Logicube Talon® User's Manual
Contents
1. 6. Attach the USB cable to the Talon. The PC client software should now detect the presence of the Logicube Forensic Talon you are using. The cloning software interface will then come up. All available functions will now be controlled from the PC client software application. The application will display a menu containing three columns: PC Source Drives, Partitions, and Modes. NOTE: For DD captures only, if the destination drive is not formatted with a FAT32 partition, the application will prompt the user and will format the drive accordingly. If there is not enough room in the destination drive for a DD file capture, the application will exit with an error notifying the user. Selectable Capture Modes & Options: Native: This is analogous to a mirror copy of the PC's internal drive to the Destination. This mode calculates and displays an MD5 Hash value. Native V: Capture suspect drive and compute MD5 on the master drive. The destination drive is then read back, an MD5 hash is computed on it and compared with the Master hash. The Capture Utility displays the Total MD5 Hash value on the screen at the end of the capture session. DD Image 650M: The Master drive is broken up into 650 MB files and an MD5 hash is computed on every file. MD5 Hash values are calculated for each DD image. This requires the drive to be formatted with a FAT32 file system partition. There is a log generated and saved in the destination dri
2. Caution: Never place a suspect drive INSIDE the Logicube Talon / Forensic Talon, as data erasure can result. Caution: Never place a suspect drive into any other Logicube products (e.g. Sonix) that are used for Operating System cloning. 2 Getting Started: Fast Start. Applying power to the Logicube Talon: The Logicube Talon is able to detect whether an IDE (parallel) or Serial ATA (SATA) drive is attached to the Source or Destination position. The unit is capable of cloning to/from a SATA drive to an IDE drive and vice versa, as well as IDE to IDE and SATA to SATA. NOTE: Never attach both an IDE and SATA drive to the Source or Destination position. The unit can only handle one drive on each position. Before applying power, perform the steps listed below. Connecting a Parallel IDE Drive: 1. Open the Logicube Talon by pressing on the two latches at the base of the unit and lifting the top. You will notice three connections: one for a flat cable (the drive data cable) and another for a small drive power cable. Underneath is the third connector for the Serial ATA cable. Note: See Figure 2, Connecting a Destination drive to the Logicube Talon through 5 Data Power cables. 2. Connect a Destination hard drive and close the Logicube Talon. 3. Plug in the set of 9 cables to the connections found on the back of the Logicube Talon. Note: See Figure 3 C
3. Logicube Talon User's Manual. Logicube, Inc., Chatsworth, CA 91311, 818-700-8488. P/N: MAN TALON. Version 1.8. Date: 10/07/10. Forensic Talon User Manual. Limitation of Liability and Warranty Information. Logicube Disclaimer: LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF TIME OR DATA FROM USE OF A LOGICUBE PRODUCT, OR ANY OTHER DAMAGES RESULTING FROM PRODUCT MALFUNCTION OR FAILURE OF (INCLUDING WITHOUT LIMITATION, THOSE RESULTING FROM: (1) RELIANCE ON THE MATERIALS PRESENTED, (2) COSTS OF REPLACEMENT GOODS, (3) LOSS OF USE, DATA OR PROFITS, (4) DELAYS OR BUSINESS INTERRUPTIONS, (5) AND ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OR FROM DELAYS IN SERVICING OR INABILITY TO RENDER SERVICE ON ANY LOGICUBE PRODUCT). LOGICUBE MAKES EVERY EFFORT TO ENSURE PROPER OPERATION OF ALL PRODUCTS. HOWEVER, THE CUSTOMER IS RESPONSIBLE TO VERIFY THAT THE OUTPUT OF LOGICUBE PRODUCT MEETS THE CUSTOMER'S QUALITY REQUIREMENT. THE CUSTOMER FURTHER ACKNOWLEDGES THAT IMPROPER OPERATION OF LOGICUBE PRODUCT AND/OR SOFTWARE, OR HARDWARE PROBLEMS, CAN CAUSE LOSS OF DATA, DEFECTIVE FORMATTING, OR DATA LOADING. LOGICUBE WILL MAKE EFFORTS TO SOLVE OR REPAIR ANY PROBLEMS IDENTIFIED BY CUSTOMER, EITHER UNDER WARRANTY OR ON A TIME AND MATERIALS BASIS. Warranty: LOGICUBE PROVIDES A BASIC ON
4. Write a unique signature to the destination drive: By default, the software writes a unique digital signature to the destination drive on the first sector of each logical cylinder boundary across the entire drive. This enables the Capture process to quickly verify that the destination drive has been erased prior to the Capture process. The unique signature is written to the last 12 bytes of the sector. The data pattern is 0xAAAA, 0x5555, followed by the character string "Logicube". If needed, the user can disable the signature by selecting on the Signature menu located beneath the wipe mode. Verify Erasure: The destination drive is checked to be sure it has been erased before copying the data from the source to the destination drive. Verifying the existence of a unique digital signature that is written to the drive during the Wipe clean or erase function performs this check. The signature is written periodically across the entire drive when the Forensic Talon erases it. If the drive is verified as erased, then the Capture process will proceed without any user intervention. If the erase is not verified, the user is asked if the drive should be erased now. If the user says yes, then the drive is erased and the Capture process will proceed. If the user declines, then this is noted and will show on the printed report. The Capture process will pro
5. 8. If running 98/98SE, you will be prompted to install drivers. At the "have disk" prompt, please point the PC to the drivers CD-ROM provided and the installation should complete smoothly. 9. The CF Drive is now visible on Windows as an external drive. You can copy software update files or anything else to/from the drive. Removing USB devices: Before physically disconnecting the USB cloning adapter and/or shutting down power to the Logicube Talon, the unit has to be properly unmounted from Windows. To do that: 1. Locate the USB icon in the system tray (typically at the bottom right of screen). 2. Click the icon once. 3. Wait for Windows to bring up a message that it is safe to remove the device. Different versions of Windows will behave slightly differently. 11 Software Loading Instructions. Enabling the RAID 2 to 1 Option: RAID 2 to 1 is an option that allows the Forensic Talon to interface with the RAID Adapter in 2 to 1 Mode. To use an option like RAID 2 to 1, it first needs to be enabled. NOTE: Please refer to Chapter 8, RAID I/O Adapter, for information on using this product with the Talon. To enable an option on the Logicube Talon, contact Logicube to receive a license key that is unique to your unit. Once you have obtained the license key, follow this procedure to enter it into your Logicube Talon: 10. From anywhere in the men
6. Technical Support Information: For further assistance, please contact Logicube Technical Support at 001 818 700 8488, 7am-5pm PST, M-F (excluding US legal holidays), or by email to techsupport@logicube.com.
7. V: This setting behaves like MD5 File, except that it also reads back captured data and compares it to the Source drive. MD5 Disk: This setting uses special hardware to compute the MD5 value for the entire Source drive. MD5 Disk V: This setting behaves like MD5 Disk, except that it also reads back captured data and compares it to the Source drive. None: No verification. This setting is only recommended for non-Forensic cloning operations. Manage Destination: DD Image Capture mode also uses a special menu called Manage Dest. This menu allows the Destination drive to be prepped before running a DD Image capture. The settings available are: Format Dest: This function formats the destination drive with a single FAT32 partition. This is necessary before DD Image files can be copied to the drive. When Format Dest is activated, the following prompt appears: "Reformatting the Drive. All data on your Internal Drive will be lost. Continue". Press the Select button for Yes; the display will say "Zeroing first FAT" and "Zeroing second" as it formats the drive. After 30-60 seconds the drive will be formatted (the time varies by drive size). Press the Back button for No; the display will then go back to the Manage Dest Menu. Scandisk: This function checks the Destination Drive for proper formatting. It also makes sure that the 2 partition is
8. the Talon will display the SHA-256 or 5 Hash value. A copy of the session report will also be copied to the CF drive as <Log file name>.LOG. 12. If the Printer was set to Yes, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing. NOTE: Please refer to Printing a Report on page 20 for more printing options. Audit Trail: This mode is used to verify the authenticity of a session report that has been written to the CF Drive. It is designed to check for report alteration. It verifies a proprietary Hash value that was written to the end of the report at the time of creation. Procedure: 1. From anywhere in the menu system, press the Set button to enter the Settings menu. 2. Scroll to the top item called Mode and press the Select button. The Mode screen appears. Scroll to Audit Trail and press Select again. The TALON unit will initialize the CF Drive briefly. After that, it will display a list of the Log files that are on the CF Drive. Scroll to the desired Log file and press Select. If the report has not been altered, the message will read "Log file authenticated. Press any key to return". 7. If the report has been altered in any way, the message will read "Log File not authenticated. Press any key to return". 8. Press a key to return to the Main Screen.
9. CD at this point. Power down the PC as soon as the CD has been removed from the CD-ROM drive to maintain the forensic integrity of the capture. Do not re-boot. Cloning Apple computers (FireWire) using the USB Cloning software: 1. Follow these instructions to maintain the forensic integrity of a HDD capture from an Apple computer. Ensure that the Apple computer is turned OFF. 2. Install a FireWire cable between the host PC running the cloning software and the Apple computer to be cloned. 3. Power up the Apple computer, wait for the BIOS chime, and immediately press and hold "T" to enter FireWire Target Disk Mode. 4. With FireWire Target Disk Mode already established, the User Interface on the analysis PC will display the Apple computer's hard drive in the list of available drives as soon as the cloning software is loaded. 5. Load the cloning software CD onto the non-Apple PC by following instructions 1-15 above. Additional Notes: To clone a drive associated with an Apple PC, the analysis PC running off of the boot CD must have both FireWire and USB ports. Capture speed depends wholly on the USB and FireWire hardware and the processor speed of the PC. Expected capture speeds are up to 1.4 GB/min with verify and up to 1.8 GB/min without verify. Your capture speeds may vary. 400/200/100 speed FireWire ports are supported. 800 Mbps FireWire is not supported. Upon
10. Evidence number and/or any alias identifier. The name of the person(s) acquiring the evidence. The date and time that the evidence was acquired. The location at the scene of the investigation where the evidence was acquired. A description of the acquired evidence. Session Information: This section of the printout contains information specific to the actual Capture session. Session Settings Information: This section contains information pertaining to the actual Session that is not specific to either drive. It contains the following: Operating Mode: This can be Capture, DD Capture, Scan or Wipe clean. Verify: This reflects the Verify option setting for each operating mode, as explained in previous sections of this text. Speed: This reflects the Speed option setting for each operating mode, as explained previously. Connection: This is the connection method for the operating mode. This is meant to indicate whether a direct IDE connection, USB or Parallel Link was used for the operating mode. Results: This line appears on the hardcopy only if the operating mode was Capture. It will contain one of the following lines: 100 MIRROR COPY OF THE DRIVE HAS BEEN SUCCESSFULLY EXECUTED; SESSION RESULTS ARE INVALID BECAUSE THE OPERATION WAS ABORTED; SESSION RESULTS ARE INVALID BECAUSE THE OPE
11. Mode, which is a much more automated process for wiping data. This mode sends Security AT commands to the Destination drive, which allows it to wipe at a very high rate of speed. It also eliminates the need for a Source drive to copy the original pattern from. The unit will automatically switch to Security Erase if it is supported by the attached drives. NOTE: Security Erase will not run as part of a Native Capture session. Ordinary WipeClean mode is used instead. Procedure: From anywhere in the menu system, press the Set button to enter the Settings menu. Scroll to the top item called Mode and press the Select button. The Mode screen appears. Scroll to Wipeclean Dest and press Select again. Set the Speed and Printer settings if necessary. Set the Signature setting to the desired position; there are two choices: YES (Default): Writes a small signature to the drive every 16,065 sectors, or every logical cylinder. During a later capture session, this signature tells the Talon that the drive has been correctly erased. NO: Leaves the signature off the drive. The Talon will not detect that the drive has been erased. Press the <Start/Stop> button to begin wiping. The Talon will access the CF Drive, then the following message will appear: KEYPAD ENTRY Enter Log file nam
12. Time N 34 1412650 W 118 3386953 0 14 3 UTC Aug 18 2006 PDOP 3 13 Capture To Fix Delay seconds 405 Location at scene Description Operating Mode Capture Address Mode LBA verify None Speed UDMA 5 Connection Direct 100 MIRROR COPY OF THE SUSPECT DRIVE HAS BEEN SUCCESSFULLY EXECUTED ON THE EVIDENCE DRIVE. [Figure 14: Final Capture Report with GPS Information] NOTE: The time and date information are based off of UTC, or Coordinated Universal Time. This time zone is also known as GMT, or Greenwich Mean Time. Hours are displayed in Military Time (0-23 hours). 9 Keyword searching. Introduction: The Forensic Talon unit can search for multiple keywords while capturing a suspect drive. This is a useful feature to provide early screening of a drive. For example, one could search for the names of all common drugs or the names of known offenders on a given drive. Presence of these keywords might indicate a connection between the suspect and the words searched for. In general, the user will select a pre-defined list of words that will be loaded into the hardware-based search engine. These words are automatically searched for during the next Capture session. At the end of the session, the user can print one of several reports that indicate the number of occurrences and absolute location on the drive
