
Forensic Falcon™ User's Manual


Contents

1. 6.0.11.2.2 Forgotten password or config lock key; 6.0.13 Software Update; 6.0.14 Power Off; 7 Viewing EXT4 Formatted Destination Drives in Windows; 7.0 Introduction; 7.0.1 Step-by-step instructions: Using Ext2Fsd; 8 Drive Encryption and Decryption; 8.0 Introduction; 8.1 Encrypting a Destination; 8.1.1 Step-by-step instructions; 8.1.2 Using previously encrypted Destination drives; 8.2 Decrypting a Falcon Encrypted Destination Drive with a Falcon; 8.2.1 Step-by-step instructions
2. Connections made here will be added to the list of Favorite Targets, and an attempt to restore them will be made every time this computer restarts. [Screenshot: Quick Connect dialog listing three discovered targets (export sas s1, export sas s2, export usb s1), with the progress report "There are multiple Targets discovered. Please select a single Target for Login using Quick Connect."] If only one drive is connected to the Falcon, the iSCSI initiator will automatically connect the drive and step 3 is not necessary. 3. The selected drive status will change to Connected. Repeat step 2 for all other drives to be viewed. Click Done when finished. [Screenshot: discovered targets list with Name and Status columns] 4. Windows will attempt to mount the drive. If it contains a file system recognized by Windows, it will automatically assign a drive letter for each recognized partition and the contents can be viewed in Windows. This process may take several minutes depending on several factors, including drive size, computer specifications, and network speeds. [Screenshot: AutoPlay dialog for Local Disk (E:)]
3. 1. Turn the Falcon on. Make sure the previously encrypted Destination drive is not connected. 2. From the main menu, select System Settings from the types of operations on the left side. 3. Tap the Encryption Settings tab. 4. Set the Cipher Mode, Cipher, IV Generation, and Password. These should be set to the same values that were used when the drive was encrypted. If the values are incorrect, the drive will not be decrypted properly and the data will be unrecognizable. 5. Connect the previously encrypted Destination drive to one of the Destination ports. 6. Select USB Device from the types of operation on the left side. When this type of operation is selected, the SELECT DRIVES FOR USB EXPORT screen will appear. 7. Choose the drive to be viewed, then tap the ENGAGE icon. The DRIVE STATUS for the selected drive will change to ENGAGED and the ENGAGE icon will change to DISENGAGE. At this point, connect a USB cable between the computer and the Falcon. 8. Connect a USB cable (A to B USB cable; one was included with the Falcon) between the computer and the Falcon. Connect the USB B connector to the Falcon's USB Device Port located on the back panel of the Falcon. Connect the USB A connector to an available USB port on the computer. When using this type of operation use the USB Device por
4. 7. The Falcon can now be configured or managed via the command line interface. 10.4 Zero Configuration Networking (Zeroconf). The Falcon has the capabilities for Zero Configuration Networking (Zeroconf). Zeroconf allows devices to automatically create a usable computer network based on the Internet Protocol Suite (TCP/IP). For example, when the Falcon is connected via a network cable directly to a Windows-based computer that is DHCP enabled, both the Falcon and the Windows-based computer will automatically configure themselves to be seen by each other using TCP/IP. 10.5 Configuring the Falcon with a static IP address. The Falcon is DHCP enabled by default. Some networks do not support DHCP and require a static IP address. The Falcon can be configured with a static IP address and needs to be connected to a network with DHCP first. 10.5.1 Step-by-step instructions: Static IP address. 1. Connect the Falcon to a network with DHCP. 2. Turn the Falcon on. The Falcon should automatically assign itself an IP address that the Windows computer can see. Go to the Statistics screen on the Falcon and take a look at the HostName and IPAddress. 3. Using Telnet or SSH, connect to the Falcon. Instructions on how to connect via Telnet or SSH can be found in Section 10.3.1 or 10.3.2. 4. Once logged in to the Falcon via CLI, follow these steps to set the IP address to a static IP: a. From the main prompt, type command then press t
5. 8.3.3 Decrypting using FreeOTFE. Requirements: FreeOTFE properly installed; a drive encrypted by the Falcon using the CBC or ECB cipher mode, connected to the computer with FreeOTFE. Open FreeOTFE. In the main window, click File, then Linux volume, then Mount partition. [Screenshot: FreeOTFE File menu with Linux volume > Mount partition selected] 2. Select the encrypted disk to mount (in this example, it is Disk 5). Place a check mark on the Entire disk option. FreeOTFE cannot read the partition table on the drive since it is encrypted at this time. [Screenshot: Select Partition dialog with the Entire disk option checked] In the Key tab, enter the Key (password) and make sure the Hash is set to RIPEMD-160. [Screenshot: FreeOTFE Linux Key Entry dialog, Key tab]
6. 6. The Destination drive should now be accessible in Windows. [Screenshot: Windows Explorer showing the REPOSITORY (E:) drive and its DDCapture folder, which contains the image segment files DDCapture.001 through DDCapture.007] If the Destination drive was formatted with the EXT4 file system and Ext2Fsd is not installed, the following messages may appear in Windows. Make sure Ext2Fsd is installed if the Destination drive was formatted with the EXT4 file system. Microsoft Windows: "You need to format the disk in drive E: before you can use it. Do you want to format it?" Location is not available: "E:\ is not accessible. The volume does not contain a recognized file system. Please make sure that all required file system drivers are loaded and that the volume is not corrupted."
7. Tap File Filter to input the filter. Input the file extension filter desired, for example jpg. Multiple files can be specified by using a comma and no spaces, for example jpg,zip,mov,mp3. 5.0.4 Destination/Image File. Tap the Destination or Image File icon to select the Destination drive or Image File. Falcon will list all the drives connected to the Destination position(s) and any repository configured as a Destination. When Drive to Drive mode is selected, the Destination screen will show all drives connected to the Destination positions. [Screenshot: SELECT DESTINATIONS screen with DRIVE PORT, DRIVE INFORMATION and DRIVE STATUS columns, listing drives on SAS_D1, SAS_D2 and USB_D1 as AVAILABLE] When Drive to File or File to File mode is selected, the Destination screen will show all drives connected to the Destination positions and any repository added with the Destination role (Destination or Both Source and Destination). [Screenshot: SELECT REPOSITORY screen with REPOSITORY, LOCATION OF FILES, FREE SPACE and FORMAT columns, listing partitions on SAS_D1, SAS_D2 and USB_D1 and a network share] For DD, E01, Ex01, and File to File mode, the Falcon us
8. s SCSI module. For information on how to connect other types of drives directly to the Falcon (and not through the SCSI module), please see Section 2.2, Connecting Various Drive Types. 13.3.1 Connecting SCSI Source and Destination Drives. SCSI Source drives must be connected to the left side of the SCSI module. SCSI Destination drives must be connected to the right side of the SCSI module. Two cables are required to connect one standard 68-pin SCSI drive: a 68-pin data cable and a drive power cable (CBL EXT PWR 04). Simply connect the two cables to the SCSI module and connect the other side of the cables to the SCSI drive. [Figure: SCSI Source (left side of SCSI module) and SCSI Destination (right side of SCSI module), each with a 6-pin SCSI power port and a 68-pin SCSI data port] OPTIONAL ADAPTERS: 50-pin and 80-pin adapters are available. Please contact Logicube Sales to purchase these adapters. For 50-pin drives, connect the 50-pin adapter between the 68-pin data cable and the drive. To power 50-pin drives, connect the drive power cable directly to the drive. For 80-pin drives, connect the 80-pin adapter between the 68-pin data cable and the 80-pin drive. To power 80-pin drives, connect the drive power cable to the 80-pin adapter. The 80-pin drive has a Single Connector Attachment (SCA) which provides the transmission of both data and po
9. [Screenshot: Windows Computer view listing the hard disk drives, including REPOSITORY] 8 Drive Encryption and Decryption. 8.0 Introduction. The Forensic Falcon allows imaging drives onto a Destination or Repository where the data on the Destination drive is encrypted. There are two different modes where Encryption is supported: Drive to File and File to File. Drive to File: Images the Source to any of the following image output formats: DD, E01, and EX01. This will have a partition-level encryption where only the partition on the Destination or Repository where the images are created will be encrypted. File to File: Image specific files by filename, extension, etc. The files will be sorted by path based on where the file is located on the Source, and each file will be hashed. This will have a partition-level encryption where only the partition on the Destination or Repository where the images are created will be encrypted. Falcon can also decrypt drives that were encrypted using the Falcon. Alternatively, third-party utilities can be used to decrypt a drive encrypted by the Falcon (TrueCrypt and FreeOTFE). In the System Settings screen, there is an Encryption Settings tab used to configure the Falcon for encryption. There are four (4) parameters that must be configured before encryption can be used. These pa
10. PLEASE READ THE TERMS OF THIS AGREEMENT CAREFULLY. BY INSTALLING OR USING LOGICUBE PRODUCTS, YOU AGREE TO BE BOUND BY THIS AGREEMENT. IN NO EVENT WILL LOGICUBE BE LIABLE, WHETHER UNDER THIS AGREEMENT, RESULTING FROM THE PERFORMANCE OR USE OF LOGICUBE PRODUCTS, OR OTHERWISE, FOR ANY AMOUNTS REPRESENTING LOSS OF PROFITS, LOSS OR INACCURACY OF DATA, LOSS OR DELAYS OF BUSINESS, LOSS OF TIME, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, OR TECHNOLOGY, PROPERTY DAMAGE, OR INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF A PURCHASER OR USER OF LOGICUBE PRODUCTS OR ANY THIRD PARTY. LOGICUBE'S AGGREGATE LIABILITY IN CONTRACT, TORT, OR OTHERWISE, WHETHER UNDER THIS AGREEMENT, RESULTING FROM THE PERFORMANCE OR USE OF LOGICUBE PRODUCTS, OR OTHERWISE, TO A PURCHASER OR USER OF LOGICUBE PRODUCTS SHALL BE LIMITED TO THE AMOUNT PAID BY THE PURCHASER FOR THE LOGICUBE PRODUCT. THIS LIMITATION OF LIABILITY WILL BE EFFECTIVE EVEN IF LOGICUBE HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGES. LOGICUBE MAKES EVERY EFFORT TO ENSURE PROPER OPERATION OF ITS PRODUCTS. HOWEVER, THE PURCHASER IS RESPONSIBLE FOR VERIFYING THAT THE OUTPUT OF A LOGICUBE PRODUCT MEETS THE PURCHASER'S REQUIREMENTS. THE PURCHASER FURTHER ACKNOWLEDGES THAT IMPROPER OPERATION OF LOGICUBE PRODUCTS CAN CAUSE LOSS OF DATA, DEFECTIVE FORMATTING, OR DEFECTIVE DATA LOADING. LOGICUBE WILL MAKE EFFORTS TO SOLVE OR REPAIR ANY PROBLEMS IDENTIFIED BY PUR
11. 3 Quick Start. 3.0 Quick Start Guide. This chapter gives a basic overview and steps on how to perform different types of operations using the Falcon (Image, Hash, Wipe, etc.). Complete details on each operation, menu or selection, and the different screens can be found in Chapter 5: Imaging and Chapter 6: Types of Operation. The Falcon can perform up to five (5) tasks per mode of operation, specifically Image, Hash, and/or Wipe. 3.1 Imaging. This type of operation allows the imaging of a Source drive to one or more Destinations. There are three (3) different imaging modes and several settings to choose from. These selections should be performed in order from left to right. Drive to Drive: Performs a bit-for-bit copy of the Source, producing an exact duplicate of the Source drive. This is also known as a native copy or mirror copy. Drive to File: Images the Source to any of the following image output file formats: DD, E01, or EX01. Compression is available for E01 and EX01 formats. E01 and EX01 files created on the Destination may be smaller than the selected Segment Size if compression is used. For example, if a 4GB segment size is selected, some files may be less than 4GB. This occurs when there is a lot of blank space on the Source drive. File to File: Image specific files by filename, extension, etc. The files will be sorted by path based on where the file is located on the Source. If a
12. allowing information to be entered. After entering the information, tap the OK icon to go back to the previous screen. CASE/FILE NAME: The Falcon will convert any non-POSIX portable characters used in the Case/File Name field to underscores (_) when creating the log or file names. POSIX portable characters are: Uppercase A to Z; Lowercase a to z; Numbers 0 to 9; Period (.); Underscore (_); Hyphen/Dash (-). 6.0.4 Push. The network Push feature gives users the ability to push evidence files from destination drives connected to the Falcon, or from a Falcon repository, to a network location or a Destination drive connected to the Falcon. The Push feature provides a more secure method than simply copying and pasting to the analysis computer by performing an MD5 or SHA hash during the push process. Users can also select to verify the file transfer to ensure data integrity. The Falcon will create a log file for each push process. There are three selections when performing a push: Source, Settings, and Destination. To push files to a network location, a network repository must be set up. Details on how to add a repository can be found in Section 6.0.10.1. 6.0.4.1 Source. Tap this icon to select the drive or repository where the files are t
13. 0.12.2.1 Server. Tap the Server icon to set the IP address or server name and port of the proxy server. 6.0.12.2.2 Username/Password. If the proxy server requires a username and password for authentication, tap the Username/Password icon to set this information. 6.0.13 Software Update. New and improved software will be released from time to time. There are two ways to update the software on the Falcon: from the web via a network connection, or from a USB drive. [Screenshot: SOFTWARE UPDATES screen showing "Your Falcon Software Version: 2.4" and the options to check for new software releases FROM NETWORK or FROM USB DRIVE] For the latest step-by-step instructions on how to update the Falcon software, please read the Falcon Software readme file located on the following site: http www logicube com knowledge forensic falcon. In-depth information on updating the Falcon software can be found in Chapter 9: Updating the Falcon Software. 6.0.14 Power Off. There are two tabs in the Power Off screen. POWER OFF: The Falcon can be remotely turned off by going to this tab. Additionally, the Graphical User Interface (GUI) can be refreshed. DRIVE POWER: Inactive drives connected to the Falcon can be set to go to standby mode in this tab. The default is set to 0 minutes (OFF).
14. 1953525168; LogicalSectors: 1953525168; LogicalSectorsSize: 512; Cylinders: 56065; Heads: 255; Sectors: 63. SAMPLE DESTINATION DRIVE AFTER DRIVE TRIM: Bay: SAS_D1; Role: Target; Model: WDC_WD10EZEX 08M2NA0; SerialNumber: WD WCC3F0914869; Size: 120034123776; PhysicalSectors: 234441648; LogicalSectors: 234441648; LogicalSectorsSize: 512; Cylinders: 14593; Heads: 259; Sectors: 63. Drive Trim is only available in Drive to Drive mode and by default is set to NO. Drive Trim only works with ATA drives and will not work with USB external drives or drives connected via USB, SAS, or SCSI drives. Restoring a trimmed drive: To restore a trimmed drive to its original capacity, perform a custom wipe (single pass) and set the WIPE DCO and WIPE HPA settings to YES. RESTORING A TRIMMED DRIVE: Select the drive to restore. [Screenshot: SELECT DESTINATIONS screen with the WDC_WD10EZEX 08M2NA0 drive on SAS_D1, 120.0 GB, SELECTED] IN THE WIPE SETTINGS: Set Secure Erase to OFF. Set Wipe Patterns to: Mode: Custom; HPA/DCO: YES (TRUE); LBAS: Edit to 1 LBA; PASSES: Edit the number of passes to any value for 1 pass. [Screenshot: WIPE SETTINGS screen with Secure Erase, Wipe Patterns (MODE, HPA/DCO, LBAS, PASSES) and Format] To set the LBA to 1, go to LBAS, then tap the edit icon and enter the value 1. Start the wipe task. The task should finis
15. 11.2 Viewing Source drives over the network using iSCSI. An iSCSI initiator must be configured to view the contents of Source drives over a network. Although there are many iSCSI initiators available, these next sections will discuss configuring Microsoft's iSCSI initiator in Windows. 11.2.1 Configuring the iSCSI initiator (Windows 7, 8, and 8.1). 1. Open the iSCSI initiator. In the Target tab, enter the Falcon's host name or IP address in the Target field. Click the Quick Connect button to continue. [Screenshot: iSCSI Initiator Properties, Targets tab: "To discover and log on to a target using a basic connection, type the IP address or DNS name of the target and then click Quick Connect."] 2. The Quick Connect window will appear and any drives connected to the Source ports of the Falcon will appear on the list of discovered targets. Highlight the drive to view, then click Connect. [Screenshot: Quick Connect dialog: "Targets that are available for connection at the IP address or DNS name that you provided are listed below. If multiple targets are available, you need to connect to each target individually."]
16. In the Encryption tab, set the Cipher to AES (256 bit CBC). Set the Initialization Vector (IV) generation method to match what was used in the IV Generation on the Falcon. In this example, plain64 was used. In the Sector zero location, choose Start of adaa Aeka aata. [Screenshot: FreeOTFE Linux Key Entry dialog, Encryption tab, with Cypher set to AES (256 bit CBC), IV Generation set to the 64 bit sector ID option, and the Sector zero location choices "Start of host file" and "Start of encrypted data"] 5. In the File options tab, set the Offset to 1048576. Since the Falcon uses the EXT4 file system, the offset is at 2048 sectors or 1048576 bytes. [Screenshot: FreeOTFE Linux Key Entry dialog, File options tab, with Offset set to 1048576 bytes and Sizelimit set to 0 (0 indicates no sizelimit)] OPTIONAL: In the Mount options tab, the disk can also be mounted with write protection. To do so, make sure the Mount readonly option is checked. Windows may not mount the drive if this option is checked. If this is the case, use a write-protect device and uncheck the Mount readonly option. Fre
17. 6.0.12.1 Services. There are 7 services that can be disabled (enabled by default). SSH: Disabling this will block Secure Shell (SSH) traffic. Telnet: Disabling this will block Telnet traffic. HTTP: Disabling this will block web browser connections to the Falcon. CIFS/NETBIOS: Disabling this will block any CIFS or NETBIOS connection to the Falcon (for example, Windows Explorer). iSCSI: Disabling this will block iSCSI connections. Iperf: Disabling this will block Iperf traffic (a network tool to measure bandwidth performance). Ping: Disabling this will block ping access to the Falcon. Disabling any of the services above will disallow the types of communication controlled by those services. For example, if HTTP is disabled, users will not be able to see the Falcon through a web browser over the network. Please contact your Network or Systems Administrator before changing any of these services. 6.0.12.2 HTTP Proxy. If the network the Falcon is connected to uses an HTTP proxy server to access the Internet, proxy settings may need to be set in order for the Falcon to be able to update software from a network over the internet. This typically includes a server or IP address, a host port, a username, and password.
18. [Screenshot: SELECT SOURCE screen with DRIVE PORT, DRIVE INFORMATION and DRIVE STATUS columns, listing drives on SAS_S1, SAS_S2 and USB_S1 as AVAILABLE] When File to File mode is selected, the Source window will show all drives connected to the Source positions and any repository added with the Source role (Source or Both Source and Destination). [Screenshot: SELECT SOURCE screen listing the same drives plus a NETWORKSHARE repository] The More Info icon displays more information on the drive. The drive details window will appear showing information about the drive. 5.0.3 Settings. Tap the Settings icon to change the image settings. Depending on what Mode was selected (Drive to Drive, Drive to File, or File to File), different screens will appear. COMMON SETTINGS: The following settings are found on all three modes: Case Info; HPA/DCO; Error Handling/Error Granularity; Hash/Verification Method. SHA-256 verification is only available when using Drive to Drive mode. 5.0.3.1 Case Info (Common Setting). Case Info allows users to enter information about the case. This is optional and is not
19. Security Erase Unit command. For SATA drives that support Enhanced Security Erase Unit commands, the enhanced command will be sent. For questions on how each drive supports these features or what the drive will do with these commands, please contact the drive manufacturer. If errors appear when performing Secure Erase, contact the drive manufacturer to check if the drive supports Secure Erase. For Secure Erase specifications (what happens when the drive receives the Secure Erase command), contact the drive manufacturer. 6.0.3.2.2 Wipe Patterns. This setting allows the user to set a specific wipe pattern or patterns to use for wiping the drive. The number of passes is customizable (up to 7 passes) along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set with pre-selected pass values. There are 4 selections when setting a wipe pattern: MODE; HPA/DCO; LBAS; PASSES. It is recommended to use the same capacity drive per task. When smaller capacity drives are wiped together with larger capacity drives, the smaller drives will finish first. However, the drive bays will not be available until the entire task is finished. MODE: Selecting this will open the Wipe Mode screen showing 3 options. NONE: Choosing this will instruct the Fal
20. [Figure: package contents, including SAS/SATA cables, USB cables and adapters, a USB 3.0 device cable and a FireWire cable] 1.3 Options. The following options are available for the Forensic Falcon: SCSI Module (provides 1 write-protected source port and 1 destination port; built-in support for 68-pin SCSI drives); 50-pin SCSI adapter for use with SCSI Module; 80-pin SCSI adapter for use with SCSI Module; eSATA cable; mSATA adapter; Flash Media Reader for compact flash cards, SD cards and other flash media; USB 3.0 to SATA Adapter; USB 3.0 4-port Hub. 1.4 Specifications. Power Requirements: 12 VDC, 12 Amp. Power Consumption: <140W with drives. Operating Temperature: 0 to 40 °C (32 to 104 °F). Relative Humidity: 20 to 80%. Net Weight: 2.4 lbs (1.09 kg); 9 lbs (4.3 kg) with case & shipping box. Dimensions: 8.5" W x 3" H x 6.25" D (21.6 cm x 7.6 cm x 15.9 cm). Agency Approvals: RoHS compliant, FCC Part 15 Class A, CE. WARNINGS: Never connect a suspect drive to the Destination ports of the Forensic Falcon, as data may be overwritten. Incorrectly connecting the suspect drive to the system can result in data on the suspect drive being lost forever. Avoid dropping the Logicube Forensic Falcon or subjecting it to sharp jolts. When in use, place it on a flat surface. Keep the unit dry. If the Forensic Fa
21. and operations available on the Falcon will be available on the browser. On some browsers or Operating Systems, the Falcon will need to be accessed by browsing to http Falcon XXXXXX local. The Falcon can be controlled by clicking on the icons appearing on the browser window. 10.2 Command Line Interface (CLI). The Falcon also has a CLI, or Command Line Interface. This interface has no graphical content, is all command-line text based, and is for advanced users who have knowledge of command line functions. This type of connection requires a Telnet or SSH client. There are several Telnet and SSH clients available from different software companies. Microsoft Windows also has a built-in Telnet client that can be used. Windows XP has a built-in Telnet client. Windows Vista, 7, 8, and 8.1 have a built-in Telnet client, but it is not installed by default. Installing the Telnet client may require the assistance of a Network or Systems Administrator. Other third-party Telnet programs are available. All versions of Windows do not have a built-in SSH client. The instructions in this manual only refer to the clients that come with Windows. There are many third-party Telnet or SSH clients available. For instructions and support for third-party clients, please contact the software manufacturer. 10.3 Installing the Telnet client in Windows Vista, 7, 8, or 8.1. By
22. between the computer and the Falcon. [Screenshot: SELECT DRIVES FOR USB EXPORT screen with DRIVE BAY, DRIVE INFORMATION and DRIVE STATUS columns, showing three 3 TB drives, one ENGAGED and two AVAILABLE] Connect a USB cable (A Male to B Male USB cable; one was included with the Falcon) between the computer and the Falcon. Connect the USB B connector to the Falcon's USB Device Port located on the back panel of the Falcon. Connect the USB A connector to an available USB port on the computer. After a few moments, Windows should assign a drive letter to the selected drive. The contents of the drive should now be accessible in Windows. When finished, tap the DISENGAGE icon to disengage the USB mode. The USB cable can now be disconnected from the computer and the Falcon. Only one drive can be engaged at a time. 6.0.7 File Browser. The contents of all connected Source or Destination drives on the Falcon can be viewed using the Falcon's file browser. The Falcon will show the partitions and the contents of each partition. Note that only some files can be opened by the Falcon. For Destination drives, only drives formatted by the Falcon can be previewed. Contents of Destination drives that were used in a Drive to Drive image will not be seen. Drives connected to the Source ports (SAS_S1, SAS_S2, USB_S1, and FW_S
23. If Windows does not recognize the file system on the drive (EXT, HFS, etc.), it will not be mounted and no drive letter will be assigned. If the drive is greater than 2TB, Windows may not properly recognize the drive or its contents. For more information, please see Microsoft KB Article ID 2581408, "Windows support for hard disks that are larger than 2 TB". This can also be searched with the keyword KB2581408. 11.2.2 Configuring the iSCSI initiator (Windows XP). 1. Open the iSCSI initiator. In the Discovery tab, click the Add button. [Screenshot: iSCSI Initiator Properties, Discovery tab, Target Portals list] 2. The Add Target Portal window will appear. Enter the Falcon's hostname or IP address. Leave the port set to 3260, then click OK. [Screenshot: Add Target Portal dialog with the Falcon's host name entered and Port set to 3260] 3. The Falcon will be added to the Target Portals list. Click the Targets tab to select which drive to view. [Screenshot: iSCSI Initiator Properties]
24. downloaded, the computer needs to have software that can open a Word document. 6.0.7.2 Important notes about using the File Browser. When using the Falcon's File Browser, there are several things to take note of: Drives connected to the Source positions are write-protected. When using the Falcon on-screen GUI, opening a file will not alter the forensic integrity of the Source drive connected to the Falcon. When using the web interface, opening a file or saving a file to a computer will not alter the forensic integrity of the Source drive connected to the Falcon. The Falcon file browser is not able to open every file to preview. When a file cannot be opened directly on the Falcon, the file can be saved on a computer by connecting to the Falcon's web interface (see Section 6.0.7.1 for more information on viewing files from the web interface). 6.0.8 Logs. The Falcon keeps logs of all imaging, hash, wipe, format, and push operations. Logs can be viewed directly on the Falcon or from a computer's browser if the Falcon is connected to a network. When using Drive to File mode (DD, E01, or EX01), log files are also stored in the Destination drive in the same folder as the image files. The log files in the Destination drive are available in PDF, HTML, and XML formats. In addition to viewing, the logs can be exported to an external USB location such as a USB flash drive. Logs are exported in PDF, HTML, and XML forma
25. Contents (continued)

