Logical Imaging

How much time does it take to image a 10TB SATA drive physically? 10-12 hours at best (if the evidence HDD is healthy).

What about creating a bit-to-bit copy of newer 20TB drives or assembled 30-60TB RAID arrays?

This is where logical image acquisition helps. It saves valuable time by acquiring specific files rather than an entire source. Logical imaging provides a forensically sound method of evidence capture that does not alter the data and metadata stored on a source device, such as file names and creation dates. The result is an L01 image file that contains the selected files and their MD5/SHA1 hashes calculated during the imaging process.

Here are the key features of logical imaging in TaskForce 2:

Logical imaging: main page.

The possible types of evidence sources in TaskForce's logical imaging module are:

L01 image format.

Pause/Resume logical imaging

With a growing quantity of files on an average evidence source, logical image acquisition can still take a substantial amount of time. You can pause any running imaging session when you can't finish the job at the moment. TaskForce 2 reliably stores the L01 image and allows you to continue the logical imaging later.

Use case 1. Pause the task to avoid leaving it unattended.

  1. Pause logical data acquisition
  2. Turn off the TaskForce 2
  3. Power the unit on later
  4. Resume the logical imaging session from exactly the point in the data set where it was paused

Use case 2. Share the case with your colleague.

  1. Pause logical data acquisition
  2. Export the case into a file
  3. Transfer the source drive with the case file to a different location that has another TaskForce 2
  4. Resume the logical imaging session

Paused logical image acquisition session.
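The two ideas above, hashing each selected file during the copy and resuming a paused session, can be sketched as follows. This is an added example, not TaskForce 2 code, and it does not write the L01 format: a JSON-lines manifest stands in for the image's per-file records. The names `acquire`, `load_manifest` and `max_files` are hypothetical, and the source is assumed to be mounted read-only.

```python
import hashlib
import json
from pathlib import Path

CHUNK = 1 << 20  # bytes read per pass (1 MiB)


def load_manifest(manifest_path):
    """Return {relative path: record} for every file already acquired."""
    path = Path(manifest_path)
    if not path.exists():
        return {}
    records = (json.loads(l) for l in path.read_text().splitlines() if l.strip())
    return {r["path"]: r for r in records}


def acquire(source, dest, manifest_path, max_files=None):
    """Copy files from source to dest, hashing each one during the copy.

    Assumes source is mounted read-only. max_files simulates a pause: the
    call returns early and a later call continues where it stopped.
    """
    source, dest = Path(source), Path(dest)
    done = load_manifest(manifest_path)
    copied = 0
    with open(manifest_path, "a") as manifest:
        for src in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = src.relative_to(source).as_posix()
            if rel in done:
                continue  # acquired in an earlier session
            if max_files is not None and copied >= max_files:
                break  # paused
            md5, sha1 = hashlib.md5(), hashlib.sha1()
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            # "wb" truncates, so a file interrupted mid-copy is redone in full
            with src.open("rb") as fin, out.open("wb") as fout:
                while chunk := fin.read(CHUNK):
                    md5.update(chunk)
                    sha1.update(chunk)
                    fout.write(chunk)
            st = src.stat()
            rec = {"path": rel, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                   "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}
            # a record is written only after the whole file has been copied
            manifest.write(json.dumps(rec) + "\n")
            manifest.flush()
            done[rel] = rec
            copied += 1
    return done
```

Because the manifest travels with the copied files, a second machine can call `acquire` with the same manifest path and continue the session, which mirrors the case-export workflow in use case 2.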