13. and an MD5 hash is computed on every file. The destination drive is then read back, an MD5 hash is computed on it and compared with the Master hash. This requires the drive to be formatted with a FAT32 file system partition. A log file is generated and saved in the destination drive at the end of the session. Compute Source MD5: An MD5 hash is computed on the entire internal PC drive. The resulting value is displayed on the screen. Compute Destination MD5: An MD5 hash is computed on the entire destination drive. The resulting value is displayed on the screen. Erase Destination: A single pass wipe is performed on the destination drive. For erase, the Capture Utility reports Total Drive Sectors, Erased Sectors, Erase speed in MB/Minute, Time to Completion and Complete. 7. Use the arrow keys on your host PC's keyboard to navigate through the various settings of the capture utility. Use the Enter key to make selections and the "S" key to start a process. On the left side of the screen you will see a list of up to four available drives. Choose the Source drive you wish to capture by scrolling through the selections using the up/down arrow keys on your PC's keyboard. When your selection is highlighted, a brief description of the drive will appear in the middle of the screen. Press enter to se
14. during power up. Start the computer and immediately enter the BIOS setup menu. This varies by computer, but usually requires you to press F12, F1 for IBM, or the Delete key for most generic PCs, just after startup. Make sure that the PC is set to boot from the CD-ROM as the first bootable device. Allow the PC to continue booting off of the boot CD in the CD-ROM drive. 2. The Forensic USB Cloning CD-ROM is configured to automatically load the necessary drivers and run the client application. The user will be presented with a User Interface and a menu to select among the various capture options and settings. NOTE: A USB connection must be made between the computer and the Logicube forensic capture device, either before or after the Boot CD application starts. The following message will be displayed if the application starts without detecting a connection to the Logicube forensic capture device: "Searching for Logicube Forensic Device. Make sure it is connected". 3. On the Logicube Talon, attach a hard drive to the Destination (Internal) position that is larger than the suspect drive you intend to capture. 4. Attach a USB cable to the PC; do not attach the other end of the cable to the Logicube Talon yet. 5. Engage the Talon in USB mode as described in the procedure listed under Master Drive Management (follow steps 5-10
15. fix. Take unit to area of good reception. After thirty seconds, the unit will try to get a signal for another 5 minutes. NOTE: After 60 minutes of searching, the GPStamp will go into Sleep Mode if no signal is acquired. Press the Start button to get the unit out of Sleep Mode. 9. When fix is acquired, press the Start button to freeze the information. The unit will begin to count down from five minutes. NOTE: Entering an area of no reception with an acquired signal will automatically freeze the GPStamp for five minutes. 10. Attach the GPStamp to the parallel port of the Talon or MD5 with the supplied adapter cable. Please refer to Figure 13 below. [Figure 13: GPStamp Connection to Talon] 11. The Talon or MD5 will read "Get Fix" as it downloads the information. If it cannot read the GPStamp, it will read "No Fix". 12. Once the fix is downloaded to the Talon or MD5, it will finish the capture session. The GPS information will appear in the Final Capture Report as shown below: Evidence Number Alias Evidence Acquired by Evidence Acquired Location
16. of all matches found. All keyword lists are stored on the Compact Flash in a file called keyword1.lst. The file is a simple text file which can be edited by any plain text editor such as Notepad. A sample file might look like this: Terrorism ABU NIDAL case yes unicode no signature no ABU SAYYAF case yes unicode no signature no AL QAIDA case yes unicode no signature no BLACK SEPTEMBERe case yes unicode no signature no DEMORALIZE case yes unicode no signature no HAMAS case yes unicode no signature no HIZBALLAH case yes unicode no signature no Computer crimes 2600 case yes unicode no signature no BACK ORIFICE case yes unicode no signature no CRACK case yes unicode no signature no DEFCON case yes unicode no signature no ENCRYPTION case yes unicode no signature no FLAME case yes unicode no signature no HACK case yes unicode no signature no SPOOFING case yes unicode no signature no. In the above example, two lists (Terrorism and Computer crimes) are listed. The user can select only one for each search session. Many more lists with many more words can be defined. Three options are available for each word: Case (yes/no): If Yes, the word is searched exactly as typed. No will search for all lower case, all upper case, first letter upper case, and exact matches. Unicode (yes/no): If No, the plain ASCII of the word will be s
17. printers. The drive capture process implemented in the Forensic Talon is a specific and detailed process designed to ensure maximum integrity and certifiable performance. It consists of a number of checks and procedures that are detailed in the following section. Power up and Initialization: Power and reset are applied to both source and destination drives, then the software waits for up to 30 seconds for the source drive to become ready. When the source drive is ready, the software identifies the drive configuration and initializes drive parameters. The software then checks the destination drive for ready status and waits if necessary. When the destination drive becomes ready, the software identifies the drive configuration and initializes drive parameters. If the initialization of either drive fails, the software aborts the process with an error message. The software verifies that the destination drive capacity is equal to or greater than the source drive. If the destination capacity is insufficient, then the user is informed and the software will abort the capture process. Log file name entry: The unit initializes the CF Drive and then asks the user to enter a case name. This name must be 8 characters or less and use DOS naming conventions. The Log file name is used for the report that is created at the end of the capturing session and written to the CF Drive. The report can be opened and print
18. some operations, such as file read, may appear to show changes in file access time etc., but these are purely virtual and do not change anything on the drive itself. Removing USB devices: Before physically disconnecting the USB cloning adapter and/or shutting down power to the Logicube Talon, the unit has to be properly unmounted from Windows. To do that: 1. Locate the USB icon in the system tray (typically at the bottom right of screen). 2. Click the icon once. 3. Wait for Windows to bring up a message that it is safe to remove the device. Different versions of Windows will behave slightly differently. Note: The Forensic Dock refers to the Portable Forensic Lab, which is a Logicube product that is sold separately. Cloning through the USB port: This mode allows the user to clone drives through the USB port of a PC. The PC drive can only be the Source drive. Both USB 1.x and 2.0 are supported. Typically, the user will boot the computer from the provided boot CD. The CD is equipped with USB drivers and our drive capturing application. How to set up and use the USB Cloning software: 1. Follow these instructions to maintain the forensic integrity of the capture. With computer power off, insert the boot CD into the CD-ROM drive, or, depending on the computer's CD-ROM drive, you may need to insert the CD as far as it will go so it can be pulled in
19. the Bi-directional mode through the BIOS setup. Refer to your PC user manual. Also, you could try to update the unit using the Compact Flash card. Instructions on how to do that are available elsewhere in this manual. Q: Will DD Image capture files have the same odd sector problem of the Linux operating system? A: Although DD Image capture files are formatted as DD (Linux) files, they do not utilize the Linux kernel. The Linux OS is unable to see the last sector of a drive that has an odd number of sectors. Some users have asked if this problem will prevent the last sector of an odd sector drive from being captured. The answer is no.
20. to an existing list. Edit Mode: This mode contains two settings: Local (Default): Modifies the Keyword Lists on the Compact Flash Drive inserted in the unit. USB: Grants access to a Keyword List on your PC via the USB port. This setting will be activated in a later software update. NOTE: The Keyword Lists can also be manipulated on a PC with Notepad or a similar utility. They can be accessed from the Compact Flash Card through a card reader or other device. Add new list: This setting allows you to add a new Keyword Search List to the Compact Flash Card. When chosen, it first asks you to add a List name. After that, it brings up a screen to add Keywords. Press the START/STOP button once all new words are added. Edit List: This setting allows Keywords in an existing list to be modified or removed. It also allows new Keywords to be added. When chosen, it asks which list needs to be modified. After that, it brings up a screen with the choice of adding words or modifying existing words. Remove List: This setting removes a chosen list from the Compact Flash Card. WARNING: There is no "are you sure" screen once a list is chosen for removal. Keyword Search Mode: In addition to searching for Keywords during a capture, the Talon can also perform a separate Keyword Search session. This is done by pressing the Set button and changing the Capture Mode to Keyword Search. All of the settings are identical to those described abo
21. will employ a utility that creates a HPA or DCO configuration on a hard drive. These configurations are designed to change drive characteristics such as drive capacity, speed and other settings as they are reported to the PC BIOS. HPA, or Host Protected Area, can limit the size of a hard drive, but it can also change many other settings such as speed and S.M.A.R.T. status. DCO, or Device Configuration Overlay, limits the size of a drive only. For example, a 60GB drive can be made to look like a 30GB drive to a PC. The Logicube Talon is able to unlock and capture data from a HPA. Furthermore, a Talon running software version 2.38 or later can unlock and capture data from a DCO. It will then re-lock the DCO. HPAs are relocked when the Source drive is hard booted after capture. The Final capture report is also able to report any HPA and/or DCO that is found. The only shows the existence of and if it was unlocked. It looks like this: SESSION SETTINGS Operating Mode Capture Address Mode LBA Verify HW MD5 Speed UDMA 4 Connection Direct 100 MIRROR COPY COMPLETED HOST PROTECTED AREA WAS UNLOCKED. The report also shows the exis
22. 1: Same as UDMA 4. UDMA 0: Same as UDMA 4. PIO Auto (PIO 4): Force the unit to use this as the highest speed (PIO 4). Set the unit to this mode in some rare situations where one or both drives do not support higher speeds and misbehave during our automatic speed benchmarking. PIO Medium: This is a fixed value that almost all drives will tolerate. It will result in copying speeds from about 200 to over 500 MB per minute, depending upon the characteristics of the drives. PIO Slow: This is a speed value that all drives will be able to tolerate. It supports copying speeds from 100 to over 300 MB per minute, depending on the characteristics of the drives. NOTE: Use the MEDIUM or SLOW modes if you encounter drive time-outs or if you are capturing older drives. Many older 2.5" notebook drives require the PIO SLOW setting. On Error: The On Error setting determines the behavior of the unit in the case where bad spots are detected on the source (suspect) drive. This setting has four options, which include: Skip: This is the default setting. Skip will allow the Forensic Talon to continue by stepping over the bad sector. Abort: This mode will cause the Forensic Talon to halt if an error such as a bad suspect drive sector is encountered. Retry: Retry will instruct the Forensic Talon to make several attempts to read data from the damaged area of the drive. Recover: Recove
23. 5 Using the CloneCard Pro. Introduction: The CloneCard Pro™ is an intelligent PCMCIA adapter designed to provide fast cloning to and from laptop PCs. When used properly, it will support up to 175 MB/min transfer speed. The CloneCard Pro™ is a real time saver when a laptop drive needs to be captured and it is undesirable to remove the internal hard drive from the PC. It is designed to work in both PCMCIA (16 bit) and CARDBUS (32 bit) systems. In general, the user would boot the laptop from the supplied floppy and run a client program. This client program detects the PCMCIA chip set inside the laptop and will enable communication to the CloneCard Pro. Now the Forensic Talon can be connected to the external cable of the card, and operation commences as if the Forensic Talon is connected to a real Source (suspect) hard drive. Forensic Talon modes and options are operational as though an actual drive is connected, with the exception of the speed of transfer. [Figure 5: Clone Card Pro. Labels: 40-pin IDE connector; Clone Card Pro to Talon Source IDE socket; pin 1 red stripe; 40-pin IDE cable] Before Capturing: Logicube provides a client floppy disk. The floppy has the FREEDOS operating system. In some cases it may be desirable, from a compatibility point of view, to insta
24. HPA and DCO configurations can only be detected on the Source drive. They cannot be seen on the Destination drive. The following Modes are able to detect, unlock, and work with data inside HPA and DCO configurations when the drive is in the Source position: Drive Info; Native Capture; DD Image Capture (all sizes); Drive Defect Scan; Calc MD5; Keyword Search. 4 Other Modes. Introduction: This chapter discusses other modes that are found in the Mode Setting menu. They are Drive Defect Scan, Wipeclean Destination, and HASH Scan. NOTE: Keyword Search is discussed in Chapter 5 and USB Drive Mode is discussed in Chapter 6. Modes: Drive Defect Scan: This function performs a surface scan of the drive media using the drive controller to verify the media. It is designed to look for bad sectors, weak sectors or weak spots, which it reports at the end of the scan. Procedure: 1. From anywhere in the menu system, press the Set button to enter the Settings menu. 2. Scroll to the top item called Mode and press the Select button. The Mode screen appears. 3. Scroll to Drive Defect Scan and press Select again. 4. Scroll down to the Drives setting. Choose the Source or Destination drive to scan. 5. Scroll down to the Speed setting. Here you have two choices: FAST: This mode does a singl
25. LIMITATION OF LIABILITY AND WARRANTY
TABLE OF CONTENTS
1 INTRODUCTION TO THE FORENSIC TALON®
  Using this guide
  System description: Forensic Talon
  System description: Forensic Talon Standalone
2 GETTING STARTED: FAST START
  Parallel IDE
  ATA SATA
  Connecting other types of drives
  Shortcut buttons available at all
  Alphanumeric Keypad
  Indicator Lights
26. Chapter 10, Enabling the RAID 2 to 1 Option, for the procedure to load the software option on the Logicube Talon.