12.3 Flash Memory Reader
12.4 USB 3.0 to SATA Adapter
12.5 USB 3.0 Hub
13 SCSI Module
13.0 Introduction
13.1 Instructions: how to attach the SCSI module
13.2 Turning the Falcon with SCSI module on and off
13.3 Connecting drives
13.3.1 Connecting SCSI Source and Destination Drives
14 Forensic USB Boot Client
15 Frequently Asked Questions
Technical Support Information
Software Attribution

1 Introduction

1.0 Introduction to the Logicube Falcon

Welcome to the Logicube Forensic Falcon. Falcon sets a new standard in digital forensic imaging. Without exception, the fastest and most technologically advanced forensic imaging solution available. Feature-packed, power-rich performance in a space-saving footprint that provides expanda
26. Types of Operations

1. IMAGING: Performs an image from a Source to a Destination. There are three modes available:
   a. Drive to Drive: Performs a bit-for-bit copy of the Source, producing an exact duplicate of the Source drive.
   b. Drive to File: Images the Source to any of the following image output formats: DD, E01, EX01, or File. Compression is available for E01 and EX01 formats.
   c. File to File: Image specific files by filename, extension, etc. The files will be sorted by path based on where the file is located on the Source, and each file will be hashed.
   Details on the different screens found in the Imaging operation can be found in Chapter 5, Imaging.
2. HASH: Perform a SHA1, SHA-256, or MD5 hash of a drive. This can also verify the hash of the drive by entering an expected value for the hash.
3. WIPE: This type of operation is used to erase (wipe) and/or format drives. There are three main settings:
   • Secure Erase: Sends a command to the drive instructing it to perform a secure erase based on the drive manufacturer's specifications.
   • Wipe Patterns: Allows the user to set a specific pattern to use for wiping the drive. The number of passes is customizable (up to 7 passes), along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set.
   • Format: Formats th
27. network repository location, please see Section 6.0.10 of this manual.

3.2 Hash

A hash operation can be performed on any drive connected to the Falcon. Performing a hash task will instruct the Falcon to calculate the hash for the specified drive or validate the hash value for that drive.

Each hash task is Logical Block Address (LBA) based and will hash drives based on the number of LBAs. If multiple drives are selected to be hashed, the Falcon will hash up to the LBA value of the smallest-capacity drive. If drives with different capacities need to be hashed, it is recommended to start one task per drive.

3.2.1 Step-by-step instructions: Hash

1. Select Hash from the types of operation on the left side.
2. Tap the Drives icon and select the drive(s) to be hashed, then tap the OK icon.
3. Tap the Settings icon to select the hash method or algorithm. Choose from SHA-1, SHA-256, or MD5. SHA-1 or SHA-256 are the recommended algorithms.
4. Leave the expected value at zeros to hash the drive. If the drive needs to be verified against a known expected hash, change the expected value by tapping the edit icon. Tap the OK icon to continue.
5. Change any of the optional settings (LBA settings or percentage of the drive to be hashed) if needed.
6. Optional: Tap Case Info to set the Case File Name, Case ID, Exa
28. partition. See Section 11.2 for details on how to view Source drives over the network using iSCSI.

5 Imaging

5.0 Imaging

This type of operation allows the imaging of a Source drive to a Destination. There are three different imaging modes and several settings to choose from. These selections should be performed in order from left to right. There are four selections when performing an image:
• Mode
• Source
• Settings
• Destination

5.0.1 Mode

Tap this icon to choose between the following three imaging modes:
• Drive to Drive: Performs a bit-for-bit copy of the Source, producing an exact duplicate of the Source drive.
• Drive to File: Images the Source to any of the following image output file formats: DD, E01, or EX01. Compression is available for E01 and EX01 modes.
• File to File: Image specific files by filename, extension, etc. The files will be sorted by path based on where the file is located on the Source. If a hash method is selected, each file will be hashed.

5.0.2 Source

Tap this icon to select the Source drive to be imaged. Falcon will list all the drives connected to the Source position(s). When Drive to Drive or Drive to File mode is selected, the Source window will show all drives connected to the Source positions
29. required to start an imaging operation. Information entered here will appear in the logs. In addition, some forensic analysis software can import the information when the image files are opened.

Tap any of the boxes and an on-screen keyboard will appear, allowing information to be entered. After entering the information, tap the OK icon to go back to the previous screen.

CASE FILE NAME: Log names and file names can be customized by entering a Case File Name. For example, if a DD or E01 image is performed and the Case File Name is set to TestCase, the log name and file name will be called TestCase. Subsequent Case File Names that are the same will be identified with a dash, then the next image number, for example TestCase-1, TestCase-2, etc.

The Falcon will convert any non-POSIX portable characters used in Case File Name field to underscores (_) when creating the log or file names. POSIX portable characters are:
• Uppercase A to Z
• Lowercase a to z
• Numbers 0 to 9
• Period (.)
• Underscore (_)
• Hyphen/Dash (-)

5.0.3.2 HPA/DCO Common Setting and Drive Trim

Some computer manufacturers will use a utility that creates an HPA or DCO configuration on a hard drive. These configurations are designed to change drive characteristics such a
30. 6.0.3.2 Settings

Tap this icon to choose a drive to set the wipe settings. The Wipe Settings screen will appear. There are three sections in the Settings screen:
• Secure Erase
• Wipe Patterns
• Format

The Falcon will perform each of the settings sequentially. For example, if Secure Erase is set to ON, a Wipe Pattern mode is specified, and Format is set to On, the Falcon will first secure erase the drive, then wipe the drive according to the mode specified, then format the drive.

6.0.3.2.1 Secure Erase

Choose ON to Secure Erase the selected Destination drive(s). Most drives support this function.

Secure Erase will send a command to the drive instructing it to reset itself to the specifications the drive manufacturer has set. For information on what happens when the Secure Erase command is sent, please contact the drive manufacturer. If the secure erase process fails, contact the drive manufacturer to find out if Secure Erase is supported on that specific drive.

For SAS (Serial Attached SCSI) drives, Secure Erase sends a Format command. For SATA (Serial ATA) drives, Secure Erase sends a
31. select to verify the file transfer to ensure data integrity. The Falcon will generate a log file for each push process.

3.4.1 Step-by-step instructions: Push

To push files to a network location, a network repository must be set up. Details on how to add a repository can be found in Section 6.0.10.1. Follow these steps to set up a Push operation:

1. Select Push from the types of operation on the left side.
2. Tap the Source icon and select the drive that contains the files to be pushed, then tap the OK icon. The Source selection will only show drives connected to the Destination ports or locations set up as a repository.
3. A Select Cases screen will appear showing each case name located on the selected source. Select one or more cases by tapping each case name. When finished, tap the OK icon.
4. Tap the Settings icon to select the hash method or algorithm. Choose from NONE, SHA-1, or MD5, and choose whether to verify the data or not (YES or NO). Tap the OK icon to continue.
5. Optional: Tap Case Info to set the Case File Name, Case ID, Examiner, Evidence ID, or Case Notes.
6. Verify the settings, then tap the OK icon to continue.
7. Tap the Destination icon and select the destination or repository to push the images to. Tap the OK icon to continue.
8. Tap the Start icon to start the push task.
9. When finished the stat
32. software installed. In addition, the Statistics screen has an Advanced Drive Statistics tab that shows raw S.M.A.R.T. data on any drive connected to the Falcon.

10. MANAGE REPOSITORIES: Allows the user to add a network location as a repository that can be used as a Destination for imaging or pushing images, or a Source when using the File to File mode.
11. SYSTEM SETTINGS: This mode allows changes to the system settings on the Falcon, which include the following:
   • User profiles/configurations: Allows the user to create, save, apply, or delete user profiles/configurations.
   • Passwords: Allows the user to set a password to lock the Falcon from any configuration changes.
   • Encryption Settings: Sets the cipher mode (TC XTS, CBC, or ECB), Cipher IV Generation, and the encryption password.
   • Language/Time Zone: Sets the language on the Falcon's menu and changes the system's Time Zone.
   • Display: Sets the Falcon's display screen brightness and enables/disables Stealth Mode.
12. NETWORK SETTINGS: Allows certain services to be enabled or disabled. Also allows the user to set proxy settings if required by their network.
13. SOFTWARE UPDATES: Perform software updates on the Falcon. Software can be updated over an internet connection (from network) or from a USB flash drive.
14. POWER OFF: Allows the user to turn the Falcon unit off by using
33. storage device has a RAID configuration, it will require that it be configured as a single drive. Any source drive connected to Falcon can be imaged directly to the external storage device.
34. the expected value set.

Each hash task is Logical Block Address (LBA) based and will hash drives based on the number of LBAs. If multiple drives are selected to be hashed, the Falcon will hash up to the LBA value of the smallest-capacity drive. If drives with different capacities need to be hashed, it is recommended to start one task per drive.

HASH VALUES

Hash Method: Select one of the following hash methods:
• SHA-1: Select this to hash or verify the Target drives using the SHA-1 algorithm.
• SHA-256: Select this to hash or verify the Target drives using the SHA-256 algorithm.
• MD5: Select this to verify the Target drives using the MD5 algorithm.

The recommended method is SHA-1 or SHA-256.

Expected Value: By default, this value will have 0s (zeros). If this is not changed or no value is entered, this will instruct the Falcon to hash the drive using the selected algorithm in the previous step. If a value is entered, the Falcon will hash the selected drive and verify hash with the value entered/edited.

To set the expected value, tap the edit icon. The on-screen keyboard will appear and the expected hash value can be set.
35. the Graphical User Interface (GUI). Also allows a drive timeout to be set, powering down drives when not in use.

