X-Ways Imager
Best speed, most intelligent compression, not free
Forensic disk imaging tool. Stripped-down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more (see below).
X-Ways Imager was originally introduced in 2009 based on a request from an agency in the US, which had found out during performance tests that X-Ways Forensics was much faster than other imaging tools, especially when used together with hardware write blockers. Another test run by a similar agency in Australia also confirmed significant speed advantages over competing products.
X-Ways Forensics/X-Ways Imager proved to be around twice as fast as competing products (the usual suspects) in a test run by the F-Response development team for remote acquisitions! (blog post) X-Ways Forensics/X-Ways Imager was twice or 3 times as fast as the competing products here. Another win here. Another.
X-Ways Imager can be run directly from a USB device, for example, without installation, i.e. fully portable, just like WinHex and X-Ways Forensics. This is totally different from a competing product that claims to be suitable for live acquisition but in reality installs itself into the temp folder of the live system, thereby overwriting ~45 MB of drive space, and clandestinely removes itself from there after execution. Please don't get fooled by 3rd party disk imaging software.
The intelligence of the compression is another important factor. The compression algorithms in X-Ways Forensics and X-Ways Imager offer unsurpassed adaptability and a great range of compromises between speed and compression rate. They do not blindly compress almost incompressible data to death, forcing analysis software to waste time decompressing the data although the compression gain was negligible, unlike some really bad other disk imaging tools that waste your time and shall not be named here.
Images created by X-Ways Forensics and X-Ways Imager also allow X-Ways Forensics to treat originally zeroed out disk areas as sparse, i.e. enable the software to totally skip these areas, neither read nor decompress the compressed data in the image, let alone parse the decompressed version of the data, for example when carving files or running keyword searches. This can save a lot of time with today's huge hard disks if their space is not completely utilized. What's more, advanced features such as optional exclusion of free drive space and reverse imaging make X-Ways Imager perhaps the best disk imaging software on the market.
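The idea in the two paragraphs above (store nearly incompressible data uncompressed, and record zeroed areas as sparse so that a search never reads them), as an added Python example. It is not X-Ways code and does not reproduce the .e01 format or any X-Ways image layout; the chunk size, the 10 % gain threshold, the function names and the sample disk are assumptions made for the illustration.

```python
import random
import zlib

CHUNK = 32 * 1024   # assumed chunk size, not taken from any real image format
MIN_GAIN = 0.10     # assumed: keep deflate output only if it saves >= 10 %

def encode_chunk(data):
    """Classify one chunk as 'sparse' (all zero), 'deflate' or 'raw'."""
    if data.count(0) == len(data):
        return ("sparse", len(data).to_bytes(4, "little"))  # length only
    packed = zlib.compress(data, 6)
    if len(packed) <= len(data) * (1 - MIN_GAIN):
        return ("deflate", packed)
    return ("raw", data)  # gain negligible: readers need not decompress

def make_image(disk):
    return [encode_chunk(disk[i:i + CHUNK]) for i in range(0, len(disk), CHUNK)]

def decode_chunk(kind, payload):
    if kind == "sparse":
        return bytes(int.from_bytes(payload, "little"))
    return zlib.decompress(payload) if kind == "deflate" else payload

def keyword_search(image, needle):
    """Return (hit offsets, chunks read); sparse chunks are never decoded."""
    if not needle or 0 in needle:
        raise ValueError("needle must be non-empty and contain no zero byte")
    hits, read, offset, tail = [], 0, 0, b""
    for kind, payload in image:
        if kind == "sparse":  # zeros cannot hold any part of a match
            offset += int.from_bytes(payload, "little")
            tail = b""
            continue
        data = decode_chunk(kind, payload)
        read += 1
        buf, base = tail + data, offset - len(tail)
        pos = buf.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = buf.find(needle, pos + 1)
        tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
        offset += len(data)
    return hits, read

def sample_disk():
    """Constructed sample: text, pseudo-random data, zeroed space, text."""
    rnd = random.Random(0)
    text = (b"invoice 2016 " * 4000)[:CHUNK - 3] + b"SEC"
    noise = b"RET" + bytes(rnd.getrandbits(8) for _ in range(CHUNK - 3))
    return text + noise + bytes(4 * CHUNK) + b"SECRET" + b"A" * 100
```

On the constructed disk the search reads three of the seven chunks and still finds the keyword that straddles the boundary between the compressed and the uncompressed chunk.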
Plus X-Ways Imager can reconstruct virtually all conceivable variants of disk-based RAID systems like JBOD, RAID 0, RAID 5, RAID 6 from the physical storage devices (not images), if you know the correct parameters, and can image or clone the RAID. Disk-based means that the components of the RAIDs are physical hard disks/SSDs, not logical partitions/volumes.
The following menu commands in the software are available:
- Tools | Open Disk
- File | Create Disk Image (except for the ability to omit excluded files)
- File | Restore Image
- Tools | Disk Tools | Clone Disk
- Tools | Compute Hash
- Specialist | Reconstruct RAID System
- Specialist | Technical Details Report
The contents of the sectors are displayed in a hex and a text column. The directory browser shows the partitions on physical disks. You can image or clone entire physical disks or individual partitions, i.e. copy them sector-wise, and create either raw images or .e01 evidence files. The so-called technical details report is output on that occasion, too. You can convert images from one format to the other. Free space can optionally be omitted if you don't need to acquire it, to save a lot of time and drive space. Raw images can additionally be filled backwards if you are struggling with severely damaged hard disks that freeze or crash your computer when reaching a certain sector. Detection and acquisition of HPA or DCO areas is supported.
Almost all other functions and display elements known from X-Ways Forensics are grayed out/not available in X-Ways Imager. In particular, X-Ways Imager cannot create evidence file containers, skeleton images or cleansed images.
F-Response is an ideal add-on product that allows X-Ways Forensics to remotely analyze disks and RAM. And the other way around, X-Ways Imager is an ideal add-on product for F-Response that allows you to image remote disks and dump remote RAM, too!
Screenshot of X-Ways Imager
NIST imaging test results, Aug 2016