Connecting the RAID I/O Adapter

Please refer to Figure 9 below.

Figure 9: RAID I/O Adapter (labels: power LED; Drive 1 and Drive 2 SATA connectors; Drive 1 and Drive 2 UDMA/PATA connectors; Drive 1 and Drive 2 power connectors; Drive 1 and Drive 2 status LEDs; RAID Adapter UDMA connector; RAID I/O Adapter power connector)

NOTE: The following directions pertain only to the RAID Adapter as it is used in the Destination Drive position.

Attaching the RAID I/O Adapter to the Talon is very similar to attaching an IDE/PATA drive.
1. Open the Logicube Talon by pressing on the two latches at the base of the unit and lifting the top. You will notice three connections: one for a flat cable (the drive data cable) and another for a small drive power cable. Underneath is the third connector, for the Serial ATA cable.
NOTE: Please refer to Chapter 2, Getting Started, for more information on connecting hard drives.
2. Connect the RAID Adapter to the UDMA/PATA drive power and data cables. Leave the Logicube Talon lid open.
3. Connec
27. Compact Flash
  Loading Software Through the Parallel Port
  Host PC preparation
  Logicube Talon Software Update
12 REFERENCE
  Capture Native or DD image
  Drive Defect Scan
  Wipe Clean Destination
  Erase process with a source drive
  Power up and Initialization
  Log file name entry
  Calibrate Transfer Speed
  Check Capture Integrity
  Erase (Wipe Clean)
  Erase Procedure
  Power up and Initialization
  Erase process
29. DD (Hard Disk Drive) data cables to connect suspect drive to Forensic Talon (two lengths).
- Two Serial ATA cables, one short and one long, for attaching Serial ATA drives to your Logicube Talon.
- A Mini-B USB cable that allows the unit to be connected to the USB port of a PC.
- A flashlight and screwdriver.
- A CD-ROM that includes: a utility program to load the Forensic Talon with new software; a backup copy of the current Forensic Talon software; extra copies of all files found on the Compact Flash Card.
- Another CD-ROM that includes Write PROtect Cloning software to capture suspect drives through the USB port.

Figure 1: Forensic Talon (labels: parallel port; AC power supply port; case latches; fans; Source UDMA cable port; alphanumeric keypad; user interface (UI); Source drive power cable port; Compact Flash (CF) port; USB cable port; Source Serial ATA (SATA) cable port; Destination Serial ATA (SATA) cable port; Destination UDMA cable port; Destination drive power cable port)

Caution: Incorrectly connecting the suspect drive to the system can result in data on the suspect drive being lost forever.
30. E YEAR PARTS AND LABOR WARRANTY FOR ALL OF ITS PRODUCTS, EXCLUDING CABLES, ADAPTERS AND OTHER CONSUMABLE ITEMS. A TWO YEAR EXTENDED WARRANTY IS ALSO AVAILABLE FOR AN ADDED COST. TELEPHONE AND EMAIL SUPPORT IS AVAILABLE FOR THE LIFE OF THE PRODUCT AS DEFINED BY LOGICUBE.

RoHS Certificate of Compliance

LOGICUBE PRODUCTS COMPLY WITH THE EUROPEAN UNION RESTRICTION OF THE USE OF CERTAIN HAZARDOUS SUBSTANCES IN ELECTRONIC EQUIPMENT (ROHS) DIRECTIVE 2002/95/EC. THE ROHS DIRECTIVE PROHIBITS THE SALE OF CERTAIN ELECTRONIC EQUIPMENT CONTAINING SOME HAZARDOUS SUBSTANCES, SUCH AS MERCURY, LEAD, CADMIUM, HEXAVALENT CHROMIUM AND CERTAIN FLAME RETARDANTS, IN THE EUROPEAN UNION. THIS DIRECTIVE APPLIES TO ELECTRONIC PRODUCTS PLACED ON THE EU MARKET AFTER JULY 1, 2006.

Logicube Declaration of Conformity

LOGICUBE DECLARES THAT THIS PRODUCT MEETS ALL APPROPRIATE EUROPEAN UNION (EU) HEALTH, SAFETY AND ENVIRONMENTAL REQUIREMENTS WHICH ENSURE CONSUMER AND WORKPLACE SAFETY. IT IS IN COMPLIANCE WITH ALL REQUIREMENTS AND PROVISIONS OF DIRECTIVE 89/336/EEC AND ALL OTHER RELEVANT DIRECTIVES. PLEASE CONTACT LOGICUBE INC. FOR A COPY OF THIS DECLARATION.

Table of Contents
31. Flash (CF)

If a CF reader/writer is available on your computer, forensic.h86 simply needs to be copied to the root directory, possibly overwriting the older version that's already there. Another file, called tIncfldr.h86, also needs to be on the root directory of the Compact Flash Card.

NOTE: If a reader is not present, the Logicube Talon itself can be configured to behave like a CF reader/writer. Please refer to Connecting Through the Software Setup Menu in Chapter 10, Compact Flash (CF) Drive.

Once the new forensic.h86 file is present on the CF, it is a simple matter to make it re-flash the unit:
1. Power up the unit while holding down the Start/Stop button.
2. Select the first option, Load SW from CF, and press the Select button. The status light should start to blink.
3. After about 30-40 seconds the unit will re-boot to the new software.
4. Check the version and date of this software by pressing the About button at the main menu screen.

Loading Software Through the Parallel Port

This is a legacy method to load software and should only be used in situations where the CF method cannot be used.

To successfully load new software on to the Logicube Talon with the parallel port connection, you need the following:
- The Software Update CD that came with your unit.
- A DB-25 straight-through parallel c
32. 7. Set the Forensic Talon® to PIO Medium speed. No settings are available on the client program.
8. Press the START/STOP button and wait for the process to complete.

Things to note
1. To verify proper communications with the laptop without starting a Capturing session, try to get Source drive information by pressing the Drives button, then the Source button, from the main screen. You should see the details of the laptop drive. Speed and seek time are likely to be zero, since these benchmarks are not run on the CloneCard. All other information (e.g. drive model, make, size in sectors, etc.) should display properly.
2. If a CD-ROM is available, you can create a bootable CD-ROM that includes pcmcia.exe. Make sure your CMOS settings allow booting from a CD-ROM.
NOTE: Please contact Logicube Technical Support if you need help with creating a bootable CD-ROM.
3. Laptops that have no floppy or CD-ROM drives will require more effort in order to work.
A. If a docking station is available, use it to boot to DOS.
B. If the floppy or CD-ROM drive connects through the PCMCIA slot and only one slot is present, as on many palmtop computers (e.g. some Sony VAIO models), follow these steps to boot properly: Prepare a bootable floppy or CD-ROM that creates a RAMDISK in memory, then copies ccclient.exe onto the RAMDISK and it
Please contac
33. Hash value, and it will not match the value calculated by third-party software or other means.

Keyword List: If a keyword search was performed during the capture, a list of the found keywords will appear at the very end of the Final Capture report.

Example of Hardcopy Printout

[Hardcopy printout; recoverable fields:]
LOGICUBE TALON, Serial No 65535, Software V2.12RC
Evidence Number; Alias; Evidence Acquired; Location at scene; Description
SESSION SETTINGS
Operating Mode: Capture
Address Mode: LBA
Verify: SHA-256+V
Speed: UDMA
Connection: Direct
100% MIRROR COPY OF THE DRIVE HAS BEEN SUCCESSFULLY EXECUTED
Operator declined FULL and remainder Destination D
34. [Hardcopy printout, continued: Physical Characteristics (Drive Model, Serial, Cylinders, Heads, Sectors, Total Sectors, Drive Size) and Computed SHA-256 Value]

13 Frequently Asked Questions and Answers

Q: By comparison, my Forensic Talon appears to be operating slower than other units.
A: Make sure that your unit is using the latest software. Visit http://www.logicube.com and go to the support page to view the latest software level and, if necessary, download the software for your system.

Q: My Forensic Talon continues to ask if I want to wipe a brand new capture HDD.
A: This is a normal question that will be asked unless the new HDD is wiped by the Forensic Talon. Using the Forensic Talon to prepare (pre-wipe) a new Destination HDD will eliminate this screen from displaying while on site, thus speeding up the capture process. After
35. N Don't confuse this power adapter with the Forensic Talon power adapter. Press the power button on the printer until it lights up.
3. Load plain paper into the printer. The printer will engage and advance the paper slightly.
4. On the Forensic Talon, press the Set button to go to the Settings menu. Scroll down to the Printer option and press the Select button.
5. Scroll to the Select reports item and press the Select button.
6. Scroll to the Print Last Session item and press the Select button.
7. A prompt will come up asking the user which printer is connected to the unit. Choose STANDARD.
NOTE: Once a printer is chosen, the user will not be prompted again until the unit is rebooted.
8. Follow the instructions on the screen. A report should now print.

Every operation performed with the Talon also writes a copy of the report to the CF Drive. This report can be easily accessed in Windows and printed from a text editor like Notepad.

Optional Preference Settings

Verify

The Verify option is provided to add an increased level of confidence in the capture process. The choices are SHA-256, SHA-256+V, MD5, MD5+V and None.

SHA-256: This is the default setting for verification and uses special hardware to compute SHA-256 values at an extremely fast and accurate rate.

SHA-256+V: This setting behaves like SHA-256, except that it also reads back capture
36. Notes
7 USING THE RAID ADAPTER
  Supported RAID Configurations
8 USING THE
9 KEYWORD
  To search for a pre-defined keyword list during Capture
  Keyword Search Settings
  Modify
  Keyword Search
10 COMPACT FLASH (CF)
  Inserting and Removing the Compact Flash
  Connecting Through USB
  Connecting Through the Software Setup Menu
  Removing USB
11 SOFTWARE LOADING INSTRUCTIONS
  Loading Software Using the
37. RATION WAS IN ERROR

Extra information: This line appears on the hardcopy only if the operating mode was Capture. It will contain one of the following lines:
- The destination drive was verified as erased before Capture
- The destination drive was erased during the Capture
- Operator declined FULL destination drive erase and erased remainder
- Operator declined FULL and remainder destination drive erase

Source drive Information

This section of the printout contains information specific to the source, or Suspect, drive. This will only appear if the operating mode was Native Capture, or DD Image Capture with Verify set to SHA-256/MD5 Disk. It contains the following:
- Drive Identification: These lines print the model and serial number as reported by the source drive.
- Physical Geometry: These lines indicate the number of cylinders, heads and sectors, the total number of sectors, and the drive size.
- SHA-256/MD5 Value: This line prints the computed SHA-256 or MD5 value for the source drive.
- Error recovery information: These lines will only appear if the On Error setting for the Capture operation was set to something other than abort. If the setting was set to skip, then a single line containing the total number of skipped sectors will be printed. If the setting was retry or recover, two lines will be printed: one containing the total number of recovered sectors, one cont
38. WipeClean Destination
  Procedure
HASH Scan
  Procedure
Audit
5 USING THE CLONECARD
  Creating a MS-DOS floppy boot disk
  Using the Logicube CloneCard Pro to Capture a Drive
  Things to Note
  Improving Speed of Transfer
6 USING THE USB
  How to use under Windows for Destination Drive Management
  Removing USB devices
  Cloning through the USB
  How to set up and use the USB Cloning software
  Selectable Capture Modes &
  Cloning Apple computers via FireWire using the USB Cloning software
  Additional
39. able
- If loading new software: a floppy or other removable drive with the new version of forensic.h86 loaded on it.
- A host PC with the following:
  - An EPP 1.9 capable parallel port
  - A CD-ROM drive, floppy drive or other removable drive accessible by DOS
  - Ability to boot from a CD. This can be determined by checking the PC's BIOS.

Host PC preparation

1. Place the Software Update CD in the Host PC's CD-ROM drive. Boot the PC and go into BIOS. Make sure that the PC is set to boot from the CD-ROM. Reboot the PC. It will go into a menu on the CD that contains six different boot methods. Try the first boot method. If it doesn't work, reboot and try the second. Keep trying until you find one that works (goes to an A: prompt).

