I haven’t paid much attention to write-blocking technology for the last few years. As long as I was able to validate that the device worked as expected and it had a high-speed connection (FireWire 800 / eSATA), I was happy. But I spent some time with Tableau’s founder, Robert Botchek, at the end of last year, and he impressed upon me how much room for innovation still exists in the write-blocker market. We are up against some major hurdles in the digital forensics world that are rapidly changing the way we do business. With 2TB drives on the shelves, the decision to take a full forensic image is no longer obvious. If a user has to be without their computer or a server has to be down for 2 days, that significantly changes the equation. That’s why I was excited to see Tableau enter the imaging software space with Tableau Imager (TIM).
Michael Cloppert recently made an excellent plea for innovation in the IDS industry in his post, Detection, Bandwidth and Moore’s Law. A key takeaway was that processor speed has reached a plateau and new advances are now occurring through the number of cores per die. In many cases, software must be rewritten to take advantage of multi-core processors. TIM takes advantage of this shift by parallelizing the actions that occur during the imaging process. Thus actions like hashing and compression can be performed in parallel with the imaging process, having little effect on the total imaging time.
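As an added illustration (not Tableau’s code and not from the original post), the sketch below pipelines an acquisition the way this paragraph describes: one thread reads the evidence sequentially while separate threads feed the MD5/SHA1 digests and the compressor, so hashing and compression add no wall-clock time as long as those workers keep pace with the read. The in-memory evidence source, the chunk size and the use of plain zlib in place of a forensic image format are assumptions made for the example.

```python
import hashlib
import io
import queue
import threading
import zlib

CHUNK = 1 << 20  # 1 MiB reads; hashlib and zlib release the GIL on buffers this large

def _hash_worker(q, digests):
    # Digests must see chunks in read order, so one thread owns both of them.
    while (chunk := q.get()) is not None:
        for d in digests:
            d.update(chunk)

def _compress_worker(q, out, level):
    comp = zlib.compressobj(level)
    while (chunk := q.get()) is not None:
        out.write(comp.compress(chunk))
    out.write(comp.flush())

def acquire(src, out, level=9, chunk_size=CHUNK):
    """Read src once, sequentially; hash and compress in parallel. Returns (md5, sha1, bytes_read)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    hq, cq = queue.Queue(maxsize=8), queue.Queue(maxsize=8)  # bounded: back-pressure, bounded RAM
    workers = [threading.Thread(target=_hash_worker, args=(hq, (md5, sha1))),
               threading.Thread(target=_compress_worker, args=(cq, out, level))]
    for w in workers:
        w.start()
    total = 0
    while chunk := src.read(chunk_size):  # the read loop never waits on a digest
        total += len(chunk)
        hq.put(chunk)
        cq.put(chunk)
    for q in (hq, cq):
        q.put(None)  # sentinel: end of evidence
    for w in workers:
        w.join()
    return md5.hexdigest(), sha1.hexdigest(), total

def acquire_bytes(data, level=9, chunk_size=CHUNK):
    """Wrapper for constructed in-memory sample data; returns (md5, sha1, total, compressed)."""
    out = io.BytesIO()
    md5, sha1, total = acquire(io.BytesIO(data), out, level, chunk_size)
    return md5, sha1, total, out.getvalue()

def verify(compressed, md5_hex, sha1_hex):
    """Decompress the image and confirm it still hashes to the acquisition hashes."""
    data = zlib.decompress(compressed)
    return (hashlib.md5(data).hexdigest() == md5_hex
            and hashlib.sha1(data).hexdigest() == sha1_hex)
```

Because the digests run in their own thread, the acquisition hashes are computed over exactly the bytes read, and `verify` re-derives them from the compressed image as a post-acquisition check.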
The current feature set is limited, but it includes many of the features you want in a dedicated imaging product. For those of you who have used Tableau’s Disk Monitor software, you will notice that TIM has incorporated it into the product.
TIM provides a well thought out view of the available devices. Double-clicking on a device gives a Disk Information page that can be exported for report inclusion. The HPA / DCO information section is particularly helpful.
Double-clicking in the Acquisition Queue brings up a graphical display of the current imaging process. The graphic is more than just eye candy. It is apparently designed to provide real-time feedback about any choke points that may be slowing the acquisition. I was unable to test this, which is likely due to using a relatively new quad-core system.
My initial testing results were impressive, with 2.5 GB/min sustained speeds using 5400rpm SATA drives, while creating MD5 and SHA1 hashes and employing maximum compression. This was 30-40% faster than other imaging software I tested using the same hardware. When I performed the same acquisition with no hashing or compression, the acquisition speed was the same, indicating that the tasks are indeed being performed in parallel. Imaging speeds should be much faster using 7200 or 10000 rpm drives. For all my tests, I used the Tableau T35e bridge from the SANS FOR408 Computer Forensic Essentials course. TIM won’t beat most handheld imagers, but the speed is excellent for a digital forensic workstation-based acquisition.
There are some limitations with this product. Most notably, it will only image drives connected using a Tableau bridge / write blocker. Additionally, v1.0 of the product only performs physical acquisitions. TIM is available here for free.
Chad Tilbury, GCFA, has spent over ten years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He currently teaches FOR408 Computer Forensic Essentials and FOR508 Computer Forensic Investigations and Incident Response for the SANS Institute.
Note: This post originally appeared on the SANS Forensics blog