Duplicating forensic images by splitting a RAID1
It is considered very good practice to make two copies of any image collected, particularly in the field. On one very long collection trip we did this by collecting to one set of drives during the day and running Robocopy overnight to duplicate the image set. FTK allows writing to two destinations, and the various versions of dd have always allowed this via one means or another. But these all require either time or precious IO bandwidth.
So, I thought, is there any way to create two images in real time without pushing the data down the pipe twice? Isn’t that what RAID1 is supposed to provide? But are two drives in a hardware RAID1 *really* identical? Turns out that, at least in my test case, they are.
I bought a vAGE220-SAU two-drive, USB 2.0/eSATA, RAID0/1 external enclosure ($275 at Amazon). It’s fairly well constructed, compact, and easy to use. The instructions weren’t clearly translated but were sufficient unto the task. Once I flipped the DIP switches correctly and waited a few hours for it to do the initial mirroring, I was good to go.
I hooked my source drive up to one port on my field laptop’s eSATA card and the RAID enclosure up to the other one. Fired off FTK (but dd, EnCase, or whatever would have done just as well). Imaged the drive and it ran at near expected speeds. The process finished and the image was verified.
Now the test. I pulled both drives and hashed them via a write blocker. The hashes matched. I had two identical, forensically sound images of my source drive. This required less time than imaging to two destinations using the hardware available on my field laptop, and a lot less time than running a copy overnight.
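The verification step above, as an added example (not code from the original post): stream-hash each pulled RAID member, or each image file, compare sizes and digests across members, and check the result against the digest the imaging tool reported for the source drive. The block constructs its own sample files in a temp directory; on a real case the paths would be the write-blocked devices.

```python
import hashlib
import os
import tempfile
from collections import namedtuple

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep throughput up on large devices
MemberHash = namedtuple("MemberHash", "path size digests")  # digests: algo -> hex

def hash_member(path, algorithms=("md5", "sha1")):
    """Stream a file or raw block device once and return its size and digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return MemberHash(path, size, {n: h.hexdigest() for n, h in hashers.items()})

def verify_mirror(paths, source_digest=None, algorithm="md5"):
    """Members are identical only if every size and digest agrees; if the
    imaging tool's verified source digest is supplied, it must match as well."""
    members = [hash_member(p, algorithms=(algorithm,)) for p in paths]
    sizes = {m.size for m in members}
    digests = {m.digests[algorithm] for m in members}
    identical = len(sizes) == 1 and len(digests) == 1
    matches_source = identical and (source_digest is None or
                                    digests.pop().lower() == source_digest.lower())
    return {"members": members, "identical": identical, "matches_source": matches_source}

def demo():
    """Constructed sample: two identical 'members' plus one whose last byte differs."""
    data = bytes(range(256)) * 4096  # 1 MiB of constructed content
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("member_a.img", "member_b.img", "odd.img")]
    for p, payload in zip(paths, (data, data, data[:-1] + b"\x00")):
        with open(p, "wb") as fh:
            fh.write(payload)
    source = hashlib.md5(data).hexdigest()  # stands in for the digest FTK/dd reported
    good = verify_mirror(paths[:2], source_digest=source)
    bad = verify_mirror(paths, source_digest=source)  # same size, different bytes
    return good["identical"], good["matches_source"], bad["identical"], bad["matches_source"]

if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```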
I need to try this a few more times and do some more performance measurements, but I’m pretty happy with the outcome. I wish there were a drop-in drive dock with RAID1 capability. That would eliminate the need to open the enclosure up when changing disks.
David,
This is good stuff and definitely requires further testing. I’m in the process of updating my forensic machine and may be getting an additional RAID external enclosure for this purpose. Thank you for taking the time to review and share your findings!
Very cool, David! I’d like to give this a try sometime as well.
KP
Perhaps this is what you’re looking for: http://usb.brando.com/prod_detail.php?prod_id=00559 ? No experience with any of this, but the specs seem right: $70, supports RAID1 out of the box, eSATA and USB, seems easy to connect everything.
David,
We have been doing this for some time now with no problems. I’m based in Asia and I use the following product: http://www.jpcentury.com/pro_con.aspx?id=P_00000024 This will do RAID-0 (4Tb), RAID-1 (2Tb), Big Disk (4Tb) or JBOD via a selector switch on the front of the unit; it has both a USB2 and an eSATA connection on the back. Each member of my team has two of these on onsite collections. A USB3 eSATA6 device is due in September.