Once the above has been accomplished, perform the following:
1. Attach the parallel cable between the host PC and Logicube Talon.
2. If you are loading a new version of software: insert the removable drive with the new forensic.h86 file and copy it to the Ramdrive created by the CD.
NOTE: Ignore step 2 if you are reloading the original forensic.h86 file, which is automatically copied to the Ramdrive.
3. Go to the Ramdrive (always the last drive letter) and run UPDATE. The Software Update screen will appear.

Logicube Talon Software Update

Note: Make sure the update is running on the PC and the Logicube Talon i
40. aining the total number of non-recovered or skipped sectors.

Destination drive Information

This section of the printout contains information specific to the destination drive. It contains the following:
- Drive Identification: These lines print the model and serial number as reported by the destination drive.
- Physical Geometry: These lines indicate the number of cylinders, heads and sectors, the total number of sectors, and the drive size.
- SHA-256/MD5 Value: This line prints the computed SHA-256 or MD5 value for the destination drive. This will only appear if the operating mode was Native Capture with Verify set to SHA-256 or MD5 Disk.
- Media Verify information: These lines will only appear if the operating mode was set to Scan. If, after a Scan operation, any bad sectors, weak sectors, or weak spots are detected, then the addresses of those sectors are printed, followed by the grand totals for each type.

If one of the DD imaging modes was used with Verify set to SHA-256 or MD5 File, a list of file names with their respective SHA-256 or MD5 values will be printed at the bottom of the page.

Audit Trail Authentication Checksum: This number is used to verify that the report residing on the CF Drive has not been altered in any way. The Checksum is a proprietary Hash value.

Note: The Audit Trail Authentication Checksum value is not a standard MD5
41. amination. Handling of the suspect drive is held to a minimum, with zero alteration of its contents. Designed with the Forensics investigator in mind, the system ensures that proper evidence capture procedures are maintained, speeding up the process significantly with little room for error. The Forensic Talon is a successor to our highly acclaimed MD5. It represents the 5th generation in Computer Forensic related tools from Logicube.

Features
- Capturing speeds nearing 4 GB/min. Achieved through the use of synchronized UDMA-5 engines.
- Ability to compute SHA-256 or MD5 Hash in real time at full Capturing speed.
- Keyword search capabilities. Search for hundreds of words concurrently on a hard drive, either during the capture process or on a single drive. Specify upper case, case insensitive, Unicode, start of sector, regular expression.
- DD image capture mode. Capture a suspect's hard drive to multiple DD image files. User-specified file size of 650MB, 2GB and 4GB, for later archiving on to CD-Rs, Jaz drives and DVD-Rs respectively.
- Removable Compact Flash slot. 64 CF card included. Stores keyword lists, software updates, reports, etc.
- Fully integrated QWERTY keypad. For easy entry of file names, user password, keywords, etc.

Using this guide

This user guide is made up of 12 sections: Introduction, Getting Started (Fast Start), Clon
42. ash. If the destination drive's health is unknown, use the +V setting.

SHA-256+V: This mode uses special hardware to compute SHA-256 Hash values at an extremely fast and accurate rate. It also performs a read-back and comparison of each block of data as it is captured. It is highly recommended that this mode be selected to ensure the accuracy of the SHA-256 Hash.

MD5: This setting uses special hardware to compute 128-bit MD5 Hash values at an extremely fast and accurate rate.
NOTE: If the Destination drive has bad or weak sectors, this mode may not guarantee the accuracy of the MD5 Hash. If the destination drive's health is unknown, use the +V setting.

MD5+V: This mode uses special hardware to compute MD5 Hash values at an extremely fast and accurate rate. It also performs a read-back and comparison of each block of data as it is captured. It is highly recommended that this mode be selected to ensure the accuracy of the MD5 Hash.

None: This method performs no special verification and is used only for non-forensic cloning purposes.

On Error

The On Error option controls what actions are taken when the software runs into problem areas on the source drive. The choices are:

ABORT: The Abort option causes the software to stop the copying process and display an error message when an unreadable area is encountered on the source drive.

SKIP: The Skip option causes t
43. ceed

Capture Source Drive Data To Destination Drive: All data on the source drive is copied sector by sector to the destination drive.

Check for Erasure of Unused Portion of Destination Drive: If the destination drive has not been previously verified as erased, and the source drive has less capacity than the destination drive, then the software will ask the user whether or not to erase the unused remaining portion of the destination drive. If the user accepts, then the remainder of the destination drive will be erased and the Capture process will continue. If the user declines, then this is noted and will show on the printed report. The Capture process will proceed. This is to ensure that there is no leftover data from any previous usage on the extra portion of the drive.

Note: In the DD imaging modes, erasure of the remainder of the drive is not an option.

Print Capture Report: If the Printer setting was set to YES prior to Capture, then the unit will prompt the user with a message: Make sure that the printer is connected, powered up and online. Press <OK> to print. Press the Select button to initiate printing. A Final Capture Report will then be printed.

If this is the first time that the printer is used since the Talon® was powered up, a prompt will come up asking the user to choose Pentax or Standard. Choose Pentax if the Pentax Pocketjet 200 ther
44. cess with a source drive present

The software first scans the source drive for a chunk of zero-filled sectors to use as a data source for erasing sectors on the destination drive. If a chunk larger than 16 sectors is found, then the software will continue to erase the destination drive by streaming the zero-filled chunk of sectors from the source drive to the entire destination drive. If the software fails to find an acceptable chunk of zero-filled sectors on the source drive, then the software will inform the user and ask to continue the erase process without a source drive, as described elsewhere. If the user declines, then the erase process will abort.

Procedure

The Power up and Initialization procedure for the erase process is identical to that previously described for the Capture process, except that if the source drive is not detected, the erase process will continue instead of aborting.

Additional Commands

Verify

The Verify option adds an increased level of confidence in the capture process. The choices are SHA-256, SHA-256+V, MD5, MD5+V and None.

SHA-256: This is the default setting for verification and uses special hardware to compute SHA-256 Hash values at an extremely fast and accurate rate.
NOTE: If the Destination drive has bad or weak sectors, this mode may not guarantee the accuracy of the SHA-256 H
45. classified as bad. If the sector fails to verify after a good read any time up to the tenth read, it is classified as weak. If the sector is verified good for ten reads, it is classified as good. If, after the individual sectors are all scanned, there are no bad sectors found, the block is classified as a weak spot.

Options
- Drive: Choices are Destination or Source.
- Speed: The choices are Fast or Thorough.
- Printer: The print report option controls whether or not a hardcopy printout is automatically generated immediately following the operation. The choices are YES or NO.

Wipe Clean Destination

The Wipe Clean <WIPCLEAN DEST> function is the process that erases, or wipes, all existing information from the surface of the destination disk drive.

Options

These are the user-configurable options for the Forensic Talon erase process.
- Speed: The speed setting provides the option to set the speed at which an operation will be performed. The choices are UDMA 5 to UDMA 0, PIO AUTO, PIO MED and PIO SLOW.
- Signature: A unique digital signature is written to the destination drive on the first sector of each logical cylinder boundary across the entire drive. Choices are Yes or No.
- Printer: The print report option controls whether or not a hardcopy printout is automatically generated immediately following the operation. The choices are Yes or No.

Erase pro
46. d data and compares it to the Source drive. This setting is recommended to ensure the accuracy of the SHA-256 Hash.

MD5: This setting uses special hardware to compute 128-bit MD5 values at an extremely fast and accurate rate.

MD5+V: This setting behaves like MD5, except that it also reads back captured data and compares it to the Source drive. This setting is recommended to ensure the accuracy of the MD5 Hash.
NOTE: The +V settings will double the cloning time of a capture session.

None: No verification. This setting is only recommended for non-Forensic cloning operations.
NOTE: Without verification, bad or weak sectors on the Destination drive will not be detected. This could cause the copy to be invalid.

Speed

The speed setting provides the option to set the speed at which an operation will be performed.

UDMA 5: The software performs a test procedure to determine the fastest setting that the drives will tolerate while streaming data from one to the other. When set to UDMA 5, all speed grades below will be tested (i.e. UDMAO 5 0 4).

UDMA 4: Force the unit to use at most this speed. Set the unit to this mode in some rare situations where one or both drives do not support the higher speeds and misbehave during our automatic speed benchmarking.

UDMA 3: Same as UDMA 4.

UDMA 2: Same as UDMA 4.

UDMA
47. d report back the drive's model number, capacity, geometry and other information. To return to the main menu, you may select Done by pressing the back button at any time.

Screen Saver

After 25 seconds of inactivity, the Logicube Talon display will switch to a screen saver. This is designed to extend the life of the OLED display used by the unit. Pressing any one of the UI buttons will switch the display back to normal.

Modes of Operation

The Logicube Talon supports two different operations to clone data from a suspect drive. They are Native Capture and DD Image Capture. These modes are found in the Mode Setting Menu, along with several other operations. The different modes of operation are briefly described below.

NOTE: Each time the Logicube Talon is powered off, the cloning mode and preference settings are returned to their factory defaults.

The following Modes of Operation are found in the Mode Setting Menu:

Capture Native: This process captures all data from the source drive to the destination drive. This mode is called a Native Capture since data is captured at the sector level to another dedicated destination drive.

Drive Defect Scan: This operation performs a surface scan of the drive media, using the drive controller to verify the media and detect bad or weak sectors. This mode is described in Chapter 4, Other Modes.

Wi
48. detection of an error, the capture will skip the bad sector(s) and write zeroes to the corresponding sector(s) on the destination drive.
- Older computers may require the use of a bent paper clip to eject the drive tray for boot CD installation and removal.
- During most operations, the capture utility reports Total Drive Sectors, Cloned, Speed in MB/Minute, Time to Completion and % Complete.
- Due to the absence of a Firewire connection, MacBook Air is not compatible with the Logicube boot CD.

7 Using the RAID I/O Adapter

Introduction

The Logicube RAID Adapter is designed to work exclusively with the Talon. It is an adapter that allows two hard drives to be connected to the Source or Destination position simultaneously.

In the Destination position, or RAID 1 to 2, the RAID Adapter allows two Destination drives to be cloned at the same time. This is important if the investigator needs to have one drive for evidence and a second drive for investigation.

In the Source position, or RAID 2 to 1, the RAID Adapter will allow two drives in a RAID 0, RAID 1 or JBOD configuration to be cloned to a single Destination drive. This feature is only supported with a software option that needs to be loaded on the Talon™.

NOTE: The Talon must have software ver. 2.36 or later installed in order to properly work with the RAID Adapter.

NOTE: Please refer to
49. drive

Supported RAID Configurations

2 to 1 Mode supports RAID 0, RAID 1 and JBOD configurations. These configurations are described below.

RAID 0: This configuration splits data evenly over two separate hard drives so that they are seen as one large drive in the PC BIOS. This configuration is also known as a striped set.

RAID 1: This configuration creates an exact copy of one drive's data across two separate hard drives. It is designed to provide uninterrupted service should one of the hard drives go down. This configuration is also known as a mirror.

JBOD: This configuration is able to distribute data over two drives of different size so that the drives appear in BIOS as one single drive. JBOD stands for Just a Bunch of Drives.

Connecting the RAID I/O Adapter

Plug in the set of 9 cables to the connections found on the back of the Logicube Talon.
NOTE: Please refer to Chapter 2, Getting Started, for more information on connecting hard drives.

Connect the RAID I/O Adapter to these cables.

Connect Source Drive 1 and 2 to the appropriate connectors on either side of the RAID Adapter.
Note: A Source drive can be connected to either position on the RAID I/O Adapter if only one Source drive is to be used.

Connect a single Destina
50. e Press Select when done

Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Select button when finished.

The Talon will automatically detect whether or not the Destination drive will support a Security Erase. If not, then the Talon will perform an ordinary WipeClean operation based on the settings chosen by the user.

If the Talon performs a Security Erase, it will do a rough estimate of the Time Remaining. This estimate will appear on the progress bar, while an Elapsed Time counter will count up the actual erase time.
NOTE: The Progress bar will appear to hang at 99% if the actual erase time is longer than the estimated time. The elapsed time counter will continue to run and the Status light will keep blinking until the wipe is finished.

When finished, the Talon will display the following message: drive successfully erased. A copy of the session report will also be copied to the CF drive as <Log file name>.LOG.
NOTE: The operation will abort with an error message if bad sectors are encountered on the Destination drive.

12. If the Printer was set to Yes, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing.
NOTE: Please refer to Printing a Report on page 20 for more printing options.

