Introduction

DeepSpar is the big name in data recovery, making all sorts of data recovery hardware used by many of the big data recovery warehouses. They've recently ventured into getting their recovery hardware into the hands of smaller operations. A couple of years back, they launched the RapidSpar (reviewed here), which offered a nice little package that enabled smaller shops and small businesses to bring a fair chunk of their data recovery operations in-house. While these tools could also be used for data forensics, that's a 'different crowd' really. Forensic operations want to just be able to plug a drive into a write blocker and hit GO on their imaging software. Write blockers are hardware devices that prevent any write requests from ever reaching the storage device, which lets the forensic shop later prove to the court (if needed) that the evidence (source drive) has not been tampered with. Historically, write-blocking hardware has not implemented data recovery functionality, meaning that a drive that times out with read errors would do the same thing when connected via a write blocker. This equates to added headaches for the data forensics guys that are just trying to get their drives imaged and get on with their cases (digging through the image looking for evidence of system compromise, illegal activity, etc). A few hard drive errors throwing a big wrench into the drive imaging process should be a solvable problem, and DeepSpar has stepped in to take a crack at just that:

Enter the Guardonix. This simple little box sits inline, between the capture PC and the USB device (flash drive, HDD in a USB dock, etc). It naturally performs the typical write blocking functionality expected from the device, but it throws in a round of data recovery functionality as well. Let's look at the simple software interface to help explain further:

2018-12-04-09-42-08.png

Connecting the device to the system the first time mounts a small volume containing software to get up and running. The app handles firmware and driver updates within its own interface, making things simple. DeepSpar recommends using the Asmedia USB3 controller on your system board for best possible compatibility, with the vendor driver installed (don't use the Microsoft InBox driver – download the USB 3 controller driver from your motherboard/laptop vendor). The same Asmedia controller recommendation applies to the use of a USB 3 dock connected to the Guardonix – Asmedia controllers best support the necessary device resets necessary for the data recovery tricks it is capable of.

2018-12-04-16-05-12.png

Once up and running, there is a series of configuration and data recovery options available. Logging options are extensive and necessary for inclusion in forensic reports. The 'PRO' settings (added cost) enable greater control of read timeouts, allow file system mounting, and enable some cool tricks like the ability to fake write attempts instead of replying with 'write denied' errors.

2018-12-04-16-15-50.png

Above is a typical setup showing the whole operation in action. I'm using a simple data recovery app instead of ($$$) dedicated forensic software, but the principles are the same.

2018-12-04-16-09-22.png

Here's a look at the Guardonix output while pushing through a drive containing read errors. Note that once past the errors, we see full speed of the source drive (a 2.5" SATA HDD in this case). The configurable timeouts are 1.25 (short), 4 (medium), and 10 (long) seconds. If the drive fails to come back after each reset attempt, the Guardonix is able to repower the drive a few seconds later. The error handling is definitely robust. I was able to go as far as to remove and reinsert the drive from the dock during imaging, and it just picked right back up from where it left off. Here's the Guardonix demo video:

Pricing and conclusion:

The base Guardonix goes for $320 at the time of this writing, with the PRO add-on features tacking on another $470. This may seem steep, but compared to other write-blocking hardware I've seen in the past, it's about average, with the PRO add-on tacking on some data recovery options capabilities not normally possible with simpler write blockers. So long as you are ok with only USB and docked SATA connectivity, that $470 is actually a good deal compared to the pricier RapidSpar (but not nearly as feature-packed).

*edit* Prices adjusted slightly after publishing. Article updated to reflect current prices.

pcpereditorschoicepng-300.png

Overall this is good stuff from DeepSpar. I'm glad to see them venturing into the forensics space, as that arena could stand to benefit from less frustration during their imaging operations. I know it would have saved me a bunch of time and headaches back when I was dealing with data forensics!