X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 

X-Ways Imager
Best speed, most intelligent compression, not free

Forensic disk imaging tool. Stripped down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more (see below). X-Ways Imager was originally introduced in 2009 based on a request from an agency in the US, which had found out during performance tests that X-Ways Forensics was much faster than other imaging tools, especially when used together with hardware write blockers. Another test run by a similar agency in Australia also confirmed significant speed advantages over competing product. X-Ways Forensics/X-Ways Imager proved to be around twice as fast as competing products (the usual suspects) in a test ran by the F-Response development team for remote acquisitions! (blog post) X-Ways Forensics/X-Ways Imager was twice or 3 times as fast as the competing products here. Another win here. Another.

X-Ways Imager can be run directly for example from a USB device if desired, without installation, i.e. fully portable, just like WinHex and X-Ways Forensics. Totally different from a competing product that claims that it is suitable for live acquisition but in reality installs itself into the temp folder of the live system, thereby overwriting ~45 MB of drive space, and clandestinely removes itself from there after execution. Please don't get fooled by 3rd party disk imaging software.

The intelligence of the compression is another important factor. The compression algorithms in X-Ways Forensics and X-Ways Imager offer unsurpassed adaptability and a great range of compromises between speed and compression rate. They do not blindly compress almost incompressible data to death, forcing analysis software to waste time decompressing the data although the compression gain was negligible, unlike some really bad other disk imaging tools that waste your time and shall not be named here.

Images created by X-Ways Forensics and X-Ways Imager also allow X-Ways Forensics to to treat originally zeroed out disk areas as sparse, i.e. enable the software to totally skip these areas, neither read or decompress the compressed data in the image, let alone parse the decompressed version of the data, for example when carving files or running keyword searches. This can save a lot of time with today's huge hard disks if their space is not completely utilized. What's more, there are advanced features such as optional exclusion of free drive space and reverse imaging make X-Ways Imager the perhaps best disk imaging software on the market.

Plus X-Ways Imager can reconstruct virtually all conceivable variants of disk-based RAID systems like JBOD, RAID 0, RAID 5, RAID 6  from the physical storage devices (not images), if you know the correct parameters, and can image or clone the RAID. Disk-based means that the components of the RAIDs are physical hard disks/SSDs, not logical partitions/volumes.

The following menu commands in the software are available:

  • Tools | Open Disk

  • File | Create Disk Image (except for the ability to omit excluded files)

  • File | Restore Image

  • Tools | Disk Tools | Clone Disk

  • Tools | Compute Hash

  • Specialist | Reconstruct RAID System

  • Specialist | Technical Details Report

The contents of the sectors are displayed in a hex and a text column. The directory browser shows the partitions on physical disks. You can image or clone entire physical disks or individual partitions, i.e. copy them sector-wise, and create either raw images or .e01 evidence files. The so-called technical details report is output at that occasion, too. You can convert images from one format to the other. Free space can be omitted optionally if you don't need to acquire it, to save a lot of time and drive space. Raw images can additionally be filled backwards if you are struggling with severely damaged hard disks that freeze or crash your computer when reaching a certain sector. Detection and acquisition of HPA or DCO areas supported. Almost all other functions and display elements known from X-Ways Forensics are grayed out/not available in X-Ways Imager. In particular X-Ways Imager cannot create evidence file containers or skeleton images or cleansed images.

F-Response is an ideal add-on product that allows X-Ways Forensics to remotely analyze disks and RAM. And the other way around X-Ways Imager is an ideal add-on product for F-Response that allows you to image remote disks and dump remote RAM, too!

Screenshot of X-Ways Imager

NIST imaging test results, Aug 2016