Scan

This mode computes the SHA-256 or MD5 Ha
52. e surface scan of the drive. None of the data is moved around or removed. THOROUGH: This mode actually writes patterns to the drive and scans more thoroughly for bad sectors. NOTE: Never perform a Thorough Scan on a Suspect drive, as data erasure will result. 6. Press the START/STOP button to start the scan. 7. The Talon will access the CF Drive, then the following message will appear: "KEYPAD ENTRY: Enter Log file name. Press Select when done." 8. Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Select button when finished. 9. When finished, the Talon will display the number of bad or weak sectors found on the drive. A copy of the session report will also be copied to the CF drive as <Log file name>.LOG. 10. If the Printer was set to Yes, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing. NOTE: Please refer to Printing a Report on page 20 for more printing options. WipeClean Destination: This function is the process that erases or wipes all existing information from the surface of the Destination drive. It is a good idea to erase the drive prior to performing Native captures. It ensures that no old data remains on the drive to be later confused as evidence. Many newer drives will also support Security Erase
53. earched for. Yes: the Unicode encoding of the word is searched for. NOTE: The Unicode search utilizes the little-endian code that is utilized by Microsoft operating systems. Other systems like Linux, UNIX, Mac, etc. utilize the big-endian code. A future version of the Logicube Talon software will also support big-endian Unicode. Signature: the word is only searched for at the beginning of a sector. This is useful to find all files of a certain type (e.g. all graphic files). The unit allows some editing of the keyword lists. Please refer to the Modify Lists section below for more details. NOTE: As of this writing, only the English alphabet is supported. Future software updates will include support for different languages. Please contact Logicube for further details. To search for a pre-defined keyword list during Capture: 1. Press the Set button to enter the Settings screen. Set the desired Capture mode and subsequent settings (Speed, Verify, etc.). Scroll down to the Word List option and note the name of the currently selected keyword list. If none is selected, press the Select button. The unit will read the list of available keyword lists from the Compact Flash and display it on the screen. Scroll to the desired list and press Select. From now on, the words in this list will be searched for as a by-product of any of the Capture modes. At the end of a session, the Final Capture report will also list any keyw
54. echnical Support for assistance. Note: SCSI drives cannot be connected directly to the Logicube Talon. Please refer to Chapter 6, Using the USB Port, for cloning SCSI drives. Figure 4: Connecting a Serial ATA (SATA) Destination Drive. Figure 5: Connecting a Serial ATA (SATA) Source Drive. The user interface: The user interface (UI) has been designed with the professional in mind. It is fast, responsive and to the point, which means it requires very few key strokes to achieve a desired action. Shortcut buttons (available at all times). NOTE: Refer to Figure 3 as you read the information below. START/STOP Button: Press it twice to begin a cloning operation using the current settings; press the START/STOP button in mid-process to abort it. A single key stroke presents a preview screen where you can see the current setting and decide whether to press it again to begin the capture or back out to reconfigure. The Help button provides context-sensitive help and is active at all ti
55. ed from any text editor in Windows like Notepad. Calibrate Transfer Speed: If the Speed option described previously is set to UDMA 5, then the calibration procedure is performed as follows: 1. The transfer speed is set to a conservative initial value. 2. A chunk of the source drive is copied to the destination drive. 3. If there are no errors, then the elapsed time is stored. If there is an error, then the software will set the transfer speed to a lower value and exit the routine. 4. The transfer speed is set to the next higher value and the process is repeated until the highest speed is reached that does not result in any errors. Check Capture Integrity: This procedure tests the integrity of the data path, including the following items: drive interface, data cables, unit integrity, loose connectors. The method used is as follows: 1. All bits of the data lines of the source drive are checked for toggling between one and zero while reading data from the drive. This is necessary because the data lines can be broken or unreliable and we can still communicate with and control the drive without transferring data. NOTE: For this test, the unit checks an 8 MB portion of the drive that starts 50 from the start of the drive. If the drive is wiped or there is no data in that area, then the unit will pause with an error: Source drive data lines can
57. er cable. Underneath is the third connector for the Serial ATA cable. Note: The UDMA drive data and power cables should be removed from the Talon when a SATA drive is connected. This will ensure optimal cloning speeds. Note: See Figure 4, Connecting a Destination drive to the Logicube Talon through a 5" SATA cable. 2. Connect a Destination hard drive and close the Logicube Talon. Make sure that Pin 1 is properly aligned. 3. Plug in the long SATA cable to the connections found on the back of the Logicube Talon. Note: See Figure 5, Connecting a Source drive to the Logicube Talon through a 9" SATA cable. 4. Connect the Source drive to this cable. Note: The internal drive is always referred to as the Destination or Evidence drive and the outside drive is always referred to as the Source or Suspect drive. 5. Connect the power supply to the Logicube Talon and power up the unit. In 2-3 seconds the main display appears. Connecting other types of drives: Logicube sells specialized adapters that allow other types of drives to be connected to the Logicube Talon. Such drives include 2.5" laptop drives, 1.8" laptop drives (e.g. Toshiba, iPod drives), Compact Flash (CF) drives and USB drives. Other specialized adapters are also available. If you are unsure about the type of drive that you have, please contact Logicube T
58. h NOTE: See the Optional Preference Settings section of this chapter for more information on these preference settings. Also see the Special Settings section below. Press the <START/STOP> button twice. The Talon will briefly access the CF Drive. The following message will appear: "Continuing will overwrite a portion of your Destination drive. Are you sure?" Press the Select button for <Yes>. The Destination Drive needs to be formatted before data capture is possible. If it hasn't been formatted yet, a prompt will come up. Choose Yes to format the drive. NOTE: See the Special Settings section below for more information on managing the Destination drive. You will then be prompted to enter a Case file name using the keypad. Up to 8 characters are allowed, following traditional DOS naming conventions. NOTE: If a Case file already exists on the destination drive (i.e. from a previous DD Image capture), the unit will not allow you to enter the same file name again. A sub-directory by the same name will be created under the root directory on the destination drive. The capturing process will create as many files as necessary within this sub-directory, with increasing extension numbers (e.g. my_disk.001, my_disk.002, etc.). At the end of the process, a file with the .log extension is created and placed in the same sub-directory. The file is also w
59. he Back button to choose <>, the unit will access the Master drive. If <CF> is chosen, the unit will access the Compact Flash Drive instead. 9. A prompt will come up asking if the unit is connected to a Forensic Dock. Choose YES if it is connected to one, otherwise choose NO. NOTE: Please refer to the Logicube Portable Forensic Lab User Manual if one is in use. 10. The Logicube Talon will power up the Master drive. A prompt will appear saying that it is safe to attach the USB Cable. 11. Attach the USB cable to the Logicube Talon. You should now see some activity on your PC screen, which depends on the operating system. 12. If running ME/2000/XP, your drive will automatically be mounted and drive letters assigned to all recognizable partitions. 13. If running 98/98SE, you will be prompted to install drivers. At the "Have Disk" prompt, please point the PC to the drivers CD-ROM provided and the installation should complete smoothly. 14. The Master Drive is now visible on Windows as an external drive. Any partitions that can be accessed by your Operating System will be assigned a Drive Letter. At this point the drive is fully visible to any Forensic analysis tool such as EnCase, iLook and FTK. The drive contents, however, cannot be altered in any way. Note that since Windows keeps caching information for every drive
60. he software to ignore a bad sector and not copy it to the destination drive. All prior and subsequent sectors are copied while only the unreadable sector is skipped. RETRY: The Retry option makes up to 50 attempts to reread an offending sector using the following sequence: 1. Reinitialize the source drive. 2. Dump the drive's cache buffer. 3. Reread the offending sector. If a good read occurs, then the retry loop is aborted immediately and copying continues. If the sector is still unreadable after the maximum number of retries, then it is skipped and the copying process continues with the following sectors. RECOVER: At least one reinitialize and retry is performed for all choices before recovery is attempted. This prevents recoverable errors from halting the completion of the copying process. For all modes except ABORT, the hardcopy printout will provide a list of sector numbers that failed. The Recover option makes up to 50 attempts to reread an offending sector using the following sequence: 1. Reinitialize the source drive. 2. Dump the drive's cache buffer. 3. Reread the offending sector. If a good read occurs, then the retry loop is aborted immediately and copying continues. 4. If the read failed, the low-level code transfers the drive's buffer contents anyway. The buffer is examined and information is collected for a majority vote algorithm. Printer Anato
61. ing Modes and Settings, Other Modes, Using the Clone Card Pro, Using the USB Write PROtect Adapter, Using the RAID I/O Adapter, Using the GPStamp, Keyword Searching, Compact Flash (CF) Drive, Software Loading Instructions, Reference, FAQs. Please read Module 1, Introduction, and Module 2, Getting Started, before attempting a drive capture. It is recommended that you practice with a scratch drive to fully appreciate the procedures. System description, Forensic Talon Kit: The Forensic Talon Kit is packed in a rugged, watertight carrying case. Inside you will find the following components: The Logicube Forensic Talon with power adapter; a 64MB Compact Flash Card that includes a backup copy of the current Forensic Talon software and a text file that contains sample Keyword Lists; sets of standard-length (5" and 9") drive power cables, used to connect the suspect and destination drives to the unit; HDD (Hard Disk Drive) data cables to connect the suspect drive to the Forensic Talon (two lengths); two Serial ATA cables (one short and one long) for attaching Serial ATA drives to your Logicube Talon; an extra-long (18") drive data cable to reach a suspect drive still mounted in a PC chassis; one 2.5" drive adapter to allow the connection of laptop drives; one Logicube CloneCard Pro: a PCMCIA adapter with a floppy disk contain
62. ing a client application. This is used for capturing data from notebook PCs; a Mini-B USB cable that allows the unit to be connected to the USB port of a PC; a Brother MW-120 portable thermal printer, which also comes with an AC power supply, parallel cable, internal battery, carrying case and documentation; 100 sheets of thermal printer paper (NOTE: Please contact Logicube if extra paper is needed); a flashlight and screwdriver; a CD-ROM that includes a utility program to load the Forensic Talon with new software, a backup copy of the current Forensic Talon software and extra copies of all files found on the Compact Flash Card; another CD-ROM that includes Write PROtect™ Cloning software to capture suspect drives through the USB port; a hard plastic carrying case (NOTE: It is recommended that you always use the carrying case to store and carry the unit); this manual. System description, Forensic Talon Standalone: The Forensic Talon Standalone unit comes in a rugged canvas carrying bag. Inside you will find the following components: The Logicube Forensic Talon with power adapter; a 64MB Compact Flash Card that includes a backup copy of the current Forensic Talon software and a text file that contains sample Keyword Lists; sets of standard-length (5" and 9") drive power cables, used to connect the suspect and destination drives to the unit; H
63. installing a brand new destination drive in my Forensic Talon® and starting a capture, I received a message that the drive was not erased. Is this normal? A: Even though new drives are usually blank, they still need to be wiped to guarantee that they do not contain any data. The Forensic Talon writes a signature to the destination drive during the wipe session. It is this signature that tells the Forensic Talon that the destination or capture drive was previously wiped. Destination drives can be prepared ahead of time by wiping them with signature set to YES. Q: Can I make a bootable clone with the Forensic Talon? A: While the Forensic Talon® was not designed to produce a bootable clone, it will create a copy of the source drive with bit-for-bit accuracy. Whether or not the destination drive will boot depends upon many factors that include drive geometry, operating systems and PC BIOS issues. Q: Capturing data from a Western Digital HDD is not working. A: Most Western Digital drives require that the jumpers be removed for a capture to work. The exception to this statement is for the Western Digital Xpert series Hard Drives (an older manufactured version), where the jumper is set to the master position. Q: I'm trying to update my Forensic Talon with the latest software but cannot get my PC to communicate with the unit. A: The PC must be set up to communicate in
64. ion, freezing a reading and bringing the GPStamp out of Sleep Mode. NOTE: The Logicube Talon must have software ver. 2.37 or later installed in order to use the GPStamp. Using the GPStamp in a Capture Operation: The following procedure will take you through a typical hard drive capture operation with the Logicube Forensic Talon and GPStamp. 1. Attach the Source (Suspect) and Destination (Evidence) drives to the Talon. Set up all capture settings as desired. 2. In the Settings Menu, scroll down to the GPS Available option. Press Select to set it to Yes. 3. An error message will appear briefly that says "The GPStamp was not detected". Ignore the message and continue. 4. Start the capture session. After data has been transferred to the Destination drive, the Talon will display a message that reads "Get Fix". 5. Power up the GPStamp. When it goes into Sleep mode, press the Start button. The Main Screen will appear. 6. After thirty seconds, the GPStamp will attempt to lock on to a signal. The Signal Acquisition screen will appear. 7. The GPStamp should acquire a useable signal within two minutes. If it does, then the Information Screen will appear. 8. If the GPStamp™ does not get a signal within five minutes, an error message will appear that reads: Unable to get GPS