6.0.1 Imaging

This type of operation allows the imaging of a Source to a Destination. There are three different imaging modes and several settings to choose from. These selections should be performed in order from left to right. In-depth details on the different screens found in the Imaging operation can be found in Chapter 5, Imaging.

6.0.2 Hash

This type of operation allows the hashing of any connected drive using one of the following algorithms:
• SHA-1
• SHA-256
• MD5

There are three selections when performing a hash: Drives, Settings, and Case Info.

6.0.2.1 Drives

Tap this icon to choose a drive to hash. Falcon will show all connected Source and Destination drives. Tap the drive to be hashed, then tap OK.

6.0.2.2 Settings

Tap this icon to choose a drive to adjust the hash settings. The Hash Settings screen will appear.

HASH VALUES: Tap this icon to set the hash method (SHA-1, SHA-256, or MD5) and to set the expected hash value (if desired). Setting the expected hash value instructs the Falcon to hash the drive, then verify the hash with
36. the drive may take up to two minutes. Tap the OK icon to continue. For in-depth information regarding drive encryption, please see Chapter 8, Drive Encryption and Decryption.
6. Tap the Start icon to start the imaging task.
7. A progress bar will appear at the bottom of the screen showing the bytes processed, the rate/speed, elapsed time, and time remaining.
8. When finished, the status will show COMPLETED. At this point, it is recommended to tap Reset Task to reset the task and also to delete the task, in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.

The number of bytes shown on the progress bar is not the actual size of the drive. This is the actual data being processed. When Verify is set to Yes, the reported number will double in size.

For parallel imaging, prior to starting the first task, users must set all other tasks that need to be run in parallel. When all other tasks to be run in parallel are set, a confirmation screen will appear stating there are multiple tasks set up with the same Source drive.

3.1.1.1 Drive Spanning

Falcon can automatically span to two or more Destination drives when using Drive to File mode (DD, E01, EX01). When the task is started and there may not be enough space on the Destination drive, the following prompt will appear, warning that there might not be sufficient space on the Destination
37. uses a TrueCrypt-friendly format and does not use TrueCrypt to encrypt the drive. The encryption key is not stored on the Destination drive.
7. Optional: Tap Case Info to set the Case File Name, Case ID, Examiner, Evidence ID, or Case Notes.

The Falcon will convert any non-POSIX portable characters used in Case File Name field to underscores (_) when creating the log or file names. POSIX portable characters are:
• Uppercase A to Z
• Lowercase a to z
• Numbers 0 to 9
• Period (.)
• Underscore (_)
• Hyphen/Dash (-)

8. Tap the Start icon to start the wipe task. The Falcon will perform a Secure Erase first (if selected), then a Wipe Pattern (if selected), then finally a Format (if selected).
9. When finished, the status will show COMPLETED. At this point, it is recommended to tap Reset Task to reset the task and also to delete the task, in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.

3.4 Push

The network Push operation gives users the ability to push Falcon-created evidence files from destination drives connected to the Falcon, or from a Falcon repository, to a network location or another connected destination drive. The Push feature provides a more secure method than simply copying files through a computer by performing an SHA-1 or MD5 hash during the push process. Additionally, users can
38. will be encrypted.
• File to File: Image specific files by filename, extension, etc. The files will be sorted by path based on where the file is located on the Source, and each file will be hashed. This will have a partition-level encryption, where only the partition on the Destination or Repository where the images are created will be encrypted.

There are many articles on the Internet about AES-256 encryption and the different modes and settings that come with encryption.

6.0.11.4 Language/Time Zone

The Falcon's menu system's language can be changed. At this time, the available languages are English, Chinese, Korean, and Japanese. This screen also allows the time zone to be set.

6.0.11.4.1 Language

Four languages are available at this time. Select English, Chinese, Korean, or Japanese to change the language displayed. As soon as the selection is made, the Falcon's screen (or the computer's Internet browser) will automatically refresh and display the selected language. The Custom button is reserved for future language releases.

6.0.11.4.2 Time Zone

The Falcon utilizes NTP (Network Time Protocol). Each time the Falcon is connected to a network with internet access, it will automatically check for the correct time using NTP and adj
39. wiped or formatted using the Falcon?
A: Logicube recommends using the Falcon to wipe or format Destination drives. The Falcon logs all wipe and format operations.

Q: Can the Falcon image Linux partitions?
A: Yes. Falcon can image Linux partitions.

Q: Can the Falcon image a Hierarchical File System (HFS)?
A: Yes. Falcon can image HFS.

Q: How does the Falcon handle bad sectors found on the Source drive?
A: Falcon will retry the bad sector 7 times. After the 7th attempt, if the sector still cannot be read, it will skip that sector and list the sector in the log file.

Q: What operating system does Falcon use?
A: Falcon uses a Linux-based operating system. A Linux-based operating system provides increased stability and security over Windows-based systems.

Q: What file format does Falcon use when formatting destination drives?
A: Falcon can format destination drives using the NT File System (NTFS) or EXT4 file system.

Q: Does imaging performance slow down when multiple drives are imaged at the same time?
A: Performance is limited by the slowest drive in the configuration; however, there should not be any significant speed penalty when imaging multiple drives.

Q: How many separate tasks can you have running concurrently?
A: You can have up to five separate tasks running concurrently.

Q: Can schedule or automate tasks F
40. www.logicube.com/knowledge/forensic-falcon

1. Download the zip file from the download page.
2. Extract the contents of the downloaded zip file to the root of the USB flash drive (the file must not be in any folder). Do not connect the USB flash drive yet. The Falcon will display a message when to connect the USB drive.

If the computer being used to extract the contents of the downloaded zip file has the software WinZip or other third-party zip software, please review Section 9.1.2.1 before proceeding.

3. From the main screen, tap the Software Updates icon.
4. Select From USB Drive. The Falcon will prompt for the USB drive to be connected to USB_S1.
5. Connect the USB drive to USB_S1. Falcon will then check for the version of the software on the USB drive and will display that version on the box next to the selected location.
6. Tap the Update icon to begin the update. A confirmation screen will appear. Tap Yes to continue the update. Do not interrupt the update process. It may take several minutes. Once completed, a Successful screen will appear.
7. Reboot the Falcon by turning the unit off, then back on, using the Power switch in the back of the unit.
8. Verify the software version at the top of the Software Updates screen.

9.1.2.1 Extracting the software download on a comput
41. 0 specifications. This adapter and other USB 3.0 enclosures may experience communication disruption between devices. If the adapter is not detected properly, we have found that using a USB 3.0 hub may stabilize and regulate the communication between the Adapter or USB 3.0 enclosure and the Falcon, allowing the device to be detected properly. For information on the USB 3.0 hub, please see Section 12.5.

12.5 USB 3.0 Hub

USB 3.0 is a new technology, and some USB 3.0 controller manufacturers may have variations in device designs that have inconsistent adherence to the USB 3.0 specification. This may result in non-detection of the USB 3.0 device on certain equipment, including desktops, laptops, or the Falcon. If a USB 3.0 device cannot be detected on the Falcon USB ports, we have found that using a USB 3.0 hub may stabilize and regulate the communication between the USB 3.0 device and the Falcon, allowing the device to be detected properly. We have identified and qualified a USB 3.0 hub, which is available as an option.

13 SCSI Module

13.0 Introduction

The optional Falcon SCSI Module expands the capability of the Falcon by providing support for imaging from and to SCSI hard drives. The SCSI module can connect to 68-pin SCSI drives natively. Optional adapters are available for use with 80-pin and 50-pin SCSI dri
42. 1

Drives connected to the Source ports are always write-protected. Using the File Browser function will not alter the drive or its contents in any way.

Drives connected to the Destination ports (SAS_D1, SAS_D2, USB_D1, and USB_D2): Drives connected to the Destination ports are not write-protected. The File Browser function only opens a file and does not modify the contents of the file. The only change to the contents of the destination drive will be the file's accessed date and time.

In the File Browser screen, select the drive to view. Select the partition to view.

Legend:
A. Home: Tap the Home icon to bring you to the top level of the drive.
B. Up One Level: Tap this icon to go up one level (one folder/directory).
C. Path: Displays the current path to the folder/directory being viewed.

Falcon can open and preview certain files. Some of the files it can preview are jpg, txt, g
43. Technical Support Information

For further assistance, please contact Logicube Technical Support at 001-818-700-8488, 7am-5pm PST, M-F (excluding US legal holidays), or by email to techsupport@logicube.com.

Software Attribution

• Ubuntu 12.04 LTS: http://www.ubuntu.com
• Linux Kernel 3.2.48 (GPL v2): http://www.kernel.org (modified)
• libcli 1.9.5 (LGPL v2.1): https://github.com/dparrish/libcli (modified)
• monitorix 3.2.1 (GPL v2): http://www.monitorix.org (modified)
44. 3. Carefully align the Falcon over the SCSI module. With the left side slightly lower (about a 15-degree angle), connect the left side latch of the SCSI module to the left side of the Falcon and align the left side mating connector to the open expansion slot on the Falcon. Next, slowly lower the right side and connect the right side latch to the Falcon.
4. While holding the Falcon with SCSI module together, carefully turn the entire unit (Falcon and SCSI module) upside down. Insert the two 2 5 screws on each front and back side and tighten the screws so the Falcon unit and SCSI module are securely connected.

13.2 Turning the Falcon with SCSI module on and off

The Falcon and SCSI module each come with a 12V 12.5A output DC power supply that connects to each device. Attach one of the included power supplies to the left side of the SCSI module. The power supply has a notch to guide the connection. The notch should be guided to face the top side of the power port.

Attach the other included power supply to the Falcon's power
45. BSOLETE OR IS NO LONGER SUPPORTED BY LOGICUBE, THE PRODUCT MAY BE REPLACED WITH AN EQUIVALENT OR SUCCESSOR PRODUCT AT LOGICUBE'S DISCRETION.

THIS WARRANTY EXTENDS ONLY TO THE END PURCHASER OF LOGICUBE PRODUCTS. THIS WARRANTY DOES NOT APPLY TO, AND IS NOT FOR THE BENEFIT OF, RESELLERS OR DISTRIBUTORS OF LOGICUBE PRODUCTS. UNLESS OTHERWISE AGREED IN WRITING BY LOGICUBE, NO WARRANTY IS PROVIDED TO RESELLERS OR DISTRIBUTORS OF LOGICUBE PRODUCTS.

IN ORDER TO RECEIVE WARRANTY SERVICES, CONTACT LOGICUBE'S TECHNICAL SUPPORT DEPARTMENT VIA PHONE OR E-MAIL. PRODUCTS RETURNED TO LOGICUBE FOR REPAIR UNDER WARRANTY MUST REFERENCE A LOGICUBE RETURN MATERIAL AUTHORIZATION NUMBER (RMA). ANY PRODUCT RECEIVED BY LOGICUBE WITHOUT AN RMA WILL BE REFUSED AND RETURNED TO PURCHASER. THE PURCHASER MUST CONTACT LOGICUBE'S TECHNICAL SUPPORT DEPARTMENT VIA E-MAIL (SUPPORT@LOGICUBE.COM) OR VIA PHONE AT 1-818-700-8488 OPT 3 TO OBTAIN A VALID RMA. THE PURCHASER MAY BE REQUIRED TO PERFORM CERTAIN DIAGNOSTIC TESTS ON A PRODUCT PRIOR TO LOGICUBE ISSUING AN RMA. THE PURCHASER MUST PROVIDE THE PRODUCT MODEL, SERIAL NUMBER, PURCHASER NAME AND ADDRESS, EMAIL ADDRESS, AND A DESCRIPTION OF THE PROBLEM WITH AS MUCH DETAIL AS POSSIBLE. AT LOGICUBE'S SOLE AND ABSOLUTE DISCRETION, REASONABLE TELEPHONE AND EMAIL SUPPORT MAY ALSO BE AVAILABLE FOR THE LIFE OF THE PRODUCT AS DEFINED BY LOGICUBE.

EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED IN THIS AGREEMENT, LOGICUBE PRODUCTS ARE PROVID
46. CHASER, EITHER UNDER THE WARRANTY SET FORTH BELOW OR ON A TIME AND MATERIALS BASIS.

LIMITED WARRANTY

FOR ONE YEAR FROM THE DATE OF SALE (THE WARRANTY PERIOD), LOGICUBE WARRANTS THAT THE PRODUCT (EXCLUDING CABLES, ADAPTERS, AND OTHER CONSUMABLE ITEMS) IS FREE FROM MANUFACTURING DEFECTS IN MATERIAL AND WORKMANSHIP. THIS LIMITED WARRANTY COVERS DEFECTS ENCOUNTERED IN THE NORMAL USE OF THE PRODUCT DURING THE WARRANTY PERIOD AND DOES NOT APPLY TO: PRODUCTS DAMAGED DUE TO PHYSICAL ABUSE, MISHANDLING, ACCIDENT, NEGLIGENCE, OR FAILURE TO FOLLOW ALL OPERATING INSTRUCTIONS CONTAINED IN THE OPERATING MANUAL; PRODUCTS WHICH ARE MODIFIED; PRODUCTS WHICH ARE USED IN ANY MANNER OTHER THAN THE MANNER FOR WHICH THEY WERE INTENDED, AS SET FORTH IN THE OPERATING MANUAL; PRODUCTS WHICH ARE DAMAGED OR DEFECTS CAUSED BY THE USE OF UNAUTHORIZED PARTS OR BY UNAUTHORIZED SERVICE; PRODUCTS DAMAGED DUE TO UNSUITABLE OPERATING OR PHYSICAL CONDITIONS DIFFERING FROM THOSE RECOMMENDED IN THE OPERATING MANUAL OR PRODUCT SPECIFICATIONS PROVIDED BY LOGICUBE; ANY PRODUCT WHICH HAS HAD ANY OF ITS SERIAL NUMBERS ALTERED OR REMOVED; OR ANY PRODUCT DAMAGED DUE TO IMPROPER PACKAGING OF THE WARRANTY RETURN TO LOGICUBE.

AT LOGICUBE'S OPTION, ANY PRODUCT PROVEN TO BE DEFECTIVE WITHIN THE WARRANTY PERIOD WILL EITHER BE REPAIRED OR REPLACED USING NEW OR REFURBISHED COMPONENTS AT NO COST. THIS WARRANTY IS THE SOLE AND EXCLUSIVE REMEDY FOR DEFECTIVE PRODUCTS. IF A PRODUCT HAS BECOME O
47. 3. A window may appear asking you to enter password to connect to the Falcon. Enter the following information:
   a. User name: it
   b. Password: it
4. A folder called bays will be shown in Windows Explorer.
5. Go into the bays folder and select the connected Destination drive. For example, sas_d2.
6. The contents of the drive will be shown.
48. Contents (continued)

3.1.1 Step-by-step instructions: Imaging
3.1.1.1 Drive Spanning
3.1.2 Imaging to or from a Network
3.2.1 Step-by-step instructions: Hash
3.3 Wipe/Format
3.3.1 Step-by-step instructions: Wipe/Format
3.4.1 Step-by-step instructions: Push
3.5.1 Step-by-step instructions: Task Macros
3.6 USB Device: Viewing drive contents in Windows
3.6.1 Step-by-step instructions: USB Device
3.7.1 Step-by-step instructions: File Browser
3.8.1 Step-by-step instructions: Viewing or exporting logs
49. ED AS IS AND AS AVAILABLE, AND LOGICUBE DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION.

RoHS Certificate of Compliance
LOGICUBE PRODUCTS COMPLY WITH THE EUROPEAN UNION RESTRICTION OF THE USE OF CERTAIN HAZARDOUS SUBSTANCES IN ELECTRONIC EQUIPMENT, ROHS DIRECTIVE (2002/95/EC). THE ROHS DIRECTIVE PROHIBITS THE SALE OF CERTAIN ELECTRONIC EQUIPMENT CONTAINING SOME HAZARDOUS SUBSTANCES SUCH AS MERCURY, LEAD, CADMIUM, HEXAVALENT CHROMIUM AND CERTAIN FLAME RETARDANTS IN THE EUROPEAN UNION. THIS DIRECTIVE APPLIES TO ELECTRONIC PRODUCTS PLACED ON THE EU MARKET AFTER JULY 1, 2006.

Logicube Technical Support Contact Information
1. By website: www.logicube.com
2. By email: techsupport@logicube.com
3. By telephone: 1 (818) 700-8488 ext. 3, between the hours of 7am - 5pm PST, Monday through Friday, excluding U.S. legal holidays.
50. EXT4 file system and Ext2Fsd is not installed, the following messages may appear in Windows. Make sure Ext2Fsd is installed if the Destination drive was formatted with the EXT4 file system.
   "You need to format the disk in drive E: before you can use it. Do you want to format it?"
   "Location is not available. E:\ is not accessible. The volume does not contain a recognized file system. Please make sure that all required file system drivers are loaded and that the volume is not corrupted."

9 Updating the Falcon Software

9.0 Loading New Software
New and improved software will be released from time to time and will always be available on the Falcon support page at http://www.logicube.com/knowledge/forensic-falcon

9.1 Software Loading Instructions
There are two methods of how to update the Falcon software:
A. FROM NETWORK: Via the Internet through a network connection.
B. FROM USB DRIVE: Via software file download onto a USB drive (flash).
The actual software installation will take about 5 minutes. If FROM NETWORK was chosen, the total time can exceed 10 to 20 minutes or longer, depending on Internet speeds and Internet traffic.
Falcon's support page at http://www.logicube.com/knowledge/forensic-falcon
Note: The most up to date instructions o
51. Enter the log file deletion password. Tap the OK icon to delete the single log file or all the log files, depending on which was selected. The password can be set in the Systems Settings. More information about the log file deletion password can be found in Section 6.0.11.2.

