If you don’t already have a DeepSpar Guardonix, you might want to get one.

DeepSpar has a solid reputation regarding its products for recovering data from bad drives. It stands to reason that anything with DeepSpar’s name on it should be just as good, and in the case of the Guardonix, this is true.

Short version

  1. The DeepSpar Guardonix does what it says it does.
  2. You should have one if you have any chance of doing forensic disk imaging.
  3. The price is reasonable. You can even get 25% off before the end of this year*.

 

Side note: If you want a chance to win the DeepSpar Guardonix with Professional Upgrade and set of adapters, enter your contact info before September 15, 2019 here:

https://www.dfir.training/dfir-training-blog/enter-to-win-a-deepspar-guardonix

Longer version

This longer version doesn’t include an extensive “how to use” tutorial, but rather my overall opinion of the Guardonix. The DeepSpar videos explain how everything works much better than I could. Take a look at the videos on their blog at https://guardonix.com/blog.html.

How to use it

  • Connect to workstation
  • Connect to evidence
  • Run your imaging tool

Why have one of these in your DFIR toolbox?

For that one time (or multiple times) where the drive you need to image has any bad sectors. There is no need to keep accepting bad sectors when you may be able to recover most or all data.

The features

  • Stabilizes USB Connection (Standard)
  • Blocks Write Commands (Standard)
  • Shows Status Information (Standard)
  • Speeds up bad sector processing (Pro)
  • Repowers drive as needed (Pro)
  • Graphical display of speed and sector map (Pro)
  • Blocks Filesystem Mounting (Pro)

 

I really like the visual of being able to see the imaging process of good/bad sectors.

I’ve tried all the features and settings using the Professional Edition and strongly recommend the Professional Edition over the Standard Edition, primarily because the Pro features are where you gain control over how bad sectors are handled.

As for seeing details of the log, where a Failed Read is followed by a Successful Read Retry... very nice.

The log is updated in real time to get an idea of the processing of bad sectors.

Another cool feature is that the Guardonix logs show both Failed Reads and the Successful Read Retry. #1 below is Guardonix's log showing a failed read at ...655 and then a successful read retry (...655).  #2 is what my imaging tool reported: nothing, because the read was successful.  #3 shows a failed read at ...280 with the next successful read at ...281. The imaging software (#4) reported the same read failure of ...280.  Basically, you can see the bad sectors that were imaged using Guardonix and most likely would have been skipped with your imaging software.

Perhaps the most impressive part is the granularity that you have with the software. Guardonix is not imaging software, nor does it include imaging software. It does have a control panel that can be configured for a wide degree of control, such as read timeouts. If your imaging software doesn’t have any options to control the imaging process, Guardonix gives you some. If your imaging tool gives you options, then Guardonix is icing on the cake of granularity of control.

My personal thoughts: When we have to create a full disk image from a deadbox machine, we write-block the source and create an image. When our imaging tools run into bad sectors, the imaging software either gets stuck for some time or it skips chunks and keeps going. It can be days or weeks sometimes to get through one hard drive, or worse, skip a ton of bad sectors that could have been captured if we didn’t configure it to skip ahead so drastically.

Rather than have a drive take weeks to hopefully create a good image or push the software to skip large amounts of data in order to finish the image faster, the Guardonix seems to be a reasonable option to do both: create an image within a reasonable time frame while also being able to recover more data from bad sectors instead of gratuitously skipping over them.
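To put numbers on the skip-ahead trade-off described above, here is an added illustration (not from the original post and not a model of Guardonix or any real imaging tool). The disk layout, the per-sector read model and the names `make_disk` and `image` are all constructed assumptions.

```python
# Added illustration: constructed disk model, not output from any real tool.
from dataclasses import dataclass

@dataclass
class Result:
    captured: int = 0       # sectors read and written to the image
    zero_filled: int = 0    # sectors written as zeros (failed or skipped)
    lost_readable: int = 0  # zero-filled sectors that a read would have returned
    read_attempts: int = 0  # rough proxy for time spent on the drive


def make_disk(total, permanent_bad, transient_bad):
    """Map sector -> failed attempts before a read succeeds (None = never)."""
    disk = {lba: 0 for lba in range(total)}
    disk.update({lba: None for lba in permanent_bad})
    disk.update({lba: 1 for lba in transient_bad})  # succeeds on first retry
    return disk


def image(disk, skip_on_error, retries):
    """Linear imaging pass: on a failed read, retry up to `retries` times,
    then zero-fill `skip_on_error` sectors and continue after them."""
    res, lba, total = Result(), 0, len(disk)
    while lba < total:
        fails_needed = disk[lba]
        ok = False
        for attempt in range(retries + 1):
            res.read_attempts += 1
            if fails_needed is not None and attempt >= fails_needed:
                ok = True
                break
        if ok:
            res.captured += 1
            lba += 1
            continue
        end = min(lba + skip_on_error, total)
        for skipped in range(lba, end):
            res.zero_filled += 1
            if disk[skipped] is not None:
                res.lost_readable += 1
        lba = end
    return res


# Constructed sample: 100,000 sectors, 3 permanently bad, 2 transient.
DISK = make_disk(100_000, permanent_bad={5_000, 5_001, 60_000},
                 transient_bad={20_000, 80_000})
aggressive = image(DISK, skip_on_error=2048, retries=0)  # skip far, never retry
careful = image(DISK, skip_on_error=1, retries=2)        # sector-level retries
```

In this constructed case the skip-ahead pass zero-fills 8,192 sectors, 8,189 of which were readable, while the sector-level pass with retries loses only the 3 permanently bad sectors.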

My fear in not using software and hardware designed specifically to work on a drive with identified bad sectors is that I would be questioned at some point later with something like, “If you knew there were bad sectors, and you knew that affordable technology exists that can handle bad sectors, why didn’t you use it?”

Bottom line

The Guardonix is now a mandatory part of my DFIR kit. You should seriously consider one for yours too.

 

Tip: There are two power supply adapters. The power supplies are not the same. Be sure to plug the appropriate power supply into the appropriate piece. The Guardonix uses the 5V and the adapter uses the 12V. This is the only suggestion that I can make for improvement to reduce the chance someone mixes up the power supplies. What I do, and maybe a tip that you can also use, is that for every power cord and adapter that I have, I use a label printer to wrap a label on the cord (5V, 12V, Tableau, etc...). This makes the jungle of cords under my desks easier to deal with when unplugging something rather than tracing the plug to the device...

             

*About that discount

All DFIR Training patrons (https://www.patreon.com/DFIRtraining) will be getting a promo code this month for a free set of Adapters from DeepSpar with the purchase of a Guardonix with Professional Upgrade. The adapters are $250 (which comes out to about 25% off), so it is a really good promotion to build a DeepSpar imaging kit.

If you want this promotion too, be sure to subscribe to the Patreon page. And definitely if you are going to make the purchase anyway, join the DFIR Training Patreon just for the discount and be able to take advantage of the courses at the same time :)

 

 

Written by: Brett Shavers