65. ion for a hard drive capture session. This information appears in the final capture report. The GPStamp uses GPS (Global Positioning System) technology to provide location coordinates that are accurate to within 50 feet. The GPStamp is designed to work exclusively with the Logicube Forensic Talon® and Forensic MD5. The GPStamp pulls information from four or more GPS satellites to provide the exact capture location in 3D space. Figure 11: GPS Satellite. Overview: Please refer to Fig. 12 below. Figure 12: GPStamp Orthographic Views. The GPStamp is extremely simple to use, with very few user controls. DISPLAY: This small OLED display is very bright and easy to read. DONGLE CONNECTION: This jack is where the Adapter cable (Dongle) connects when the GPStamp is attached to the Talon® or MD5. NOTE: This jack is NOT a power supply port. The GPStamp is powered by an internal 9V Lithium battery. POWER SWITCH: Turns the GPStamp on and off. Keep the switch OFF when the GPStamp is not in use. NOTE: Although the GPStamp goes into Sleep Mode, the best way to conserve battery power is to shut the unit off. Sleep Mode still draws a small charge from the battery. START BUTTON: This button has multiple functions, such as starting a location acquisit
66. ity of your destination hard drive (the unit's internal drive) to any USB-enabled PC. It also ensures zero alteration to the drive under any operating system. Both USB 1.1 and USB 2.0 are supported. USB connectivity can be used in two modes of operation: Drive analysis mode and DOS capturing mode. Minimum requirements: A Logicube Talon unit with integral USB port; a 586 or better PC-compatible computer with a floppy or CD-ROM drive; an available USB port on the PC (USB 1.1 and USB 2.0 are automatically supported); Microsoft Windows 98/98SE/ME/2000/XP operating system for drive access under Windows; a CD-ROM for DOS capturing mode (optional); a CD-ROM with Windows 98/98SE USB drivers installed (no drivers need to be installed for ME/2000/XP). Figure 8: USB Port on Logicube Talon. How to use under Windows for Destination Drive Management: Please refer to Figure 8 above. 1. Make sure a Destination drive is properly attached inside your Logicube Talon. Make sure your PC is running Win98 or above. Connect the USB cable provided to a PC USB slot on one end. Do not attach the other end to the Logicube Talon yet. Set the Logicube Talon to USB mode. Press the SET button on the unit. Scroll up to the MODE entry. Press SELECT. Scroll down to the USB DRIVE MODE entry. Press SELECT again. Press t
67. lect a source drive. On the right side of the screen you will see a list of capture modes. You can scroll through the selections using the up/down arrow keys on your PC's keyboard. Press Enter to make your selection. Once you have selected the source drive to be captured and selected the method of capture, press S to start the data capture. A progress bar will appear on the screen. You may cancel or abort the capture at any time by pressing the Esc key. Press any key and answer (Y)es to return to the main menu. Once the capture has been completed, a message will pop up indicating the capture session has completed successfully. If you have selected a capture method with an MD5 Hash, the hash values will appear at the bottom of the screen. NOTE: Except for DD captures, the hash values generated will not be saved if you exit this screen. You must record the hash values before exiting. 14. Upon completion of the data capture, press any key and answer (Y)es to go back to the main screen. 15. To perform a data capture from another source drive, install a new destination drive only if the current destination drive is full or your next capture will be performed as Native. Repeat steps 7 through 14 to perform a subsequent data capture. To exit the Forensic Cloning Software, press the Esc key and answer (Y)es. A message will display that indicates "You can now remove the CD ROM". Some computers will automatically eject the
68. ll a real MS-DOS operating system onto the supplied floppy. This can be done on a WIN9X or a DOS machine. Creating an MS-DOS floppy boot disk: 1. Open a DOS window or boot a PC in DOS mode. 2. Unprotect the client floppy disk and insert it into the A drive. 3. At the command prompt (e.g. >), type sys a: <ENTER>. Wait for completion. Copy Himem.sys from C:\Windows to the floppy. Note: This operation needs to be done just once, but cannot be carried out on an NT, WIN2000, XP or Windows ME system. Using the Logicube CloneCard Pro to Capture a Drive: Cloning with the CloneCard takes just a few steps. 1. Insert the CloneCard Pro™ into one of the PCMCIA slots on the laptop you are about to clone (make sure to remove all other PCMCIA cards). 2. Insert the floppy into the laptop floppy drive. 3. Turn laptop on. Ensure that the laptop is set to boot from a floppy. This is done through the setup screens that can be accessed by pressing the F2 or DEL key during initial boot (consult your laptop manual regarding how to set the boot order). 4. The floppy is configured to run the client application (CCclient.exe or pcmcia.exe) automatically. 5. Connect the Forensic Talon to the flat cable provided with the CloneCard Pro. Do not use the standard drive cable. It is incompatible with the CloneCard Pro™. 6. Make all the necessary settings on your Forensic Talon. USING T
69. loading instructions. NOTE: The Brother printer cannot use plain paper. It uses thermal paper only. 4. On the Forensic Talon, press the Set button to go to the Settings menu. Scroll down to the Printer option and press the <Select> button. 5. Scroll to the Select reports item and press the Select button. 6. Scroll to the Print Last Session item and press the Select button. 7. A prompt will come up asking the user which printer is connected to the unit. Choose BROTHER MW-120. NOTE: Once a printer is chosen, the user will not be prompted again until the unit is rebooted. 8. Follow the instructions on the screen. A report should now print. Every operation performed with the Talon® also writes a copy of the report to the CF Drive. This report can be easily accessed in Windows and printed from a text editor like Notepad. Printing with the Pentax thermal Printer: Forensic Talon kits sold prior to January 2007 included a Pentax Pocketjet 200 portable thermal printer. To use this printer: 1. Connect the Pentax printer to the Forensic Talon using the special cable included with the kit. 2. Power the printer using the printer power adapter. CAUTION: Don't confuse this power adapter with the Forensic Talon power adapter. Press the power button on the printer until it lights up. Load a sheet of the special thermal paper in
70. mal printer is attached to the unit; otherwise select Standard for any other printer. If the Printer setting was set to NO prior to capture, then a report can still be printed as long as the unit hasn't been powered down, rebooted or used to clone more drives. Just press the Set button, scroll down to Printer, press the Select button, scroll down to Additional Reports, press Select again, highlight Print Last Session and hit Select. A copy of the report is also written to the CF drive. It is named <Log file name>.LOG. Final Capture Report, Hardcopy Printout: The hardcopy printout available on the Forensic Talon® was designed to provide sufficient information for use as an evidence identification tag. It contains information on the unit used to acquire the evidence, the personnel acquiring the evidence, and the important information for the actual Capture session. Information Format: This section describes the information format that appears on the Forensic Talon® hardcopy printouts. For an example, see the included page at the end of this section. Unit Information: The Unit Information section identifies the model name of the acquiring unit, the unit serial number and the software version installed. Forensic Information: The Forensic Information section contains several lines for the user to enter the necessary information relevant to each investigation. There are spaces for the following information:
71. mes. Press it to get specific help on the current screen. If the selection cursor is on the screen, pressing the Help button will retrieve specific help for that item pointed to. Press the Help button again to return to the current screen. The Set button is the third shortcut button. It brings you to the settings screen where you can change capture modes and other settings of the unit. Soft Buttons: The two Soft buttons are directly under the LCD display. The button functions change depending on the labels displayed above them. Note: Labels are always enclosed by angular brackets. When no labels are displayed, they function as navigational buttons. The right button functions as Select or toggle and is used to select an option, to move through multiple available options or to select a sub-menu. The left button is the Back button. This button is used to go up in the menu system or to cancel out of a given operation. Scroll buttons: The two scroll buttons are active when the right side of the screen displays the scroll arrows. This occurs when the amount of information to display exceeds the screen size. Menus are also scrollable. Alphanumeric Keypad: The alphanumeric keypad is laid out like the keypad on your PC or typewriter. It is used for labeling capture sessions, entering passwo
72. my of a Drive Capture. 5. If the sector is still unreadable after the maximum number of retries, the software will then attempt to reconstruct the sector by applying a majority vote algorithm to the data collected while performing the retries. The sector is then written to the destination drive and the copying process continues with the following sectors. The printer option contains a submenu with various functions controlling the generation of hardcopy printouts of Capture, DD Imaging, Scan or Wipe sessions. PRINT REPORT: The Print Report option controls whether or not a hardcopy printout is automatically generated immediately following a Capture, Scan or Wipe session. The choices are YES or NO. PRINT LAST SESSION: The Print Last Session option enables the user to get a hardcopy printout of the previous Capture, Scan or Wipe session even if the Print Report option above was not enabled. As long as power remains applied to the unit, the previous session's results are available. PRINT SEARCH DETAIL: Prints a detailed report of all words matched during the last session and their absolute location. PRINT SEARCH TEXT: Prints a snippet of text before and after the matched word for every word matched during the last session. EJECT PAGE: The Eject Page option is a utility function that will send a page eject or form feed command to the printer. This may be necessary when using certain kinds of laser
73. nd DD Modes work with one or two Source drives. The procedure for cloning is the same as cloning from a single Source drive without the RAID I/O Adapter. Verification cannot be set to a V setting on the Forensic Talon, or the cloning session will stop with an error message: "The current Verify setting is not supported with a RAID Source". All other verification settings are acceptable, and Dual Hash (MD5 or SHA-256) is supported. Drive Defect Scan is supported for one or two Source drives. The final report will list all bad sectors found on the first drive, then a separate list for the second drive. Other Notes: Calc Hash and Keyword Search modes are not supported through the RAID I/O Adapter in the Source position. To verify the MD5 or SHA-256 Hash with a third-party method, RAID Source drives must be write protected, then re-attached to their RAID controller and examined with a software-based utility like Winhex. Connecting to different RAID controllers will produce uneven results. Also, connecting the Source drives without write protection will change the MD5 or SHA value of the Source drives. Destination drives can be scanned without the use of a RAID controller. 8. Using the GPStamp. Introduction: The GPStamp provides accurate location, time and date informat
74. not corrupt. It functions much like Microsoft Windows Scandisk or Chkdsk. Press the Select button to run Scandisk. After 30 seconds it will display a list of errors, if any. Browse Dest: If the Destination Drive is formatted with a FAT32 partition, Browse Dest will allow the user to navigate directories on the drive. It will also show the size of files on the drive. Use the Arrow keys and Select button to navigate the directories. Loading DD Image files into Encase: Once the DD Image files are captured to a Destination drive, they can be easily loaded into a Forensic Investigative tool like Encase™. NOTE: These instructions are for Encase by Guidance Software. Other Investigative software products may follow a similar procedure. Consult your software's manual for more information. 1. Attach the Talon to the PC via the USB Port (please refer to the procedure for Destination Drive Analysis on page 27). 2. Open Encase and start a new case. 3. Go to File > Add Raw Image. The Add Raw Image Window will come up. [Screenshot: Add Raw Image window] 4. Set Image Type to Disk and leave Bytes per Sector at 512. 5. Right-click in the Component Files box. Choose New Insert. 6. Browse to the location
75. not be identified. Do you wish to continue? Choose Yes to continue with the Capture or choose No to abort. If the capture is continued, then the error message will not show up on the final capture report. A chunk of the source drive is then copied to the destination drive at the speed previously set in the calibration procedure. Every byte of every sector copied is then compared on the source and destination drives. If the data on both drives match, then the software will exit the Integrity check and continue the capture process. If the data does not match, the transfer speed is lowered to the next available setting. The process is then repeated until the data is identical on each drive. NOTE: If a match does not occur, the unit will fail with an error. Erase WipeClean: This is used to erase all data on the target drives prior to a capture, to remove any previously written data on those drives. It is highly recommended that the destination drive be erased in the lab before attempting a capture. From an evidential point of view, it removes doubt whether old data was left over from a previous capture. Only the drive INSIDE the Forensic Talon unit can be erased. Erase Procedure. Power up and Initialization: The Power up and Initialization procedure for the erase process is identical to the Capture process, except if the source drive is not detected