3.8.3 Accessing the logs over a network
The log files can also be accessed through a network on a computer if the Falcon is connected on the same network.
1. Open Windows Explorer (or a similar window) and browse to the hostname or the IP address found in the Statistics screen. See Section 6.0.9 for more information on the Statistics screen.
2. A Windows security screen will appear, prompting to enter a User name and Password to connect to the Falcon. Login with the following credentials:
   • Username: it
   • Password: it
3. Once connected, an auditlog folder will appear. Open the auditlog folder.
4. The aud
52. OMPLETED. At this point it is recommended to tap Reset Task to reset the task and also to delete the task, in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.
The number of bytes shown on the progress bar is not the actual size of the drive. This is the actual data being processed. When Verify is set to Yes, the reported number will double in size.
For parallel imaging, prior to starting the first task, users must set all other tasks that need to be run in parallel. When all other tasks to be run in parallel are set, a confirmation screen will appear stating there are multiple tasks set up with the same Source drive.
Falcon can automatically span to two or more Destination drives when using Drive to File mode (DD, E01, EX01). When the Destination drive is full and the remaining data to be imaged will not fit, Falcon will prompt for another drive. Information on Drive Spanning can be found in Section 3.1.1.1.

6 Types of Operations

6.0 Types of Operations
There are thirteen (14) types of operation available on the Falcon. The left side of the screen shows the different operation types that can be set. Detailed information on all of the different operations and their screens can be found in this section.
53. 4.5 iSCSI
Another way to access Source drives from a computer, through a direct network cable connection or through a network, is through the iSCSI protocol. This method allows both physical and logical access to the drives, but may require additional software installed and configured on the computer. To use the iSCSI protocol, an iSCSI initiator must be installed and configured to view the contents of drives connected to the Falcon over a network.
Like using SMB, some advantages of using this method are:
• The contents of the drive are searchable using the Operating System's search functions.
• Third party analysis tools and software can be used with the logical
54. 6.0.11.3 Encryption Settings
The Falcon allows imaging drives onto a Destination where the data on the Destination drive is encrypted. Destination drives that are encrypted by the Falcon can be decrypted by using the Falcon or third party software (TrueCrypt or FreeOTFE). For in-depth information on encrypting and decrypting a drive using the Falcon, or decrypting a drive using TrueCrypt or FreeOTFE, please see Chapter 8: Drive Encryption and Decryption.
There are 4 parameters that must be configured before encryption can be used. These 4 parameters are necessary to decrypt and read the Destination drive properly:
• Cipher Mode: Users can choose between TC-XTS, CBC (cbc-plain64), or ECB (cbc-essiv:sha256) cipher modes.
• Cipher: At this time, only the AES-256 cipher is supported.
• IV Generation: Unavailable when TC-XTS cipher mode is selected. If CBC or ECB cipher mode is selected, users can choose between PLAIN64 and ESSIV SHA256.
• Encryption Password or Key: Users must choose their own encryption password/key.
There are 2 imaging modes in which encryption can be used:
• Drive to File: Images the Source to any of the following image output formats: DD, E01, and EX01. This will have a partition level encryption, where only the partition on the Destination or Repository where the images are created
55. SATA mini SATA drives can be connected using the adapter shown above. This mSATA adapter has a standard SATA connector that can connect to the Falcon using the standard SATA cables included.

12.2 eSATA Drives
[Figure labels: F CABLE ESATA; 6 PIN POWER PLUG]
eSATA drives can be connected using Logicube's eSATA cable. Connect the SATA end of the eSATA cable to the Falcon and connect the eSATA end of the cable to the eSATA drive. Power to the eSATA drive should come with the drive (typically some type of external AC adapter or power cable).

12.3 Flash Memory Reader
Flash memory cards can be connected using the adapter shown above.
Note: Third party multi-card readers are not supported and may not work with the Falcon.
The multi-card reader supports the following formats:
• CF (CompactFlash)
• SD / SDXC / MMC
• Micro SD
• Memory Stick (MS)
• Memory Stick Duo M2
• X Card
Note: Attach only one flash memory card to the multi-card reader at a time.

12.4 USB 3.0 to SATA Adapter
[Figure labels: USB TO SATA ADAPTER; F ADP USB2SATAU]
Logicube has qualified a USB 3.0 to SATA Adapter for use with the Falcon. This adapter provides the capability to connect SATA drives to the USB 3.0 ports on the Falcon and uses a USB 3.0 to SATA converter. USB 3.0 is a new technology, and USB 3.0 controller manufacturers may have variations in device designs that have inconsistent adherence to USB 3
56. 4. Double-click the drive. Alternatively, the drive can be highlighted, then from the menu system go to Tools, then Ext2 Volume Management. The following screen will appear. Make sure that there is a check mark next to Automatically mount via Ext2Mgr. Also make sure there is a drive letter assigned to the right of this option. If not, assign an available drive letter. Click the Apply button.
Note: Do not uncheck the Mount volume in readonly mode option unless it is absolutely certain that the mounted drive needs to be over-written or erased, whether partially or fully.
5. The following confirmation screen will appear ("Ext2 volume settings updated successfully"). Click OK to continue.
6. Close the Ext2fsd Volume Manager program. Windows should now see the drive and assign it a drive letter with the volume name REPOSITORY
57. alcon login screen should appear.
Note: On some Operating Systems, the Falcon will need to be accessed by opening Falcon-XXXXXX.local.
Login with the username "it" (without the quotes) and the password "it" (without the quotes). The following prompt should appear in the Telnet window. The Falcon can now be configured or managed via the command line interface.

10.3.2 Connecting via SSH
Connecting to the Falcon via SSH (Secure Shell) is very similar to connecting via Telnet. Since Windows does not have a built-in SSH client, a third-party SSH client will need to be downloaded and installed to connect via SSH. For instructions and support on how to use third-party SSH clients, please contact the SSH client's manufacturer.
1. Connect the Falcon to the network by attaching a network cable (CAT 6 type) to the RJ45 connector in the back of the Falcon.
2. Turn the Falcon on and allow it to boot up completely.
3. Open the SSH client and select an SSH connection.
4. Connect to the Falcon either by IP address or by name. The name of the Falcon will be Falcon-XXXXXX, where XXXXXX is the serial number of the Falcon. On some Operating Systems, the Falcon will need to be accessed by opening Falcon-XXXXXX.local.
Login with the username "it" (without the quotes) and the password "it" (without the quotes). The following prompt should appear in the SSH window.
58. alcon features the ability to create up to 5 separate Tasks Macros. Each macro allows you to set up to 9 operations to be performed sequentially. For example, if your routine procedure is to wipe a drive before you begin imaging, then image a drive using e01 mode (S1 to D1), then hash S1, you can add these operations to a Macro, and from the Falcon GUI select the Macro, and the Falcon will perform the specified tasks/operations in the sequence you have defined. The user can save the Macro to use in future imaging sessions. Administrators can set up Macros to provide an easier method for novice users or first responders to image suspect drives in the field.

Can I encrypt my evidence drives using the Falcon? How do I decrypt drives encrypted with Falcon?
The Falcon provides AES-256 whole drive encryption. Users can choose between three different cipher modes and can set their own password/key for the encrypted drive. Users can decrypt a drive that was encrypted with Falcon by using the Falcon to decrypt, or by using TrueCrypt or FreeOTFE.

Can the Falcon image to or from a network destination?
Yes. The Falcon includes a gigabit network connection. Users can designate a network share as a source or destination repository using CIFS (Common Internet File System) or iSCSI (Internet Small Computer System Interface) protocols.

What is Parallel Imaging?
Parallel Imaging allows you to image from the same source drive to multiple destinations using di
59. ation on see Chapter 9: Updating the Falcon Software.

3.14 Power Off
There are two tabs in the Power Off screen:
• POWER OFF: The Falcon can be remotely turned off by going to this tab.
• DRIVE POWER: Inactive drives connected to the Falcon can be set to go to standby mode in this tab. The default is set to 0 minutes (OFF).
For more detailed screen shots, see Section 6.0.14 of this manual.

4 Previewing Drives

4.0 Previewing Drives
Drives connected to both Source and Destination ports can be previewed. There are 5 different methods available to preview drive contents with the Falcon:
• Falcon's native File Browser
• A computer with the Falcon's File Browser
• USB connection to a computer
• SMB protocol (using a file explorer)
• iSCSI protocol (Source drives only; using a file explorer)

Drives connected to the Source ports (SAS_S1, SAS_S2, USB_S1 and FW_S1)
Drives connected to the Source ports are always write-protected. Previewing the contents of these drives will not alter the drive or its contents in any way.

[Table comparing the preview methods by: Physical Access, Logical Access, Concurrent Access to the Source Drive, Access to Destination Drives, Concurrent Multi-User Access, and Use of Third-Party Analysis Tools or Software. Cell values not recoverable.]
One file at a time must be downloaded to the computer before it can be analyzed.

File Brow
60. bility to meet future technology advances. This unparalleled solution is designed for demanding forensic imaging tasks and sets a new standard of excellence in digital forensic data imaging solutions.

1.1 Features
• The Falcon is the fastest forensic imaging solution available, achieving speeds of 23GB/min, and meets future hard drive speed improvements with SAS/SATA-3 6GB/s maximum rated speed of 37GB/min.
• Image and verify to the following formats: native copy, dd image, e01, ex01 and file-based copy. Compression available for E01/Ex01 formats. Uses SHA1, SHA256 or MD5 authentication.
• 4 Source and 5 Destination ports. Write-protected source ports include 2 SAS/SATA, 1 USB 3.0 and 1 FireWire. Destination ports include 2 SAS/SATA, 2 USB 3.0 and 1 FireWire. A Gigabit Ethernet port for network connectivity is also available. USB source and destination can be converted to SATA using a USB to SATA converter.
• Built-in support for SAS/SATA/USB/FireWire storage devices. Adapters are included with Falcon to support 1.8"/2.5"/3.5" IDE and 1.8" ZIF and microSATA drive interfaces. Optional adapters are available for eSATA, mSATA and CompactFlash drives. An optional SCSI module provides support for 1 SCSI source and 1 Destination drive.
• Image to or from a network location. Use the Falcon to image to a network location using CIFS protocol and/or image from a network loca
62. con has a built-in file browser. The built-in browser allows the user to view each of the drive's partitions and its contents. The file browser can also open several types of image files, including jpg, png, gif, txt, html and pdf. This method can be very useful when the Falcon is out on the field and there are no computers to analyze or triage the contents of drives. Using the Falcon's 7" touch screen, one drive at a time can be viewed. See Section 6.0.7 for details on how to use the File Browser.

4.2 Computer File Browser
The Falcon can be accessed from a computer through a direct network cable connection or through a network. Using a computer with the Falcon's file browser allows more files to be previewed by using the computer's Operating System and installed software. This can be useful when the Falcon is out on the field and there is an available laptop. Connecting the two devices directly together with a network cable and using the Falcon's web interface (see Section 10.1 for more information on the web interface) allows the user to open files that the Falcon cannot open using the file browser alone. See Section 6.0.7.1 for details on how to use the File Browser using the web interface.

4.3 USB
The Falcon can also be connected to a computer through
63. con not to perform a wipe using Wipe Mode.
• DOD: Choosing this will instruct the Falcon to perform a 7-pass wipe conforming to the DoD M-5220 standards.
• CUSTOM: Choosing this will allow the user to specify how many wipe passes will be performed and what values will be written on each of the passes selected.

HPA/DCO: This will open the HPA/DCO option for wiping. If the drive to be wiped has HPA and/or DCO that needs to be wiped, select Yes for the corresponding option (WIPE HPA, WIPE DCO).

LBA: By default this is set to 100, which will wipe all Logical Block Addresses (LBAs) and will wipe the entire drive (100%).

PASSES: This Wipe Setting will change depending on the Wipe Pattern (Mode) selected.
• If None was selected, this is not selectable.
• If DoD was selected, the first six pass values will be filled automatically by default. It is mandatory that the user enter the 7th pass value by tapping the edit icon, or the operation will fail.
• If Custom was selected, no passes will be filled out. It is mandatory that the user set the value for at least one pass or the wipe operation will fail. The pass value can be set by tapping the edit icon.

Passes screen when DOD is selected:
The Falcon automatically enters default values for pass numbers 1 through 6. It is mandatory tha
64. cube Forensic Falcon User's Manual
Logicube, Inc., Chatsworth, CA 91311 USA
Phone: 818 700 8488, Fax: 818 700 8466
Version: 2.4.2, Date: 07/24/15
MAN FALCON
Logicube Forensic Falcon™ User Manual

Limitation of Liability and Warranty Information

Logicube Disclaimer
LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF TIME OR DATA FROM USE OF A LOGICUBE PRODUCT, OR ANY OTHER DAMAGES RESULTING FROM PRODUCT MALFUNCTION OR FAILURE OF (INCLUDING WITHOUT LIMITATION, THOSE RESULTING FROM: (1) RELIANCE ON THE MATERIALS PRESENTED, (2) COSTS OF REPLACEMENT GOODS, (3) LOSS OF USE, DATA OR PROFITS, (4) DELAYS OR BUSINESS INTERRUPTIONS, (5) AND ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE (OR FROM DELAYS IN SERVICING OR INABILITY TO RENDER SERVICE ON ANY) LOGICUBE PRODUCT. LOGICUBE MAKES EVERY EFFORT TO ENSURE PROPER OPERATION OF ALL PRODUCTS. HOWEVER, THE CUSTOMER IS RESPONSIBLE TO VERIFY THAT THE OUTPUT OF LOGICUBE PRODUCT MEETS THE CUSTOMER'S QUALITY REQUIREMENT. THE CUSTOMER FURTHER ACKNOWLEDGES THAT IMPROPER OPERATION OF LOGICUBE PRODUCT AND/OR SOFTWARE, OR HARDWARE PROBLEMS, CAN CAUSE LOSS OF DATA, DEFECTIVE FORMATTING, OR DATA LOADING. LOGICUBE WILL MAKE EFFORTS TO SOLVE OR REPAIR ANY PROBLEMS IDENTIFIED BY CUSTOMER, EITHER UNDER WARRANTY OR ON A TIME AND MATERIALS BASIS.

Warranty
DISCLAIMER: IMPORTANT
65. d changes are saved.
Note: Do not highlight and save over the INITIAL DB configuration. This is the default configuration of the Falcon and is used to reset the Falcon to the factory default settings.

6.0.11.2 Passwords
There are two sets of passwords that can be entered on the Falcon:
• Log File Deletion Password: A password can be set as an extra layer of protection when deleting log files. If this password is set, Falcon will prompt for the password before any log files can be deleted.
• Config Lock: The Falcon can be configured to lock out any configuration changes. When this is enabled, changes to the different types of operations cannot be made without entering the correct key or password. Different types of operations can still be started. For example, when the Falcon is locked and it is configured for Drive to Image Imaging mode, the user will be unable to change this mode to Drive to Drive or File to File, but can start the Drive to Image task.

Tap Password or Key to enter a log file deletion password or a config lock key. The following screen will appear. Tap the Enable icon to enter a password or key. The available characters are 0 through 9 and A through F.

6.0.11.2.1 Additional information for Config Lock
Tap the Auto Lock ic
67. de after a specified idle time, drive spanning, large 7" color touch screen display, on-screen keyboard, two USB 2.0 host ports for keyboard, mouse or printer connectivity, and an HDMI port to connect a projector or monitor.
The Falcon achieves 23GB/min imaging speed using solid state drives in native copy and in e01/Ex01 image format. Your results may vary depending on the specification and condition of the hard drive used, as well as the mode, image format and settings used during the imaging process.

1.2 In the Box
The complete Falcon system includes the following:
• The Logicube Falcon unit
• AC adapter (power supply and power cable)
• 1 CAT6 network cable
• 4 SAS/SATA cables
• 1 USB 3.0 type A cable
• 1 USB 3.0 device cable
• 1 USB A Female to USB Mini B 5-Pin Male adapter
• 1 USB 3.0 A Female to Micro B Male USB 3.0 cable
• 1.8" microSATA adapter
• 1.8" IDE ZIF to SATA adapter
• 2.5"/3.5" IDE to SATA adapter
• 1.8" IDE to SATA adapter
• 4 6-Pin power plugs
• 1 FireWire cable
• CD-ROM containing the user's manual
• Carrying case

The Falcon is shipped in a carrying case with the items listed below. Also included, but not pictured, is a power supply & power cord and a CD-ROM with user's manual.
68. default, the Telnet Client is not installed with Windows, but it can be installed by following the steps below:
1. Open Control Panel and select either Programs & Features or Programs.
2. Click Turn Windows features on or off. If prompted for an administrator password or confirmation, type the administrator password or provide confirmation. A Network or Systems Administrator may be required for administrator access.
3. In the Windows Features dialog box, select the Telnet Client check box.
4. Click OK. The installation might take several minutes.

10.3.1 Connecting via Telnet
Once the Telnet client is installed, follow the steps below to connect using the Windows Telnet client:
1. Connect the Falcon to the network by attaching a network cable (CAT 6 type) to the RJ45 connector in the back of the Falcon.
2. Turn the Falcon on and allow it to boot up completely.
3. Open the Telnet client:
   a. For Windows XP, click Start > Run. The Run window should appear. Type telnet in the Open field and press Enter. The Telnet window should appear.
   b. For Windows Vista or 7, click Start and in the Search field type Telnet. Telnet should appear in search results.
Type open followed by the IP address or name of the Falcon. For example, open 192.168.1.100 or open Falcon-XXXXXX (where XXXXXX is the 6-digit serial number of the Falcon), then press Enter. The F
69. e Destination ports or locations set up as a repository where the DD, E01 or EX01 images will be pushed to.

6.0.5 Task Macro
This operation allows up to five (5) macros that can be set. Each macro can run up to nine (9) tasks sequentially (one after another). For example, a macro can be set to perform these tasks in order: Wipe, image, hash, push, then wipe again.
Each of the five macros can be set by tapping on the Macro number, as seen in the next picture.
Each task or operation must be set up before setting up the macro. For example, to set up a Task Macro that will perform a wipe then image, users must first set up both the wipe and image tasks. Once the wipe (for example Wipe 1) and image (for example Image 1) have been set up, the Task Macro can be set.

