How to Choose a Perfect Target Drive

Hi there!

Welcome back to Plug, Image, Repeat, the monthly newsletter where we share practical tips and tricks to improve your image acquisition experience.?

We're delighted to have you with us.??

When every minute counts, fast and reliable storage devices are vital for a digital forensic expert. Today we're going to talk about target drives (also known as destination drives), and how to make the right choice.

1?? General tips

There are typical use cases for a target drive:

• Storing images of evidence drives on network storage.
• Using local storage for images connected to a forensic imager.
• Creating a bit-to-bit copy on a target drive.

Certainly, the criteria for choosing a target drive depend on your priorities. However, based on the experience accumulated by our customers, these factors are crucial:

• Write speed?
• Reliability and integrity
• Cost

Network storage is the most intricate case. To provide high performance and reliability, we set up RAID arrays of drives in a server. We strongly recommend redundancy-based configurations like RAID 5 or RAID 6.

????But which drive type to choose: HDD or SSD??

Overall, HDDs (hard disk drives) are more reliable than SSDs (solid-state drives). SAS HDDs are faster than SATA HDDs. The latter, though, are revered for their cost-effectiveness.

If high speed is a must, then a RAID with NVMe SSDs is the best choice. Choose enterprise SSD models over consumer ones to avoid the high wear-out of the latter. Keep in mind, though, that it is an expensive option.

2?? How to choose reliable HDDs?

To understand the lifetime failure rates of different drive models, we turn our attention to Backblaze's wealth of insights. Their database houses data from over 245,000 drives worldwide, neatly categorized into 30+ distinct models. Here's a summary of their analysis of drive failures in Q2 2023:

• 3 drives have zero failures.

• Over 2,5 years of operation, 4 drive models (out of over 1000 drives researched) have experienced less than 1% AFR (Annual Failure Rate). These exceptional performers are highlighted in red. For a better understanding of the drive lifecycle, please refer to Backblaze's detailed article on the subject.

Now that we've learned how to select the most suitable target drive, let's prepare it for further forensic procedures.?

3?? Securely wipe your target drive?

Erasing data is a little more complicated than many people think, and sometimes data remnants can interfere with the imaged data. Therefore it is vital to use the secure erase option.?

With modern HDDs, a simple linear pattern of binary zeros is usually sufficient. Most hard drives support the ATA Secure Erase command, which is a standard firmware command that prompts the drive itself to erase its contents.

In contrast, wiping an SSD is a little more tricky.

Wiping SATA SSD drives

SSDs store data using electronic circuits and individual memory cells are organized into pages and blocks. It means that data is not stored in a single physical location, but is spread out. When you tell an SSD to erase your data, it does not overwrite the existing data. Instead, it writes new data to a cleared memory block. This has implications for wiping SSDs: even after you have requested data to be erased, some of your data may remain in non-addressable memory cells.

That’s why we highly recommend using methods based on drive firmware implementation such as Secure Erase, which erases all addressable sectors, hidden areas (if HPA/AMA is enabled), and the over-provisioning zone.?

Wiping NVMe SSD drives

Because of overprovisioning, numerous memory blocks remain unaddressable and can retain data. To thoroughly erase all data on the drive, we advise you to employ NVMe commands as outlined by the specifications from the NVM Express Work Group.

Your first option to securely wipe an NVMe drive is Format NVM. This method uses the SSD controller's internal wiping algorithm according to the FORMAT NVM command described in the NVM Express base specification.? Some drives allow to use "Cryptographic Erase" parameter of this command. In this case, all user data on the NVMe drive will be securely erased through the deletion of the encryption key.

Another option is the Sanitize command.

??Sanitize in TaskForce 2023.10

The latest TaskForce firmware supports the Sanitize wiping method for securely wiping NVMe drives.?

? The main difference with the Format NVM command is that the running Sanitise process can't be aborted once it's started. Even a power cycle cannot stop the NVMe controller from erasing the NAND memory cells with Sanitize.

? A disadvantage of the Sanitize is that it is often much slower than Format NVM.

If you are working with an NVMe drive in TaskForce or TaskForce 2, you can select different options for altering user data in all locations on the drive in which user data may be stored:

• Block Erase uses a low-level block erase method specific to the media.
• Crypto Erase changes the media encryption keys.
• Overwrite writes a fixed data pattern.

Find out more about NVMe drives.

Alternative wiping methods recommended by NIST and DoD

?? NIST 800-88

This method combines a linear overwrite with a full verification of the written data, following the requirements outlined in the 'National Institute of Standards and Technology: Draft NIST Special Publication 800-88 Revision 1' document. Successful completion of this wiping is only achieved when each sector has been erased with binary zeros, re-read without error, and verified to contain all binary zeros.

?? DoD 5220.22-M

The DoD 5220.22-M method involves a 3-pass linear overwriting process:

• First pass: Write the hex pattern 'AA' to all sectors.
• Second pass: Write the hex pattern '55' to all sectors.
• Third pass: Overwrite all sectors with the defined pattern.

NOTE: Despite its obsolescence, the standard is widely recognized and is in use in many industries.

3??Image to compressed file formats to save target drive space

Prefer to image to compressed forensic file formats AFF4 or E01 if you don't have enough space on the target drive and want to increase the imaging speed.

• AFF4 supports LZ4 and Snappy fast compression algorithms.?
• E01 file format only employs the zlib algorithm, which is slower than the ones used in AFF4.

Nevertheless, the actual compression ratio is highly dependent on the contents of the drive and the entropy (level of randomness) of the data it contains. The poorly compressible data types you may often encounter are:

• compressed videos, photos, audio files;
• compressed archive files;
• encrypted files or partitions.

4??Track target drive performance during imaging?

When capturing forensic images, it is important to check the writing speed of your target drive or storage to ensure that it does not become a bottleneck in the imaging process. Atola TaskForce provides detailed live speed statistics for all imaging operations.

Consider the stats together with the total speed. If the total imaging speed is too low and the target drive or the image file is the slowest in the process, it may be necessary to upgrade your storage hardware.

Keep in mind that network bandwidth can also be a potential performance bottleneck.

Now that you know how to choose which target drive to use, it's time to put what you've learned into practice!

Previous episodes:

[3] Damaged Drive Imaging: Examples And Popular Questions

[2] Using and Imaging NVMe drives: tips and tricks

[1] ?Atola TaskForce 2: Unveiling the Next-Generation Imager

Thank you for joining us for this edition of Plug, Image, Repeat! Make sure you never miss an issue by clicking the "Subscribe"?? button in the upper right corner of the page. For more articles and insights, visit our website. If you have any questions, please ask us or send them using the comments section below.