For many the name "Vogon" conjures up memories of The Hitch-Hiker's Guide to the Galaxy, but these Vogons are much more interested in reconstruction than destruction.
Originally specialising in data recovery, Vogon's product range extends from individual software modules to complete forensic workstation systems. Its imaging product is based on its proprietary VBus system, a combination of hardware and software that can acquire forensically-sound images from a wide range of hard drive types, including SCSI and S-ATA, and USB devices. Checksums can be generated using MD5 or CRC32 algorithms.
The system can also generate duplicate images on different media at the same time. The imaging process is fast, and produced an image of our test data in minutes. The system operates in a write-blocking mode, and you can examine a drive without imaging it first.
The forensic software is a collection of programs that deal with individual aspects of the process. This provides the opportunity to allocate forensic tasks to different workstations and users.
It also allows the operative to multi-task, being able to examine one image while indexing another. The software has wide-ranging capabilities, and discovered all the secrets in our test data. It did not indicate that there were streamed files present, although the system is aware of the feature and its search engine did locate keywords in the hidden data portions.
Its searching capabilities include regular expression matching and "soundex" features, as well as dictionary-based techniques. Another feature is the ability to produce a list of indexed words that can be shown to witnesses. The Hash Management system can integrate standard hash databases with user-defined data, and can be configured to ignore files of no interest.
Some features are specifically designed to investigate Windows systems. Highly detailed reports on Microsoft Office documents can be produced, for example, and detailed information can be decrypted and displayed from the Registry.