6.0.5.1 Tasks
This option allows the user to set specific tasks for each macro. The following window will appear, listing OPERATION 1 through OPERATION 9.
Tap Operation 1 to set the first operation in the macro. The following screen will appear, allowing the user to choose the task (for example IMAGE 1, WIPE 1, HASH 1 or PUSH 1). Tap the OK icon to continue.
Continue adding operations desired. Each operation added will appear o
70. e Destination using the EXT4 file system or NT file system (NTFS), either with or without AES-256 encryption.
4. PUSH: The network Push feature gives users the ability to push evidence files from destination drives connected to the Falcon, or from a Falcon repository, to a network location. The Push feature provides a more secure method than simply copying and pasting to the analysis computer by performing an MD5 or SHA hash during the push process. Additionally, users can select to verify the file transfer to ensure data integrity. Network users can then quickly preview data or copy data to a local drive or to any other directory on the network. The Falcon will create a log file for each push process.
5. TASK MACRO: Set up to nine (9) different tasks to perform sequentially (one after another). For example, a macro can be set to perform these tasks in order: Wipe, image, hash, push, then wipe again.
6. USB DEVICE: Allows the user to view the contents of any drive connected to the Falcon from a computer connected via USB. When using this type of operation, all drives connected to the Falcon are write-protected.
7. FILE BROWSER: Preview the contents of all connected Source or Destination drives on the Falcon. The Falcon will show all viewable partitions and the contents of each partition.
8. LOGS: Display logs of each task that has been performed on the Falcon.
9. STATISTICS: This will display information about the Falcon, including the current
71. e and input the role for the iSCSI server, then tap OK.

6.0.11 System Settings
The System Settings screen allows users to configure five different settings for the Falcon:
• User Profiles/Configurations
• Passwords
• Encryption Settings
• Language/Time Zone
• Display

6.0.11.1 User Profiles/Configurations
This screen shows all user profiles/configurations for the Falcon. There are three options in this screen:
• New: Allows the user to create a new profile/configuration name.
• Save: Saves the selected profile/configuration.
• Load: Loads the selected profile/configuration.
The Falcon will boot with the profile/configuration that has an asterisk next to the name.
User Profiles/Configurations can be copied from one Falcon to another using the Command Line Interface. Profiles/Configurations can also be backed up to a USB flash drive and restored if needed. More information, including detailed step-by-step instructions, can be found in Section 10.6.
Profiles/configurations allow users to create different profiles or configurations. The profile/configuration can then be saved. When a profile/configuration is loaded using the Load icon, the Falcon will load that configurati
72. e see Section 12.5.

2.2.4 Using USB/FireWire/eSATA enclosures
When using USB, FireWire, and/or eSATA enclosures, it is highly recommended to leave the drive inside the enclosure. USB enclosures typically have an on-board controller that may be necessary to read the drive properly. Taking the drive out of the enclosure could cause any device, including computers, not to read the drive contents properly.

2.2.5 Connecting SATA Drives using a USB to SATA adapter
Logicube has qualified a USB 3.0 to SATA adapter for use with the Falcon. This adapter provides the capability to connect SATA drives to the USB 3.0 ports on the Falcon and uses a USB 3.0 to SATA converter. USB 3.0 is a new technology, and USB 3.0 controller manufacturers may have variations in device designs that have inconsistent adherence to USB 3.0 specifications. This adapter and other USB 3.0 enclosures may experience communication disruption between devices. If the adapter is not detected properly, we have found that using a USB 3.0 hub may stabilize and regulate the communication between the Adapter or USB 3.0 enclosure and the Falcon, allowing the device to be detected properly. We have identified and qualified a USB 3.0 hub, which is available as an option.
For more information on the USB 3.0 to SATA adapter, please see Section 12.4. For more information on the USB 3.0 hub, please see Section 12.5.

