g. Does it require initial setup)
- General interface (e.g. Is the interface easy to understand)
- Image creation (e.g. How many steps does it take to create an image)
- Configuring options (e.g. Configure the image type, split and verification options)
- Monitoring progress (e.g. How detailed is the image progress)
- Verifying result (e.g. Is it clear if the progress was successful)
Each action can receive a score ranging from 1 (hard) to 3 (easy).
Requires knowledge of the software and/or use of a guide/manual.
Some users will likely fail to perform the action.
Requires some knowledge of this type of software.
The action will generally be accomplished with some effort.
Requires no knowledge of the software.
First-time users will accomplish the action with relative ease
|Download and installation||3||3||3||2||2||2|
Based on the scores above the ranking of the tools by ease of use is as folllows:
|Belkasoft Acquisition Tool|
|Encase Forensic Imager|
Belkasoft Acquisition Tool gets a full 5 star rating as it received the full 21 points. The tool is completly wizzard driven and extremely easy to use.
FTK Imager follows with 20 points, While the imaging process is rather easy once started, FTK imager can be a bit overwhelming for first-time users.
Encase Forensic Imager is a bit more complicated, it’s user interface is modeled after Encase itself and it requires some basic understanding of the software in order to use it. The imaging process lacks detailed progress information and requires the use of the console to verify the results.
Guymager is a rather simple tool and not that difficult to use, advanced options, however, need to be set in the config file and once and it lacks detailed progress information.
Paladin is a great bootable environment for forensic investigations. Their build in imaging tool is easy to use and gives detailed progress information. However, first-time users might be overwhelmed by the options in the interface and it can take some getting used to the way the program works.
OSFClone is a straight-forward imaging tool. Since it’s text-based all settings must be done via a text-based menu system. This might mean you are going back and forth throughout the menu’s to get all the settings right increasing the likelihood of a mistake.
The main reason why I started this comparison was that I was curious if there is any noticeable difference in performance between these tools. There is little information on the internet regarding the performance of imaging tools. A good excuse for some benchmarks.
I did my tests inside a VMWare virtual machine. I created a virtual machine with the following setup:
- Ram: 12GB
- CPU: 4 cores @ 4,2GHz
- HDD1: 60GB (SSD-Backed VHD) – OS disk
- HDD2: 250GB (VHD on Physical HDD1) – Evidence disk (Source)
- HDD3: 500GB (CHD on Physical HDD2) – Image disk (Destination)
- OS: Windows 7 x64 latest updates&patches
In case of Guymager, Paladin, and OSFClone the virtual system was booted directly from the ISO.
HDD2 contained 170GB of data.
All virtual drives were thick images with all space preallocated.
Each tool was run 5 times and an average time was calculated. If supported, each tool created 2 images, a RAW (dd) image, and an E01 image.
Compression and Encryption were not enabled during these tests.
During the tests, I was surprised to see that all tools performed about the same. In the RAW image test, FTK Imager was the fastest tool completing the entire task in 00:59:14. Belkasoft was the slowest in this test taking 01:03:05 to complete the task, a difference of +6,5%. Encase didn’t participate in this task since it does not support generating RAW images.
The difference was much bigger in the E01 image test. Here Belkasoft Acquisition tool was the fastest at 00:52:26 while Paladin was the slowest taking 01:08:34 a difference of +30%.
Interestingly enough there seemed to be 2 distinct groups of tools, Belkasoft Acquisition Tool, FTK Imager and Encase all finished under an hour while Guymager, OSFClone, and Paladin took over an hour to finish. The similar performance of Guymager, OSFClone, and Paladin isn’t surprising since all three use the Libewf library to generate E01 images. Guymager seems to be the most optimized of these three have the best performance of the Libewf based tools.
I was also surprised to see that Encase Forensic Imager wasn’t the fastest tool when generating images in its own format.
In both cases, FTK Imager performed really well ranking first in the RAW (dd) test and second in the E01 test. Belkasoft Acquisition tool ranked last in the RAW (dd) test and first in the E01 test since the performance difference in the RAW (dd) test was only 6% you could say that performance wise both FTK Imager and Belkasoft Acquisition Tool are a solid choice.
250GB RAW (dd) Image
250GB E01 Image
The tested tools can be divided into two groups, the “commercial” windows tools and the “open-source based” Linux tools. In general, both groups performed about the same. The windows tools do feel a bit more polished than the Linux tools. FTK Imager is packed with features targeted at the investigator and can be used to perform basic forensic analysis (e.g. triage). Both Encase and Paladin also offer this functionality but in a less appealing package.
I was quite pleased to see that performance wise all tools performed really well in my benchmarks. There was a noticeable difference between the closed source windows tools and the Libewf library based Linux tools when generating an E01 image file. In all cases, the images completed successfully and all tools generated the same hash values. If speed is important for you might consider using one of the windows tools.
The biggest surprise for me was how well Belkasoft Acquisition Tool performed. I had rarely used this tool in the past, mainly because I stuck with what I knew (Encase Forensic Imager and FTK Imager).
If you don’t need the extra features offered by Encase Forensic Imager or FTK Imager you might want to consider using Belkasoft Acquisition Tool in the future. The performance, in general, is quite solid and it was the fastest tool in the E01 tests. Combined with the unique option to image Android and iOS devices, and to acquire cloud storage from within the same tool it’s a great tool to have.
Based on the tests performed I give you my personal top 3 forensic imaging tools:
1. FTK Imager
Solid performance combined with a lot of features.
When looking at its performance in the benchmarks and feature set it’s clear why FTK Imager is one of the most known imaging tools.
While I really liked the Belkasoft Acquisition Tool I chose FTK Imager as my number 1 because you are able to analyze your image with FTK Imager where Belkasoft Acquisition Tool is only an imaging tool.
2. Belkasoft Acquisition Tool
Easy to use combined with some unique features.
When you are looking for an easy tool to use in the field this is the tool. Because it’s one of the few imaging tools that only does one job, but it does it well.
The tool also supports the imaging of mobile devices and cloud storage.
Great toolkit with a solid imaging solution.
Both FTK Imager and Belkasoft Acquisition Tool can be used during a live response. When it comes to the imaging capabilities, features and ease of use the Paladin live cd offers the best combination of the three.