Post on 19-Mar-2020
IMSolo-5 Forensics
User’s Guide
Intelligent Computer Solutions
8968 Fullbright Avenue Chatsworth, CA 91311
DOC-5000-100A Rev. 4.4
April 2017
Printed in the USA
Sales/Technical Support Phone: 1-818-998-5805
Fax: 1-818-998-3190
E-Mail: sales@ics-iq.com
E-Mail: support@ics-iq.com
Home Page: http://www.ics-iq.com
Copyright © 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter® and associated software are copyrighted and registered in accordance with the laws and regulations of the State of California and the United States of America. IBM® and OS/2® are registered trademarks of the International Business Machines Corporation. DOS®, Windows®, Windows NT®, Windows 95/98/2000®, Windows ME®, Windows XP® and Windows VISTA® are registered trademarks of the Microsoft Corporation. All other brand and product names are trademarks of their respective owners.
CONTENTS
CHAPTER 1: INTRODUCTION ..... 9
  Overview ..... 10
  Features ..... 11
    About this User Guide ..... 14
    Typical Conventions Used ..... 14
  Setup ..... 15
    System Specifications ..... 15
CHAPTER 2: QUICK START SETUP ..... 16
CHAPTER 3: INSTALLATION ..... 21
CHAPTER 4: OPERATION ..... 27
  User Interface ..... 28
  IMSolo-5 Forensics Advanced Interface Control Console ..... 29
    Advanced Drive Detect Menu ..... 30
      Drive Selection Panel ..... 30
        Suspect 1-2 Drive Select ..... 30
        Evidence 1-2 Drive Select ..... 30
        Detect Drives ..... 31
        Remove Drives ..... 31
        Add Network Location ..... 31
        Detect Remote Drives ..... 31
      Drive Status Panels ..... 32
        Active Suspect Drive Panel ..... 32
        Active Evidence Drives Panel ..... 32
        Other Detected Drives ..... 32
      Operational Mode Select Menu ..... 33
        Single Capture ..... 33
        LinuxDD Capture ..... 33
        LinuxDD and Single Capture ..... 34
        LinuxDD Restore ..... 34
        LinuxDD Hash ..... 34
        E01 Capture ..... 34
        E01 and Single Capture ..... 35
        E01 Restore ..... 36
        E01 Hash ..... 36
        Format Drives ..... 36
        WipeOut-DoD ..... 37
        WipeOut-Fast ..... 37
        WipeOut-Secure Erase ..... 37
        Partial Wipe with ICS Signature ..... 37
        Hash ..... 38
      Event Log Window ..... 38
      Navigation Bar ..... 38
      Operational Status Information ..... 40
        Station ..... 40
        Speed ..... 40
        Operational Mode ..... 40
        Load Size ..... 40
        Percent Completion ..... 40
        Elapsed Time ..... 40
        Estimated Time Left ..... 40
      Operation Control Functions ..... 41
        Start ..... 41
        Abort ..... 41
    Advanced Operation Settings Menu ..... 42
      Single Capture Settings ..... 42
        Read Back-Verify ..... 43
        Hash Targets ..... 43
        Hashing Methods ..... 43
        Wipe Remainder ..... 44
        Encrypt/Decrypt ..... 45
      WipeOut Settings ..... 47
        Mode ..... 47
        Iterations ..... 47
        Pattern (0-255) ..... 48
        Write ICS Signature ..... 48
        Read Back-Verify ..... 48
      Format Drives Settings ..... 49
      Linux DD Capture Settings ..... 50
        Capture File Size ..... 50
        Custom File Size (MB) ..... 50
        File Name ..... 50
      LinuxDD Hash Settings ..... 51
      LinuxDD or E01 Restore Settings ..... 52
      Hash Settings ..... 53
        Sectors to Hash ..... 53
      E01 Capture Settings ..... 54
        Capture File Size ..... 54
        Custom File Size (MB) ..... 54
        Ex01 ..... 54
        File Name ..... 54
    Settings Main Menu ..... 55
      User Interface Culture ..... 55
      Additional Operational Mode Settings ..... 55
        Read Back-Verify ..... 55
      Protected Area Support Enabled ..... 56
      Bad Sector Handling ..... 56
        Skip Block ..... 56
        Skip Sector ..... 56
        Abort drive ..... 56
      Start View ..... 56
        Operator Screen ..... 56
        Advanced Screen ..... 56
      Add/Remove Optional Features ..... 57
    Advanced Drive Detection Settings Menu ..... 58
      Drive Detection Mode ..... 58
        Auto ..... 58
        Fast Detection ..... 59
        Sequential Detection ..... 59
      Fast Detection Settings ..... 59
        Wait Time After Powering Up Each Drive ..... 59
        Wait Time Between Powering Up Each Drive and Starting Drive Detection ..... 59
        Max Scanning/Detection Time allowed by Application (Sec) ..... 59
        Auto Calibrate Detection of All Drives ..... 59
        Calibration Starts From Drive ..... 59
        Calibrate Detection of a Selected Drive ..... 60
      Sequential Detection Settings ..... 60
        Max Detect Time ..... 60
        Max Detect Power Time ..... 60
        Calibrate Current Threshold ..... 60
      Drive Detection Warning ..... 60
      Test Drive Detection ..... 60
    Advanced Settings Menu ..... 61
      Warn if Drive is not Inserted ..... 61
      Use Master Password for Secure Erase ..... 62
      Hash Advisory ..... 62
      Confirm Drives ..... 62
      Set Target Protected Area ..... 62
      Forced Power off ..... 62
        Power off selected drives ..... 62
      Auto Run ..... 62
      Verify Location of Suspect Drive ..... 62
    More Settings Menu ..... 63
      Slow Drive Filter Speed Threshold ..... 63
        Speed Threshold ..... 63
      Speed Optimization ..... 64
        Transfer Buffer Size (in 64 kb) ..... 64
      Fan Control ..... 64
      Launch Drive Port Assignment ..... 64
      Enable IMAccess ..... 64
      SAS/SATA Controller Settings ..... 64
      Disable Destination Writes ..... 64
    Advanced Case Info Menu ..... 65
    Advanced Mount Drive Menu ..... 66
      Write-Protect the Drive ..... 67
      Mount Volumes on the Drive ..... 67
      Simulate Drive Signature When Mounting Volumes ..... 67
      Apply ..... 67
      Refresh ..... 67
    Advanced HPA/DCO Menu ..... 68
      Protected Area Type ..... 68
      Protected Area Support ..... 69
      New Capacity ..... 69
      Current Capacity ..... 69
      Native Capacity ..... 69
      Set Capacity ..... 69
      Reset Capacity ..... 69
      Volatile ..... 69
    Advanced LOG Menu ..... 70
      Print Logs ..... 71
      Copy Logs ..... 71
      Open Log Folder ..... 71
      Set Audit Trail Logo ..... 71
    Advanced Tools Menu ..... 72
      Disable Password ..... 72
CHAPTER 5: OPERATIONAL PROCEDURES ............... 73
Prepare for Operation ...................................................................... 74
1. Prepare Suspect’s Drive ............................................................. 74
2. Prepare the Evidence Drive(s) .................................................... 74
3. Connect the printer (optional). ..................................................... 75
4. Configure the unit’s Settings. ...................................................... 75
Capturing Drives using Single Capture Mode .................................. 76
Capturing using LinuxDD Capture Mode .......................................... 78
Capturing using E01 Capture Mode ................................................. 80
Capturing from a PCIe M.2 Drive. .................................................... 82
Capturing from an Unopened PC or Notebook ................................. 84
Capturing to a Local Shared Folder ................................................. 86
Capturing to a Shared Network Folder ............................................. 89
Encrypting Data During Data Capture .............................................. 91
Decrypting Data During Data Transfer ............................................. 93
Restoring from LinuxDD or E01 Segmented File Format ................. 95
Sanitizing Drives Using WipeOut DoD ............................................. 96
Sanitizing Drives Using WipeOut - User ........................................... 97
Sanitizing Drives Using WipeOut – Secure Erase ............................ 98
Transferring Audit Trail and Log Information .................................... 99
Running Multiple Operational Modes Simultaneously .................... 100
Previewing Write-Protected Drive Data .......................................... 101
Enabling Manual Write-Access to Evidence Drive Positions .......... 102
Verify Location of Suspect Drive Configuration .............................. 103
APPENDIX A: OPERATIONAL NOTES ......................... 104
Image MASSter™ IMSolo-5 Internet/Network Connection Disclaimer ..... 105
USB-to-Ethernet Connection.......................................................... 106
USB LinkMASSter Setup ............................................................... 107
USB LinkMASSter Usage .............................................................. 107
IMSolo-5 USB Restore Instructions ............................................... 108
IMSolo-5 System Drive Removal Instructions ................................ 109
LinuxDD and E01 Capture exFAT Usage ...................................... 110
“Verify Location of Suspect Drive” Usage Notes ............................ 111
DEFINITIONS ................................................................................ 112
APPENDIX B: PRODUCT INFORMATION .................... 114
Limited Warranty ............................................................................ 114
What is Not Covered: ..................................................................... 115
Limitation of Liability....................................................................... 115
Technical Support .......................................................................... 115
Chapter 1: Introduction
Overview
Designed exclusively for forensic applications, the Image MASSter IMSolo-5 Forensics system is a versatile, lightweight, portable, high-speed data acquisition device. The IMSolo-5 product line has the same slim, low-profile design as the IMSolo-5 Slim units, similar features, and the same high-speed support for 6 Gb/s SAS-2 and SATA-3 drives. SAS/SATA suspect data can be seized at speeds exceeding 20 GB per minute. The IMSolo-5 Enterprise adds two unique 4-lane PCIe expansion ports, allowing it to acquire data from one PCIe M.2 storage device to another at speeds exceeding 65 GB/min. Using the unit's on-the-fly hashing, the operator can verify that the transferred data is an exact replica of the suspect's data, without modification, re-arrangement or corruption, by comparing the hash computed over the suspect drive with the hash computed over the evidence copy. The unit provides native interface support for SAS, SATA, eSATA, USB 3.0, FireWire [1] and PCIe M.2 [2] SSD drives, and additionally supports P-ATA [3], including ATA-compatible solid-state and flash devices. It offers flexible capture formats, including the "Segmented File" and "Mirror" image formats, and is capable of capturing two suspect drives simultaneously. The unit's advanced touch-screen user interface provides ease of use.
Figure 1: IMSolo-5 Forensics
[1] Available only on some models.
[2] Available only on some models. Requires the M.2 Adapter Module.
[3] Optional P-ATA adapters required.
The new Image MASSter™ Solo 5 Enterprise Forensic unit is built on current acquisition technology, providing a fast, reliable and versatile handheld forensic data acquisition tool. Its key features include support for PCIe M.2 storage devices and the ability to image multiple "Suspect" drives to multiple "Evidence" drives simultaneously. Suspect drive data can be captured in the LinuxDD, E01 or EX01 segmented file formats, or as a "mirror" capture. The Image MASSter™ Solo 5 Enterprise supports accelerated SHA-1 and SHA-2 drive hashing as well as the standard MD5 hash method. With built-in hard drive encryption support, the target drive's data can be secured using the NIST-approved AES-256 encryption standard. The units are configured with a 1 Gbit Ethernet port for network connectivity, allowing simultaneous acquisition and upload of the suspect's hard drive data directly to external storage media or to a network location in a forensically secure environment. Network uploads over the unit's native 1 Gigabit Ethernet interface reach speeds exceeding 2 GB/min. The Solo 5 Enterprise units are also designed with a slide-out system drive for easy removal.
Features
High-end Processing Power: The Image MASSter™ IMSolo-5 Pro Forensic units are supplied with a powerful Intel i7 CPU to handle today's most demanding forensic acquisition and analysis tasks. The Image MASSter™ IMSolo-5 Basic Forensic units are supplied with a powerful Intel i3 CPU.
Advanced SATA-3 Technology: Supports 6 Gb/s SAS-2 and SATA-3 drives using a 6 Gb/s SAS/SATA-3 controller. The unit is designed to acquire today's high-performance drives and gives the user the hardware needed to take advantage of tomorrow's drive speed improvements. The unit's duplication technology can perform multiple operations simultaneously. It captures and wipes standard SAS/SATA drives at speeds up to 32 GB/min, and PCIe M.2 drives at speeds up to 70 GB/min.
PCIe Expansion Port: Extends the unit's capabilities to PCIe M.2 storage devices (using the PCIe M.2 Adapter Module) and SCSI drives (using the optional SCSI Interface Adapter), and leaves room for future performance enhancement options.
PCIe M.2 Support: Two 4-lane PCIe expansion ports allow data acquisition from one PCIe M.2 storage device to another at speeds up to 70 GB/min. The unit's M.2 Adapter Module supports M.2 form-factor lengths of 30, 42, 60, 80 and 110 mm and is designed for easy and safe insertion and release of M.2 storage devices. The M.2 Adapter Module also supports U.2 SSD drives with optional third-party adapters.
Hard Drive Support: Offers native support for SAS, SATA, FireWire and USB 3.0 drives. Optional adapters are available for M.2 SATA SSD*, IDE*, Micro SATA*, eSATA*, 2.5" and 1.8" IDE notebook*, ZIF* drives and flash media*. The unit ships with expansion-ready hardware to support the optional PCIe expansion box, which extends the unit to additional drive interfaces such as SCSI and Fibre Channel.
*Available for purchase/Optional Adapters Required
Multiple "Suspect" and "Evidence" Drive Interface Ports: Provides 2 native SATA/SAS ports and 2 USB 3.0 ports dedicated to the Suspect drive positions; the SATA/SAS and USB Suspect ports can be used simultaneously to capture 4 drives in one operation. Provides 2 native SATA/SAS ports and 2 USB 3.0 ports dedicated to the Evidence drive positions. The unit is supplied with an IDE drive adapter for IDE drives. Optional drive adapters are available for 1.8", 2.5" ZIF and proprietary-interface/laptop drives, and for micro media cards including CompactFlash, Memory Stick, SD, microSD and MultiMedia cards. Mixed drive interface support allows seizing data between different drive interface types (e.g. an IDE "Suspect" drive with a SATA "Evidence" drive). All "Suspect" drive ports are permanently write-protected to prevent altering "Suspect" drive data; the write-protect property of the Suspect ports cannot be disabled.
Multi-Session Capability: Capture multiple Source drives simultaneously, or run multiple operations simultaneously. Multi-Session supports the high-speed duplication of up to 2 Source drives at once, and drives can be copied and sanitized at the same time.
Multiple Operational Modes:
o Single Capture: Creates a "Mirror" image of the Suspect's drive.
o LinuxDD Capture: Stores one or more Suspect drive images on a single "Evidence" drive using the standard Linux DD segmented file format.
o E01 Capture: Stores one or more Suspect drive images on a single "Evidence" drive using the EnCase® Forensics segmented file formats E01 and EX01.
o IQ Copy*: Optional non-forensic format that captures only the allocated data of a Suspect's drive, greatly reducing the time required to capture data. It can also be used to duplicate drives for IT purposes such as backup, deployment and upgrading to larger-capacity drives.
o WipeOut: Sanitizes drives using Single Pass, DoD Standard, or Secure Erase. The unit can capture and wipe hidden HPA or DCO areas which may exist on hard drives.
* The IQCopy Option is purchased separately.
Multi-Op Mode: Allows LinuxDD and Single Capture operations to be performed in one operation using the same Suspect drive.
Multiple Hash Verification Methods: The Image MASSter™ IMSolo-5 Forensic G3 supports accelerated SHA-1 and SHA-2 hashing and software-based MD5 hashing. Note that MD5 and SHA-1 are no longer collision-resistant; they still detect accidental transfer errors, but where the recorded hash must hold up against an adversary, record a SHA-2 digest (and, where practical, more than one algorithm).
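The hash methods above and the LinuxDD segmented-file capture listed under Multiple Operational Modes both come down to one check: the digest of the evidence copy must equal the digest recorded for the suspect drive. The script below is an added example of performing that check independently of the unit; it is not ICS software and does not reproduce the IMSolo-5's own file layout. It assumes split-image naming of the form base.001, base.002, ... (a common dd-split convention, assumed here rather than taken from this page) and uses a constructed in-memory stand-in for a suspect drive. It refuses to hash across a missing middle segment and flags a truncated image by size, two failure modes a plain concatenate-and-hash silently passes.

```python
"""Reassemble a segmented (split) raw image and verify it against the
hashes recorded for the suspect drive.  Added example, not ICS code."""
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20   # hash 1 MiB at a time; real images do not fit in RAM
# Assumed naming convention: <base>.001, <base>.002, ...
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{3})$")


def list_segments(directory, base):
    """Return <base>.001, .002, ... in numeric order.  A gap in the sequence
    is an error: hashing straight over a missing segment still yields a
    well-formed digest, just the wrong one, so refuse rather than guess."""
    found = {}
    for name in os.listdir(directory):
        m = SEGMENT_RE.match(name)
        if m and m.group("base") == base:
            found[int(m.group("idx"))] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError(f"no segments named {base}.NNN in {directory}")
    missing = [i for i in range(1, max(found) + 1) if i not in found]
    if missing:
        raise ValueError(f"missing segment(s) {missing} for {base}")
    return [found[i] for i in range(1, max(found) + 1)]


def hash_segments(paths, algorithms):
    """Hash the logical concatenation of the segments as one byte stream,
    computing every requested algorithm in a single pass over the data."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    total = 0
    for p in paths:
        with open(p, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                total += len(block)
                for h in hashers.values():
                    h.update(block)
    return total, {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(directory, base, recorded, expected_size=None):
    """`recorded` maps algorithm name -> hex digest taken at capture time.
    Returns (size, computed digests, dict of mismatches).  The size check
    matters because a missing *last* segment cannot be caught by gap detection."""
    size, digests = hash_segments(list_segments(directory, base), tuple(recorded))
    bad = {a: (digests[a], recorded[a]) for a in recorded if digests[a] != recorded[a]}
    if expected_size is not None and size != expected_size:
        bad["size"] = (size, expected_size)
    return size, digests, bad


def write_segments(directory, base, data, segment_size):
    """Constructed fixture: split `data` into <base>.001, .002, ..."""
    for n, off in enumerate(range(0, len(data), segment_size), start=1):
        with open(os.path.join(directory, f"{base}.{n:03d}"), "wb") as fh:
            fh.write(data[off:off + segment_size])


def demo():
    # Constructed stand-in for a suspect drive: ten 512-byte "sectors".
    suspect = b"".join(bytes([i]) * 512 for i in range(10))
    recorded = {"md5": hashlib.md5(suspect).hexdigest(),
                "sha256": hashlib.sha256(suspect).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        write_segments(d, "case01", suspect, 2048)          # three segments
        size, _, bad = verify_image(d, "case01", recorded, len(suspect))
        clean_ok = (size == len(suspect) and bad == {})

        # Corrupt one byte in segment 3: both digests must now mismatch.
        seg3 = os.path.join(d, "case01.003")
        with open(seg3, "r+b") as fh:
            fh.seek(100)
            b = fh.read(1)
            fh.seek(100)
            fh.write(bytes([b[0] ^ 0xFF]))
        _, _, bad = verify_image(d, "case01", recorded, len(suspect))
        tamper_caught = set(bad) == {"md5", "sha256"}

        # Remove the middle segment: refused outright as a gap, not hashed over.
        os.remove(os.path.join(d, "case01.002"))
        try:
            verify_image(d, "case01", recorded, len(suspect))
            gap_caught = False
        except ValueError:
            gap_caught = True

        # Remove the last segment too: only the size check can catch this.
        os.remove(seg3)
        _, _, bad = verify_image(d, "case01", recorded, len(suspect))
        short_caught = "size" in bad
    return clean_ok, tamper_caught, gap_caught, short_caught


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

In practice `recorded` comes from the unit's audit log and `expected_size` from the drive's native capacity (after any HPA/DCO has been accounted for), so the same function verifies an image long after the capture, on a different machine, with no trust placed in the duplicator's own report.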
External Storage: Images can be stored externally to a Shared Network folder, e-SATA drive, USB drive or an ICS DFSS External Storage Module.
Upload and Download Images to Network Storage Area: Image files can be uploaded to and downloaded from a network storage area, allowing the user to take advantage of large storage platforms for processing and archiving images. With the optional 10 Gigabit Ethernet connection, units can copy and upload at speeds exceeding 4 GB/min.
Optional Expansion Box: The Image MASSter™ IMSolo-5 Forensic G3 is designed with built-in support for the optional Expansion Box module, which adds the capability to capture data from devices whose interfaces are not natively available on the Image MASSter IMSolo-5 Forensic G3 unit. The Expansion Option includes the following hardware:
o SCSI Ultra320 PCI-Express card for connecting SCSI mass storage devices. The IMSolo-5 Forensic G3 can capture 2 SCSI Suspect drives simultaneously.*
o PCI-Express to ExpressCard/34 reader for connecting a broad range of ExpressCard-compliant cards.**
* An external multi-output power adapter (not supplied) is required to power the second SCSI drive when capturing 2 SCSI drives to 2 Evidence drives simultaneously. It is also recommended to use the external multi-output power adapter to power two or more external drives connected to the Expansion Box.
** ExpressCards are not supplied with the Expansion Option.
“On the fly” Drive Image Encryption*: Utilizing the built-in AES 256 Encryption Technology, the Image MASSter™ IMSolo-5 Forensic G3 encrypts all digital data during the Cloning Process with minimal speed degradation, for the purpose of safeguarding sensitive information. The Image MASSter™ IMSolo-5 Forensic G3 creates a secure key from a user-chosen pass phrase. An AES 256 encryption key is then generated by the unit and can be saved to any USB thumb drive. The encrypted drive can be decrypted on the fly using the Image MASSter™ IMSolo-5 Forensic G3, or with any PC loaded with the free ICS Decryption utility and the USB thumb drive containing the saved key. The saved key file is the only means of decrypting the image: if it is lost the image is unreadable, and anyone holding it can decrypt the image, so store it separately from the encrypted Evidence drive.
* This process is NOT compatible with the DiskCypher product line
ICS Digital Forensic Storage Solutions (DFSS): The Image MASSter™ IMSolo-5 Forensic G3 supports the use of the Optional ICS DFSS Modules to provide additional Storage capacity.
About this User Guide The IMSolo-5 Forensics User Guide will be updated as needed to reflect hardware and software modifications. Therefore, descriptions of features may be subject to change. The document makes use of hyperlinks to provide shortcut links.
Typical Conventions Used

Convention      Meaning
Highlighted     This is a hyperlink: a shortcut link to a referred topic. Select it to jump to the topic. Use the MS Word Back tool to jump back to the previous location.
Bold            Indicates a screen menu item or function such as a setting or control button.
Italic          Indicates the name of an IMSolo-5 Forensics feature, system, mode, or other important reference.
Note            Identifies additional important information regarding a topic or task.
(Warning icon)  Indicates a warning or caution.
Setup
1. Carefully remove the IMSolo-5 Forensics unit from its shipping box.
2. Use the supplied parts list (Table 1) to complete an inventory check.
3. Follow the outlined steps in the Quick Start Setup Chapter.

Table 1: Quick-Reference Parts List

Part                                  Part Number   Quantity
IMSolo-5 Forensics Unit                             1
DC Power Adapter and AC Power Cord                  1
SAS/SATA Data/Power Cable                           4
SATA-to-PATA Adapter                                1
PATA 2.5” 44-Pin Adapter                            1
PATA Data Cable                                     1
PATA Power Cable                                    1
Stylus                                              1
USB Restore Media                                   1
IMSolo-5 Forensics User’s Guide                     1

System Specifications

Supply Voltage          100 - 240 V / 50 - 60 Hz, 400 W, universal auto-switching input voltage
Power Consumption       9 W
Operating Temperature   5 - 55 °C
Relative Humidity       20% - 60% non-condensing
Net Weight              5.35 lbs
Overall Dimensions      10.5” x 4” x 7.6”
Chapter 2: Quick Start Setup
1. Place the IMSolo-5 Forensics on a level surface.
2. Attach the unit’s Power Adapter to the unit's DC Power-In port, located on the unit's back panel, and to an electrical outlet. The mains supply may be either 110 V or 220 V; the Power Adapter switches automatically between the two.
3. Power ON the unit by pressing the unit’s Power ON button, located on top corner of the unit’s back panel. The IMSolo-5 Forensics Advanced Interface Control Console will be displayed.
Figure 2: Advanced Interface Control Console
4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit’s Suspect and Evidence connectors and to the SATA or SAS drives. For PATA drives use the supplied ICS SATA-to-PATA Adapter and connect the supplied PATA data cable’s “Unit Side” connector to the Adapter’s data connector and the “HDD Side” connector to the drive.
Figure 3: Drive Positions
5. Select the Mode of Operation from the Operations pull down menu.
Figure 4
6. Select the drives to be used for the selected operation from the Drive Selection Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. With Hash Targets selected, the Capture operation generates the Hash value for the data read from the Suspect drive and for the data written to the Evidence drive; after all the data has been written, it generates the Hash value for the data read back from the Evidence drive.
NOTE: Hash values generated during a capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function.
8. Select START to begin the operation. Operational status information will be displayed during an operation.
(Figure callouts: Drive Selection Panel, In-active Drive Panel)
9. After the operation completes, the drives will be powered OFF and can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if it fails. Log files are automatically stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
NOTE: Audit Trails are saved in both a standard text format and a PDF format protected with 128-bit password encryption, so that the Audit Trail contents cannot be changed in a compliant PDF reader. The PDF password is an edit restriction, not a cryptographic proof of integrity; record the hash values from the Audit Trail in the case notes as well. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.
The unit can be powered OFF by pressing and releasing the unit’s Power button, located on the top corner of the unit’s back panel.
Chapter 3: Installation
Hardware Accessories The following section provides a description of the Hardware Accessories that are available for the IMSolo-5 Forensics unit.
M.2 PCIe Adapter Module
The M.2 PCIe Adapter Module Option adds the option to connect two PCIe M.2 drives. The M.2 PCIe Adapter Module supports varying M.2 form factor lengths of 30, 42, 60, 80 and 110 mm and is designed for easy and safe insertion and release of M.2 PCIe Drives.
Figure 5
Hardware Description This section describes the hardware of the IMSolo-5 Forensics unit.
Components and Functions

Top Panel (Fig. 8)
  Display: LCD Touch Screen Color Display.

Front Panel (Fig. 8)
  Suspect and Evidence SATA/SAS Hard Disk Drive Data/Power Connectors: Used to connect the Suspect and Evidence SATA/SAS drives directly to the Forensics unit for “Direct” data seizure operations.
  Suspect 1 and Suspect 2 USB 3.0 Ports: Used to connect the Suspect USB drives.

Back Panel (Fig. 6)
  Evidence 1 and 2 USB 3.0 Connectors: Used to connect the USB 2.0/3.0 Evidence device(s) directly to the Forensics unit for “Direct” data seizure operations.
  eSATA Ports: Used to connect an External Storage Device.
  Power ON Button: Used to power the unit ON and OFF.
  DC-IN Power Socket: Connect the DC Power Adapter to this socket.
  USB 3.0 Connectors: Provides 2 General Purpose USB v2.0/3.0 ports.
  LAN Port: Provides a Gigabit Ethernet Network Interface.
  L-out, L-in, MIC: Provides Audio Line input/output ports and a Microphone port.
  HDMI Port: Used to connect to an external monitor.
  External Power Connector: Used to power an external drive.

Left Side Panel (Fig. 7)
  Firewire Ports⁴: Used to connect Firewire drives directly to the Forensics unit for “Direct” data seizure operations.

⁴ Available only on some models
Figure 6: Back View
Figure 7: Left View
Figure 8: Front View
Chapter 4: Operation
User Interface
The IMSolo-5 Forensics provides Windows-based Graphical User Interface applications which the user can use to set up and control the unit’s various functions. All of the unit’s menus and functions are controlled through the unit’s Touch Screen Display. Screen menu items can be selected by touch or with the included Touch Screen Stylus Pen. An On-Screen Keyboard is available as an easy method to enter text. Optionally, an external keyboard, mouse or display can be connected. The IMSolo-5 unit provides an Advanced Interface Control Console which runs at start-up and can also be activated from the Windows START/PROGRAMS menu or by selecting the IMSolo-5 application’s Desktop Shortcut icon. The Advanced Interface screens are used to customize operations. Multiple instances of the IMSolo-5 application can be activated to allow multiple operations to be performed simultaneously. This chapter provides a detailed description of the available functions.
IMSolo-5 Forensics Advanced Interface Control Console The IMSolo-5 Forensics Advanced Interface Control Console provides all the functions and controls necessary to setup, customize and perform the unit’s common and advanced Forensic operations. It can be used as an alternative to the Wizard Interface Control Console which provides limited functions for ease of use. Multiple instances of the Advanced Console can be activated, which allows more than one operation to be performed simultaneously. The functional descriptions of the unit’s Advanced Interface Control Console functions are discussed in the following section.
Figure 9: Advanced Interface Control Console (callouts: Drive Selection Panel, Active Drive Status Panels, In-active Drive Panel, Operational Mode Select Menu, Operational Settings Tabs, Operation Status Information, Operation Controls, Event Log Window, Navigation Bar)
Advanced Drive Detect Menu
The IMSolo-5 Forensics Advanced Drive Detect Menu provides a list of the detected drives and allows detected drives to be configured as active or inactive drives. The menu screen also allows drives connected in Evidence positions to be configured as Suspect Drives. The menu is displayed by selecting the Detection Tab from the Advanced Interface Control Console. The available Advanced Drive Detect Menu functions are described in the following section.
Drive Selection Panel
The Drive Selection Panel provides the settings and functions used to detect drives connected to the unit’s dedicated Suspect and Evidence drive positions, including devices connected to the dedicated USB ports located on the back of the unit. The Drive Select Panel allows the operator to select the drive position(s) to scan during a drive detect operation.
Suspect 1-2 Drive Select
Select the Suspect Check Box to select the drive(s) in the “Suspect” position(s) for detection. The unit provides two dedicated Write-Protected “Suspect” SAS/SATA drive and USB positions. The drive’s positions are referenced by the drive’s physical location on the unit. The “Suspect 1” position is located on the left side of the unit, labeled “Suspect 1”. The “Suspect 2” position is located on the right side of the unit, labeled “Suspect 2”.
Evidence 1-2 Drive Select
Select the Evidence Check Box to select the drive(s) in the “Evidence” position(s) for detection. The unit provides two dedicated SAS/SATA drive positions and two USB “Evidence” drive positions. The drive’s positions are referenced by the drive’s physical location on the unit. The SAS/SATA “Evidence 1” position is located as the left drive slot on the front of the unit. The SAS/SATA “Evidence 2” position is located as the right drive slot on the front of the unit. The “Evidence 1 and 2 USB” positions are located on the unit’s back panel.
NOTE: The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or the operation passed, and RED if the drive is not detected or if the operation was not successful.
Detect Drives
Select the Detect Drives Button to turn ON and detect the selected drive(s).
NOTE: By default, all ports are Write-Protected. The drive’s Write-Protect property will automatically be disabled if the selected operational mode requires writing to the drive(s).
Remove Drives
Select Remove Drives to turn OFF and remove the selected drive(s).
Add Network Location
Allows a Suspect’s drive contents to be captured and stored in a Network or Locally Shared Folder. The Shared Folder location can be designated as the “Evidence” drive using the Add Network Location function. The Add Network Location function is available when running the LinuxDD or E01 Capture operations. The descriptions of the available settings are discussed in the following section.
Figure 10

Browse
Select Browse to select the Shared Folder Location.
Detect Remote Drives
The Detect Remote Drives function allows capturing data from a drive installed in a Notebook or PC⁵, using the unit’s Ethernet port.
⁵ The Detect Remote Drives Option requires purchase
Drive Status Panels
The Active Drive Status Panels list the drives detected and their respective locations. The Panels also indicate the drive’s “burst” transfer rate during operation. Detected drives are listed in their respective Drive Status Panels.
NOTE: Drives can be manually transferred between Drive Panels by selecting and “dragging” the listed drive using the Touch Screen or an attached mouse. Suspect’s Drives cannot be moved to Evidence locations.
Active Suspect Drive Panel
The Suspect Drive Panel will list the detected and active Suspect drives for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Suspect Drive Panel. The drive listed in this panel is considered an “active” drive and will be used as the Suspect’s drive during the operation.
NOTE: Drive(s) in the Suspect position(s) cannot be configured as Destination
drives.
Active Evidence Drives Panel
The Active Evidence Drives Panel will list the detected and active Evidence drive(s) for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Evidence Drives Panel. The drive listed in this panel is considered an “active” drive and will be used as the Evidence drive during the operation.
NOTE: Evidence drives can be configured as Suspect drives by transferring the
drive from the Active Evidence Drive Panel to the Active Suspect Drive Panel.
Other Detected Drives
The Other Detected Drives Panel will list the “non-active” drives detected on all ports other than the dedicated Suspect and Evidence ports. Drives listed in the Suspect Drive or Evidence Drive Panels can be manually transferred to the Other Detected Drives Panel. The drive(s) listed in this panel are “non-active” drives, and will not be used during an operation.
Operational Mode Select Menu
The Operational Mode Select Menu provides a list of the available Operational Modes. The functional descriptions of the available Operational Modes are discussed in the following section.
Single Capture
LinuxDD Capture
LinuxDD Restore
LinuxDD Hash
E01 Capture
E01 Restore
E01 Hash
LinuxDD and Single Capture
E01 and Single Capture
Hash
WipeOut
Format Drives
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect’s drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect’s drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect’s drive. The process of acquiring the data from the Suspect’s drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive. See Single Capture Settings for more details.
LinuxDD Capture
The LinuxDD Capture Mode will copy the entire contents of the Suspect’s drive to the Destination drives. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Destination drive(s). The size of the individual LinuxDD files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The File Name information entered by the user will be used as the name of the subdirectory where the Suspect’s LinuxDD files will be stored. This File Name will also be used as the filename of all LinuxDD files associated with this seizure. The Linux DD files will begin with the extension 000, and incremented by 1 for each additional file.
The Destination drive will be inspected prior to transferring data. The operation will verify that the first partition on the Evidence drive is based on the exFAT or NTFS File System and has “EVIDENCE” as the volume label. A Destination drive that meets these criteria is a valid Destination drive: a new subdirectory will be created and the transfer will begin. A Destination drive that fails these criteria will cause the user to be prompted with a message asking whether or not to overwrite the current contents of the Destination drive in order to make it a valid LinuxDD Destination drive. The operation will abort unless the user agrees to overwrite the Destination drive.
Any number of “Loads” can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See LinuxDD Capture Settings for more details.
LinuxDD and Single Capture
Provides “Multi-Op Mode” support, allowing LinuxDD and Single Capture operations to be performed in one operation using the same Suspect drive.
o The drive connected to the last Evidence drive position will be configured using the Single Capture format. The remaining Evidence drive(s) will be configured with the LinuxDD Capture format.
LinuxDD Restore
This function allows restoring the captured LinuxDD formatted Case to its original file format. This function requires the LinuxDD drive, containing the LinuxDD Case files, to be connected to one of the unit’s Suspect positions and the “Destination” drive to be connected to the unit’s Evidence position.
LinuxDD Hash
This function will generate a Hash value for the selected LinuxDD Case. The LinuxDD drive can be connected to either the Suspect or Evidence position.
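The segmentation, file naming, Evidence volume check and restore-then-hash round trip described for the LinuxDD Capture, LinuxDD Restore and LinuxDD Hash modes above, as an added Python example; this is not ICS code and not part of this guide. The Suspect drive is a bytes object and the Evidence volume is a dict, so everything is simulated in memory. The E01 branch models only the segment naming (E01, E02, ... and, beyond E99, the EAA, EAB, ... sequence of the EnCase/EWF convention, which this page does not state), not the EnCase file structure.

```python
"""Segmented capture, restore and hash, modelled on the LinuxDD and E01 modes.

Added example, not ICS code. The Suspect drive is a bytes object, the Evidence
volume is a dict, and every rule applied here is taken from this guide except
the EnCase extension sequence after E99, which is the EWF naming convention.
"""
import hashlib
import string

SECTOR = 512
DEFAULT_SEGMENT = 650 * 1024 * 1024   # guide default: 650MB (CD)


def dd_extension(index):
    """LinuxDD segments: .000, .001, ... incremented by one per file."""
    return "%03d" % index


def e01_extension(index):
    """EnCase segments: E01..E99, then EAA..EZZ, FAA.. (EWF convention, assumed)."""
    if index < 99:
        return "E%02d" % (index + 1)
    n = index - 99
    third, n = n % 26, n // 26
    second, n = n % 26, n // 26
    first = string.ascii_uppercase.index("E") + n
    up = string.ascii_uppercase
    return up[first] + up[second] + up[third]


def valid_evidence_volume(volume):
    """Guide rule: first partition must be exFAT or NTFS and labelled EVIDENCE."""
    return volume.get("fs") in ("exFAT", "NTFS") and volume.get("label") == "EVIDENCE"


def capture_segmented(suspect, volume, case_name, fmt="dd", segment_size=DEFAULT_SEGMENT):
    """Write the Suspect image as segments named case_name/case_name.<ext>.

    Returns the hash of the data read from the Suspect drive. Raises if the
    Evidence volume is not valid (the unit would prompt to overwrite it instead).
    Several "loads" (cases) can share one volume, as the guide allows.
    """
    if not valid_evidence_volume(volume):
        raise ValueError("Evidence volume is not exFAT/NTFS labelled EVIDENCE")
    ext = dd_extension if fmt == "dd" else e01_extension
    source_hash = hashlib.sha256()
    files = volume.setdefault("files", {})
    for index, offset in enumerate(range(0, len(suspect), segment_size)):
        chunk = suspect[offset:offset + segment_size]
        source_hash.update(chunk)
        files["%s/%s.%s" % (case_name, case_name, ext(index))] = chunk
    return source_hash.hexdigest()


def case_segments(volume, case_name):
    """Segment names of one case in restore order (extension order)."""
    prefix = case_name + "/"
    names = [n for n in volume.get("files", {}) if n.startswith(prefix)]
    return sorted(names, key=lambda n: n.rsplit(".", 1)[1])


def restore_segmented(volume, case_name):
    """LinuxDD Restore: concatenate the segments back into a raw image."""
    return b"".join(volume["files"][n] for n in case_segments(volume, case_name))


def hash_case(volume, case_name):
    """LinuxDD Hash: hash the stored segments without restoring them to a drive."""
    h = hashlib.sha256()
    for name in case_segments(volume, case_name):
        h.update(volume["files"][name])
    return h.hexdigest()


if __name__ == "__main__":
    # Constructed sample: a 2.5-segment "drive" captured into 1 KiB segments.
    suspect = bytes(range(256)) * 10          # 2560 bytes
    evidence = {"fs": "NTFS", "label": "EVIDENCE"}
    digest = capture_segmented(suspect, evidence, "case01", "dd", segment_size=1024)
    print(case_segments(evidence, "case01"))  # case01/case01.000 .. .002
    print(digest == hash_case(evidence, "case01"))
    print(restore_segmented(evidence, "case01") == suspect)
```

The segment order is recovered from the extension alone, which works for both naming schemes because digits sort before letters; a Hash of the stored case therefore equals the hash taken from the Suspect drive at capture time only if every segment is present and unmodified, which is the check the LinuxDD Hash mode exists for.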
E01 Capture
The E01 Capture Mode will capture the entire contents of the Suspect’s drive to the Destination drives using Guidance Software’s EnCase® Forensic format. The data will be written as individual segmented EnCase® formatted files and stored in an individual subdirectory on the Destination drive(s). The size of the individual E01 files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The EnCase® format limits the File Size to 2GB. The File Name information entered by the user will be used as the name of the subdirectory where the Suspect’s files will be stored. This File Name will also be used as the filename of all files associated with this seizure. The E01 files will begin with the extension E01, and incremented by 1 for each additional file. The Compression Level can be set as “Disabled”, “Minimum” and “Maximum”.
The Destination drive will be inspected prior to transferring data. The operation will verify if the first partition on the Evidence drive is based on the exFAT or NTFS File System and will have “EVIDENCE” as the volume label. Otherwise, the operation will prompt the User that the Evidence drive will be overwritten.
Any number of “Loads” can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See E01 Capture Settings for more details.
NOTE: The E01 Capture Mode will result in reduced transfer rates when compared with other Capture Modes.
E01 and Single Capture
Provides “Multi-Op Mode” support, allowing E01 and Single Capture operations to be performed in one operation using the same Suspect drive.
o The drive connected to the last Evidence drive position will be configured using the Single Capture format. The remaining Evidence drive(s) will be configured with the E01 Capture format.
E01 Restore
This function allows restoring the captured E01 formatted Case to its original file format. This function requires the E01 drive, containing the E01 Case files, to be connected to one of the unit’s Suspect positions and the “Destination” drive to be connected to the unit’s Evidence position.
E01 Hash⁶
This function will generate a Hash value for the selected E01 Case. The E01 drive can be connected to either the Suspect or Evidence position.
Format Drives
This function can be used to quickly format drives as exFAT or NTFS drives, if necessary.
⁶ Pending development as of release of this document (11/09).
WipeOut-DoD
The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives. After ordinary “DELETE” and “ERASE” commands, data on a hard drive remains recoverable by a variety of intrusive procedures. The WipeOut DoD erasure technique addresses this with a series of fixed-pattern overwrites that completely overwrite the drive connected to the internal drive position. The process is performed in three iterations of two passes each. The first pass of each iteration writes ONEs (Hex 0xFF) over the entire drive surface; the second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government-designated code “246” (Hex 0xF6) across the entire drive surface, followed by an eighth pass that inspects the drive with a Read-Verify review.
NOTE: Overwrite passes reach only the sectors the drive exposes to the host. Sectors the drive has reallocated, and areas hidden by an HPA or DCO, are not overwritten unless the hidden area is removed first (the unit can wipe HPA/DCO areas; see Features) or the drive’s own Secure Erase function is used.
WipeOut –Fast
The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the drive connected in the Target drive position, for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.
WipeOut –Secure Erase
The WipeOut-Secure Erase option uses the drive’s own built-in firmware “Secure Erase” function to erase data. It offers two modes, Normal Erase and Enhanced Erase, which are selected automatically according to what the drive supports. Normal Erase erases the drive using the 0x00 pattern. Enhanced Erase erases the drive with a vendor-predetermined pattern and also clears Relocation List (reallocated) Sectors.
NOTE: Not all drives provide support for the Secure Erase command. Secure Erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements. Because it runs inside the drive, it can reach sectors that host-side overwrite passes cannot; confirm that the drive reports Secure Erase support before relying on it.
Partial Wipe with ICS Signature
Performs a partial Wipe of the Evidence drive and writes an ICS signature.
Hash
The Hash operation provides a method of generating a hash value for either the entire area of a drive or for a selected number of sectors of a drive. No data is written to the selected drives during this operation. When hashing the entire drive the process is methodical and contiguous, beginning with the first sector on the drive and ending with the last sector of the drive. See Hash Settings for more details.
Event Log Window
The Event Log Window displays real time operational event log information.
Navigation Bar
The Navigation Bar menu provides the user with functions to select the various User Interfaces and IM support functions.
The following functions are provided by the Navigation Bar.
Advanced Screen
Provides access to the Advanced User Interface Screen functions. These functions include access to advanced settings and advanced operational modes.
Operator Screen
Provides access to the Operator User Interface Screen functions. Allows the Operator to start or abort common operations.
Keyboard Provides access to an On-Screen-Keyboard. The On-Screen-Keyboard allows for an easy method to enter text related information. A keyboard and mouse can also be connected to the IMSolo-5 Forensics unit.
New Copy Session Selecting this function results in starting a new session of the IMSolo-5 Forensics Wizard Interface Control Console. Multiple sessions allow more than one operation to be performed simultaneously.
Next Copy Session Switches between the different active session views.
Explorer Allows access to Windows Desktop while running session(s)
Exit Terminates the active visible session. The function automatically releases all detected drives before exiting the session.
About
Selecting About, displays information about the IMSolo-5 Forensics unit, such as serial number and software version in use.
Operational Status Information
The Control Console provides Operational Status Information, supplying the user with real-time event log data.
The following Operation Status Information fields are available:
Station
Speed
Operational Mode
Load Size
Percent Completion
Elapsed Time
Estimated Time Left
Station
Displays the Computer Name of the IMSolo-5 Forensics unit.
Speed
The Speed field displays the average transfer rate in megabytes per minute.
Operational Mode
Displays the selected Operational Mode.
Load Size
The Load Size field displays the total data required to be transferred.
Percent Completion
Displays the percent of completion for the active operation.
Elapsed Time
Refers to the time elapsed during an operation. This field will also display the total elapsed time at the end of an operation.
Estimated Time Left
Refers to the time remaining to complete the operation.
Operation Control Functions
The Control Console provides the functions necessary to start or stop the selected operation. The following Control Functions are available:
Start
Abort
Start
Selecting Start will instruct the Control Console to turn ON the drives and begin the selected operation.
Abort
Selecting Abort will instruct the Control Console to turn OFF the drives and terminate the selected operation.
Advanced Operation Settings Menu The IMSolo-5 Forensics Advanced Operation Settings Menu provides access to the Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Interface Control Console.
The Advanced Operation Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The descriptions of the available Operational Mode Settings are discussed in the following section.
Single Capture Settings
Hash Settings
LinuxDD Capture Settings
LinuxDD Hash Settings
LinuxDD Restore Settings
E01 Capture Settings
E01 Hash Settings
E01 Restore Settings
WipeOut Settings
Format Drives Settings
Single Capture Settings
The Single Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 11: Single Capture Settings (Read Back-Verify, Hash Targets, Hashing Methods, Encryption/Decryption, Wipe Remainder)
Read Back-Verify
Provides additional data integrity checks during data transfers. When Read Back-Verify is selected, the operation verifies each block of data as it is transferred: data written to the Evidence drive is read back and compared to the data read from the Suspect’s drive. Enabling this option reduces the transfer rate. With the option disabled, the data transfer relies on the drive’s own Ultra DMA error-detection mechanism, a 16-bit cyclic redundancy check (CRC-16), for data integrity. In most cases the CRC-16 check is sufficient. A CRC is an order- and value-sensitive checksum used to detect errors in a stream of data. Both the Suspect’s drive and the Evidence drive calculate a CRC value for each Ultra DMA burst; after the burst is sent, the receiving side’s CRC value is compared to the sender’s, and if they differ the unit may fall back to a slower transfer mode and retry the request. The transfer rate is not affected when relying on the drive’s CRC-16 mechanism. Note that the bus CRC covers only the transfer between the controller and the drive; it does not confirm what was actually committed to the Evidence drive’s media, which is what Read Back-Verify and Hash Targets check.
Hash Targets
The Hash Targets function provides a method of generating Hash values for the Source drive’s data and for the data written to the Target drives, in the same operation. The data is read back and hashed from the target drive(s) after each transferred block. Since data is read back during the operation the average transfer rate will decrease and the total time of completion will increase when this function is enabled.
Hashing Methods
The Hashing Methods menu selection provides the user with a list of Hash Algorithms used to generate a Hash value for the Source drive’s data. Hashing calculates a fixed-length value that acts as a "signature" for the contents of an entire drive: the same data always produces the same value, and any change to the data changes it. Note that CRC32 is an error-detecting checksum rather than a cryptographic hash, and MD5 and SHA-1 are no longer considered collision-resistant; all three still detect accidental corruption of a copy, but where the receiving party accepts it, SHA-2 (256) is the preferable choice and is hardware-accelerated on this unit.
CRC32
Selecting CRC32 will result in the operation generating the CRC32 32-bit hash value for the data read from the source drive(s). Selecting the Hash Targets function will result in the operation generating the CRC32 Hash values for the data read from the Source drive and the data written to the Target drive.
MD5
Selecting MD5 will result in the operation generating the MD5 128-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the MD5 Hash values for the data read from the Source drive and the data written to the Target drive.
SHA-1
Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the SHA-1 Hash values for the data read from the Source drive and the data written to the Target drive.
NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.
SHA-2 (224, 256, 384, 512)
Selecting SHA-2 with a digest length of 224, 256, 384 or 512 bits will result in the operation generating the SHA-2 hash value of that length for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the Hash values for the data read from the Source drive and the data written to the Target drive.
NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.
Wipe Remainder
The Wipe Remainder function instructs the capture operation to wipe (erase) remaining sectors after a capture operation is performed, if the Evidence drive is larger than the Suspect’s drive.
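The Single Capture mode described earlier, with the Read Back-Verify, Hash Targets, Hashing Methods and Wipe Remainder settings above and the sector-range Hash operation, as an added Python example; this is not ICS code and not part of this guide. Suspect and Evidence drives are bytearrays, so the unit’s Ultra DMA / CRC-16 transfer path is not modelled: Read Back-Verify is an explicit compare of every block after it is written, Hash Targets hashes the read-back data, and Wipe Remainder zero-fills the Evidence sectors beyond the end of the Suspect drive. The FaultyEvidence class and the 256-sector sample drive are constructed for the example.

```python
"""Sector-level Single Capture with the integrity settings this guide describes.

Added example, not ICS code: Suspect and Evidence drives are bytearrays, so
the unit's Ultra DMA / CRC-16 transfer path is not modelled. Read Back-Verify
is therefore an explicit compare of every block after it is written, Hash
Targets hashes the read-back data, and Wipe Remainder zero-fills the Evidence
sectors beyond the end of the Suspect drive.
"""
import hashlib
import zlib

SECTOR = 512
METHODS = ("CRC32", "md5", "sha1", "sha224", "sha256", "sha384", "sha512")


class Hasher:
    """One update()/hexdigest() interface over hashlib digests and CRC32."""

    def __init__(self, method):
        if method not in METHODS:
            raise ValueError("unsupported hashing method: %s" % method)
        self._crc = 0
        self._h = None if method == "CRC32" else hashlib.new(method)

    def update(self, data):
        if self._h is None:
            self._crc = zlib.crc32(data, self._crc)
        else:
            self._h.update(data)

    def hexdigest(self):
        if self._h is None:
            return "%08x" % (self._crc & 0xFFFFFFFF)
        return self._h.hexdigest()


def single_capture(suspect, evidence, method="sha256", block_sectors=64,
                   read_back_verify=True, hash_targets=True, wipe_remainder=True):
    """Copy suspect sector-for-sector into evidence and return a hash report."""
    if len(evidence) < len(suspect):
        raise ValueError("Evidence drive is smaller than the Suspect drive")
    source_hash = Hasher(method)
    target_hash = Hasher(method) if hash_targets else None
    block = block_sectors * SECTOR
    for offset in range(0, len(suspect), block):
        data = bytes(suspect[offset:offset + block])
        source_hash.update(data)
        evidence[offset:offset + len(data)] = data
        if read_back_verify or hash_targets:
            read_back = bytes(evidence[offset:offset + len(data)])
            if read_back_verify and read_back != data:
                raise IOError("Read Back-Verify mismatch at sector %d" % (offset // SECTOR))
            if hash_targets:
                target_hash.update(read_back)
    if wipe_remainder and len(evidence) > len(suspect):
        evidence[len(suspect):] = bytes(len(evidence) - len(suspect))
    report = {"method": method, "sectors": len(suspect) // SECTOR,
              "source": source_hash.hexdigest()}
    if hash_targets:
        report["target"] = target_hash.hexdigest()
        report["match"] = report["target"] == report["source"]
    return report


def hash_sectors(drive, method="sha256", first=0, count=None):
    """Hash operation: whole drive, or a contiguous run of sectors, reading only."""
    total = len(drive) // SECTOR
    count = total - first if count is None else count
    h = Hasher(method)
    for sector in range(first, first + count):
        h.update(bytes(drive[sector * SECTOR:(sector + 1) * SECTOR]))
    return h.hexdigest()


class FaultyEvidence(bytearray):
    """Constructed Evidence drive that corrupts one write, to exercise Read Back-Verify."""

    def __init__(self, size, bad_sector):
        super().__init__(size)
        self.bad_offset = bad_sector * SECTOR

    def __setitem__(self, key, value):
        if isinstance(key, slice) and key.start == self.bad_offset and len(value):
            value = bytes([value[0] ^ 0xFF]) + bytes(value[1:])
        super().__setitem__(key, value)


def read_back_verify_catches(bad_sector, sectors=256):
    """True if a corrupted block is reported instead of silently hashed through."""
    suspect = bytearray(b"\xa5" * (sectors * SECTOR))
    try:
        single_capture(suspect, FaultyEvidence(sectors * SECTOR, bad_sector))
    except IOError:
        return True
    return False
```

Hash Targets here hashes each block as it is read back, as the Hash Targets setting describes; the Quick Start chapter also describes a final pass over the whole Evidence drive, which hash_sectors(evidence, method, 0, report["sectors"]) reproduces. The FaultyEvidence drive exists only to show that a write the drive accepts but does not store faithfully is caught immediately by Read Back-Verify; with that option off, the same fault would surface only as a source/target hash mismatch at the end of the capture.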
Encrypt/Decrypt
The Encrypt/Decrypt menu selection provides the user with the functions and settings necessary to configure an operation to Encrypt or Decrypt captured data.
Figure 12
AES Key Length (bits)
Provides the user with the list of two AES Key Sizes to choose from. The choices are 192, and 256 bits.
AES Mode
Provides the user with the list of AES Modes to choose from. The IMSolo-5 uses the ECB Mode.
NOTE: In ECB mode every identical 16-byte plaintext block encrypts to the same ciphertext block, so the layout of an encrypted image (for example runs of zeroed sectors and repeated sectors) remains visible without the key. The encryption protects the contents of an image in storage or transit; it is not a substitute for physical custody of the key file and the drive.
Action - None
Instructs the operation to transfer data without Encrypting or Decrypting data.
Action - Encrypt
Instructs the operation to Encrypt data during the data transfer operation.
Action - Decrypt
Instructs the operation to Decrypt data during the data transfer operation.
Save Key
The Encryption Key used to Encrypt the Suspect drive’s data is generated and saved. Keep the saved key separate from the Evidence drive; without it the captured data cannot be decrypted.
Load Key
Provides the function to allow the User to select and load the Encryption Key which can be used to Decrypt the Evidence drive’s Encrypted data.
NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.
WipeOut Settings
The WipeOut Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 13: WipeOut Settings menu (Mode: User / DoD / Secure Erase / Partial Wipe with ICS Signature; Iterations; Pattern (0-255); Read Back-Verify; Write ICS Signature)
Mode
The WipeOut Mode provides the Operator with two methods of sanitizing drives.
User
The WipeOut User option provides a quick, non-DoD method of sanitizing a drive of all previously stored data. The process writes a user-defined pattern to the drive connected in the Target drive position for a user-defined number of passes (iterations). The process is methodical and contiguous, beginning at the first byte of the first sector on the drive and ending at the last byte of the last sector.
Iterations
Allows the Operator to define the number of WipeOut-User iterations or passes to perform. Selecting 0 instructs the operation to sanitize the drive in one pass.
Pattern (0-255)
Allows the Operator to define the WipeOut-User Pattern to be used to sanitize the Target drive(s). The available range is 0-255.
DoD
The WipeOut DoD function provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DoD 5220.22-M for sanitizing drives.
The operation is performed as three iterations of two write passes each, followed by two further passes, for eight passes in total over the entire destination drive. In each iteration the first pass writes ONEs (Hex 0xFF) over the entire drive surface and the second pass writes ZEROs (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government-designated code “246” (Hex 0xF6) across the entire drive surface, followed by an eighth pass that inspects the drive with a Read-Verify review.
Secure Erase
The WipeOut-Secure Erase option uses the drive’s own built-in firmware “Secure Erase” function to erase data. It offers two modes, Normal Erase and Enhanced Erase, which are selected automatically according to what the drive supports. Normal Erase overwrites the drive with the 0x00 pattern. Enhanced Erase overwrites the drive with a vendor-predetermined pattern and also clears reallocated (relocation list) sectors.
NOTE: Not all drives support the Secure Erase command. Secure Erase is recognized by NIST SP 800-88 as an effective and secure way to meet legal data sanitization requirements.
Partial Wipe with ICS Signature
Performs a partial Wipe of the Evidence drive and writes an ICS signature.
Write ICS Signature
Performs a Wipe of the Evidence drive and writes an ICS signature.
Read Back-Verify
See the earlier description of this setting.
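The following Python simulation is added here as an illustration and is not part of the IMSolo-5 software. It runs the WipeOut-User and WipeOut-DoD pass sequences described above over an in-memory drive, writes a stand-in for the ICS signature, and performs the kind of check the Verify Location of Suspect Drive setting (Advanced Settings Menu) makes before a Capture. The signature marker, its placement in the last sector, 512-byte sectors and the SimDrive class are assumptions of this example; the page does not document the real signature format.

```python
"""Simulated WipeOut passes (User and DoD modes) over an in-memory drive, plus a
hypothetical ICS-signature check.  Added example, not IMSolo-5 code."""

SECTOR = 512  # assumption: 512-byte sectors

# Hypothetical marker standing in for the ICS signature; the real signature
# format is not documented on the page.  Assumed to occupy the last sector.
SIGNATURE = b"ICS-WIPED".ljust(SECTOR, b"\x00")


class SimDrive:
    """A drive reduced to a bytearray of sectors."""

    def __init__(self, sectors, fill=0x5A):
        self.sectors = sectors
        self.buf = bytearray([fill]) * (sectors * SECTOR)

    def overwrite(self, value):
        """One write pass: the same byte over every sector, first to last."""
        self.buf[:] = bytes([value]) * len(self.buf)

    def read_verify(self, value):
        """Read-Verify pass: True if every byte on the drive equals the pattern."""
        return self.buf == bytes([value]) * len(self.buf)

    def write_sector(self, lba, data):
        self.buf[lba * SECTOR:(lba + 1) * SECTOR] = data

    def read_sector(self, lba):
        return bytes(self.buf[lba * SECTOR:(lba + 1) * SECTOR])


def wipe_user(drive, pattern, iterations):
    """WipeOut-User: write one pattern byte for N passes; 0 iterations means one pass."""
    if not 0 <= pattern <= 255:
        raise ValueError("pattern must be 0-255")
    passes = max(1, iterations)
    log = []
    for n in range(1, passes + 1):
        drive.overwrite(pattern)
        log.append(f"pass {n}: wrote 0x{pattern:02X}")
    return log


def wipe_dod(drive):
    """WipeOut-DoD as described on the page: 3 x (0xFF, 0x00), then 0xF6, then Read-Verify.
    Returns (verify_passed, log)."""
    log = []
    for iteration in range(1, 4):
        for value in (0xFF, 0x00):
            drive.overwrite(value)
            log.append(f"iteration {iteration}: wrote 0x{value:02X}")
    drive.overwrite(0xF6)
    log.append("pass 7: wrote 0xF6")
    ok = drive.read_verify(0xF6)
    log.append(f"pass 8: read-verify {'passed' if ok else 'FAILED'}")
    return ok, log


def write_signature(drive):
    """Write ICS Signature: mark the drive as pre-wiped (hypothetical marker, last sector)."""
    drive.write_sector(drive.sectors - 1, SIGNATURE)


def verify_evidence_location(drive):
    """Verify Location of Suspect Drive: True if the drive in the Evidence position
    carries the pre-wipe signature; False means it may be a Suspect drive and the
    operation should be aborted."""
    return drive.read_sector(drive.sectors - 1) == SIGNATURE
```

The read-verify pass is the only step that turns a write sequence into evidence of sanitization: without it, a drive that silently dropped writes would still be reported as wiped.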
Format Drives Settings
The Format Drives Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu. The exFAT setting instructs the Format Drive operation to use the exFAT File System to format drives.
Figure 14
Linux DD Capture Settings
The LinuxDD Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 15: LinuxDD Capture Settings menu (Capture File Size; Custom File Size (MB); File Name; Read Back-Verify; Hash Targets; Hash Methods; Encryption/Decryption)
Capture File Size
The size of the individual LinuxDD files can be set by selecting predefined values within the Capture File Size menu. The options are 640MB, 1GB, 2GB, 4.7GB, Whole Drive, and Custom. The default setting is 640MB.
Custom File Size (MB)
The size of the individual LinuxDD files can be entered manually in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.
File Name
The File Name entry will be used as the name for the LinuxDD subdirectory, where the individual LinuxDD files will be stored. This File Name will also be used as the name of all LinuxDD files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default LinuxDD file name referenced as “CASE<DATE><TIME>.”
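As an added example (not the unit’s own code), the following Python functions segment a raw image the way the Capture File Size and File Name settings describe, generate the fallback CASE<DATE><TIME> name, check a segment set for gaps before a restore, and verify that the reassembled image still matches the hash recorded at capture time. The .001/.002 segment suffixes, the YYYYMMDD/HHMMSS date layout and 1 MB = 1,048,576 bytes are assumptions of this example.

```python
"""Segment a raw (LinuxDD-style) image, name it, and verify a restored set.
Added example, not IMSolo-5 code."""
import hashlib
from datetime import datetime

MB = 1024 * 1024  # assumption: the menu's "MB" means 1,048,576 bytes


def default_case_name(now=None):
    """Fallback name when File Name is blank: CASE<DATE><TIME>.
    Assumption: DATE is YYYYMMDD and TIME is HHMMSS (layout not given on the page)."""
    now = now or datetime.now()
    return f"CASE{now:%Y%m%d}{now:%H%M%S}"


def segment_image(image, name, segment_mb=None):
    """Split image bytes into segments of segment_mb (None = Whole Drive, one file).
    Returns an ordered list of (filename, bytes).  The .001, .002 ... suffixes
    follow the usual raw-split convention and are an assumption here."""
    size = len(image) if segment_mb is None else segment_mb * MB
    if size <= 0:
        raise ValueError("segment size must be positive")
    segments = []
    for index, offset in enumerate(range(0, len(image), size), start=1):
        segments.append((f"{name}.{index:03d}", image[offset:offset + size]))
    return segments


def check_segment_set(segments):
    """Sanity-check a segment set before restore: contiguous numbering and every
    segment except the last the same size.  Returns a list of problems."""
    problems = []
    ordered = sorted(segments, key=lambda s: s[0])
    for expected, (filename, _) in enumerate(ordered, start=1):
        suffix = int(filename.rsplit(".", 1)[1])
        if suffix != expected:
            problems.append(f"missing segment {expected:03d} (found {filename})")
            break
    sizes = [len(data) for _, data in ordered[:-1]]
    if len(set(sizes)) > 1:
        problems.append("inconsistent segment sizes: " + ", ".join(map(str, sizes)))
    return problems


def reassemble(segments):
    """Concatenate segments in filename order (the restore step)."""
    return b"".join(data for _, data in sorted(segments, key=lambda s: s[0]))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_segments(segments, expected_hash):
    """True if the restored image hashes to the value recorded at capture time."""
    return sha256_hex(reassemble(segments)) == expected_hash
```

A missing middle segment is the failure worth catching early: concatenation still succeeds, the restored image is simply shorter, and only the hash comparison (or the numbering check) reveals it.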
LinuxDD Hash Settings
The LinuxDD Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 16: LinuxDD Hash Settings menu (Hash Methods; File Name; Encryption/Decryption)
LinuxDD or E01 Restore Settings
The LinuxDD or E01 Restore Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figures 17 and 18: LinuxDD and E01 Restore Settings menus (Hash Methods; File Name; Read Back-Verify; Hash Targets; Encryption/Decryption)
Hash Settings
The Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 19: Hash Settings menu (Sectors to Hash; Hash Methods; Encryption/Decryption)
Sectors to Hash
Allows the Operator to define the number of sectors to hash. The default value of 0 will instruct the Hash operation to hash the entire drive.
E01 Capture Settings
The E01 Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 20: E01 Capture Settings menu (Capture File Size; Custom File Size (MB); Hash Methods; File Name)
Capture File Size
The size of the individual E01 files can be set by selecting predefined values within the Capture File Size menu. The default setting is 650MB (CD).
Custom File Size (MB)
The size of the individual E01 files can be entered manually in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.
Ex01
Instructs the operation to use the Ex01 format instead of the E01 format.
File Name
The File Name will be used as the name for the E01 Case subdirectory, where the individual E01 files will be stored. This File Name will also be used as the name of all E01 files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default E01 file name referenced as “CASE<DATE><TIME>.”
Settings Main Menu
The IMSolo-5 Forensics Advanced Settings Main Menu provides access to the common Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Settings Menu. The descriptions of the available settings are discussed in the following section.
Figure 21: Settings Main Menu (Bad Sector Handling; Start View; Add/Remove Optional Features; Drive Handling Functions; User Interface Culture; Read Back-Verify; Protected Area Support Enabled)
User Interface Culture
The User Interface Culture menu provides the Operator with a list of available User Interface Languages.
Additional Operational Mode Settings
The Additional Operational Mode Settings menu provides the Operator with a list of additional settings available for the selected operation.
Read Back-Verify (see the earlier description of this setting).
Protected Area Support Enabled
When selected, this function instructs the selected Operation to determine if a Source drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a Source drive, the Operation will copy all of the drive’s data, including the data stored in the drive’s HPA or DCO area.
Bad Sector Handling
This setting allows the user to select from a list of three methods of handling bad sectors when they are encountered on the source drive.
Skip Block
When enabled, the bad sector handling process time is reduced by skipping the entire transferred block in which the bad sector was encountered. Each transferred block is composed of 1280 sectors (640 KB at 512 bytes per sector, matching the default Transfer Buffer Size). When a block is skipped, zeros are written to the corresponding block on the Evidence drive. This process is significantly faster but does not capture any data that may exist in the good sectors of a block containing bad sectors.
Skip Sector
The operation will log the location of the bad sector on the source drive and the bad sector will be skipped.
Abort drive
The operation will abort when encountering a bad sector on the source drive.
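The following Python simulation is an added example, not code from the IMSolo-5, and serves both the Hash Methods and Wipe Remainder settings earlier in this chapter and the Bad Sector Handling modes above. It copies a simulated Suspect drive to a simulated Evidence drive in 1280-sector blocks, applies Skip Block, Skip Sector or Abort when a read fails, zeroes the remainder of a larger Evidence drive, and computes the source hash and (for Hash Targets) the target hash with the selected Hash Method. Assumptions of this example: 512-byte sectors, skipped sectors enter the source hash as zeros, and the target hash covers only the sectors that were copied.

```python
"""Simulated Capture: block transfer, Bad Sector Handling modes, Wipe Remainder
and Hash Method / Hash Targets computation.  Added example, not IMSolo-5 code."""
import hashlib

SECTOR = 512            # assumption: 512-byte logical sectors
BLOCK_SECTORS = 1280    # transfer block size stated on the page (1280 x 512 B = 640 KB)

# Hash Method names as shown in the menus, mapped to hashlib algorithm names.
HASH_METHODS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-2 (224)": "sha224",
    "SHA-2 (256)": "sha256",
    "SHA-2 (384)": "sha384",
    "SHA-2 (512)": "sha512",
}


class BadSectorError(IOError):
    """Raised by the simulated Suspect drive when a read touches a bad sector."""


class SimDrive:
    """In-memory stand-in for a drive: a sector buffer plus a set of bad LBAs."""

    def __init__(self, sectors, fill=b"", bad_lbas=()):
        self.sectors = sectors
        self.buf = bytearray(sectors * SECTOR)
        fill = fill[: sectors * SECTOR]
        self.buf[: len(fill)] = fill
        self.bad = frozenset(bad_lbas)

    def read(self, lba, count):
        hit = [b for b in self.bad if lba <= b < lba + count]
        if hit:
            raise BadSectorError(min(hit))
        return bytes(self.buf[lba * SECTOR:(lba + count) * SECTOR])

    def write(self, lba, data):
        self.buf[lba * SECTOR:lba * SECTOR + len(data)] = data

    def hash_range(self, method, lba, count):
        """Hash of `count` sectors starting at `lba`, with the selected Hash Method."""
        return hashlib.new(HASH_METHODS[method],
                           self.buf[lba * SECTOR:(lba + count) * SECTOR]).hexdigest()


def capture(source, target, method="SHA-2 (256)", bad_sector_mode="skip_sector",
            hash_targets=True, wipe_remainder=True):
    """Copy Suspect (source) to Evidence (target) one block at a time.

    Returns a dict with the source hash, the target hash (if Hash Targets is
    enabled), the bad-sector log and whether the operation was aborted."""
    if target.sectors < source.sectors:
        raise ValueError("Evidence drive is smaller than the Suspect drive")
    src_hash = hashlib.new(HASH_METHODS[method])
    log, aborted = [], False
    for lba in range(0, source.sectors, BLOCK_SECTORS):
        count = min(BLOCK_SECTORS, source.sectors - lba)
        try:
            data = source.read(lba, count)
        except BadSectorError as err:
            bad = err.args[0]
            if bad_sector_mode == "abort":
                log.append(f"bad sector at LBA {bad}: aborting")
                aborted = True
                break
            if bad_sector_mode == "skip_block":
                # The whole 1280-sector block becomes zeros, good sectors included.
                log.append(f"bad sector at LBA {bad}: skipped block {lba}-{lba + count - 1}")
                data = bytes(count * SECTOR)
            elif bad_sector_mode == "skip_sector":
                # Re-read sector by sector; zero and log only the sectors that fail.
                parts = []
                for s in range(lba, lba + count):
                    try:
                        parts.append(source.read(s, 1))
                    except BadSectorError:
                        log.append(f"bad sector at LBA {s}: skipped sector")
                        parts.append(bytes(SECTOR))
                data = b"".join(parts)
            else:
                raise ValueError(f"unknown bad sector mode {bad_sector_mode!r}")
        # Assumption: the source hash is taken over the stream as captured,
        # i.e. with zeros in place of any skipped sectors.
        src_hash.update(data)
        target.write(lba, data)
    if aborted:
        return {"aborted": True, "log": log, "source_hash": None, "target_hash": None}
    if wipe_remainder and target.sectors > source.sectors:
        # Wipe Remainder: zero every Evidence sector beyond the end of the image.
        target.write(source.sectors, bytes((target.sectors - source.sectors) * SECTOR))
    result = {"aborted": False, "log": log, "source_hash": src_hash.hexdigest(),
              "target_hash": None}
    if hash_targets:
        # Assumption: Hash Targets covers only the copied range, so a larger
        # Evidence drive still yields a hash comparable with the source hash.
        result["target_hash"] = target.hash_range(method, 0, source.sectors)
    return result
```

The point the example makes explicit: when the Evidence drive is larger than the Suspect drive, a hash taken over the whole Evidence drive will never match the source hash, because it includes the wiped remainder. Any later verification must hash exactly the sector range that was captured, and a Skip Block capture yields a different image (and hash) from a Skip Sector capture of the same drive.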
Start View
The Start View menu provides optional Start Up View options.
Operator Screen
Instructs the unit to Start Up using the Operator Interface Control Console. The Operator Interface provides all the functions and controls necessary to start or stop the operations pre-selected using the Wizard Interface or Advanced Interface. It provides the user with a graphical view of the Source and Target drive positions and the ability to change the active drive(s) for the selected operation.
Advanced Screen
Instructs the unit to Start Up using the Advanced Interface Control Console. The Advanced Interface provides all the functions and controls necessary to setup, customize and perform the unit’s common and advanced IT operations.
Add/Remove Optional Features
This function allows adding or removing Software Options.
Advanced Drive Detection Settings Menu
The IMSolo-5 Forensics Advanced Drive Detection Settings provides the Operator with User-Defined settings to customize the unit’s drive detect handling functions.
Figure 22: Advanced Drive Detection Settings menu (Drive Detection Mode; Fast Detection; Sequential Detection; Drive Detection Warning; Test Drive Detection)
Drive Detection Mode
Allows the Operator to choose between the three available Drive Detect methods.
Auto
Automatically selects Drive Detection method based on the hardware detected. This mode will automatically select Fast Detection for the IMSolo-5 Forensics systems.
Fast Detection
Selects the Fast Detection method to detect drives. This method identifies a drive by the physical address on the SAS/SATA controller at which the drive responds to polling. It is the quickest method to detect drives.
Sequential Detection
Selects the Sequential Detection method to detect drives. This method identifies a drive by sensing its “current load”. The selected drives are detected in turn: each drive is powered up and detected before the next selected drive is powered up. This method is slower than Fast Detection.
Fast Detection Settings
The Fast Detection Settings menu provides optional Fast Detection User-Defined settings.
Wait Time After Powering Up Each Drive
This is the time allocated before powering Up the next selected drive. The default value is 2 seconds.
Wait Time Between Powering Up Each Drive and Starting Drive Detection
This is the time allocated after powering Up each drive, and before checking the controller and O/S for detected drives. The default value is 20 seconds.
Max Scanning /Detection Time allowed by Application (Sec)
This is the time allocated for the O/S to detect “New Hardware” or discover each selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.
Auto Calibrate Detection of All Drives
Used to restore the “map” which links the unit’s SAS/SATA controller’s physical addresses to the unit’s assigned drive positions, listed in the Drive Detection menu screen, for all connected drives. The Calibration starts with the drive specified in the Calibration Starts From Drive input box.
NOTE: Calibration would only be necessary if the unit can no longer detect drives.
Calibration Starts From Drive
The Auto Calibration starts with the drive number specified in the Calibration Starts From Drive input box. The drive number starts with 0 and follows the order of the drive positions listed in the Drive Detection menu screen.
Calibrate Detection of a Selected Drive
Used to restore the “map” which links the unit’s SAS/SATA controller’s physical addresses to the unit’s assigned drive positions, for individually selected drives.
NOTE: Calibration would only be necessary if the unit can no longer detect drives.
Sequential Detection Settings
The Sequential Detection Settings menu provides optional Sequential Detection User-Defined settings.
Max Detect Time
This is the time allocated for the O/S to detect “New Hardware” or discover each selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.
Max Detect Power Time
Maximum time allowed for the drive’s applied “current load” to be detected. After the set time, if the drive’s applied “current load” is not detected, the drive will be powered OFF.
Calibrate Current Threshold
The Calibrate Current Threshold function will measure the idle current used by the unit’s power control board. A current level measured that is greater than the Calibrated Current Threshold value will indicate that a device is connected.
NOTE: Verify that NO drive is connected while calibrating the current thresholds.
Drive Detection Warning
Warns the Operator when one of the selected drive positions could not detect a drive.
Test Drive Detection
Powers on each drive port to test for proper drive detection. Requires drives to be connected to each port.
Advanced Settings Menu
The IMSolo-5 Forensics Advanced Settings provides the Operator with User-Defined settings to enable or disable displayed prompts, activate the Auto Run function and use some additional Drive Handling functions. The menu is displayed by selecting the Settings/Advanced Tab. The descriptions of the available settings are discussed in the following section.
Figure 23: Advanced Settings menu (Drive Detection Prompts; Secure Erase Setting; Target Protected Area; Force Power Off; Auto Run; Verify Location of Suspect Drive)
Warn if Drive is not Inserted
When enabled, this function will prompt the User if a selected drive is not connected.
Use Master Password for Secure Erase
When enabled, this function instructs Secure Erase to use the drive’s Master Password to access the drive.
Hash Advisory
When enabled, this function will prompt the User if the Hash Method is not enabled.
Confirm Drives
When enabled, this function will prompt the User if the operation should proceed with the detected drives.
Set Target Protected Area
When enabled, this function instructs the operation to set the HPA or DCO Area of the Target drive if the Source drive is detected as having an HPA or DCO Area.
Forced Power off
Provides a function to manually power OFF all selected drives.
Power off selected drives
Manually powers OFF the selected drives. The function should only be used if the Remove Drives function does not power off the selected drives.
NOTE: Exit all applications which may be using the drives prior to manually powering OFF the drives.
Auto Run
Instructs the selected Operation to continuously run until the Operation is manually aborted. This function can be used to test drives or unit’s hardware.
Verify Location of Suspect Drive
Instructs the Operation to check if the drive connected in the Evidence position contains the pre-wiped ICS Signature. If the signature is not located, the operation will display a warning indicating “Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted.”
More Settings Menu
The IMSolo-5 Forensics More Settings provides the Operator with User-Defined settings to configure some of the unit’s hardware and software settings. The menu is displayed by selecting the Settings/More Tab. The descriptions of the available settings are discussed in the following section.
Figure 24: More Settings menu (Slow Drive Filter; Enable IMAccess; Speed Optimization; Fan Control; Launch Drive Port Assignment; SAS/SATA Controller Settings; Disable Destination Writes)
Slow Drive Filter
The Slow Drive Filter menu allows the operation to abort individual drives which would cause slow transfer rates. After aborting the individual drive, the operation would continue for the remaining drives, without reducing the transfer rate.
Speed Threshold
Minimum transfer rate accepted before the drive is aborted. The decision to abort a drive is based on the individual drive speed and not on the average speed of the process.
Speed Optimization
Used to obtain optimal transfer rates.
Transfer Buffer Size (in 64 KB units)
The default setting of 10 instructs the operation to use a Transfer Buffer size of 640 KB. In most cases a Transfer Buffer size of 640 KB is optimal; however, with some drive combinations it might be useful to change the value in order to achieve faster transfer rates.
Fan Control
Controls Drive Bay Fan Speeds.
Launch Drive Port Assignment
Opens the Drive Port Assignment Screen which provides interface to change default port assignments.
Enable IMAccess
Provides function for proprietary 3rd Party applications to access USB drive volumes connected in the unit’s general purpose USB ports.
SAS/SATA Controller Settings
Provides function to set the minimum and maximum negotiating transfer rate of the unit’s SAS/SATA Controller.
Disable Destination Writes
Allows the Operator to disable the writing of Log, Audit or other drive information files to the Destination drive.
Advanced Case Info Menu
The IMSolo-5 Forensics Advanced Case Info Menu provides the user with a list of specific Case Information to enter for the Capture Operation. This Case Information will be stored for Audit Trail output. The menu is displayed by selecting the Case Info Tab from the Advanced Main Menu.
Figure 25
Advanced Mount Drive Menu
The IMSolo-5 Forensics Advanced Mount Drive Menu provides access to the functions and controls necessary to change the state of the detected device’s Write Protection and Mount Volume properties. By default, all ports including the Evidence Drive ports and the unit’s USB ports are Write-Protected. In addition, the detected drive’s partitions or volumes are “hidden” from the unit’s O/S. The drive’s properties will automatically be configured for the common Operational Modes. The recommended state of each device will depend on the operation to be performed with the detected devices. The menu is displayed by selecting the Mount Drive Tab from the Advanced Interface Control Console. The descriptions of the available Mount Drive Settings are discussed in the following section.
Figure 26: Mount Drive menu (Write-Protection; Mount Volumes; Simulate Drive Signature; Apply; Refresh)
Write-Protect the Drive
When selected (checked), the detected drive will be Write-Protected. This setting should be cleared (unchecked) only when it is necessary to allow the unit’s O/S or a 3rd party application write access to the drive’s volume. The detected drive’s Write-Protect property can be changed by first selecting the detected drive and then using the Mount Drive Menu, Write-Protect function.
NOTE: By default, all ports are Write-Protected. The Write-Protect property of drives detected in the Suspect positions cannot be disabled.
Mount Volumes on the Drive
When selected (checked), the detected drive’s volume will be accessible to the unit’s Operating System. This setting should be enabled only when it is necessary to allow the unit’s O/S or a 3rd party application preview access to the drive’s volume. The detected drive’s Mount Volume property can be changed by first selecting the detected drive and then using the Mount Drive Menu, Mount Volume function.
Simulate Drive Signature When Mounting Volumes
When selected (checked), the O/S will be provided with a “simulated” Device Signature for the selected drive. The O/S requires each drive to have a different Device Signature. After the duplication operation, drives may have the same Device Signature. The drive’s volume may not mount properly when attempting to mount the drive’s volume under the unit’s O/S if the same Drive Signatures are detected. If the setting is not selected, the Drive’s unaltered Device Signature is presented to O/S or applications.
Apply
Applies the selected Drive Property settings.
Refresh
Selecting Refresh, displays the drive properties of the currently selected drive.
Advanced HPA/DCO Menu
The IMSolo-5 Forensics Advanced HPA Menu provides the functions to view and modify the drive’s Host Protected Area (HPA) and Device Configuration Overlay (DCO) Capacity feature set. The menu is displayed by selecting the HPA Tab from the Advanced Interface Control Console. The descriptions of the available HPA Menu Settings are discussed in the following section.
Figure 27: HPA/DCO menu (Protected Area Type; Protected Area Support; Set Capacity; Reset; New Capacity; Volatile)
Protected Area Type
Allows the User to select use of either HPA or DCO Support functions.
Protected Area Support
When selected, this function instructs the selected Operation to determine if a Suspect’s drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a Suspect’s drive, the Operation will capture all of the drive’s data, including the data stored in the drive’s HPA or DCO area.
New Capacity
Value in sectors which will define the drive’s programmed HPA or DCO capacity.
Current Capacity
Displays drive’s current DCO or HPA programmed capacity in sectors.
Native Capacity
Displays drive’s Native capacity in sectors.
Set Capacity
Provides the function to program the Evidence drive’s capacity using the HPA or DCO User Defined values.
Reset Capacity
Provides the function to reset the Evidence drive’s capacity to its Native Capacity.
Volatile
When selected, the Set Capacity change is volatile: the programmed capacity remains in effect only until the drive is power cycled, after which the drive returns to its previous capacity.
Advanced LOG Menu
The IMSolo-5 Forensics LOG Menu provides the functions for viewing, transferring and printing Event Log and Audit information. The menu is displayed by selecting the LOG Tab from the Advanced Interface Control Console. Event Log and Audit files are automatically stored in the unit’s local file folder. Files are stored using a DATE_TIME.TXT naming convention. The Audit Trail file will be referenced as such. The descriptions of the available LOG functions are discussed in the following section.
Figure 28: LOG menu (Print Logs; Copy Logs; Open Log Folder; Set Audit Trail Logo)
Print Logs
Provides the functions to print Event Log files and Audit Trail Log files to a connected printer.
Copy Logs
Provides the function to copy Event Log files and Audit Trail Log files to an external device.
Open Log Folder
Provides access to the folder used to store the Log files, for viewing.
Set Audit Trail Logo
Provides the function to add a Company Logo onto the generated PDF Audit Trail.
Advanced Tools Menu
The IMSolo-5 Forensics Advanced Tools Menu provides the functions to disable an Evidence drive’s User Password.
Figure 29: Tools menu (Disable Password)
Disable Password
Provides the function to disable the drive’s User Password. It may be necessary to disable the “ics” User Password, which the unit sets on the drive during Secure Erase, if the operation is aborted before completion. If the User Password is not cleared, the drive will reject Read and Write commands.
NOTE: It is not necessary to disable the drive’s User Password if Secure Erase is used to erase the drive.
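Outside the unit, the same two questions behind the WipeOut-Secure Erase option and the Disable Password function (does this drive support Secure Erase, and is it still locked by a User Password after an aborted erase?) can be answered from hdparm. The following Python parser is an added example, not ICS software. The hdparm -I Security section and hdparm -N line it reads are constructed samples in the format hdparm prints, and the plan strings it returns are this example’s own.

```python
"""Decide whether a drive can be erased with ATA Secure Erase, and whether it is
still locked by a User Password, from hdparm output.  Added example, not ICS
software; the samples below are constructed in the format hdparm prints."""
import re

# Constructed sample of the Security section printed by `hdparm -I /dev/sdX`.
SAMPLE_OK = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. \n"
    "Checksum: correct\n"
)
# Same drive after an erase was aborted: the User Password is still set and the
# drive is locked, so it rejects reads and writes until the password is disabled.
SAMPLE_LOCKED = (SAMPLE_OK.replace("\tnot\tenabled", "\t\tenabled")
                          .replace("\tnot\tlocked", "\t\tlocked"))


def parse_security(hdparm_i_output):
    """Return the Security flags as a dict, or None if the section is absent."""
    lines = hdparm_i_output.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("Security:")]
    if not starts:
        return None
    info = {"supported": False, "enabled": False, "locked": False, "frozen": False,
            "enhanced": False, "erase_minutes": None, "enhanced_erase_minutes": None}
    for line in lines[starts[0] + 1:]:
        if not line.startswith("\t"):
            break                      # end of the indented section
        tokens = line.split()
        if not tokens:
            continue
        negated = tokens[0] == "not"   # hdparm prints "not<TAB>locked" vs "<TAB>locked"
        body = " ".join(tokens[1:] if negated else tokens)
        if body == "supported":
            info["supported"] = not negated
        elif body == "supported: enhanced erase":
            info["enhanced"] = not negated
        elif body in ("enabled", "locked", "frozen"):
            info[body] = not negated
        else:
            m = re.search(r"(\d+)min for SECURITY ERASE UNIT", body)
            if m:
                info["erase_minutes"] = int(m.group(1))
            m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", body)
            if m:
                info["enhanced_erase_minutes"] = int(m.group(1))
    return info


def secure_erase_plan(info):
    """Map the flags to the action a WipeOut-Secure Erase run would need."""
    if info is None or not info["supported"]:
        return "unsupported"   # fall back to an overwrite wipe (User or DoD)
    if info["frozen"]:
        return "frozen"        # security commands blocked until the drive is power-cycled
    if info["locked"]:
        return "locked"        # User Password still set: disable it before anything else
    return "enhanced" if info["enhanced"] else "normal"


def parse_hpa(hdparm_n_output):
    """Parse `hdparm -N` ("max sectors = current/native, HPA is ...") into sector counts."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_n_output)
    if not m:
        return None
    current, native = int(m.group(1)), int(m.group(2))
    return {"current": current, "native": native, "hidden": native - current}
```

The “locked” outcome is the state the Disable Password function recovers from; on a Linux host the equivalent is hdparm’s --security-disable option with the password that was set. hdparm -N reports only the HPA; a capacity reduced by DCO has to be read with hdparm --dco-identify, which is why the unit’s Protected Area Type offers HPA and DCO separately.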
Chapter 5: Operational Procedures
Prepare for Operation
This section describes the recommended procedure to follow when preparing to perform an operation with drives connected directly to the unit. References to P-ATA drive setup in this section require use of S-ATA-to-P-ATA adapters.
1. Prepare Suspect’s Drive
When using PATA drives, verify that the Suspect’s drive jumper block is properly configured. For P-ATA drives the jumper block should be set for “Single/Master” operation. For SAS or SATA drives, the drive’s default jumper block settings are recommended.
Connect the Suspect’s drive to the unit’s SUSPECT-1 SAS/SATA or USB position, located on the unit’s Left Panel (Fig. 8). Use of P-ATA drives requires use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Source Drive Panel.
If necessary, connect a second Suspect’s drive to the unit’s SUSPECT-2 SAS/SATA or USB position, located on the unit’s Right Panel (Fig. 9).
NOTE: A second instance of the Control Console will be required to capture data from two Suspect drives simultaneously. Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.
2. Prepare the Evidence Drive(s)
Connect the Evidence drive to the unit’s EVIDENCE-1 SAS/SATA position located on the unit’s Front Panel (Fig. 10) or to the EVIDENCE-1 USB position, located on the unit’s Back Panel. Use of P-ATA drives requires use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Destination Drive Panel.
If necessary, connect a second Evidence drive to the unit’s EVIDENCE-2 SAS/SATA data connector located on the unit’s Front Panel (Fig. 10).
The Evidence drive(s) should be sanitized prior to performing a Capture operation.
NOTE: To configure the Capture Operation to verify the location of the Suspect Drive, refer to the section titled “Verify Location of Suspect Drive Configuration”
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The Write-Protection feature of all Evidence drive ports will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
3. Connect the printer (optional).
4. Configure the unit’s Settings.
Select the required operation from the Control Console’s Operation pull down menu located in the Advanced Interface Control Console.
Verify the Settings of the selected Operation. See Chapter 5 for the Operational Mode recommended settings.
Verify unit’s Common Settings (See Table 2). The Common Settings are located in the Advanced Settings Screen.
Table 2: Common Settings

Menu Item                          Setting
Read Back-Verify                   Disable
Confirm Drives Before Operation    Enable
Auto Run                           Disable
Bad Sector Handling                Skip Sector
Transfer Buffer Size               10
Drive Detection Mode               Sequential Detection
Max Detect Drive Time              60
Max Detect Drive Power Time        0
Verify Location of Suspect Drive   Enable
Hash Advisory                      Enable
Protected Area Support             Enable
Start View                         Advanced Screen
5. Removing Drives
The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or if the operation passed, and RED if the drive is not detected or if the operation was not successful. Drives are powered OFF after an operation completes. Drives can be physically removed after an operation completes and the drive is removed from its assigned Active Drive Status Panel.
Capturing Drives using Single Capture Mode
The following section describes the procedure to use the Single Capture mode for capturing a Suspect’s data from drive(s) that have been removed from a PC or Notebook.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
3. Select Single Capture from the Operation pull down menu, located in the Main Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 3 for recommended settings.
5. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
6. Select CASE INFO from the Main Screen and enter the required information.
7. Select the drives to be used for the selected Operation using the Drive Selection Panel.
8. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.
NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.
9. If capturing from two Suspect’s drives, start a second instance of the IMSolo-5 Forensic Capture application and follow steps 2 through 8.
NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are generated for the data read from the Suspect’s drive, not for the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
Table 3: Single Capture Recommended Settings

Menu Item            Setting
Operational Modes    Single Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capturing using LinuxDD Capture Mode
The following section describes the procedure to use the LinuxDD Capture mode for capturing a Suspect’s data from a drive that has been removed from a PC or Notebook.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
2. Select LinuxDD Capture from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 4 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD directory and segmented files.
5. Set the LinuxDD file fragment size by selecting the size from the Capture File Size pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected Operation using the Drive Selection Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.
NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-5 Forensic Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2 through 9.
NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
LinuxDD Capture Recommended Settings
Table 4
Menu Item            Setting
------------------   ------------------
Operational Modes    LinuxDD Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    4GB
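The LinuxDD procedure above writes the capture as a directory of segmented files of the selected Capture File Size, and the hash the unit reports is of the data read from the Suspect drive. The following is an added example, not code from ICS or from this unit, showing how an examiner can independently verify the evidence copy afterwards: it locates the fragments, checks that every fragment except the last is exactly the configured fragment size, hashes the fragments in order as one logical image without writing a joined file, and compares the result with the source hash taken from the log. The fragment naming scheme (CASE001.001, CASE001.002, ...), the 4096-byte fragment size and the sample drive contents are constructed for the demonstration; SHA-256 stands in for the “SHA-2” setting, and the same function accepts "sha1" for a capture hashed with SHA-1. An E01 capture is a container format that needs an EWF-aware tool to read, so this example handles raw LinuxDD segments only.

```python
"""Reassemble a LinuxDD segmented capture logically and verify it against the source hash.

Added example; the segment naming (NAME.001, NAME.002, ...) is an assumption for the demo.
"""
import hashlib
import os
import tempfile


def segment_paths(case_dir, base_name):
    """Return the segment files for base_name in numeric order and fail on a gap in the numbering."""
    segs = []
    for entry in os.listdir(case_dir):
        stem, dot, ext = entry.rpartition(".")
        if stem == base_name and dot and ext.isdigit():
            segs.append((int(ext), os.path.join(case_dir, entry)))
    segs.sort()
    if not segs:
        raise ValueError("no segments found for %s" % base_name)
    numbers = [n for n, _ in segs]
    if numbers != list(range(1, len(segs) + 1)):
        raise ValueError("segment numbering is not contiguous: %s" % numbers)
    return [p for _, p in segs]


def check_fragment_sizes(paths, fragment_size):
    """Every fragment except the last must be exactly fragment_size bytes; the last may be shorter."""
    sizes = [os.path.getsize(p) for p in paths]
    if any(s != fragment_size for s in sizes[:-1]):
        return False
    return 0 < sizes[-1] <= fragment_size


def hash_segments(paths, algorithm="sha256", chunk=1 << 20):
    """Hash the logical image (segments concatenated in order) in fixed-size chunks."""
    h = hashlib.new(algorithm)
    total = 0
    for p in paths:
        with open(p, "rb") as f:
            while True:
                block = f.read(chunk)
                if not block:
                    break
                h.update(block)
                total += len(block)
    return h.hexdigest(), total


def verify_capture(case_dir, base_name, fragment_size, source_hash, algorithm="sha256"):
    """Check fragment layout and compare the evidence hash with the hash recorded for the source."""
    paths = segment_paths(case_dir, base_name)
    sizes_ok = check_fragment_sizes(paths, fragment_size)
    digest, total = hash_segments(paths, algorithm)
    return {
        "segments": len(paths),
        "bytes": total,
        "sizes_ok": sizes_ok,
        "digest": digest,
        "match": digest == source_hash.lower(),
    }


def make_demo_case(fragment_size=4096):
    """Constructed sample: a fake 10000-byte 'suspect drive' split into numbered fragments."""
    drive = bytes((i * 7) & 0xFF for i in range(10000))
    case_dir = tempfile.mkdtemp(prefix="imsolo_demo_")
    for n, off in enumerate(range(0, len(drive), fragment_size), start=1):
        with open(os.path.join(case_dir, "CASE001.%03d" % n), "wb") as f:
            f.write(drive[off:off + fragment_size])
    # The source hash the unit would have logged for the Suspect drive.
    return case_dir, hashlib.sha256(drive).hexdigest()


if __name__ == "__main__":
    case_dir, source_hash = make_demo_case()
    print(verify_capture(case_dir, "CASE001", 4096, source_hash))
```

Run it on a real case directory with the base name you entered under File Name, the Capture File Size you selected and the source hash from the unit’s log; a `match` of False with `sizes_ok` True points at changed content rather than a missing fragment.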
Capturing using E01 Capture Mode
The following section describes the procedure for using the E01 Capture mode to capture the Suspect’s data from a drive that has been removed from its PC or Notebook.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
2. Select E01 Capture from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 5 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the operation for creating the E01 directory and segmented files.
5. Set the E01 file fragment size by selecting the size from the Capture File Size pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected operation from the Drive Selection Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.
NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-5 Forensic Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2 through 10.
NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
E01 Capture Recommended Settings
Table 5
Menu Item            Setting
------------------   ------------------
Operational Modes    E01 Capture
Hash Method          SHA-1
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    2GB
Compression          0
Capturing from a PCIe M.2 Drive
The following section describes the procedure to connect and use the M.2 Adapter Module to acquire data from a PCIe M.2 Drive.
1. Please refer to the embedded instructional video to install the M.2 Adapter Module and to connect the PCIe M.2 drive(s).
Power OFF the unit before connecting the M.2 Adapter Module and inserting or removing PCIe M.2 drives.
2. Connect the SAS/SATA Evidence drive to the unit’s EVIDENCE-1 SAS/SATA position located on the unit’s Front Panel.
NOTE: This step is optional if one of the connected PCIe M.2 drives will be used as the only connected Evidence drive.
3. If a SAS/SATA Evidence drive is connected, select the Evidence drive position from the Drive Selection Panel, otherwise do not select any Evidence drive positions.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
4. Select the Mode of Operation from the Operation pull down menu.
5. Configure the Operational Mode using the dynamically displayed settings.
6. Verify that the recommended Common Settings are in use. See Table 2 for recommended settings.
7. Select Detect Drives from the Console’s main menu.
a. The detected PCIe M.2 drive(s) will be listed in the Other Detected Drives (In-active Drives) Panel. The SAS/SATA Evidence drive will be listed in the Destination Drives Panel list.
8. Identify the PCIe M.2 Suspect drive by the listed Serial Number. Using the touch screen display, select and move the PCIe M.2 Suspect drive from the Other Detected Drives (In-active Drive) Panel to the Suspect Drive Panel.
9. If connected, identify the PCIe M.2 Evidence drive by the listed Serial Number. Using the touch screen display, select and move the PCIe M.2 Evidence drive from the Other Detected Drives (In-active Drives) Panel to the Destination Drives Panel.
10. Select CASE INFO from the Main Screen and enter the required information.
11. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
12. After the operation completes, the PCIe M.2 drive(s) will remain powered ON and should not be removed until the unit is powered OFF. The SAS/SATA drive(s) will be powered OFF and can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
Capturing from an Unopened PC or Notebook
The following section describes the procedure for capturing the Suspect’s data from an unopened PC or Notebook.
1. Connect and configure the Evidence drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
2. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.
4. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
5. Select DETECT REMOTE DRIVES from the Drive Selection Panel.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
6. Select the Evidence Drive(s) to be used for the selected operation from the Drive Selection Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions.
NOTE: Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function. As an alternative, the Evidence drives can also be hashed after the capture operation using the Hash mode of operation.
8. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-5 unit’s Ethernet port and to the Notebook/PC Ethernet port. Alternately, connect the Gigabit USB-to-Ethernet Network Adapter to the Notebook/PC USB port and the Ethernet Cable connector end to the IMSolo-5 unit’s Ethernet port. See the instructions titled “USB-to-Ethernet Connection” for additional details.
9. Configure the Suspect’s PC or Notebook BIOS to boot from its CD-ROM or DVD drive. Most BIOS have a section titled “Boot Order” to perform this function.
NOTE: Various PC or Notebook BIOS require different key combinations at boot up to change the default Boot Order. It is the user’s responsibility to correctly set up the Suspect’s PC or Notebook BIOS.
10. Insert the LinkMASSter Bootable CD and allow the Suspect’s PC or Notebook to boot from the LinkMASSter CD.
11. After “Initializing the Environment”, the LinkMASSter application will display a prompt indicating “Do you want to prepare a USB Flash?” Select “NO” to continue.
NOTE: To configure a USB device for LinkMASSter usage, see the instructions titled USB LinkMASSter Setup and Usage, for additional details.
12. The LinkMASSter Network Capture Agent Screen is displayed with the computer’s detected drive information.
13. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive, located in the Suspect’s computer, will be listed in the Source Drive panel list and the Evidence drive will be listed in the Destination Drives panel list.
14. Select START to begin the operation. Operational status information will be displayed during an operation.
15. After the operation completes, the Evidence drive will be powered OFF and can be safely removed. Remove the LinkMASSter CD from the Suspect’s computer prior to powering OFF the computer. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
NOTE: Prior to saving logs to external media, disable the DETECT REMOTE DRIVES function from the Drive Selection Panel.
Capturing to a Local Shared Folder
The following section describes the procedure for using the LinuxDD or E01 Capture modes to capture and store the Suspect’s data to a local Shared Folder. A local Shared Folder is a location on an Evidence drive connected directly to the unit’s Evidence-1 or Evidence-2 port.
1. Connect the Evidence drive(s) as outlined in the “Quick Start” and “Prepare to Capture” sections of the Manual.
NOTE: The Evidence drive needs to be preformatted with NTFS or exFAT prior to starting the capture operation. The Evidence drive can be formatted on a PC or using the IMSolo-5. If using a PC Workstation to format the drive, use “EVIDENCE” as the Volume label and skip to step 5.
2. Select the Evidence drive(s) which needs to be formatted, from the Drive Selection Panel.
3. Select FORMAT from the Operation pull down menu, located in the Main Screen and choose either NTFS or exFAT.
4. Select Start from the Main Screen to format the Evidence drive.
5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.
6. Select the Evidence drive(s) from the Drive Selection Panel.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
7. Select Detect Drives from the Console’s main menu.
8. Select the Mount Drive function Tab from the Advanced Interface Control Console.
9. Highlight and Select the detected Evidence drive from the Console’s Drive Status Panel.
10. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.
11. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
12. Select APPLY.
NOTE: Repeat steps 9-12 for the second Evidence drive if applicable.
13. Select New Copy Session from the Navigation Bar to begin a new session of the IMSolo-5 Forensic Capture application.
14. Connect the Suspect drive(s) as outlined in the “Quick Start” and “Prepare to Capture” sections of the IMSolo-5 User’s Manual.
15. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.
16. Select the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.
17. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD or E01 directory and segmented files.
18. Set the file fragment size by selecting the size from the Capture File Size pull down menu.
19. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
20. Select the Suspect drive to be used for the selected Operation using the Drive Selection Panel.
NOTE: Do not select any Evidence position from the Drive Selection Panel.
21. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu screen is displayed.
22. Select Browse from the “Add Network Location” menu screen.
23. Select “D:\”. The Shared Drive Letter will be listed in the Evidence Drives Panel.
NOTE: Select “E:\” if “D:\” is in use by a previous session.
24. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Drive Letter will be listed in the Evidence Drives Panel.
25. Select CASE INFO from the Main Screen and enter the required information.
26. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.
NOTE: Repeat steps 13-26 to begin a second session.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
27. After the operation completes, the Suspect drive(s) will be powered OFF and can be safely removed, but the Evidence drives will remain powered ON until they are manually powered OFF. Using the NEXT COPY SESSION function, select the initial Session which was used to mount the physical Evidence drive(s) and select REMOVE DRIVES to power OFF and safely remove the Evidence drive(s).
NOTE: If more than one operation is running at the same time, do not select REMOVE DRIVES until both operations have completed.
Capturing to a Shared Network Folder
The following section describes the procedure for using the LinuxDD or E01 Capture modes to capture and store the Suspect’s data to a Shared Network Folder.
1. Connect and configure the Suspect drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: Attach an Evidence drive if capturing to both a local Evidence drive and a Network Shared Folder.
2. Configure a Shared Network Folder on the Network PC.
3. Connect the appropriate Ethernet Cable to the IMSolo-5 unit and to the Network PC.
NOTE: An Ethernet Cross-Over cable would be required for direct connection.
4. Establish a Network Connection between the IMSolo-5 and the Destination Network PC using the IMSolo-5 O/S DESKTOP/CONTROL PANEL/NETWORK and INTERNET CONNECTIONS Tools.
NOTE: It is the responsibility of the User to properly configure the Network for proper connectivity and to properly configure the Shared Network Folder. The Shared Network Folder requires write access. If properly configured, the Shared Network Folder should be accessible from the IMSolo-5.
5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.
6. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.
7. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD or E01 directory and segmented files.
8. Set the file fragment size by selecting the size from the Capture File Size pull down menu.
9. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.
10. Select the Suspect drive to be used for the selected Operation using the Drive Selection Panel.
NOTE: Do not select any Evidence position from the Drive Selection Panel unless an Evidence drive will also be used as a Destination drive.
11. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu screen is displayed.
12. Select Browse from the “Add Network Location” menu screen.
13. Select “My Network Places” to locate and select the Shared Network Folder. The Shared Network Folder will be listed in the Evidence Drives Panel.
14. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Network Folder will be listed in the Evidence Drives Panel.
15. Select CASE INFO from the Main Screen and enter the required information.
16. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
Encrypting Data During Data Capture
The following section describes the procedure to Encrypt data seized from the Suspect’s drive.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
NOTE: E01 Capture Encryption Support was pending development at time of this document’s (Rev 4.0) release. By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
2. Select the Capture Mode from the Operation pull down menu, located in the Main Screen.
NOTE: Sanitize (WipeOut) the Evidence drive(s) prior to Encrypting data. Do not use LinuxDD Evidence drives which contain previously captured cases which were not Encrypted.
3. Select On-Screen Keyboard from the Navigation Bar.
4. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.
5. Select the AES Key Length and AES Mode.
NOTE: For compatibility with the IMSolo-III Encryption and ICS Disk Cypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.
6. Select Encrypt.
7. Select Save Key and select a name for the Encryption Key, which will be required
NOTE: In addition to unique password information, the saved Encryption Key will also contain the selected AES Key Length and AES Mode settings.
8. Select Exit Encryption Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the Settings Screen. See Tables 2 and 6 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Capture is in use, select File Name and enter the name of the file which will be used by the operation for creating the Case directory and segmented files. Set the File Fragment Size by selecting the size from the Capture File Size pull down menu.
12. Select the drives to be used for the selected operation from the Drive Selection Panel.
13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.
NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel. If capturing from two Suspect drives, start a second instance of the IMSolo-5 Forensic Capture application and follow steps 1 through 13.
NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
Encryption Capture Recommended Settings
Table 6
Menu Item            Setting
------------------   ---------------------------------------------------
Operational Modes    Single Capture / LinuxDD Capture / E01 Capture (7)
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       192
AES Mode             ECB
Encrypt              Enable

(7) E01 Capture Encryption Support was pending development at the time of this document’s release.
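The AES Mode setting in Table 6 recommends ECB for compatibility with the IMSolo-III and ICS Disk Cypher hardware. The following is an added educational example, not the unit’s code or any ICS software, that shows the property an examiner should keep in mind when choosing ECB for a whole-drive image: ECB encrypts every block independently, so two identical plaintext blocks (zero-filled sectors, repeated file content) always produce identical ciphertext blocks, and the layout of such regions remains visible in the encrypted evidence; CBC with a random IV chains the blocks and hides that structure. To run with the standard library alone, a toy 16-byte Feistel block cipher built from SHA-256 stands in for AES; the mode logic (ECB versus CBC) is the same as it would be with the real cipher. The key, IV and the constructed disk-like buffer are demo values.

```python
"""ECB vs CBC on disk-like data: why the AES Mode choice shows through in the ciphertext.

Added example. A toy Feistel block cipher replaces AES so it runs with the standard library;
the block size is the same (16 bytes) and the mode constructions are the standard ones.
"""
import hashlib
import os

BLOCK = 16  # AES block size in bytes; the toy cipher uses the same size


def _round_function(key, round_no, half):
    # Keyed pseudo-random function for one Feistel round (demo cipher only, not AES).
    return hashlib.sha256(key + bytes([round_no]) + half).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Encrypt one 16-byte block with a 4-round Feistel network (a bijection, like any block cipher)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def toy_block_decrypt(key, block):
    """Invert toy_block_encrypt by running the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of %d-byte blocks" % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """ECB: each block is encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(toy_block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block (or the IV) before encryption."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def distinct_blocks(data):
    """How many different 16-byte blocks appear; repetition in ciphertext means structure leaks."""
    return len(set(_blocks(data)))


def compare_modes(key=b"demo-key-not-a-real-key", iv=None):
    """Encrypt a constructed disk-like buffer both ways and report the distinct-block counts."""
    iv = os.urandom(BLOCK) if iv is None else iv
    # Constructed sample image: 100 zero-filled blocks, 4 distinct records, 100 more zero-filled blocks.
    records = b"".join(b"RECORD %09d" % i for i in range(4))
    plaintext = bytes(BLOCK * 100) + records + bytes(BLOCK * 100)
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, iv, plaintext)
    assert ecb_decrypt(key, ecb) == plaintext
    assert cbc_decrypt(key, iv, cbc) == plaintext
    return {
        "total_blocks": len(plaintext) // BLOCK,
        "plaintext_distinct": distinct_blocks(plaintext),
        "ecb_distinct": distinct_blocks(ecb),  # same as plaintext_distinct: the block layout leaks
        "cbc_distinct": distinct_blocks(cbc),  # same as total_blocks: no repetition is visible
    }


if __name__ == "__main__":
    print(compare_modes())
```

The numbers reported by `compare_modes` are the whole point: the ECB output has exactly as many distinct blocks as the plaintext, so anyone holding the encrypted Evidence drive can still tell where the zeroed and repeated regions of the Suspect drive are, while the CBC output shows no repetition at all. When compatibility with older ICS encryption hardware is not required, that is the reason to prefer a chaining mode.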
Decrypting Data During Data Transfer
The following section describes the procedure to Decrypt data from an Encrypted Evidence drive.
1. Connect the Evidence drive with the Encrypted Case data to one of the unit’s Suspect positions.
2. Connect a blank Destination drive to one of the unit’s Evidence positions.
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).
3. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.
NOTE: The supported Operational modes for Decryption are Single Capture, LinuxDD Restore and E01 Restore (8). The “Hash Only” modes would also be supported to generate hash values based on decrypted data.
4. Select On-Screen Keyboard from the Navigation Bar.
5. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.
6. Select Decrypt.
7. Select Load Key to select the saved Encryption Key which was used to Encrypt the Case data.
NOTE: Since the saved Encryption Key also contains the original AES Key Length and AES Mode settings, it is not necessary to manually enter these settings.
8. Select Exit Encrypt/Decrypt Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the Settings Screen. See Tables 2 and 8 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Restore or E01 Restore is in use, select File Name and enter the name of the file which will be used by the operation for selecting the Case directory and segmented files.
12. Select the drives to be used for the selected operation from the Drive Selection Panel.
13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.
(8) E01 Decryption Support was pending development at the time of this document’s (Rev 2.1) release.
Hash values generated during the capture operation are computed from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
Decryption Capture Recommended Settings
Table 7
Menu Item            Setting
------------------   ---------------------------------------------------
Operational Modes    Single Capture / LinuxDD Restore / E01 Restore (9)
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       N/A
AES Mode             N/A
Decrypt              Enable

(9) E01 Decryption Support was pending development at the time of this document’s (Rev 2.1) release.
Restoring from LinuxDD or E01 Segmented File Format
The following section describes the procedure for using the LinuxDD or E01 Restore mode to restore a captured Linux-DD or E01 segmented file formatted case to its original drive format.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.
3. Select LinuxDD Restore or E01 Restore from the Operation pull down menu, located in the Main Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 7 for recommended settings.
5. Select File Name and enter the name of the file which was used by the LinuxDD or E01 Capture operation for creating the segmented Case files.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.
7. Select the drives to be used for the selected Operation using the Drive Selection Panel.
8. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Source drive should be listed in the Source Drive panel’s list, and the Target drive should be listed in the Destination Drives panel’s list.
Restore Recommended Settings
Table 8
Menu Item            Setting
------------------   ----------------------------
Operational Modes    LinuxDD Restore/E01 Restore
Hash Method          Disable (Optional)
Hash Targets         Disable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    Not Applicable
Sanitizing Drives Using WipeOut DoD
Use the Wipe Out DoD mode to sanitize drives using the U.S. Department of Defense DoD 5220-22M specification.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select DoD as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 9 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.
7. Select the drives to be used for the selected operation from the Drive Selection Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.
WipeOut DoD SETTINGS
Table 9
Menu Item            Recommended Setting
------------------   -------------------
Copy Mode            WipeOut
ReadBack-Verify      Disable (Optional)
WipeOut Mode         DoD
Sanitizing Drives Using WipeOut - User
The Wipe Out User operation can be used to sanitize drives in one pass rather than the 7 passes required by the DoD Wipe Out method.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select User as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 10 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.
7. Select the drives to be used for the selected operation from the Drive Selection Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.
WipeOut-User SETTINGS
Table 10
Menu Item            Recommended Setting
------------------   -------------------
Copy Mode            WipeOut
ReadBack-Verify      Disable (Optional)
WipeOut Mode         User
Iterations           0
Pattern              0
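The WipeOut DoD and WipeOut User procedures above differ only in how many overwrite passes are run and with which pattern, and both offer a ReadBack-Verify option. The following is an added illustration, not the unit’s firmware or any ICS code, of what one overwrite pass and its read-back verification consist of, run against a temporary file that stands in for a drive: each pass writes the pattern over every byte and forces it to stable storage, and the verify step reads every sector back and reports the first offset that does not hold the pattern, which is the condition that would turn the status RED. The single-pass list mirrors the Pattern 0 setting of the WipeOut User table; the three-pass list is an assumed illustrative sequence, not the DoD 5220-22M pass sequence, which this manual does not spell out.

```python
"""Multi-pass overwrite with read-back verification, file-backed.

Added illustration only. SECTOR, the pass lists and the sample image are demo assumptions.
"""
import os
import tempfile

SECTOR = 512
USER_PASSES = [0x00]                    # one pass with pattern 0, as in the WipeOut-User table
DEMO_MULTI_PASSES = [0x00, 0xFF, 0x00]  # illustrative multi-pass sequence (assumption, not DoD's)


def overwrite_pass(path, pattern, size):
    """Write the one-byte pattern over every byte of the target, then force it to stable storage."""
    chunk = bytes([pattern]) * (SECTOR * 64)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(len(chunk), remaining)
            f.write(chunk[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def verify_pattern(path, pattern, size):
    """Read back every sector; return the offset of the first sector not holding the pattern, or -1."""
    want = bytes([pattern]) * SECTOR
    with open(path, "rb") as f:
        for offset in range(0, size, SECTOR):
            got = f.read(min(SECTOR, size - offset))
            if got != want[:len(got)]:
                return offset
    return -1


def wipe(path, passes, read_back_verify=True):
    """Apply each pass in order; return (passes_completed, first_bad_offset), -1 meaning verified clean."""
    size = os.path.getsize(path)
    for n, pattern in enumerate(passes, start=1):
        overwrite_pass(path, pattern, size)
        if read_back_verify:
            bad = verify_pattern(path, pattern, size)
            if bad != -1:
                return n, bad  # stop at the first pass that fails verification
    return len(passes), -1


def make_demo_image(size=1 << 20):
    """Constructed sample 'drive': a temp file filled with a repeating non-zero byte ramp."""
    fd, path = tempfile.mkstemp(prefix="wipe_demo_", suffix=".img")
    ramp = bytes(range(1, 256))
    with os.fdopen(fd, "wb") as f:
        f.write((ramp * (size // len(ramp) + 1))[:size])
    return path


if __name__ == "__main__":
    image = make_demo_image()
    print("before:", verify_pattern(image, 0x00, os.path.getsize(image)))
    print("wipe:", wipe(image, USER_PASSES))
    print("after:", verify_pattern(image, 0x00, os.path.getsize(image)))
```

On a real device the same read-back is what ReadBack-Verify performs after a pass; leaving it disabled makes the wipe faster but means a sector the drive silently failed to write is not noticed. Flash media with over-provisioned or remapped blocks can hold data no overwrite pass reaches, which is why the Secure Erase mode described next uses the drive’s own erase function instead.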
Sanitizing Drives Using WipeOut – Secure Erase
The Wipe Out Secure Erase operation can be used to sanitize drives in one pass using the drive’s built-in Erase functions.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select Secure Erase as the Operational Mode setting.
5. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.
6. Select the drives to be used for the selected operation from the Drive Selection Panel.
7. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.
NOTE: It may be necessary to Disable the “ics” password which is set on the drive during Secure Erase if the operation is aborted prior to completion. If the User Password is not reset, the drive will block Read and Write commands.
It is not necessary to disable the drive’s User Password if Secure Erase is used to erase the drive after an aborted operation.
WipeOut-Secure Erase SETTINGS
Table 11
Menu Item            Recommended Setting
------------------   -------------------
Copy Mode            WipeOut
WipeOut Mode         Secure Erase
Transferring Audit Trail and Log Information
The following section describes the procedure to transfer Audit Trail and Log information from the unit’s internal storage to an External USB Storage Device.
1. Select the LOG Tab function, located in the Advanced Interface Control Console.
2. Select “Copy Logs to a Removable Device”. A message will be displayed prompting the User to insert a USB Storage Device.
3. Insert a USB Storage Device on one of the unit’s available USB general purpose ports, located on the back of the unit. Select OK to continue.
4. The USB Storage Device Volume will be mounted and the Device will be listed in the Other Detected Drives Panel. Disregard the Windows AutoPlay prompt and wait for the prompt indicating Select Files to Copy. Select the Event Log and Audit file(s) to copy.
NOTE: If the USB Device is not properly detected, remove the USB Device and repeat steps 3-7.
5. Select OPEN from the Select Files to Copy prompt, to continue.
6. Select the destination folder on the USB Device to store the selected file(s) and select OK to store the selected files.
7. The USB Storage Device can be removed after the Device is removed from the Other Detected Drives Panel.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using 128-bit password encryption protection, so the Audit Trail contents cannot be changed. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.
Running Multiple Operational Modes Simultaneously
The following section describes the general procedure to use the IMSolo-5 Forensic Application to run multiple operations simultaneously.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.
2. Select the required Operation from the Operation pull down menu, located in the Main Screen.
3. Select CASE INFO from the Main Screen and enter the required information.
4. Verify the Operational Mode Settings and Common Settings.
5. Select only the drives to be used for the selected operation from the Drive Selection Panel.
6. Select Start from the Main Screen to begin the operation using the current active instance of the IMSolo-5 Forensic Capture application.
7. Verify that the detected drives are in their respective Drive Status Panels. The drives listed in the Source Drive and Destination Drives Panels are considered “Active” drives and will be used by the current instance of the IMSolo-5 Forensic Capture application.
8. Select New Copy Session from the Navigation Bar to begin a new instance of the IMSolo-5 Forensic Capture application.
NOTE: The second instance of the IMSolo-5 Forensic Capture application can be started before or after beginning an operation using a prior instance of the application.
9. Repeat steps 1 to 7.
NOTE: The number of operations which can be performed in parallel is limited by the available ports and unit’s available resources.
Previewing Write-Protected Drive Data
The following section describes the procedure to securely view data from the drive(s) connected to the IMSolo-5 ports.
1. Connect and configure the drive as outlined in the “Prepare for Operation” section of the manual.
2. Select the drives to be used for the selected operation from the Drive Selection Panel.
3. Select Detect Drives from the Console’s main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control Console.
5. Highlight and Select the drive to be previewed from the Console’s Drive Status Panel.
6. Verify that the Write-Protect function is Enabled (checked) in the Mount Drive Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview access to the drive’s volume using the unit’s O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to preview the drive’s volume.
10. To turn OFF the drive after previewing the drive’s volume, select the drive from the Drive Selection Panel and select REMOVE DRIVES.
Enabling Manual Write-Access to Evidence Drive Positions
The following section describes the procedure to allow write operations to be performed manually to drives connected in the Evidence drive positions.
1. Connect and configure the Evidence drive as outlined in the “Prepare for Operation” section of the manual.
2. Select the drives to be used for the selected operation from the Drive Selection Panel.
3. Select Detect Drives from the Console’s main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control Console.
5. Highlight and Select the drive to be accessed from the Console’s Drive Status Panel.
6. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview and write access to the Evidence drive’s volume using the unit’s O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to access the drive’s volume.
10. To turn OFF the drive after accessing the drive’s volume, select the drive from the Drive Selection Panel and select REMOVE DRIVES.
Verify Location of Suspect Drive Configuration
The following section describes the procedure to configure an operation to verify the location of the Suspect Drive.
1. Enable the "Verify Location of suspect drive" setting, located in the Settings/Advanced menu.
2. Prior to use, Wipe the Evidence drive using the "Write ICS Signature" setting, which is displayed when the Wipe operation is selected.
NOTE: If the Suspect drive is connected in the Evidence position the operation will abort when the "Verify Location of suspect drive" setting is enabled. If the Evidence drive containing the “ICS Signature” is detected in the Suspect position, the operation will abort. In addition, if an Evidence drive which is not prepared using the Wipe process outlined above is detected in the Evidence position, the operation will abort. The User will be alerted with the following prompt:
"Warning: Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted."
Appendix A
104
Appendix A: Operational Notes
Image MASSter™ IMSolo-5 Internet/Network Connection Disclaimer
Intelligent Computer Solutions, Inc. (ICS) assumes no liability for the security of the customer’s computer/network systems. ICS assumes no liability for the security of the Image MASSter™ IMSolo-5 when it is connected to either the Internet or another Network. Utilizing the Image MASSter™ IMSolo-5 for data seizure from a network or uploading data to a network requires the unit to be connected to the network and this may cause a risk of the system being compromised. The user is responsible for taking the necessary steps to ensure the safety of both the Image MASSter™ IMSolo-5 and the network in use when the unit is utilized to either seize or upload data to/from a network.
The security of the Image MASSter IMSolo-5™ when connected to the Internet or a network relies on the user’s discretion; however, ICS recommends that the user take, at a minimum, the following steps:
1) The Image MASSter™ IMSolo-5 is set to have Internet Connection and Automatic Windows Updates disabled as default. Users will need to enable Internet Connection when seizing or uploading data from/to a network. It is highly recommended that the user install anti-virus and firewall Hardware Device protection prior to connecting the Image MASSter™ IMSolo-5 to either the Internet or a network. A lesser protection can be achieved with personal firewall software. Continuously running an updated version of anti-virus software with the Image MASSter™ IMSolo-5 may help prevent an intrusion into the unit or network. ICS recommends updating the anti-virus software program every time the Image MASSter™ IMSolo-5 is connected to the Internet or a network.
2) Users should always utilize a clean (scanned for viruses) USB Thumb Drive when updating the Image MASSter™ IMSolo-5 unit Software or Firmware.
3) Users should ONLY connect the Image MASSter™ IMSolo-5 to a network when either seizing or uploading data. It is imperative for users to REMOVE the Image MASSter™ IMSolo-5 connection when not actively performing these tasks.
These recommendations are provided to the user as a reference; however ICS cannot assure that the Image MASSter™ IMSolo-5 will not become compromised when connected to the Internet or a network. User assumes all responsibility for the data and security of the Network.
Customers understand and agree that the use of the Image MASSter™ IMSolo-5 implies acceptance to the terms and conditions specified in this disclaimer.
USB-to-Ethernet Connection
The IMSolo-5 LinkMASSter Option will also include a Gigabit USB-to-Ethernet Network Adapter (CSAR-0265-000A) to allow connecting to a Notebook or PC which does not have an Ethernet port, or if drivers are unavailable for the computer’s network interface. For improved performance, the Gigabit USB-to-Ethernet Network Adapter is also recommended when connecting to a Notebook or PC whose Ethernet interface offers less than a 1 Gigabit connection.
NOTE: When using the Gigabit USB-to-Ethernet Network Adapter, connect the Ethernet connector to the IMSolo-5 unit and connect the USB connector to the computer.
1. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-5 unit’s Ethernet port.
2. Connect the Crossover Ethernet Cable to the Gigabit USB-to-Ethernet Network Adapter.
3. Connect the ICS supplied USB 8” Cable to the Gigabit USB-to-Ethernet Network Adapter.
4. Connect the USB 8” Cable to the Notebook/PC USB port.
Figure 36: Gigabit USB-to-Ethernet Network Adapter cabling (Ethernet end: Connect to IMSolo-5; USB end: Connect to PC)
USB LinkMASSter Setup
The LinkMASSter-NET CD provides the function to configure a bootable USB Flash device for LinkMASSter usage. Use of a USB Flash device may be necessary if the computer does not have a CD or DVD drive.
1. Connect a spare USB Flash Drive (see note below) to your PC or Notebook.
2. Insert the LinkMASSter Bootable CD and allow the PC or Notebook to boot from the LinkMASSter CD.
3. After “Initializing the Environment”, the LinkMASSter application will display a prompt indicating “Do you want to prepare a USB Flash?” Select ‘Y’ to continue.
4. The USB Flash Drive will be detected and its information will be displayed. Verify that the correct device is listed and select ‘YES’ to the prompt indicating “Format this Disk?”
5. The USB Flash Disk will be formatted and the LinkMASSter image will be transferred from the CD to the USB Flash Disk. The USB Flash Disk has been prepared for LinkMASSter usage. Press a key to power-OFF the computer.
USB LinkMASSter Usage
1. Follow the LinkMASSter Quick Start Steps 1-9, previously outlined.
2. Connect the LinkMASSter USB Flash Drive to the Suspect’s PC or Notebook.
3. Configure the Suspect’s PC or Notebook BIOS to boot from the USB Flash Drive.
NOTE: Various PC or Notebook BIOS require different key combinations at boot up to change the default Boot Order. It is the user’s responsibility to correctly set up the Suspect’s PC or Notebook BIOS.
4. Allow the Suspect’s PC or Notebook to boot from the LinkMASSter USB Flash Drive.
5. Follow the LinkMASSter Quick Start Steps 13-16, previously outlined.
NOTE: The USB Flash Drive is not supplied with the LinkMASSter Option.
IMSolo-5 USB Restore Instructions
The following are instructions to restore the unit’s System Drive contents. The following hardware is required:
- ICS Supplied USB Restore Drive.
- USB Keyboard.
1. Insert the IMSolo-5 USB Restore drive into one of the available general purpose USB ports, located on the back of the unit, and connect a USB Keyboard.
2. Access the IMSolo-5 Boot Device Selection menu by pressing <F12> during Power ON when the POST Startup Screen is displayed.
3. Highlight and select the listed USB Device.
4. Type “Restore” after the unit boots from the USB Restore drive. Type ‘Y’ to start the Restore process. The Restore process will take approximately 7 minutes. When the message is displayed indicating “Success,” power off the unit and reboot.
NOTE: The request to type “Y” is Case Sensitive. The operation will wait until the proper key is entered.
5. After the unit reboots, Windows SETUP will run for approximately 7 minutes. Once Windows SETUP completes, check Device Manager by running devmgmt.msc from the Desktop START function. If Device Manager lists “Unknown Device” under the “Other Devices” header, follow the Restore Addendum instructions listed below. Otherwise, complete the installation by installing the unit’s ImageMASSter application: run s4v4.12.xx.x Setup_x64, located in the root directory of the supplied USB Flash Drive.
IMSolo-5 System Drive Removal Instructions
The following are instructions to remove the IMSolo-5 unit’s System drive.
1. Remove the single Drive Bay Screw located on the bottom of the unit as shown in the diagram below.
2. Slide out the drive as shown in the diagram below.
LinuxDD and E01 Capture exFAT Usage
The exFAT File System provides enhanced drive data security for LinuxDD and E01 Evidence drives. The following are the benefits of using the exFAT File System:
• Provides improved data security when transferring data between the Suspect drive and Evidence drive during the LinuxDD Capture or E01 Capture operation. The data is isolated from the unit's O/S environment.
• Provides for a quicker format of drives and uses less overhead.
• The exFAT file system uses 64 bits to define file size.
• Support for volumes that are larger than 32 GB when compared with FAT32. The theoretical maximum volume size is 64 ZB.
• Support for files that are larger than 4 GB when compared with FAT32. The theoretical maximum file size is 64 ZB.
• Support for more than 1000 files in a single directory.
NOTE: To preview exFAT LinuxDD or exFAT E01 Evidence drives using WIN-XP Workstations or IMSolo-5 units configured with S/W versions prior to v4.2.54.0, it will be necessary to load the exFAT File System driver (WindowsXP-KB955704-x86-ENU), which can be downloaded using the ICS FTP Link IMSolo-5 Support Files. The exFAT File System is currently supported by Win-VISTA and Windows 7.
“Verify Location of Suspect Drive” Usage Notes
The following procedure is recommended to use the unit's "Verify Location of Suspect drive" function:
1. Enable the "Verify Location of Suspect drive" setting, located in the Settings/Advanced menu.
2. The function requires Evidence drives to be pre-wiped using the "Write ICS Signature" setting, which is displayed when the Wipe operation is selected.
a. Perform either a "full" Wipe using the "User" or "DoD" mode or a "quick" Wipe using the "Partial Wipe with ICS Signature" mode.
NOTE: If the “full” Wipe operation is aborted prior to completion, the drive would not be considered a valid Evidence drive.
If the Suspect drive is connected in the Evidence position the operation will abort when the "Verify Location of suspect drive" setting is enabled. If the Evidence drive containing the “ICS Signature” is detected in the Suspect position, the operation will abort. In addition, if an Evidence drive which is not prepared using the Wipe process outlined above is detected in the Evidence position, the operation will abort. The User will be alerted with the following prompt:
"Warning: Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted."
DEFINITIONS
HASHING
Hashing is a process that calculates a "unique signature" value for the contents of an entire drive.
MD5 Hash
MD5 (Message Digest Algorithm 5) is a cryptographic hash function with a 128-bit output.
SHA-1
Secure Hash Algorithm is a 160-bit cryptographic hash function. Designed by the NSA.
SHA-2
A successor to SHA-1 with larger output sizes. The Secure Hash Algorithm-2 member referred to here (SHA-256) is a cryptographic hash function with a 256-bit output.
CRC32
Cyclic Redundancy Check algorithm producing a 32-bit check value.
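The four values defined above, computed the way an image verification step computes them: over the whole image in fixed-size chunks, recorded together, and re-checked later against the same data. This is an added example written for this guide, not ICS code or the unit's own hashing routine; it uses only the Python standard library, and SAMPLE_IMAGE, hash_image, verify_image and flip_byte are names and sample data chosen here.

```python
# Added example for the Hashing definitions above; not ICS code. Standard library only.
import hashlib
import zlib

CHUNK = 1 << 20   # 1 MiB reads keep memory flat however large the image is


def hash_image(data: bytes, chunk: int = CHUNK) -> dict:
    """Return MD5, SHA-1, SHA-256 and CRC32 of an image, computed chunk by chunk.

    `data` stands in for the drive contents; with a real image the loop would
    read `chunk` bytes at a time from the file or block device instead.
    """
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc = 0
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        md5.update(block)
        sha1.update(block)
        sha256.update(block)
        crc = zlib.crc32(block, crc)       # running CRC carries over between chunks
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }


def verify_image(data: bytes, recorded: dict) -> list:
    """Recompute the hashes and return the names of any that no longer match."""
    current = hash_image(data)
    return sorted(name for name, value in recorded.items() if current.get(name) != value)


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of `data` with one bit changed at `offset` (a modified sector)."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


# Constructed sample image: 1 MiB of a repeating byte pattern plus a short odd-sized
# tail, so the chunked loop sees a full chunk followed by a partial one.
SAMPLE_IMAGE = bytes(range(256)) * 4096 + b"END-OF-IMAGE"
```

Recording all four values and comparing all of them is the point of the verify step: a single changed bit anywhere in the image changes every one of them. MD5 and SHA-1 still detect accidental change, but both have publicly known collision attacks and CRC32 is an error-detecting checksum rather than a cryptographic hash, so SHA-256 is the value to rely on when the question is whether the data was deliberately altered. Reading in chunks, as the loop does, is what keeps the check practical on multi-terabyte evidence drives.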
Sanitize
Sanitize refers to the process of clearing a drive of all previously stored data. The WipeOut function can be used to sanitize a drive.
Host Protected Area (HPA)
HPA is defined as a reserved area for data storage outside the normal operating file system. This area is hidden from the operating system and file system and is normally used for specialized applications. Systems may wish to store configuration data or save memory to the hard disk drive device in a location that the operating systems cannot change. If an HPA area exists on a Suspect’s drive, the IMSolo-5 Forensics seizure operation will detect this area and capture all the contents of the drive’s sectors, including all the HPA hidden sectors, to the Evidence drive.
Device Configuration Overlay (DCO)
DCO allows systems to modify the apparent features provided by a hard disk drive device. DCO provides a set of commands that allows a utility or program to modify some of the modes, commands and feature sets supported by the hard disk drive. DCO can be used to hide and protect a portion of the drive’s area from the operating system and file system. If DCO is detected on a Suspect’s drive, the IMSolo-5 Forensics seizure operation will capture all the contents of the drive’s sectors, including all the DCO hidden sectors, to the Evidence drive.
Advanced Encryption Standard (AES)
AES is a 128-bit block cipher Encryption Standard, which supports a choice of three key sizes (128, 192 and 256-bits) according to the level of security required. AES has become the encryption algorithm of choice for applications requiring a high degree of data security.
AES Modes
AES Modes provide a method of implementing different AES properties. The AES modes provided by the IMSolo-5 Forensics unit are described as follows:
Electronic Code Book (ECB)
The message is divided into blocks and each block is encrypted separately.
Cipher Block Chaining (CBC)
Each block of plaintext is XORed with the previous ciphertext block before being encrypted.
Cipher FeedBack (CFB)
Makes a block cipher into a self-synchronizing stream cipher. A stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an XOR operation.
Output FeedBack (OFB)
Makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext.
Counter (CTR)
Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter".
NOTE: For IMSolo-III Encryption/Decryption Compatibility and ICS DiskCypher usage, it is recommended to use the IMSolo-5 AES CBC Mode settings, and the AES 192 Key Length if DiskCypher-192 is in use or the AES 256 Key Length if DiskCypher-256 is in use.
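The five modes defined above, written out so that the chaining in each one is visible. This is an added example for this guide, not ICS code or the unit's AES implementation: block_encrypt and block_decrypt are a small Feistel construction keyed through SHA-256 that stands in for AES so the example runs with the Python standard library alone (it is not a secure cipher, and real AES would come from a crypto library); KEY, IV and PLAINTEXT are constructed sample values.

```python
# Added example for the AES Modes definitions above; not ICS code.
# The "block cipher" below is a toy Feistel network standing in for AES so the
# mode logic can run without a crypto library. It is NOT a secure cipher.
import hashlib

BLOCK = 16      # AES block size in bytes; the toy cipher uses the same
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudo-random round function (8-byte output) built from SHA-256.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy stand-in for AES: a balanced Feistel network on one 16-byte block."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: the same rounds applied in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example expects whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # ECB: each block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, p) for p in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    # CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = IV; every block depends on all earlier ones.
    out, prev = [], iv
    for p in _blocks(pt):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    # CFB: C_i = P_i XOR E(C_{i-1}); the keystream re-synchronises from the ciphertext itself.
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))   # only E() is needed, never D()
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    # OFB: keystream O_i = E(O_{i-1}) is independent of the data; one function encrypts and decrypts.
    out, state = [], iv
    for d in _blocks(data):
        state = block_encrypt(key, state)
        out.append(_xor(d, state))
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    # CTR: keystream block i = E(nonce || i); blocks are independent, so it parallelises.
    out = []
    for i, d in enumerate(_blocks(data)):
        out.append(_xor(d, block_encrypt(key, nonce[:8] + i.to_bytes(8, "big"))))
    return b"".join(out)


# Constructed sample: key, IV and a 48-byte plaintext whose first two blocks are identical
KEY = b"constructed-example-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"SECTOR-00000000A" * 2 + b"SECTOR-00000000B"
```

Two things the definitions only hint at become visible when this runs: ECB leaves the repeated first and second plaintext blocks as identical ciphertext blocks, while CBC does not, which is one reason the CBC recommendation in the NOTE above is the sensible default; and CFB, OFB and CTR never call block_decrypt, because they use the cipher only to produce keystream. In all four chaining and stream modes the IV or counter nonce must not be reused under the same key.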
Appendix B: Product Information
Limited Warranty
Intelligent Computer Solutions, Inc. warrants that our products are free from defects in materials and workmanship for a period of twelve (12) months from the date of purchase by the original buyer. If you discover physical defects or malfunction, Intelligent Computer Solutions, Inc. will, at our discretion, repair or replace the product. You must return the defective product to Intelligent Computer Solutions, Inc. within the warranty period accompanied by an RMA number that has been issued by Intelligent Computer Solutions, Inc. All products purchased from Intelligent Computer Solutions, Inc. include a seven-day unconditional money-back guarantee. Intelligent Computer Solutions, Inc.’s products are shipped in cardboard boxes that have been designed and tested to ensure that our products can endure standard commercial shipping methods and still arrive in working order. We advise you to save your box and original packing materials in case you need to return the product(s) for any reason. If product(s) are returned without proper protective packaging, the warranty may be void. When you receive your product(s), please note the following:
- That the shipping box does not have dents or visible damage.
- What you have received conforms to the packing list.
- There is no apparent damage to the product(s) or accessories.
If any shipping damage is found:
- Please contact the shipper immediately to inspect.
- Please contact our Technical Support Department to report the damage.
Appendix B
115
What is Not Covered:
This limited warranty provided by Intelligent Computer Solutions, Inc. does not cover:
- Products which have been subjected to abuse, accident, alteration, modification, tampering, negligence, misuse, faulty installation, lack of reasonable care, or if repaired or serviced by anyone without prior authorization from Intelligent Computer Solutions, or if the model or serial number has been altered, tampered with, defaced or removed.
- Normal maintenance.
- Damage that occurs in shipment due to act of God and/or cosmetic damage.
- Accessories.
Please note that External cables are covered by a 30-day warranty. This Agreement also does not include service (whether parts or labor) necessitated by any natural cause such as flood, tornado, earthquake or other acts of nature.
Limitation of Liability
The following limitations of ICS liability apply:
ICS is not liable for any incidental or consequential damages, including, but not limited to property damage, loss of time, loss resulting from use of an ICS product, or any other damages resulting from breakdown or failure of a serviced product or from delays in servicing or inability to render service on ICS product. ICS will make every effort to ensure proper operation of its product. It is, however, the Customer’s responsibility and obligation to verify that the output of ICS product meets the Customer’s quality requirement. Customer acknowledges that improper operation of ICS product and/or software, or hardware problems, can cause defective formatting or data loading to target drive. It is the customer, not ICS, who is responsible for verifying that the drive meets the Customer’s quality standards. ICS will make efforts to solve any problems identified by Customer.
Technical Support
For help in resolving a problem, contact ICS Technical Support at: Phone: 1-818-998-5805 between 7 a.m. and 6 p.m. Pacific Time. Please be prepared with the following information:
- serial number of the IMSolo-5 unit
- nature of the problem
- steps you have taken
- your phone and fax numbers
- error messages displayed on the screen