2.3 The u
73. e selected Source hash. 5.0.3.5 Special Settings: The Settings screen changes depending on which of the three Modes (Drive to Drive, Drive to File, or File to File) is selected. Each of the three modes has its own Settings screen. 5.0.3.5.1 Special Settings for Drive to Drive: When Drive to Drive mode is selected, Mirror Settings will appear on the top right of the Settings screen. Drive Trim: Software 2.3 and above include a feature called Drive Trim (Destination Drive Trim). This user-selectable function allows the Falcon to manipulate the Device Configuration Overlay (DCO) and Host Protected Area (HPA) of the destination drive, using the Device Configuration Set command for DCO and the Set Max Address command for HPA, so that the Destination drive's total native capacity matches the Source drive. For example, if the Source drive is a 120GB drive and the Destination drive is a 500GB drive, the Falcon will limit the Destination drive's capacity to 120GB to match the Source drive exactly. Sample Source drive. Sample Destination drive prior to Drive Trim: Bay SAS D1 Role Target Model WDC_WD10EZEX 08M2NAO SerialNumber WD WCC3F0914869 Size 1000204886016 PhysicalSectors
74. 6. Click the OK button. The following warning screen may appear. Click the Yes button to continue. Warning: "The password you entered has less than 20 characters and may not be compatible with some Linux volumes. Do you wish to proceed?" 7. FreeOTFE will mount the drive and assign a drive letter. Information: "Your Free OTFE volume has been mounted as drive F". 8. Click the OK button to continue. The drive should appear in the FreeOTFE window. 9. The Destination drive should now be accessible in Windows. If the Destination drive was formatted with the
75. 10.4 Zero Configuration Networking (Zeroconf); 10.5 Configuring the Falcon with a static IP address; 10.5.1 Step-by-step instructions: Static IP address; 10.6 Copying User Profiles Configurations from one Falcon to another; 10.6.1 Step-by-step: Copying User Profiles Configurations; 11 Viewing Source and Destination Drives over a Network; 11.0 Overview; 11.1 Viewing Source or Destination drives over the network using SMB; 11.1.1 Step-by-step: Viewing Source or Destination drives; 11.2 Viewing Source drives over the network using iSCSI; 11.2.1 Configuring the iSCSI initiator (Windows 7, 8 and 8.1); 11.2.2 Configuring the iSCSI initiator (Windows XP); 12 Optional Adapters; 12.0 Introduction
76. elected, two tabs are available at the top of the screen: Add Remove, using the SMB (Server Message Block) and CIFS (Common Internet File System) protocols, and iSCSI (Internet Small Computer System Interface) protocol. Networks are configured differently and may require the assistance of a Network or Systems Administrator. 6.0.10.1 Add Remove: A list of repositories will be shown, including local Destination drives and networked repositories. The user has the option of adding or deleting a repository. Tap Add Repository to add a repository. The Add Repository window will appear. Tap Name to set the name of the repository. Tap the OK icon when finished. Tap Drive to select a drive or network share to set as a repository. Tap the OK icon when finished. Tap Network Settings to enter the network settings. See the example below. Tap the OK icon when finished. For the path, enter the IP address or hostname followed by a slash, then the share name. For example: ip_or_hostname/sharename. Hidden Samba network shares shares
77. ending with $ can be mounted by adding the $ at the end of the share name. For example: ip_or_hostname/sharename$. Tap Role and input the role for this repository. Tap OK when finished. The repository will only appear as a Source when File to File imaging is chosen. To edit a repository, tap the edit icon. This will allow changes to the path, domain, username or password. To delete a repository, tap the delete icon. A confirmation screen will appear. Tap Yes to permanently delete the repository from the list. In order for a repository to remain configured when the Falcon is turned off, the changes must be saved and loaded to a configuration file. Details on configuration files can be found in Section 6.0.11.1. 6.0.10.2 iSCSI: This screen allows a user to add a repository using the iSCSI protocol. To add a repository using the iSCSI protocol, an iSCSI Target must be set up on the remote system. Since networks are configured differently, a Systems Administrator or Network Administrator may be needed to set up the iSCSI protocol. Once the iSCSI Target has been set up, tap Settings. Input the iSCSI target portal, username and password. Tap the OK icon when finished. Tap Rol
78. ens when the drive receives the Secure Erase command, contact the drive manufacturer. Wipe Patterns: Allows the user to set a specific pattern to use for wiping the drive. The number of passes is customizable (up to 7 passes) along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set with pre-selected pass values. It is recommended to use the same capacity drive per task. When smaller capacity drives are wiped together with larger capacity drives, the smaller drives will finish first. However, the drive bays will not be available until the entire task is finished. Format: Instructs the Falcon to format a drive with or without encryption. The Falcon will format the drive using the EXT4 file system or NT file system (NTFS). To simply format a drive without wiping, set Secure Erase to Off and set the Wipe Patterns to None. Step-by-step instructions on how to encrypt a drive can be found in Section 8.1.1. For in-depth information regarding drive encryption, please see Chapter 8 Drive Encryption and Decryption. 3.3.1 Step-by-step instructions: Wipe Format. 1. Select Wipe from the types of operation on the left side. 2. Tap the Destination icon and select one or more drives, then tap the OK icon. It is recommended to use the same capacity drive per task. Whe
79. Power Off screen: A confirmation screen will appear. Select Yes to confirm the selection. The confirmation screen reads: "ARE YOU SURE YOU WANT TO POWER OFF FALCON ALL TASKS IN PROGRESS WILL ABORT". Drive Power screen. 7 Viewing EXT4 formatted Destination drives in Windows. 7.0 Introduction: The Falcon formats Destination drives using the NT File System (NTFS) or EXT4 file system. Linux Operating Systems have native support for EXT4 file systems. Windows, however, does not have native support for viewing the EXT4 file system. There are several utilities that allow viewing of the EXT4 file system in Windows. Ext2Fsd (http://www.ext2fsd.com) is a free, open-source utility driver that allows EXT3 and EXT4 partitions to be viewable in Windows. The Falcon labels the formatted Destination drive as REPOSITORY. Logicube does not provide full support for Ext2fsd. We provide basic instructions on how to make this utility work in our scenario. For Ext2fsd support, please visit their website above. 7.0.1 Step-by-step instructions: Using Ext2fsd. 1. Download and install Ext2fsd from the website above. If Ext2fsd is already installed, skip to step 2. After installing Ext2fsd, reboot the computer. 2. Connect the Destinatio
80. eparate download for the iSCSI initiator for Windows XP and can be found by searching Microsoft's website for iscsi initiator. No data can be written or deleted to the drives. Contents of a Destination drive can be viewed over a network using built-in file explorers viewers. Contents of Destination drives viewed over a network are write protected. 11.1 Viewing Source or Destination drives over the network using SMB: Contents of a Source or Destination drive can be viewed over a network using built-in file explorers viewers like Windows Explorer. Contents of Source drives viewed over a network are write protected. Drives connected to the Source ports (SAS_S1, SAS_S2, USB_S1 and FW_S1) are always write protected. Using the File Browser function will not alter the drive or its contents in any way. 11.1.1 Step-by-step: Viewing Source or Destination drives. 1. Connect the Falcon directly to a computer using a network cable, or to a network. 2. On the computer on the same network, open Windows Explorer and open the Falcon's IP address or the hostname of the Falcon with its serial number. Both IP address and serial number can be found by going to the Statistics screen on the Falcon. For example, browse to 192.168.1.100 or falcon XXXXXX, where XXXXXX is the 6-digit serial number of the Falcon.
81. er with WinZip or other third-party zip software. WinZip and other third-party zip software may improperly extract the files required for the software update. There are compressed files within the download that need to stay compressed. If the computer being used to extract the software download has WinZip or other third-party zip software, it is highly recommended to use the built-in utility in Windows. If the downloaded zip file is highlighted and WinZip is installed, there will be an option to Open with WinZip. A computer without WinZip installed will have an option to Open when the file is highlighted. If WinZip is installed, highlight the downloaded zip file, then click the arrow pointing downward next to Open with WinZip. A drop-down menu will appear. Select Windows Explorer. Windows Explorer will open the zip file and the files can be extracted usin
82. er key. This will show all the profiles configurations on this Falcon unit. Make sure that these are the profiles configurations that need to be copied to the other Falcons. 8. Type db push xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP address of the Falcon that the profiles configurations will be copied to (for example, db push 192.168.1.101), then press the Enter key. The profiles configurations on the first Falcon will be copied to the other Falcon. This may take a few minutes depending on network speeds and the number of configurations to copy. When the process is finished, the screen will show Done and the CLI prompt will appear. 9. Repeat step 8 to copy the profiles configurations to other Falcon units. 10. When finished, reboot all the Falcons where the profiles configurations were copied to. They should boot up with the same profiles configuration set to load and all other saved profiles configurations. 11 Viewing Source and Destination Drives over a Network. 11.0 Overview: The contents of drives connected to any Source or Destination position on the Falcon can be viewed over a network. To view the contents of a Source drive over a network, an iSCSI initiator is required. Windows Vista, 7, 8 and 8.1 have a built-in iSCSI initiator located in the Administrative Tools section of the Control Panel. Windows XP does not have a built-in iSCSI initiator. Microsoft has a s
83. es the EXT4 file system or NT file system (NTFS) to format drives. If the Destination drive is not formatted properly, the Location will appear as NOT_MOUNTED and a format icon will appear in the Format column. Tap the Format icon to format the Destination drive. For Drive to File or File to File, the Falcon will display drives connected to the Destination ports and any added repository. Encrypted drives will have the following symbol in the Format column. When formatting the drive from this screen, a prompt will appear to format the drive. Select which file system to use (EXT4 or NTFS) and whether to format with encryption (ON) or without encryption (OFF). Details on encryption can be found in Chapter 8 of the Falcon User's Manual. For details on formatting a drive, see Section 6.0.3.2.3. Formatting the drive may take up to two minutes. Tap the OK icon to continue. For in-depth information regarding drive encryption, please see Chapter 8 Drive Encryption and Decryption. 5.1 Starting the Imaging Operation: Once all the settings and options have been selected or set, tap the Start icon to begin the imaging. A confirmation screen will appear. Tap the Yes icon to continue. A progress bar will appear at the bottom of the screen showing the bytes processed, the rate speed, elapsed time, and time remaining. When finished, the status will change to C
84. fferent formats: image to a network location using e01, image to one destination drive using dd format, and image to a 2nd destination drive using native mirror format. This is useful when there are multiple teams of investigators (one in a lab and one at another location but connected to a network) and you also need to provide a copy of the suspect hard drive to those that require an exact mirror image, for example to an attorney. What is a filter based file copy? In many cases investigators want to image only specific file types on a suspect's hard drive; this can be useful to shorten the imaging process. The Falcon's file mode allows users to specify by extension type (e.g. peg, pdf, mov, xls, etc.) which files they want to image. The files will be sorted by path based on where the file is located on the Source. If a hash method is selected, each file will be hashed. Does the Falcon provide log files? Yes, each operation task produces a log file. The log file is viewable on the Falcon screen or remotely on a PC in an HTML format. The log files can be exported to a thumb drive; the Falcon will export in XML, HTML and PDF. XML log files can be customized using XML editors. The log files are stored on the internal hard drive within Falcon and are accessible by pressing the log file icon from the left side navigation bar on the Falcon screen. Can I remove the internal hard drive for secure locations or SCIFs? Often investigato
85. The LBA icon will bring up the LBA settings screen. On this screen, the user can adjust the percentage or the number of blocks of the drive to hash, and also where to start the hash. By default, the length is set to 100% (whole drive) and the starting percentage is set to 0 (start of the drive). When the Falcon finishes hashing the drive, the following screen will appear showing the task completed. Tap the Info icon on the left of the completed screen to see both the expected hash value and the computed hash value. 6.0.2.3 Case Info: The Case Info setting allows users to enter some information about the case. This is optional and is not required to start a Hash operation. Information entered here will appear in the logs. More information on the Case Info screen can be found in Section 5.0.3.1. [Screen: Enter Case Information, with the fields Case File Name, Examiner, Evidence ID, Case Notes] Tap any of the boxes and an on-screen keyboard will appear, allowing information to be entered. After entering the information, tap the OK icon to go back to the previous screen. Case File Name: The Falcon will convert any non-POSIX portable characters used in Case File Name field to underscores (_) when creating the l
86. g Lock key is forgotten, the Falcon will need to be reset using the Command Line Interface (CLI). See Section 10.2 for more information on how to connect to the Falcon using the CLI. Once connected to the CLI: 1. Login with the username "it" (without the quotes) and the password "it" (without the quotes). 2. From the main prompt, type command then press the enter key. 3. Type config then press the enter key. 4. Type db list then press the enter key. This will show a list of databases or configurations saved. The example below shows two databases, the default initial db and Lock db. The db that shows an asterisk before the name is the current database or configuration being loaded each time the Falcon is turned on. 5. Type db load initial db then press the Enter key to load the default database. There should be a response showing Command DbManagement Successful. 6. Type db list again and there should be an asterisk on initial db. 7. Turn the Falcon off using the power switch located in the back of the device and close the Telnet SSH application. 8. Wait for the Falcon to completely turn off, then turn it back on. When the Falcon boots up, it will load the default configuration. The default configuration can be checked by going to System Settings and looking at the User Profiles Configurations tab. INITIAL DB should have an asterisk next to it as seen below.
87. g the Extract all files function to the USB flash drive. This will bypass WinZip and use the built-in utility in Windows. 9.2 Firmware Loading Instructions: Some software releases may contain a firmware upgrade. The steps below outline how to check if the Falcon requires a firmware upgrade. 1. After the software is updated on the Falcon, from the main menu tap the down arrow twice, then tap the Software Updates icon. 2. Tap the Firmware Update page. One of two screens will appear: a. FIRMWARE UPGRADE AVAILABLE: Tap the Update icon. A message will appear: "FIRMWARE UPDATE COULD TAKE UP TO A FEW MINUTES TO COMPLETE. PLEASE DO NOT INTERRUPT POWER DURING THIS TIME. ON COMPLETION THE UNIT WILL AUTO RESTART AND CONFIRM THE UPDATE." Tap the OK icon to start the firmware update process. When the OK icon is tapped, the screen may appear to do nothing. Do not keep tapping the OK icon. The firmware update will take no more than 60 seconds. When the firmware update finishes, the Falcon will reboot automatically. b. FIRMWARE UPGRADE NOT AVAILABLE: This message will appear if the device does not require a firmware update. No further action is necessary if this me
88. drive. Warning: "DESTINATION REPOSITORY SAS_D1 MIGHT NOT HAVE SUFFICIENT FREE SPACE START IMAGE 1 ARE YOU SURE". When the Destination drive is full and the remaining data to be will not fit, Falcon will prompt for another drive: "DESTINATION SAS D1 DOES NOT HAVE ENOUGH SPACE SELECT NEW DESTINATION". When the screen above appears, tap the OK icon and the Select Repository screen will appear. The Destination drive that is full can be disconnected and replaced with another drive, or a different Destination drive port or repository can be selected. After selecting the next Destination Repository to be used, tap the OK icon. If the next Destination drive selected requires formatting, the Falcon will show the format icon, allowing the drive to be formatted. When the imaging operation is finished, all subsequent Destinations Repositories used will contain the same Case File name and the next DD, E01 or EX01 file. For example, if the last file on the first Destination used is E23, the next Destination Repository used will start with file E24. 3.1.2 Imaging to or from a network: A network repository or location must be set in order for the Falcon to be able to image to or from a network repository location. For details on how to add a
89. gine at the end of each segment file, which the Falcon can use to catch transfer errors and re-try if needed. [Figure: Sample log file viewed on screen] 3.8.1 Step-by-step instructions: Viewing or exporting logs. 1. Select Logs from the types of operation on the left side. A list of log files will appear, sorted by date, newest on top. 2. Select the log file to view by tapping the name of the log file. This will highlight the log file chosen. 3. Tap the View icon to view the log file on screen. The log files can also be exported to a USB drive. To export the log files: a. Connect a USB drive (USB flash drive or USB external drive) to one of the two USB ports located on the fr
90. ging using Drive to File or File to File. Tap this icon to set the Falcon to format the drive with or without encryption. Three settings are available. Format: When set to ON, the Falcon will format the Destination drive with or without encryption. The drive will be formatted with the EXT4 file system or NT file system (NTFS), depending on which file system is chosen. When set to OFF, the Falcon will not format or encrypt the selected drive. File System: Select EXT4 to format the Destination using the EXT4 file system. Select NTFS to format using the NT file system (NTFS). Encryption: Select ON to format the drive with encryption. The drive will be formatted with the EXT4 file system or NT file system (NTFS) and encrypted with the AES 256 algorithm. For more information on encrypted Destination drives, please see Chapter 8 Drive Encryption and Decryption. 6.0.3.3 Case Info: The Case Info setting allows users to enter some information about the case. This is optional and is not required to start a Wipe operation. Information entered here will appear in the logs. More information on the Case Info screen can be found in Section 5.0.3.1. [Screen: Enter Case Information, with the fields Case File Name, Examiner, Evidence ID, Case Notes] Tap any of the boxes and an on-screen keyboard will appear
91. h USB, the USB 3.0 port is located in the back of the Falcon. To use this method, a drive must be engaged from the Falcon using the USB Device mode of operation. The entire drive will be available to be previewed from the computer. Partitions will be viewable (for example, in Windows Explorer) and the drive will also appear in Disk Management. Using a USB connection may be useful for times when the Falcon cannot be connected over a network connection. See Section 3.6 and 6.0.6 for details on how to use the USB Device feature. 4.4 SMB: The Falcon can be accessed from a computer through a direct network cable connection or through a network. One of the ways to access Source or Destination drives over the network is to use the SMB protocol. When using this method, all viewable compatible partitions will be viewable on the computer. This method will give a logical access to the contents of the drive. See Section 11.1 for details on how to view Source or Destination drives over the network using SMB. Some advantages of using this method are: the contents of the drive are searchable using the Operating System's search functions; third-party analysis tools and software can be used with the logical partition.
92. h quickly as it is resetting just wiping the HPA DCO and 1 LBA Logicube Forensic Falcon User s Manual 48 Logicube Forensic Falcon User s Manual IMAGING Tap Mirror Settings and the following screen will appear MIRROR CLONE ADVANCED SETTINGS omame PY RS Length Set the percentage or number of blocks to clone For forensic purposes this is typically set to 100 of the Source Master Start Set the percentage or number of blocks from the start of the Source Master For forensic purposes this is typically set to 0 or the beginning of the Source Master Target Start Set the percentage or number of blocks from the start of the Destination Target For forensic purposes this is typically set to 0 or the beginning of the Destination Target Alternatively the specific number of blocks can be set for each of the options by tapping the edit icon 5 0 3 5 2 Special Settings for Drive to File When Drive to File mode is selected File Image Method Settings will appear on the top right of the Settings screen SELECT SETTINGS FILE IMAGE METHOD SETTINGS HASH WERIFICATION METHOD 49 Logicube Forensic Falcon User s Manual IMAGING Tap File Image Method Settings and the following screen will appear when DD is selected FILE IMAGE METHOD SETTINGS The following screen will appear when E01 or EXO1 is selected a One of three different i
93. hash method is selected, each file will be hashed. Definition (Source, Destination, Repository): A Source, Destination or Repository can be a drive (Hard Disk Drive, Solid State Drive, USB drive, etc.), Flash media (SD card, CF card, etc.), or network location. Falcon uses a concurrent Image Verify process (patent pending). When Verify is set, the Falcon images and verifies concurrently and takes advantage of destination hard drives that may be faster than the source hard drive. Duration of total image process time may be reduced by up to half. Falcon can also perform Parallel Imaging. A user can simultaneously perform multiple imaging tasks from the same source drive to multiple destinations using different imaging formats. For example, image to a network location or a destination drive using the E01 format while imaging to a different destination drive using native mirror or DD format. [Figure: Parallel Imaging. Image to a network location and image directly to destination drive(s) at the same time.] The Falcon imaging, hash and wipe speeds are determined by several factors, including the following: the manufacturer specifications of the drive(s) being used; the age of the drive (manufactured date); how often that dr
94. he computer and connect the B connector side of the cable to the back panel of the Falcon. [Figure: Falcon rear view] 4. Windows will automatically detect the drive, install the drive's drivers if necessary, and should assign it a drive letter. 5. The new drive letter will contain the contents of the selected drive and is write protected. 6. When finished, tap the Disengage icon on the Falcon. The USB cable can then be disconnected from the Falcon and the computer. Windows may look like changes can be made to the drive. However, no changes are actually made. For example, if a file is written copied to the drive or a file is deleted from the drive, Windows may show that the file was written, copied or deleted from the drive. However, if the drive is disconnected then reconnected, Windows will show the original files, showing no changes were actually made. 3.7 File Browser: The contents of all connected Source and Destination drives on the Falcon can be previewed using the Falcon's file browser. The Falcon will show the partitions and the contents of each partition. Note that only some files can be opened by the Falcon. Files opened by the file browser will not alter the drive in any way. If a file cannot be previewed, the following message will appear. 3.7.1 Step-by-step instructions: File Browser. 1. From the File Browse
95. he enter key. b. Type config then press the enter key. c. Type net del n eth0 to delete the current network configuration. d. The following information is required: a static IP, the netmask, network gateway, the network nameserver, the domain. For example: i. IP Address: 192.168.1.123; ii. Netmask: 255.255.255.0; iii. Gateway: 192.168.1.10; iv. Nameserver: 192.168.1.10 (typically the same as the gateway unless the network has a specific nameserver IP); v. Domain: LG. Networks are configured differently and the necessary settings may require the assistance of a Network or Systems Administrator. e. Based on the info above, the example for this line will be to type (case sensitive) net add n eth0 t static a 192.168.1.143 m 255.255.255.0 g 192.168.1.1 N 192.168.1.1 d lg then press the enter key. f. The Falcon should respond with the following: Command DbNetworkConfig Successful. g. Now we need to save the configuration. Type db save staticip db then press the enter key. A Successful message should appear. h. Type db load staticip db to load the database configuration. i. Perform a full shut down on the Falcon. Wait about 30 seconds, then turn the Falcon back on. The Falcon should load the new configuration. The IP address can be checked by going to the Statistics screen. 10.6 Copying User Profiles Configurations from one Falcon to anot