76. of your DD Image files. They should be in the drive labeled Logicube_dd and located in a folder with the case name that you entered during the Talon capture process. Select all DD Image files this way: select the last file, then hold down the SHIFT key while clicking the first file. Click OK to add the files to the Add Raw Image box. You may need to click and drag the files up and down in order to put them in descending order, i.e. 001, 002, 003, etc. Click OK. Encase will then put the files back together into a complete image of the disk. Printing a report: At completion of a capture you might want to print a report. You must keep the Forensic Talon powered on in order for it to retain the report information from the last session. NOTE: Logicube Talon Forensic Kits include a Brother MW-120 portable thermal printer. Printing with the included Brother thermal Printer: Connect the Brother printer to the Forensic Talon using the special serial cable included with the kit. Power the printer using the printer power adapter. CAUTION: Don't confuse this power adapter with the Forensic Talon power adapter. Press the power button on the printer until it lights up. 3. Make sure that the printer is loaded with A7 size thermal paper. See the Brother User Manual for paper
77. onnecting a Source drive to the Logicube Talon through 9 data power cables. 4. Connect the Source drive to these cables. Note: The internal drive is always referred to as the Destination or Evidence drive, and the outside drive is always referred to as the Source or Suspect drive. 5. Connect the external power supply to the Logicube Talon and power up the unit. In 2-3 seconds the main Splash screen appears. [Figure 2: Connecting an IDE (parallel) Destination Drive. Labels: 5 IDE drive power cable; IDE or ATA drive, also called parallel drive; 5 IDE drive UDMA cable; Logicube Talon, open.] [Figure 3: Connecting an IDE (parallel) Source Drive. Labels: 9 IDE drive power cable; Parallel Port; Logicube Talon; 9 IDE drive UDMA cable; IDE or ATA drive, also called parallel drive.] The parallel port on the side of the Talon serves two main purposes. It downloads software updates via DOS, and it also allows connectivity of the Talon to peripheral devices like the Portable Forensic Lab (PFL) or GPStamp. Connecting a Serial ATA (SATA) Drive: 1. Open the Logicube Talon by pressing on the two latches at the base of the unit and lifting the top. You will notice three connections. One for a flat cable (the drive data cable) and another for a small drive pow
78. ords found. You can then print one or both Keyword Search reports. Print Search Detail: This report lists every keyword found and the sector where it resides. Print Search Text: This report lists every keyword and the surrounding line of text. NOTE: The DD Image Capture Report will not automatically list keywords. We suggest running the Search Detail report after the Capture Session to list any keywords found. NOTE: Please refer to Printing a Report on page 20 for more printing options. Keyword Search Settings. On Match: This setting determines the behavior of the unit if a Keyword is found. Three settings are available. Log (Default): This setting writes the Keyword and location to the Compact Flash Card. The file created is called Listfile.txt. Print: Automatically prints Keyword hits as they are found. Pause: The unit pauses with a message on the display. This setting is useful to determine if a drive has keywords in the first place. NOTE: As of this writing, Log is the only setting available. The other settings will be accessible in later versions of the software. Please contact Logicube for availability. Modify Lists: This menu contains settings that allow you to add, remove or edit lists from inside the Talon unit itself. It is also possible to add keywords
79. peClean Dest: This is used to erase all data on the destination drives prior to a Native Capture. This mode is described in Chapter 4, Other Modes. Calculate HASH: This is used to compute SHA-256 or MD5 values of the source or destination drive at extreme speeds and is useful for an after-the-fact verification of a drive. This mode is described in Chapter 4, Other Modes. USB Drive Mode: This mode needs to be engaged when attempting a USB capture through the integral USB port. This mode is described in Chapter 6, Using the USB Write PROtect Adapter. Keyword Search: Used to perform a binary keyword search on a given drive. This mode is described in Chapter 5, Keyword Search. DD capture 650 MB: This mode of Capturing creates a sub-directory per drive captured, with DD-style files of size 650 MB each. These files are directly accessible by popular Forensic analysis software tools such as Encase, FTK and ILook. The 650MB size is designed to allow archiving onto CD-Rs. DD capture 2 GB: Same as above, except each file is 2GB large. This size is compatible with archiving onto Jaz drives. DD capture 4 GB: Same as above, except each file is 4GB in size. This size is compatible with archiving onto DVD-Rs. Audit Trail: This mode is used to verify the authen
80. ppears. Scroll to Capture and press Select again. Scroll through the optional preferences (Verify, On Error and Speed) and modify them as needed, using the Select button to toggle between the different settings for each. NOTE: See the Optional Preference Settings section of this chapter for more information on these preference settings. Press the START/STOP button twice. The Talon will access the CF Drive, then the following message will appear: "KEYPAD ENTRY Enter Log file name Press Select when done". Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Select button when finished. If the Destination drive has not been erased with the Wipeclean Dest Mode, the unit will ask if you wish to erase the Destination drive. Press the Select button for Yes or the Back button for No. If Yes is chosen, the unit will completely wipe the destination drive before it begins to capture data. NOTE: The final capture report will state whether or not the Destination drive has been properly erased. The unit will Mirror Clone all of the data from the Suspect drive to the Destination drive. After the data has been captured, if the destination drive was not erased, the unit will ask if you wish to erase the remainder of the Destination drive. Press the Select button for Yes or the Back button for No. If Yes is chosen, the unit will completely wipe the rest of the de
81. r will attempt to recover as many bytes of data as possible from each bad sector that is encountered. NOTE: Data in any skipped sectors will NOT be copied to the destination drive. The corresponding sector of the Destination drive will instead be padded with zeroes. The padded sector will then be included in the Final SHA-256 or MD5 Value. NOTE: The absolute location of each skipped sector will also be listed on the final Capture Report. The first 200 bad sectors will be recorded, after which the unit will continue to skip bad sectors but it will not record their absolute locations. The final capture report will show the total number of sectors skipped. Table 1: Error settings (Option; Action; Time to complete). Abort; A bad sector aborts the cloning operation; Immediate. Skip (default); Skips the bad sector; Fast. Attempts several retries to recover data of sector, then skips; Slower. Attempts a full-blown recovery algorithm, then skips; Very slow. Note: When capturing a Source drive that is known to have many bad sectors, the speed should be set to PIO AUTO. Also, if the drive is captured or scanned multiple times, the SHA-256/MD5 Hash value of each session could differ. This is because some bad sectors will read intermittently. Capturing Data from HPA and DCO Configurations: Some PC manufacturers
82. rds and other functions. Indicator Lights: The POWER indicator light remains on while the Logicube Talon is receiving power. The STATUS indicator is lit during cloning operations and any operation that accesses the Source or Destination drive. It will flash as data is transferred from one drive to the other. The ERROR light will come on if a problem is encountered during cloning or any other operation. If this occurs, check the screen for an error message and instructions on what to do next. [Figure 6: Buttons and Interface. Labels: Up and Down Arrow buttons; Select button; Set button; Start/Stop button.] 3 Drive Capture Modes and Settings. Main Screen: The main menu screen appears when the Logicube is first powered up. It displays the Title Screen and two menu options, About and Drives. About Screen: Select the About Screen by pressing the Back button. It will display the serial number of your unit along with the software and firmware versions that are loaded. In addition, the About screen provides contact information for Logicube Technical Support. To return to the main menu, simply press the Back button at any time. Drive Info: Select the Drive Info screen by pressing the Select button. Another screen will come up asking you to select either the Source or Dest drive; use the soft buttons to make your choice. The unit will then access the drive selected an
83. ritten to the CF Drive. It includes, among other things, the SHA-256/MD5 Hash values of all captured DD files or the entire Source Drive. Refer to the Special Settings section below. If the Printer was set to Yes, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing. NOTE: Please refer to Printing a Report on page 20 for more printing options. The capture ends with a Capture Successful message. Special Settings for DD Image Capture Mode. Verify (Disk or File): For DD Image Capture Mode, the Verify Setting has some optional settings that are not available in any other mode. The settings available are: 256 File: This is the default setting for verification and uses special hardware to compute SHA-256 values for each individual DD Image file. 256 File V: This setting behaves like 256 File, except that it also reads back captured data and compares it to the Source drive. 256 Disk: This setting uses special hardware to compute the SHA-256 value for the entire Source drive. 256 Disk V: This setting behaves like 256 Disk, except that it also reads back captured data and compares it to the Source drive. MD5 File: This setting uses special hardware to compute MD5 values for each individual DD Image file. MD5 File
84. rive erase. SOURCE DRIVE. Physical Characteristics: Drive Model QUANTUM FIREBALL EX6 4A; Serial 276832824724; Cylinders, Heads, Sectors, Total Sectors, Drive Size: 13328 15 53 125584560 6 0 GB; Computed 256 Value CCDBT DODZSIMIHB ESAEEFI47T29DTEFASCS4A025HFCAZEAEEOIDERGBFFCFDIKCS31; Skipped Sectors 78. DESTINATION DRIVE.
85. s connected to the host PC via the supplied parallel cable. 1. Press and hold the START/STOP button on the Logicube Talon while inserting the power cord into the Logicube Talon to bring up the Setup menu. Scroll to the Load SW from P Port option in the menu. Press SELECT to UPDATE software and then follow the LCD on-screen prompts. The update will run for one to three minutes, after which the Logicube will restart. Press the ABOUT button to verify that the expected software version has been loaded. 12 Reference. Further Notes. Modes Available for the Forensic Talon. Capture (Native or DD image): This process captures all data from the source drive to the destination drive. See the Anatomy of a Drive Capture section below for more information. Drive Defect Scan: The Drive Defect Scan operation performs a surface scan of the drive media, using the drive controller to verify the media. This is done without transferring any data from the drive and results in extremely fast operation at the maximum media speed of the drive. This is typically faster than the maximum sustained transfer speed of the drive. The media is scanned in blocks of 256 sectors. If a block fails to verify, it is retried once at the block level. If it fails again, each of the 256 sectors is scanned individually. Each sector is scanned up to ten times. If a sector fails immediately it is
86. sh value for a given drive (Source or Destination). It can also scan individual files on the Destination Drive. When using this mode, hard drives attached to the Source position (outside) will hash at PIO AUTO speeds. Hard drives attached to the Destination position (inside) will hash at UDMA 4 speeds. Procedure: 1. From anywhere in the menu system, press the Set button to enter the Settings menu. Scroll to the top item called Mode and press the Select button. The Mode screen appears. Scroll to Calc HASH and press Select again. Set the Speed and Printer settings if necessary. Set the Method setting to SHA-256 or MD5. Set the Drive setting to scan the Source drive, Destination Drive or a single file. If a certain number of sectors need to be scanned, go to the Size setting. Press the SELECT button. You can then use the ARROW <SELECT> keys to choose the correct size of the drive. Press the <START/STOP> button to begin the scan. The Talon will access the CF Drive, then the following message will appear: "KEYPAD ENTRY Enter Log file name Press Select when done". 10. Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Select button when finished. NOTE: The operation will abort with an error if bad sectors are found on the drive. 11. When finished
87. stination drive. NOTE: The final capture report will state whether or not the Destination drive has been properly erased. 12. If the Printer was set to Yes, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing. NOTE: Please refer to Printing a Report on page 20 for more printing options. 13. A copy of the Final Capture Report is written to the CF Drive. It is titled <Log file name>.LOG. The report can be accessed and printed from Windows if the Talon unit is connected to a PC via USB. NOTE: Please refer to Connecting the CF Drive to Windows via USB on page 36. 14. The capture ends with a Capture Successful message. It also displays the SHA-256 or MD5 Hash value for the Source and Destination drives together. To Perform a DD image Capture: 1. From anywhere in the menu system, press the Set button to enter the Settings menu. Scroll to the top item called Mode and press the Select button. The Mode screen appears. Scroll to one of the DD imaging options and press Select again. One of three file sizes can be selected: 650MB, 2GB or 4GB. Scroll through the optional preferences (Verify, On Error and Speed) and modify them as needed, using the Select button to toggle between the different settings for eac
88. t Destination Drive 1 and 2 to the appropriate connectors on either side of the RAID Adapter. Note: A Destination drive can be connected to either position on the RAID I/O Adapter if only one Destination drive is to be used. 4. Connect the Source drive to the outside of the Talon if using the RAID I/O Adapter in a 1 to 2 configuration. 5. Connect the external power supply to the Logicube Talon and power up the unit. In 2-3 seconds the main Splash screen appears. Cloning with the RAID I/O Adapter in 1 to 2 Mode: Both Native Capture and DD Image Capture Modes work with one or two Destination drives. The procedure for cloning is exactly the same as cloning to a single Destination drive without the RAID I/O Adapter. Both drives will appear in the final capture report. Verification Modes, Drive Defect Scan Mode, WipeClean Destination Mode, Calc MD5/SHA-256 Mode and Keyword Search Mode can only work with one Destination drive attached to the RAID I/O Adapter. The drive can be in either position. If two destination drives are attached, the selected operation will be performed only to the drive attached to position 1. USB Mode is not compatible with the RAID Adapter at this time. This incompatibility also extends to USB cloning. Cloning with the RAID I/O Adapter in 2 to 1 Mode: Once the RAID 2 to 1 option is unlocked on the Talon, the RAID I/O Adapter can clone two RAID drives to a single Destination
