DFIR Training Blog



Speed is fine, but accuracy is final. - Wyatt Earp

I did more testing (and actual real-case use) of the Guardonix since the last post. In short, with the latest update to the Guardonix, the speed is faster. Like most people, I like things to be faster! But practically, I know that speed is fine, but accuracy is final.

From last year, my go-to write blocker became the Guardonix. I was sold on the "data recovery" aspect of the Guardonix, in that I had an original evidence drive in a real case that had bad sectors. I knew that the drive had problems because when it was given to me by the IT point-of-contact, the drive had a yellow sticky note of "bad drive". Visions of sending the drive off to a lab for recovery meant waiting for a week... or two weeks... or however long it would take. But I was able to image the entire drive with the Guardonix, and that confirmed the Guardonix as my first choice for imaging, especially when dealing with these "bad drives".

Then came keyword searching while imaging. I have yet to put keyword-searching-while-imaging to actual (real-life) use, but in testing it works, and I can't wait to have the first case where I can keyword search while imaging as part of triage of drives. This is a neat selling point to clients in eDiscovery cases, and I can see a real benefit in criminal cases where time is of the essence.

And the speed increase! I did a test recently and the speeds were impressive, but I have since retested with my new workstation (new system = happy dayz!). And yes, speeds were faster with better and newer hardware.

DeepSpar tells me that with a more ideal workstation setup, the speed can be even faster*. By the way, the 396.6 MB/s was with FTK Imager v4.3.1.1, and the speed of FTK Imager outperformed every other imaging tool that I tested.

The Guardonix is a little thing, but it packs a big punch in a small package. The fast imaging speeds are nice. The keyword searching while imaging is cool. The handling of bad drives is awesome. Having each of these in the same package makes the Guardonix the write blocker to have within arm's reach.

In my real-life case with a bad drive, the imaging speeds were slow if you just look at the speed, because the Guardonix had to do its magic with the bad sectors. But since this was a bad drive, I was prepared to have it sent to a clean room if I couldn't image it. The short story is that with the Guardonix, I imaged the entire drive. There were bad sectors, but the Guardonix clawed through them. So for speed, the Guardonix plowing through the drive for hours was much faster than sending it to a data recovery lab, where it would be weeks before getting it back to me.

*About imaging speed: Much like an auto manufacturer will state the best gas mileage for a new car on the sticker, they also state that "mileage will vary", simply because everyone drives differently and may use different grades of gas (regular vs. premium, etc.). The same holds true for any computer system or write blocker. Ideal setups can get you ideal speeds, but there may always be something that causes a bottleneck, or the source drive may be problematic, or the chosen settings on the imaging application will cause the imaging to go slower (or faster).

As Wyatt said, "Speed is fine, but accuracy is final". This holds true for imaging and any type of data collection. It is nice to go fast, but it is so much more important to be accurate and complete. Finishing up any task in minutes and not doing a good job is not only useless, but it will take a toll on reputation, credibility, and the veracity of the evidence.

My recommendation on buying anything based on speed is that going fast should not be the primary factor unless it is the only factor. We may want to drive a Ferrari at 120 MPH to get to work, but practically, we would do better driving the vehicle that fits our needs best. In the case of the Guardonix, we have speed, but more importantly, we have the ability to plow through a bad drive to do a righteous collection of evidence.

I almost forgot!

You can get a Guardonix here: https://guardonix.com/


Written by: Brett Shavers