96. he storage devices for that target. Click details to see information about the sessions, connections and devices for that target. Targets (Name, Status): iqn 2012 05 com logicube export sas s1, Connected; iqn 2012 05 com logicube export sas s2, Inactive; iqn 2012 05 com logicube export usb s1, Inactive. 7. Windows will attempt to mount the drive. If it contains a file system recognized by Windows, it will automatically assign a drive letter for each recognized partition and the contents can be viewed in Windows. This process may take several minutes depending on several factors, including drive size, computer specifications, and network speeds. If Windows does not recognize the file system on the drive (EXT, HFS, etc.), it will not be mounted and no drive letter will be assigned. If the drive is greater than 2TB, Windows may not properly recognize the drive or its contents. For more information, please see Microsoft KB Article ID 2581408, "Windows support for hard disks that are larger than 2 TB". This can also be searched with the keyword KB2581408. 12 Optional Adapters. 12.0 Introduction: Logicube has many different adapters that allow the imaging of almost any drive. This chapter lists the available optional adapters that can be used with the Falcon. 12.1 mSATA mini SATA Drives: m
97. her
User profiles can be copied from one Falcon to another using the Command Line Interface (CLI). The Falcon units must be on the same network, and all User Profiles/Configurations will be copied over. This can be useful when non-default profiles/configurations are set up and multiple Falcons need to have the same profiles/configurations. Instead of configuring each Falcon one at a time, all Falcons can have the same profiles/configurations with a few simple commands.
10.6.1 Step by step: Copying User Profiles/Configurations
1. Set up any or all User Profiles/Configurations on one Falcon. Make sure each profile/configuration is saved, and load the profile/configuration that should be loaded each time the Falcon is turned on.
2. Connect two or more Falcons to a network with DHCP. One of the Falcons connected should be the one with the profiles/configurations already set up.
3. Connect via Telnet or SSH to the Command Line Interface (CLI) of the Falcon with the profiles/configurations already set up (see Sections 10.3.1 and 10.3.2 for more information on connecting via Telnet or SSH).
4. Once connected via CLI, log in with the following credentials:
a. Username: it
b. Password: it
From the main prompt, type command, then press the Enter key. Type config, then press the Enter key. Type db list, then press the Ent
98. if pdf png html
If the Falcon cannot preview a file, a message will appear stating "File viewer cannot view file type".
6.0.7.1 Viewing files from the web interface
The Falcon's File Browser can also be used from the web interface. Using the web interface gives the ability to open files that the Falcon cannot preview, by downloading the file to the computer from which the Falcon is being browsed.
1. Using a compatible web browser, connect to the Falcon's web interface (see Section 10.1 for more information on how to connect to the Falcon's web interface).
2. From the Falcon's web interface, navigate to File Browser.
3. Select the drive to view.
4. Navigate through the file browser and locate the file to download and open.
5. From the File Browser screen, right-click on the file, select "Save link as", and save the file to the local computer.
6. The file can then be opened on the computer where it was downloaded to.
Your computer will need to be able to open the type of file that was downloaded. For example, if a Word document was
99. itlog folder contains the HTML, PDF, and XML files for each of the log files. There will be two folders (html and pdf) that contain either the HTML or PDF versions of the log files. The XML files can be used with any XML viewer, which allows for some customization on how the information can be viewed.
3.9 Statistics - Falcon and drive statistics
This will display two tabs: About and Adv. Drive Statistics.
The About screen will show information about the Forensic Falcon, including the current software installed. The Adv. Drive Statistics tab displays S.M.A.R.T. information taken directly from what the drive is reporting. For more information on the Statistics screen, see Section 6.0.9 of this manual.
3.10 Manage Repositories
Repositories can be added to the Falcon in this operation. When Manage Repositories is selected, a list of repositories will be shown. The user has the option of adding or deleting a repo
100. ive has been used. For example, a 2 TB drive with 64MB of cache produced by the manufacturer 2 years ago is most likely slower than a 2 TB drive that the same manufacturer just released this year, even though they are both 7200RPM with 64MB of cache and are both SATA III.
3.1.1 Step-by-step instructions: Imaging
Details on each selectable option on the Image screen can be found in Section 5.0, Imaging.
1. Select Imaging from the types of operation on the left side.
2. Tap the Mode icon and select Drive to Drive, Drive to File, or File to File, then tap the OK icon.
3. Tap the Source icon and choose the source from the list of connected drives, then tap the OK icon.
4. Tap the Settings icon and adjust the settings as needed (Case Info, File Image Method Settings or Mirror Settings, HPA/DCO, Error Handling, Hash/Verification Method, etc.), then tap the OK icon.
The Settings screen will be different for each of the three modes. Details on the different Settings screens can be found in Chapter 5, Imaging.
Log file names can be set in Settings, in the Case Info screen, by entering a Case File name. See Section 5.0.3.1 for more information. The Falcon will convert any non-POSIX portable characters used in the Case File Name field to underscores (_) when creating the log or file names. POSIX portable character
101. l different ways can be found by searching the Internet for "install unsigned drivers".
If the Destination drive was formatted with the EXT4 file system, please read Chapter 7 for information on how to view EXT4 in Windows.
8.3.1 Which decryption software to use
The decryption software to use (TrueCrypt or FreeOTFE) depends on how the Destination drive was encrypted:
• TrueCrypt: Use this software if the Destination drive was encrypted with the TC XTS cipher mode.
• FreeOTFE: Use this software if the Destination drive was encrypted with the CBC or ECB cipher mode.
8.3.2 Decrypting using TrueCrypt
Requirements:
• TrueCrypt properly installed.
• A drive encrypted by the Falcon using the TC XTS cipher mode, connected to the computer with TrueCrypt.
1. Open TrueCrypt and select Volumes from the menu system, then click Select Device.
102. lcon needs to be cleaned, use a lightly damp, lint-free cloth. Avoid using soap or other cleaning agents, particularly those containing bleach, ammonia, alcohol, or other harsh chemicals.
Do not attempt to service or open the Logicube Forensic Falcon. Doing so may void the warranty. If the unit requires service, please contact Logicube Technical Support for assistance.
2 Getting Started
2.0 Overview of the Falcon
Special Icons: Throughout this manual there are two icons that can be seen. Please pay close attention when either of these two icons is found. These icons highlight additional information or important warnings on specific topics.
[Figures: Falcon front view (7" color capacitive touch screen display, USB host ports); Falcon rear view; Falcon left side view (Source, write-protected ports); Falcon right side view (Destination ports)]
2.1 Turning the Falcon on and off
The Falcon comes with a 12V 12.5A output DC power supply that connects to the back of the device. Attach the included power supply
103. mages methods can be selected:
• DD: Uncompressed raw image files readable by many forensic programs.
• E01: Compressed or uncompressed EnCase legacy evidence file format.
• EX01: Compressed or uncompressed EnCase evidence file format.
SEGMENT SIZE (Available for DD, E01, and EX01): Allows the user to set the output segment size (file size). Choose from 2 GB, 4 GB, 8 GB, or 16 GB. A Whole Disk option is available for DD only.
[Figures: E01 and EX01 Segment Size options; DD Segment Size options]
COMPRESSION (Available for E01 and EX01 only): Sets the compression level for E01 or EX01 imaging. When selecting Compression, the following screen will appear. Use the slider bar to adjust the desired compression level.
The higher the compression level, the longer it will take to image the Source drive. The Default compression setting (first setting, as seen in the picture above) is recommended when compression is used.
5.0.3.5.3 Special Settings for File to File
When File to File mode is selected, File Image Method Settings will appear on the top right of the Settings screen.
Tap File Image Method Settings and the following screen will appear:
104. miner Evidence ID or Case Notes
The Falcon will convert any non-POSIX portable characters used in the Case File Name field to underscores (_) when creating the log or file names. POSIX portable characters are: Uppercase (A to Z), Lowercase (a to z), Numbers (0 to 9), Period (.), Underscore (_), Hyphen/Dash (-).
7. Tap the Start icon to start the hash task.
8. When finished, the status will show COMPLETED. At this point, it is recommended to tap Reset Task to reset the task and also to delete the task, in order for the drive bays to be properly reset and not show as being used or assigned, so that other tasks can be configured.
3.3 Wipe/Format
Destination drives can be wiped and formatted using the Falcon. When a drive is wiped, there will be no file system on the Destination drive. The Destination drive must be formatted in order for it to have a valid file system, so it can be used as a Destination drive when using the Drive to File or File to File modes of imaging.
The following methods are available in the Wipe menu:
• Secure Erase: Sends a command to the drive instructing it to wipe the drive based on the hard drive manufacturer's specifications for the Secure Erase command. If errors appear when performing Secure Erase, contact the drive manufacturer to check if the drive supports Secure Erase. For Secure Erase specifications what happ
105. n smaller capacity drives are wiped together with larger capacity drives, the smaller drives will finish first. However, the drive bays will not be available until the entire task is finished.
3. Tap the Settings icon and choose the type of wipe to be performed (Secure Erase and/or Wipe Patterns). If Wipe Patterns is selected, choose the type of Wipe Pattern to perform (DoD or Custom).
4. If the drive has an HPA or DCO area that needs to be wiped, tap the HPA/DCO icon and select Yes to wipe the HPA/DCO area of the drive.
5. Tap the Passes icon to edit the number of passes and what gets written on each pass. If Custom was selected, at least one pass must be edited and chosen. If DoD was selected, a 7 pass value must be edited/entered.
6. If the drive needs to be formatted, tap the Settings icon to change the Format settings, then tap the OK icon.
• FORMAT: Select ON or OFF to format the drive.
• FILE SYSTEM: Select whether the Falcon will format the drive with the EXT4 or NT File System (NTFS).
• ENCRYPTION: Select whether to encrypt the drive (ON) or not (OFF). For more information on encrypted Destination drives, please see Chapter 8, Drive Encryption and Decryption.
The Falcon encrypts drives using AES-256 encryption regardless of what cipher mode is used. If TC XTS is used Falcon
106. n drive to the computer. The Falcon can be used to view the Destination drive. See Sections 3.6 and 6.0.6 for more information. Alternatively, other methods can be used to connect the drive to the computer (e.g. a write-block device).
There are times when Windows will auto-assign a drive letter to the drive. If it auto-assigns a drive letter at this point, continue with the analysis process. There is no need to follow the other steps in these instructions. If Windows does not auto-assign a drive letter, open Ext2fsd's Ext2 Volume Manager program.
3. Locate the Destination drive. The Destination drive should have a RAW Partition type.
NOTE: Here is a close-up screen shot of what the Destination drive will look like in the Ext2 Volume Manager program. Note the Partition type is set to RAW.
Here is a screen shot of the full Volume Manager window:
107. n the list. To delete an operation, tap the X to the right of the operation.
When finished, tap the OK icon. A summary of the macro will be seen.
To start the macro and have the Falcon perform all the operations on the task list, tap the Start icon.
Example: Setting up a Macro for a Wipe using Secure Erase, then perform a Drive to Drive Image
To set a macro to perform a Wipe using Secure Erase on SAS_D1, immediately followed by performing a Drive to Drive image from SAS_S1 to the newly wiped (secure erased) SAS_D1, the Wipe and Imaging Tasks first need to be set up.
1. First, set the Wipe task. Select SAS_D1 as the Destination and change the setting to perform a Secure Erase (Wipe Patterns and Format set to off). Do not start this task.
2. Next, set the Imaging task. Select Drive to Drive as the Mode. Select SAS_S1 as the Source. Change the settings as needed. Select SAS_D1 as the Destination. Do not start this task.
3. Choose Task Macro from the list of operations on the left side.
4. Tap the Tasks icon to select the different tasks f
108. n updating the software can be found on the
9.1.1 From Network (Via the web)
1. Connect the Falcon to a network with Internet access. Set the proxy settings/IP settings if necessary. Attach a network cable to the back of the Falcon.
The Falcon is DHCP enabled by default.
2. From the main menu on the Falcon, tap the down arrow twice, then tap the Software Updates icon. A screen will appear showing the current version of software installed towards the top of the screen.
3. Select From Network. The Falcon will check for a newer version on the web. If one is found, it will display the version on the screen and the Update icon will be selectable.
4. Tap the Update icon to begin the update. A confirmation screen will appear. Tap Yes to continue the update.
5. Do not interrupt the update process. It may take several minutes. Once completed, a Successful screen will appear.
6. Reboot the Falcon by turning the unit off, then back on, using the Power switch in the back of the unit.
7. Verify the software version at the top of the Software Updates screen.
9.1.2 From USB Drive (Via software download)
The latest software can also be downloaded from Logicube's website and be placed onto a USB flash drive. It is recommended to use an empty USB flash drive. Download the latest software from the Falcon product support page at http
110. o be pushed from (where the files to push are located). This will only show drives connected to the Destination ports or locations set up as a repository where the DD, E01, or EX01 images are located.
After selecting the Source, a list of cases found on the drive will be displayed. Select one or more cases to push, then tap the OK button to continue. If no cases are selected, all cases found on the drive or repository will be pushed.
6.0.4.2 Settings
Optional: Tap this icon to enter case info, set a hash method, and to set the verify option. The case info screen is similar to previous case info screens.
There are four hash methods available for this operation:
• None: No hash will be performed.
• SHA-1: The SHA-1 algorithm will be performed on each file from the source location.
• MD5: The MD5 algorithm will be performed on each file from the source location.
SHA-1 is the recommended method.
There are two verify settings available:
• Yes: Each file that was copied on the Destination location will be verified using the selected hash method/algorithm.
• No: No verification will be made.
6.0.4.3 Destination
Tap this icon to select the drive or repository where the files are to be pushed to (where the files to push will be pushed/copied to). This will only show drives connected to th
111. og or file names. POSIX portable characters are: Uppercase (A to Z), Lowercase (a to z), Numbers (0 to 9), Period (.), Underscore (_), Hyphen/Dash (-).
6.0.3 Wipe
This type of operation allows the user to erase, wipe, and/or format one or more Destination drives. There are three main settings: Secure Erase, Wipe Mode, and Format.
• Secure Erase: Sends a command to the drive instructing it to perform a secure erase based on the drive manufacturer's specifications for the secure erase command.
• Wipe Patterns: Allows the user to set a specific pattern to use for wiping the drive. The number of passes is customizable (up to 7 passes), along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set with pre-selected pass values.
• Format: Formats the Destination drive with an EXT4 file system or NT file system (NTFS), with or without AES-256 encryption. More information on encryption can be found in Chapter 8.
There are three selections when performing a wipe: Destination, Settings, and Case Info.
6.0.3.1 Destination
Tap this icon to choose a drive to erase, wipe, and/or format. A screen will appear allowing the selection of one or more destinations. Tap the drive(s) to be erased, wiped, and/or formatted, then tap OK.
112. on during its boot process. For example, if the user wants the Falcon to always boot up with the default imaging mode set to Drive to File, with the setting of E01 and a segment size of 2GB:
1. Turn the Falcon off, then back on. This will reset all settings to its default configuration. This is an important step to help ensure only the changes desired will be the changes saved.
Go to the Imaging screen and set the Mode to Drive to File. In the Settings, set the image to E01 and set the segment size to 2GB. In the System Settings, go to User Profiles/Configurations and tap the New icon. Type a name for this profile (for example, E01 2GB) and tap the OK icon. The profile name should appear on the screen. Tap the newly saved profile and tap Save. A confirmation screen will appear. Tap the Yes icon to save the profile. Make sure the profile to be loaded during the boot process is highlighted (in this case, E01 2GB DB) and tap the Load icon. A confirmation screen will appear.
9. The next time the Falcon is turned on, it will load the E01 2GB DB profile.
To delete a profile, tap the delete icon. A confirmation screen will appear. Tap the Yes icon to delete the selected profile.
It is highly recommended that the Falcon is turned off, then back on, before making any changes to the profiles/configurations. This helps ensure that only the desire
113. on to set the time to automatically lock the configuration and require a password. By default, this is set to 1 minute.
A shortcut and indicator to the config lock can always be seen on the Falcon's screen. It is located on the top right of the screen, next to the Falcon logo.
While in a locked state, the following operations will be affected as follows:
• Imaging: An imaging task can be started, but no settings can be changed. Additionally, no new task can be added and no task can be deleted without the unlock key.
• Hash: A hash task can be started, but no settings can be changed. Additionally, no new task can be added and no task can be deleted without the unlock key.
• Wipe: A wipe task can be started, but no settings can be changed. Additionally, no new task can be added and no task can be deleted without the unlock key.
• Task Macro: A task macro can be started, but no settings can be changed. Additionally, no new macro can be set or edited without the unlock key.
• USB Device: Since there are no settings or configurations for this operation, it is not affected by Config Lock.
• File Browser: The file browser cannot be accessed without the unlock key.
• Logs: Since there are no settings or configurations fo
115. ont of the Falcon. The USB drive must be formatted with the FAT, FAT32, NTFS, or EXT4 file system.
b. Tap the Export icon to export the log file via USB. The log will be exported (copied) to the attached USB drive and will be in HTML, PDF, and XML formats.
Repeat steps 2 through 4 if other log files need to be exported or viewed.
To print the log files, use the web interface as described in Chapter 10, Remote Operation, and click the print icon on the upper right corner of the screen. The browser's print menu will appear and the log can be printed to an available printer configured on the computer.
3.8.2 Deleting log files
Log files can be deleted one at a time or all at once.
• To delete a single log file, tap the log file to highlight the log file to be deleted. Tap the Delete icon to delete the selected log file.
• To delete all the log files, tap the Delete All icon.
A log file deletion password can be set to add a layer of security when deleting log files. If a password was set, log files cannot be deleted without entering the correct password.
• If a log file deletion password was not created, a confirmation screen will appear confirming to delete the single log file or all log files.
• If a log file deletion password was created, a screen will appear prompting to enter the log file deletion password
116. or 512 Bytes
• 4096 Bytes (8 sectors)
• 64 KiB (128 sectors)
When a bad sector on the source drive is found, by default it will skip that sector. Changing the granularity allows more sectors to be skipped.
A cluster size represents the smallest amount of disk space that can be used to hold a file. The most common cluster size for an NTFS volume, for example, is 4KB (4096 Bytes). This means that the smallest amount of space that will be used for a file is 4096 Bytes. As an example, if 4096 Bytes is chosen and one of the 8 sectors in that cluster size contains a bad sector, the Falcon will skip the entire cluster (4096 bytes, or 8 sectors).
5.0.3.4 Hash/Verification Method (Common Setting)
This setting allows the user to set a hash and/or a verification method.
Hash: Will hash the Source drive with the selected method. There are two, three, or four hash algorithm options available, depending on which Imaging mode or File Image Method is selected:
• None: No hash of the Source will be performed.
• SHA-1: Uses the SHA-1 algorithm to hash the Source.
• SHA-256: Uses the SHA-256 algorithm to hash the Source. This is only available when using the Drive to Drive Imaging mode.
• MD5: Uses the MD5 algorithm to hash the Source.
Verification Method: Select YES to hash the Destination and verify that hash with th
117. or the macro.
5. Tap the field next to Operation 1 to set the first operation. Since the first task to be run is the Wipe task, select Wipe 1, then tap OK.
6. Tap the field next to Operation 2 to set the second operation. Since the second task to be run is the Drive to Drive Imaging task, select Image 1, then tap OK.
7. The screen should now show Wipe 1, Image 1 as the Tasks for Macro 1.
8. Tap the Start icon to begin the macro. The macro will run the Wipe 1 task first, then Image 1.
6.0.6 USB Device
Connecting the Falcon to a computer via USB will allow the user to view any drive connected to the Falcon. In this mode, all drives connected to the Falcon are write-protected. When this type of operation is selected, the following screen will appear:
[Figure: Select Drives for USB Export screen, listing drive information and drive status]
When using this type of operation, use the USB Device port located on the back panel of the Falcon.
Choose the drive to view, then tap the ENGAGE icon. The DRIVE STATUS for the selected drive will change to ENGAGED and the ENGAGE icon will change to DISENGAGE. At this point, connect a USB cable
118. ort
Source drives do not have to be connected in any order. For example, a single SATA Source drive does not have to be connected to the SAS/SATA S1 port. It can be connected to the SAS/SATA S2 port without having anything connected to the S1 port.
Never connect a suspect or Source drive to the Destination ports of the Falcon. Data may be overwritten if a drive is connected to a Destination port.
Any combination of drives can be connected, up to 4 Source drives. For example, one SAS drive, one SATA drive, one USB drive, and one FireWire drive can all be connected at the same time.
2.2.2 Connecting Destination Drives
Destination drives (also called evidence drives) must be connected to the right side of the Falcon. These ports are labeled as follows:
• SAS D1: SAS/SATA data port for the Destination 1 (D1) position
• SAS D2: SAS/SATA data port for the Destination 2 (D2) position
• PWR: power port for either Destination 1 (D1) or Destination 2 (D2) position
• USB D1/2: USB 3.0 Destination port
• FW D1: FireWire Destination port
Destination drives do not have to be connected in order. For example, a single SATA Destination drive does not have to be connected to the SAS/SATA D1 port. It can be connected to the SAS/SATA D2 port wi
119. ows the user to push evidence files from destination drives connected to the Falcon, or from a Falcon repository, to a network location. A more secure method than simply copying and pasting to the analysis computer, the Falcon performs an MD5 or SHA hash during the push process; a log file is generated for each push process.
• Image to an external storage device such as a NAS using the Gigabit Ethernet, USB 3.0, or SAS/SATA connection.
• Task Macro feature: Set specific tasks to be performed sequentially, for example first wipe the destination drive, then hash the source drive, then image the source drive. Set up your Macro, press start, and all tasks within the Macro will be performed automatically.
• Features an internal, removable storage drive that stores OS and audit trail logs. The drive is easily removed for secure/classified locations.
• Audit Trail Log files provide detailed information on each operation. Log files can be viewed on Falcon or via a web browser, and exported in XML, HTML, or PDF format to a USB enclosure. Users can print the log files directly from their PC when connected to Falcon via a web browser.
• Additional features include HPA/DCO capture, drive trim feature to manipulate the DCO and HPA areas of destination drives, the ability to set password-protected user profiles and save configurations, drive time-out feature automatically puts drives in stand by mo
120. port in the back of the Falcon. The power supply has a notch to guide the connection. The notch should be guided to face the top side of the power port.
When using both the Falcon and SCSI module, it is important to connect both power supplies to the Falcon and SCSI module before turning the Falcon's momentary switch on.
To turn the Falcon on, press and immediately release the top of the momentary on/off switch in the back. The Falcon will turn on, and you should hear the fans turn on and see the display show the Falcon logo. It is normal for the fans to either turn off or slow down after the initial start-up sequence.
There are two ways of turning the Falcon off:
1. Press and immediately release the top of the momentary on/off switch in the back. The Falcon will begin its shut down process, and after a few seconds the display and fans will turn off.
2. Using the Graphical User Interface (GUI), either on the touch screen or via a browser through a remote connection, navigate to the Power Off screen and tap or click the Power Off icon.