89. t Logicube's technical support at techsupport@logicube.com for help. Remove the floppy drive with the PCMCIA card. Insert the Perform the cloning session. Reboot the laptop. C. Other laptops require USB floppy drive to boot. Improving Speed of Transfer: Several settings in the CMOS setup screens can potentially improve the speed of transfer. 1. PCI latency timer: Try to reduce the value of this number as much as possible. PCI write buffer: Set to enable to improve writing speed to the local drive. PCI zero wait states: Enable to decrease PCI cycle time. PCI delay transaction: Disable to decrease PCI cycle time. PCI dynamic bursting: Set to yes. Enable 32 bit access to hard drive: We test for that and, if available, we use it to improve transfer speed, so no action is required on behalf of the user. NOTE: Some of these settings may not be present on your machine. Also, some of these settings may cause other peripherals to not function properly, so use with caution and always change one setting at a time. Supported chip sets: Below is a partial list of supported chip set manufacturers: Ricoh, Texas Instruments, Sony, Databook, Vadem, Cirrus logic, Intel, Toshiba. 6 Using the USB Port. Introduction: The integral USB port on your Logicube Talon provides connectiv
90. tence of a DCO and if it was unlocked and captured. It also lists the maximum LBA size and speed setting of the DCO. The report looks something like this: SESSION SETTINGS: Operating Capture; Address Mode LBA; Verify MD5; Speed UDMA 4; Connection Direct. DCO ON SOURCE: Maximum LBA 78000000; Size 124999; Speed UDMA6. 100 MIRROR COPY COMPLETED. DCO WAS UNLOCKED & CAPTURED. Operator declined FULL and remainder Destination Drive erase. SOURCE DRIVE: Drive Model WDC WD400BD 75LRA0; Serial WD WMAMC4980088; Cylinders, Heads, Sectors, Total Sectors, Drive Size: 7
91. the erase process will continue instead of aborting. Erase process with a source drive present: The software first scans the source drive for a chunk of zero-filled sectors to use as a data source for erasing sectors on the destination drive. If a chunk larger than 16 sectors is found, then the software will continue to erase the destination drive by streaming the zero-filled chunk of sectors from the source drive to the entire destination drive. If the software fails to find an acceptable chunk of zero-filled sectors on the source drive, then the software will inform the user and ask to continue the erase process without a source drive. If the user declines, then the erase process will abort. Erase process without a source drive present: The software will write zero-filled sectors directly to the entire destination drive using programmed I/O. This is the slowest and least desirable mode of operation. Security Erase Process: The Talon accesses the Destination drive and determines whether or not it supports Security Erase Mode. If supported, the Talon will send Security AT commands to the Destination drive instead of copying a pattern of zeroes. This procedure runs at cloning speed and supports writing the Signature. During a Security Erase, the progress bar will show time elapsed as well as time remaining. NOTE: Security Erase mode can only be used in WipeClean Dest Mode. It is not supported in Native Capture mode
92. ticity of a report that is stored on the Compact Flash drive. Connect the drives as previously described. Make sure the target drive is equal to or larger in capacity to the suspect drive (source drive). Note: In order for a capture to work, most drives must be configured as a master drive. If you are going to capture a drive that is used as a slave, move the jumper to the master position. Before moving a jumper, note its position so you can return the suspect drive to its original state when the capture operation has been completed. Note: There are several drives that do not follow the requirement stated above. Those drives are: Western Digital: Most Western Digital drives require that the jumpers be removed for a capture to work. The exception to this requirement is for the Western Digital Xpert series hard drives (an older manufactured version), where the jumper is set to the master position. Quantum: The jumper must be placed in the DS position. The DS position is adjacent to the IDE plug (see figure 4). [Figure 4: DS Position.] To perform a Native Capture: 1. Make sure that the Source and Destination drives are attached to the unit and power is applied. From anywhere in the menu system, press the Set button to enter the Settings menu. Scroll to the top item called Mode and press the Select button. The Mode screen a
93. tion drive to the inside of the Talon. You cannot use more than one RAID Adapter on the Talon at a time. Connect the external power supply to the Logicube Talon and power up the unit. In 2-3 seconds the main Splash screen appears. Cloning with the RAID I/O Adapter in 2 to 1 Mode: Drive Info will give information on each Source drive as well as the type of RAID Controller used (i.e. Adaptec, LSI, etc.) and the type of RAID configuration (RAID 0, RAID 1, JBOD). If the configuration is RAID 0, then Drive Info will also show the stripe size (i.e. 128KB). This information will also appear on the final capture report, as seen below. [Figure 10: Final Capture Report with RAID 2 to 1. Report fields shown: RAID Manufacturer AMCC 3 Ware; RAID Type RAID_1; Maximum Virtual Sectors 78163312; Reserve Sectors s 0 1; Computed MD5 Value 4701E466 99E1C230 16D8ADC1 DF5DCDA8; Drive Model WDC WD400BD 22JMAO; Serial WD WMAM92665729; Cylinders, Heads, Sectors, Total Sectors, Drive Size: 77545 16 63 78165360 37 3. Second Source Drive: Drive Model WDC WD400BD 22JMA0; Serial WD WMAMC2644889; Cylinders, Heads, Sectors, Total Sectors, Drive Size: 77545 16 63 78165360 37 3.] Both Native Capture a
94. to the printer. Make sure that the shiny side of the paper faces down. The printer will engage and advance the paper slightly. NOTE: The Pentax printer cannot use plain paper. It uses thermal paper only. On the Forensic Talon, press the Set button to go to the Settings menu. Scroll down to the Printer option and press the <Select> button. Scroll to the Select reports item and press the Select button. Scroll to the Print Last Session item and press the Select button. A prompt will come up asking the user which printer is connected to the unit. Choose PENTAX. NOTE: Once a printer is chosen, the user will not be prompted again until the unit is rebooted. Follow the instructions on the screen. A report should now print. NOTE: If you cannot determine the shiny side of the thermal paper from sight, drag your fingernail along both sides of the paper. It will leave a groove on the shiny side. Every operation performed with the Talon also writes a copy of the report to the CF Drive. This report can be easily accessed in Windows and printed from a text editor like Notepad. Printing with a Standard (non-thermal) Printer: The Talon is capable of printing to any ASCII printer. To do so: 1. Connect the printer to the Forensic Talon using a parallel cable that is compatible with the printer. Power the printer using the printer power adapter. CAUTIO
95. u system, press the Set button to enter the Settings menu. 11. Scroll to the Enable Option menu item and press the Select button. 12. Enter the RAID 2 to 1 activation code you received from Logicube. 13. If all symbols have been entered correctly, the Logicube Talon will reboot to the main menu. 14. To verify that the option has been activated, select About (press the Back button) from the main menu. You will now see RAID 2 to 1 listed as an installed option. NOTE: Once the license key is entered, an optional software package is permanently enabled. The key will not need to be entered again unless the Firmware or the BIOS are changed on the Logicube Talon itself. NOTE: Loading new software updates will not disable any unlocked options. Logicube Talon Software Updating Procedures: New and improved software will appear from time to time on our web site at www.logicube.com. It is possible to update the operating software in the field by a user. Two common ways are available: 1. Using the Compact Flash card. 2. Using a parallel port connection. NOTE: Logicube provides a CD-ROM that contains a backup copy of the Logicube Talon software. This software is already loaded on your unit. Loading Software Using the Compact Flash: The new software, a single file always called forensic.h86, has to be placed on the root directory of the Compact
96. ve. The only addition is the Drive setting. This setting allows the Keyword Search to run from the Source or Destination drive. NOTE: If the Source drive is chosen for a Keyword Search, then the speed will drop to PIO AUTO. 10 Compact Flash. Introduction: The Logicube comes with a 64 Compact Flash (CF) Drive that is inserted in a CF slot at the bottom of the unit. This little drive is used mostly for loading software on the Logicube Talon, storing Keyword Search lists and storing session reports. NOTE: Please check our website periodically at www.logicube.com; any new CF functions will be posted there. To load new software from the CF Drive, please refer to the procedure Loading Software Using the Compact Flash, which is found in Chapter 11, Software loading Instructions. Inserting and Removing the Compact Flash: Please refer to Figure 10 below. 1. At the bottom of the Logicube Talon is a Compact Flash (CF) slot. Make sure that it is clear. 2. Hold the CF Drive so that the Logicube label faces up. 3. Slide the CF Drive into the CF slot. As it slides into place, the eject button will slide out. 4. To remove the CF Drive, simply press in the eject button. The drive will slide out. [Figure 15: Compact Flash (CF) Port Detail.] Connecting the Drive to Windo
97. ve at the end of the session. DD Image 650M V: The Master drive is broken up into 650 M byte files and a MD5 hash is computed on every file. The destination drive is then read back, an MD5 hash is computed on it and compared with the Master hash. This requires the drive to be formatted with a FAT32 file system partition. A log file is generated and saved in the destination drive at the end of the session. DD Image 2G: The Master drive is broken up into 2 G byte files and a MD5 hash is computed on every file. This requires the drive to be formatted with a FAT32 file system partition. There is a log generated and saved in the destination drive at the end of the session. DD Image 2G V: The Master drive is broken up into 2 G byte files and a MD5 hash is computed on every file. The destination drive is then read back, an MD5 hash is computed on it and compared with the Master hash. This requires the drive to be formatted with a FAT32 file system partition. A log file is generated and saved in the destination drive at the end of the session. DD Image 4G: The Master drive is broken up into 4 G byte files and a MD5 hash is computed on every file. This requires the drive to be formatted with a FAT32 file system partition. There is a log generated and saved in the destination drive at the end of the session. DD Image 4G V: The Master drive is broken up into 4 G byte files
98. will automatically be mounted and drive letters assigned to all recognizable partitions. 12. If running 98/98SE, you will be prompted to install drivers. At the "have disk" prompt, please point the PC at the drivers CD-ROM provided and the installation should complete smoothly. The CF Drive is now visible on Windows as an external drive. You can copy software update files or anything else to or from the drive. Connecting Through the Software Setup Menu: If the software on your Logicube Talon is corrupt or missing, USB connectivity is still available for the CF drive through the Software Setup Menu. This menu resides in the unit's Firmware and is not affected by the software. 1. Make sure your PC is running in Windows 98 or above. 2. Connect the USB cable provided to a PC USB slot on one end. Do not attach the other end to the Talon yet. 3. Boot the Logicube Talon while holding down the START/STOP button. The unit will boot to the Software Setup Menu. 4. Scroll down to Engage CF to USB. Press the SELECT button. 5. A prompt will appear saying that it is safe to attach the USB Cable. 6. Attach the USB cable to the Logicube Talon. You should now see some activity on your PC screen, which depends on the operating system. 7. If running ME/2000/XP, your drive will automatically be mounted and a drive letter will be assigned to it
99. with a source drive present; Erase process without a source drive; Security Erase; Write a unique signature to the destination; Verify Erasure; Capture Source Drive Data To Destination Drive; Check for Erasure of Unused Portion of Destination Drive; Print Final Capture Report; Information; Example of Hardcopy; 13 FREQUENTLY ASKED QUESTIONS AND; 14. 1 Introduction to the Forensic Talon. Introduction: Thank you for purchasing the Logicube Forensic Talon Kit. With proper use, this kit will provide you with accurate HDD capturing for years to come. The Logicube Forensic Talon is a drive-to-drive duplication device. Typically, a suspect hard drive and a destination drive will be connected to the unit. Within minutes of starting the process, the contents of the suspect drive are accurately copied over to the destination drive for further ex
100. ws: This is necessary to load new software files to the CF Drive. There are two methods to connect the Compact Flash (CF) Drive to Windows through the USB Port. One is via USB Mode and the other is through the Software Setup Menu. NOTE: Unlike the Destination drive, the CF drive is NOT Write Protected when it is accessed through USB. This is so new files like software updates, new keywords, etc. can be written to the CF Drive. Connecting Through USB Mode: 1. Make sure your PC is running in Windows 98 or above. 2. Connect the USB cable provided to the USB port on the Talon and to a PC USB slot on the other end. Set the Forensic Talon to USB mode. Press the SET button on the unit. Scroll up to the MODE entry. Press SELECT. Scroll down to the USB DRIVE MODE entry. Press SELECT again. 7. At the first prompt, press the Select button to choose <>. 8. A second prompt will come up asking if the unit is connected to a Forensic Dock. Choose YES if it is connected to a Portable Forensic Lab, otherwise choose NO. NOTE: Please refer to the Logicube Portable Forensic Lab User Manual if one is in use. 9. The Forensic Talon will now power up the CF drive. 10. You should now see some activity on your PC screen, which depends on the operating system. 11. If running ME/2000/XP, your drive