Once the power is completely off (GUI turns off along with the fans), it is safe to disconnect the power supplies from both the Falcon and SCSI modules.
13.3 Connecting Drives
This section shows how to connect SCSI drives to the Falcon
121. r screen, select the drive to browse by tapping the corresponding tab at the top of the screen. The Falcon will show all the partitions that can be read.
2. Tap the partition to browse. The Falcon will show the contents (folders, directories, and files).
3. To view a file, tap the filename. The Falcon will attempt to open the file. If the Falcon can open the file, it will be displayed on the screen. If the Falcon cannot open the file, a message will appear stating "File viewer cannot view file type".
For detailed information on how to use the file browser and important notes, see Section 6.0.7 of this manual.
3.8 Logs
The Falcon keeps logs of all imaging, hash, wipe, format, and push operations. Logs can be viewed directly on the Falcon or from a computer's browser if the Falcon is connected to a network. In addition to viewing, the logs can be exported to an external USB location such as a USB flash drive. Logs are exported in PDF, HTML, and XML format. When using Drive to File mode (DD, E01, or EX01), log files are also stored in the Destination drive in the same folder as the image files. The log files in the Destination drive are available in PDF, HTML, and XML formats. The log files may contain a partial hash. This hash is for Falcon's internal purposes only and cannot be validated by any other means. The partial hash is a snapshot of the hash en
122. r this operation, it is not affected by Config Lock.
• Statistics: Since there are no settings or configurations for this operation, it is not affected by Config Lock.
• Manage Repositories: A managed repository cannot be added without the unlock key. At this time, a managed repository can be deleted without the unlock key. A future software update will require the unlock key to delete a managed repository.
• System Settings: This entire section cannot be accessed without the unlock key.
• IP Settings: This entire section cannot be accessed without the unlock key.
• Software Updates: This entire section cannot be accessed without the unlock key.
• Power Off: This entire section cannot be accessed without the unlock key.
The Passwords can be saved into a user profile configuration and loaded each time the Falcon is turned on. See Section 6.0.10.1 for more information on saving and loading a user profile configuration.
The Falcon can still be turned off without the unlock key by using the power switch located in the back of the Falcon.
Remember the Config Lock Key. If the Falcon is configured to load with the Config Lock set (enabled), the only way to delete the Config Lock is to reset the Falcon using the Command Line Interface (CLI).
6.0.11.2.2 Forgotten password or config lock key
If the Log File Deletion password or Confi
123. rameters are necessary to decrypt and read the Destination drive and can be configured in the Encryption Settings page on the Falcon:
• Cipher Mode: Users can choose between TC XTS, CBC, or ECB cipher modes. TC XTS cipher mode can be decrypted using the Falcon or TrueCrypt. CBC or ECB cipher modes can be decrypted using the Falcon or FreeOTFE. The Falcon encrypts drives using AES 256 encryption regardless of what cipher mode is used. If TC XTS is used, Falcon uses a TrueCrypt-friendly format and does not use TrueCrypt to encrypt the drive. The encryption key is not stored on the Destination drive.
• Cipher: At this time, only the AES 256 cipher is supported.
• IV Generation (Initialization Vector): Unavailable when TC XTS cipher mode is selected. If CBC or ECB cipher mode is selected, users can choose between PLAIN64 and ESSIV SHA256.
• Encryption Password or Key: Users must choose their own encryption password/key.
There are many articles on the Internet about AES 256 Lee and the different modes and Lee that come with encryption
8.1 Encrypting a Destination
To encrypt a Destination, the Encryption settings must be set and the drive will need to be formatted using the Falcon. These steps must be performed prior to an Imaging operation.
8.1.1 Step-by-step Instructions
Select System Settings from the types of operation on
124. rs must work in a sensitive compartmentalized information facility (SCIF). These secure areas have very stringent requirements regarding the use of electronic devices to ensure sensitive information does not leave the confines of the SCIF. The Falcon has been designed with a removable internal hard drive. The Falcon's operating system, system settings, and log files are all stored on this internal drive. If an investigation requires that the Falcon must be removed from the SCIF or be transported to another location, the internal drive can be removed prior to leaving the facility. It is a good practice to always make a back-up copy of the hard drive prior to entering a secure location.
If I am imaging to or from USB enclosures, will the Falcon's USB ports power my devices or will an additional power source be required?
Each of the Falcon's USB ports meets the standard specification of up to 5V of power. If your USB device has higher power requirements, an external power source will be necessary. Check with the manufacturer of your USB device to determine the exact power requirements.
Can the Falcon image to an external storage device such as a NAS (Network Attached Storage)?
Yes, Falcon can image to external storage devices. The external device can be connected to Falcon via the Gigabit Ethernet or via the destination ports (USB 3.0 or the SAS/SATA) built into Falcon. If the external
125. [Screenshot: TrueCrypt main window]
2. The Select a Partition or Device window will appear. Select the partition of the drive. Do not select the actual drive itself. Click OK to continue.
3. Verify the Volume shows the correct device and partition. Click Mount to continue.
4. The password screen will appear. Enter the password used to encrypt the drive, then click OK to continue.
TrueCrypt has a setting to mount the drive as read-only, which is a software write block. This setting can be found by clicking Mount Options. A hardware write block device may be used instead if needed.
5. TrueCrypt will mount the drive and assign it a drive letter.
126. s are: Uppercase (A to Z), Period (.), Lowercase (a to z), Underscore (_), Numbers (0 to 9), Hyphen/Dash (-).
5. Tap the Destination icon and select the destination(s) to be used, then tap the OK icon.
[Screenshot: Select Repository screen]
For DD, E01, Ex01, and File to File mode, the Falcon uses the NT file system (NTFS) or EXT4 file systems to format drives. If the Destination drive is not formatted properly, the Location will appear as NOT_MOUNTED and a format icon will appear in the Format column. Tap the Format icon to format the Destination drive.
For Drive to File or File to File, the Falcon will display drives connected to the Destination ports and any added repository.
Encrypted drives will have the following symbol in the Format column.
When formatting the drive from this screen, a prompt will appear to format the drive. Select which file system to use (EXT4 or NTFS) and whether to format with encryption (ON) or without encryption (OFF). Details on encryption can be found in Chapter 8 of the Falcon User's Manual. For details on formatting a drive, see Section 6.0.3.2.3 Formatting
127. s drive capacity, speed, and other settings as they are reported to the computer's BIOS. The HPA/DCO setting allows the user to set whether a drive's HPA or DCO is to be unlocked and imaged. Select YES to unlock and image a Host Protected Area (HPA) or Device Configuration Overlay (DCO).
[Screenshot: CLONE HPA, CLONE DCO, and DESTINATION DRIVE TRIM settings]
HPA (Host Protected Area) can limit the size of a hard drive, but it can also change many other settings such as speed and S.M.A.R.T. status. DCO (Device Configuration Overlay) limits the size of a drive only. For example, a 160GB drive can be made to look like a 100GB drive to a computer.
Drive Trim is a special setting when the mode is set to Drive to Drive. For more information on Drive Trim, please see section 6.0.3.5.1 Special Settings for Drive to Drive.
5.0.3.3 Error Handling (Common Setting)
When bad sectors are encountered on the Source drive, Falcon can either skip the bad sectors or abort the imaging operation. This allows flexibility on what to do when bad sectors are found on the Source drive.
[Screenshot: ERROR HANDLING and ERR GRANULARITY settings]
When bad sectors are encountered and error handling is set to Skip, Falcon will write a zero on the corresponding sector or position in the Destination drive or file. Falcon also has a setting for error granularity. There are 3 options:
• 1 sect
128. s internal drive is seen as a source drive. Macs with either FireWire or Thunderbolt ports can be connected to the Falcon. A Thunderbolt to FireWire adapter is required.
• Multi-task: Shorten the evidence collection process with the ability to wipe one destination drive while imaging to another, or image from multiple source drives to multiple destinations. Perform up to five tasks concurrently.
• Parallel Imaging: Perform multiple imaging tasks from the same source drive to multiple destinations using different imaging formats. Clone to a network location or a destination drive in mirror copy format while simultaneously imaging in e01 or dd format to a different destination drive.
• Concurrent Image Verify (patent pending): The Falcon takes advantage of destination drives that are faster than the source drive and begins verification while the imaging process is occurring. Duration of total image plus verification process time may be reduced by up to half.
• The Falcon can perform a forensic, filter-based file copy. Filter and then image specific file types by file extension, such as PDF, doc, jpeg, mov, etc.
• Secure sensitive evidence data with whole drive AES 256 bit Encryption. Decryption can be performed using the Falcon or by using open source software programs such as FreeOTFE or TrueCrypt.
• Fast Multi-pass wipe (DoD specifications), or use secure erase to wipe drives; wipe at speeds of up to 27GB/min.
• The Network Push feature all
129. s will show COMPLETED. At this point, it is recommended to tap Reset Task to reset the task and also to delete the task in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.
3.6 USB Device: Viewing drive contents in Windows
Connecting the Falcon to a computer via USB allows the user to view any drive connected to the Falcon. In this mode, all drives connected to the Falcon are write protected.
Falcon formats the drives using the EXT4 file system or NT file system (NTFS). EXT4 is not natively supported by Windows. There are several utilities that allow viewing of the EXT4 file system in Windows. Logicube has tested and recommends Ext2Fsd (http://www.ext2fsd.com), which is a utility/driver that allows EXT partitions to be viewable in Windows. For detailed instructions on Ext2Fsd, please see Chapter 7. NTFS is natively supported by Windows.
3.6.1 Step-by-step instructions: USB Device
1. Select USB Device from the types of operation on the left side. A list of drives connected to the Falcon will appear.
2. Select a drive, then tap the Engage icon.
3. Connect a USB 3.0 cable (A to B) between a computer and the Falcon. Connect the A connector side of the cable to an available USB port on t
130. ser Computer File Browser
Viewable File Types: Text, PDF, HTML, and some image files only. All files supported by the OS or installed software. All files supported by the OS or installed software. All files supported by the OS or installed software. All files supported by the OS or installed software.
Additional Comments:
• Drives can only be accessed on the Falcon unit itself.
• Drives can be accessed from multiple computers if connected to a network. More powerful viewing capabilities through the computer's Operating System compared to using the File Browser alone.
• Drives can only be accessed by the computer the Falcon is connected to. Drives will appear in Disk Management and can be accessed on the physical level. Partitions are searchable using the Operating System's search functions. Third-party analysis tools and software can be used easily since partitions are mounted.
• Logical access to partitions viewable by the computer's Operating System. Partitions are searchable using the Operating System's search functions. Third-party analysis tools and software can be used easily since partitions are mounted.
• Requires an iSCSI Target. Drives will appear in Disk Management and can be accessed on the physical level. Partitions are searchable using the Operating System's search functions. Third-party analysis tools and software can be used easily since partitions are mounted.
4.1 File Browser
The Fal
131. ser interface
The user interface (UI) has been designed to quickly and easily input commands. It is simple and intuitive, showing common icons such as tasks, modes of operation, and scroll icons on the screen. The UI is designed to be easily followed, going from left to right across the screen.
[Screenshot: user interface with callouts A to H]
A. Operations/Tasks currently running (displays up to 5 total tasks)
B. Lock indicator/shortcut
C. Operations/Tasks
D. Add or delete tasks
E. Types of Operations
F. Up and down scroll arrows
G. Operations options and settings
H. Start icon
2.4 Touch screen
The Falcon features a 7" color LCD capacitive touch screen that allows the user to quickly input commands. The screen is bright and easy to read.
2.5 HDMI
The Falcon has an HDMI port located in the back panel. Simply connect an HDMI cable from the Falcon to an external display that supports HDMI and Falcon will automatically show the display on both the Falcon and the external display. To change the display resolution on the external display:
1. Connect a wired USB keyboard to one of the front USB host ports.
2. Press ALT R. An on-screen display should appear on the external display that allows the display resolution to be changed.
132. sitory. For more information on how to manage repositories, see Section 6.0.10 of this manual.
3.11 System Settings
The System Settings screen allows users to configure five different settings for the Falcon:
• User Profiles/Configurations
• Passwords
• Encryption Settings
• Language/Time Zone
• Display
For more information on Falcon's system settings, see Section 6.0.11 of this manual.
3.12 Network Settings
There are two tabs in the Network settings screen:
• Services: The network settings screen allows certain network services to be enabled or disabled.
• HTTP Proxy: In order for the Falcon to be able to update software from a network over the internet, proxy settings may need to be set. Networks that have a proxy server for internet access will require proxy settings for devices like the Falcon to connect to the Internet. This typically includes a server or IP address, a host port, a username, and password.
For detailed information on the Network Settings screen, see Section 6.0.12 of this manual.
3.13 Software Updates
New and improved software will be released from time to time. There are two ways to update the software on the Falcon: from the web via a network connection, or from a USB drive. For more inform
133. ssage appears
10 Remote Operation
10.0 Introduction
The Falcon comes with a gigabit network connection in the back of the unit. Connecting the Falcon to a network allows remote access to the Falcon from any computer within the same network. The Falcon is configured for DHCP by default. See Section 10.5 for instructions on how to configure the Falcon with a Static IP address. The Falcon is set up with a Zero Configuration Network (Zeroconf). There are two ways to access the Falcon:
• Web interface: A graphical interface using an Internet browser where the screens are shown exactly the way they appear on the Falcon.
• Command Line Interface (CLI): A text-only command line interface that can be accessed one of two ways:
  i. Telnet via a network connection
  ii. SSH (Secure Shell) via a network connection
BROWSER COMPATIBILITY: Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer 10 are recommended. Other versions of Internet Explorer may not be compatible.
10.1 Web Interface
Using a web browser, go to the IP address or the name of the Falcon with its serial number. Both IP address and serial number can be found by going to the Statistics screen on the Falcon. For example, browse to http://192.168.1.100 or http://Falcon-XXXXXX, where XXXXXX is the 6-digit serial number of the Falcon. The Falcon's web interface will appear on the browser screen. All screens
134. t
From this screen, log files can also be deleted one at a time or all at once.
Sample log viewed on screen: [Screenshot of an audit log showing unit information, operation parameters, result, and hash information]
The log file may contain several sections depending on what settings and options were chosen during the operation, including:
• Information on the Falcon and its settings
• Case info (if entered)
• Source and Destination hashes
See Section 3.8.1 for instructions on how to export the log files. See Section 3.8.2 for instructions on how to delete the log files. See Section 3.8.3 for instructions on accessing the logs over a network.
6.0.9 Statistics
This will display two tabs: About and Adv Dri
135. t located on the back panel of the Falcon.
[Figure: Falcon rear view, showing the USB 3.0 device port]
9. After a few moments, Windows should assign a drive letter to the selected drive. The contents of the drive should now be accessible in Windows.
10. When finished, tap the DISENGAGE icon to disengage the USB mode. The USB cable can now be disconnected from the computer and the Falcon.
If the data on the drive is unrecognizable, disconnect the drive, then double check the encryption settings (steps 2 through 4), then re-connect the drive.
8.3 Decrypting the drive without a Falcon
In order to mount and read an encrypted Destination drive in Windows without using a Forensic Falcon, Logicube recommends one of two third-party utilities called TrueCrypt or FreeOTFE. Other utilities may work but are not supported or tested by Logicube.
TrueCrypt can be downloaded (for decryption purposes only) from: http://truecrypt.sourceforge.net
FreeOTFE can be downloaded from: http://sourceforge.net/projects/freeotfe.mirror/files/latest/download
To install FreeOTFE, the verification of signed drivers must be disabled. Here is a link that might help: en.kioskea.net/faq/3914-windows-7-disable-signature-verification-of-drivers
There are other ways of installing unsigned drivers. Severa
136. t the user enters a value for the 7th pass or the Falcon will not proceed with the wipe operation. Values can be changed or added by tapping the edit icon.
Passes screen when Custom is selected: There is no default value entered for any passes. It is mandatory that the user select a value for at least the first pass or the Falcon will not proceed with the wipe operation. Values can be changed or added by tapping the edit icon.
Editing one or more of the passes in DOD or CUSTOM mode will bring up this screen:
• SKIP: Instructs the Falcon to skip the pass.
• RANDOM: Instructs the Falcon to perform a random pattern or value.
• VALUE: Instructs the Falcon to use the specified hex value to be written for the pass. The values can range anywhere from 00 to FF.
6.0.3.2.3 Format
Formats the Destination using the EXT4 file system or NT file system (NTFS), either with or without AES 256 encryption. To format the drive with or without encryption, tap the Settings icon.
The Falcon will check the Destination drive for proper formatting prior to being used as a Destination or Repository for Imaging using Drive to File or File to File. If it is not properly formatted, the Destination drive must be formatted using the Falcon prior to being used as a Destination or Repository for Ima
137. the Start icon to start the wipe task. The Falcon will perform a Secure Erase first (if selected), then a Wipe Pattern (if selected), then finally a Format with encryption.
8.1.2 Using previously encrypted Destination drives
If a previously encrypted Destination drive is going to be used and the Falcon has been turned off since the last time the encrypted drive was used, the encryption settings must be set with the same encryption settings previously used before connecting the drive.
1. Turn the Falcon on. Make sure the previously encrypted Destination drive is not connected.
2. From the main menu, select System Settings from the types of operations on the left side.
3. Tap the Encryption Settings tab.
4. Set the Cipher Mode, Cipher, IV Generation, and Password that was used for the previously encrypted Destination drive.
5. Connect the previously encrypted Destination drive to one of the Destination ports.
8.2 Decrypting a Falcon encrypted Destination drive with a Falcon
Falcon can decrypt a Destination drive encrypted by the Falcon. To decrypt the drive using a Falcon, the correct encryption settings must be set. After the encryption settings are set, the drive needs to be connected to the Falcon, and the Falcon can then be connected to a computer via USB. If the Destination drive was formatted with the EXT4 file system, please read Chapter 7 for information on how to view EXT4 in Windows.
8.2.1 Step-by-step Instructions
138. the left side.
2. Tap the Encryption Settings tab.
3. Set the Cipher Mode, Cipher, IV Generation, and Password.
4. Select Wipe from the types of operation on the left side.
5. Tap the Destination icon and select the Destination drive to be formatted and encrypted.
6. Tap the Settings icon. If the Destination needs to be wiped, choose the type of wipe to be performed: Secure Erase and/or Wipe Patterns. If Wipe Patterns is selected, choose the type of Wipe Pattern to perform (DoD or Custom). If the drive has an HPA or DCO area that needs to be wiped, tap the HPA/DCO icon and select Yes to wipe the HPA or DCO area of the drive. If a Wipe Pattern was selected, tap the Passes icon to edit the number of passes and what gets written on each pass. If DoD was selected, a 7th pass value must be chosen.
7. Tap the Format Settings icon to change the Format setting:
   a. Set Format to ON.
   b. Select the desired File System (EXT4 or NTFS).
   c. Set Encryption to ON.
   When finished, tap the OK icon.
The Falcon will perform each of the settings sequentially. For example, if Secure Erase is set to ON, a Wipe Pattern mode is specified, and Format is set to On, the Falcon will first secure erase the drive, then wipe the drive according to the mode specified, then format the drive.
8. Tap
139. thout having anything connected to the D1 port. Any combination of drives can be connected, up to 5 Destination drives. For example, one SAS drive, one SATA drive, two USB drives, and one FireWire drive can all be connected at the same time.
The Falcon ports are hot swappable. Drives that are not being used in any task (image, hash, wipe, etc.) can be disconnected any time. Some drives are not hot swappable. Please check with the drive manufacturer to find out if the drive being used does not support hot swapping. When disconnecting drives, it is very important to make sure the drives are not being used on any task. Disconnecting drives while the Falcon is using the drive for a task may cause data loss.
2.2.3 Connecting USB 3.0 Drives
USB 3.0 is a new technology, and USB 3.0 controller manufacturers may have variations in device designs that have inconsistent adherence to the USB 3.0 specification. This may result in non-detection of the USB 3.0 device on certain equipment, including desktops, laptops, or the Falcon. If a USB 3.0 device cannot be detected on the Falcon USB ports, we have found that using a USB 3.0 hub may stabilize and regulate the communication between the USB 3.0 device and the Falcon, allowing the device to be detected properly. We have identified and qualified a USB 3.0 hub, which is available as an option. For more information on the USB 3.0 hub, pleas
140. tion using iSCSI. Users can use iSCSI as a source or destination drive.
• Network services: Users can disable various network services such as HTTP, SSH, Telnet, CIFS, NETBIOS, iSCSI, Iperf, and Ping for security purposes.
• Preview/triage hard drive contents: Preview the drive contents directly on the Falcon. The file browser feature provides logical access to source or destination drives connected to Falcon. Users can view the drive's partitions and contents and view text files, jpeg, PDF, XML, and HTML files. Other file types such as doc and xls can be viewed by connecting Falcon to a network and, via a PC, download and view. The Falcon also allows you to preview suspect (source) drives or destination drives using the USB connection from the Falcon to a computer or by using the SMB protocol. Users can also use the iSCSI protocol to preview Source drives.
• Use a web browser to manage all operations remotely: Easily connect to a networked Falcon from your laptop or desktop using a web browser. The interface features automatic page scaling for iPad-type devices.
• Image from a desktop or laptop PC without removing the hard drive: Create a forensic bootable USB flash drive that allows the user to image a source drive from a computer on the same network without booting the computer's native operating system.
• Image from a Mac: Image from a Mac system booted in target disk mode using the write-blocked FireWire port on Falcon. The Mac
141. to the Falcon's DC power port in the back. To turn the Falcon on, press and immediately release the top of the momentary on/off switch in the back. The Falcon will turn on and start the boot process. It is normal for the fans to either turn off or slow down after the initial start-up sequence.
There are two ways of turning the Falcon off:
1. Press and immediately release the top of the momentary on/off switch in the back. The Falcon will begin its shut down process and, after a few seconds, the display and fans will turn off.
2. Using the Graphical User Interface (GUI), either on the touch screen or via a browser through a remote connection, navigate to the Power Off screen and tap or click the Power Off icon.
2.2 Connecting various drive types
Cables and adapters are available for the following drive types:
• SAS
• SATA
• USB
• FireWire
• 1.8" microSATA
• 2.5" and 3.5" PATA/IDE
• 1.8" ZIF
• 1.8" PATA/IDE
• eSATA (optional)
• mSATA (optional)
• Flash Media (optional)
2.2.1 Connecting Source Drives
Source drives (also called suspect drives) must be connected to the left side of the Falcon. These ports are write protected and are labeled as follows:
• SAS S1: SAS/SATA data port for the Source 1 (S1) position
• SAS S2: SAS/SATA data port for the Source 2 (S2) position
• PWR: power port for either Source 1 (S1) or Source 2 (S2) position
• USB S1: USB 3.0 Source port
• FW S1: FireWire Source p
142. [Screenshot: iSCSI Initiator Properties, Discovery tab]
4. In the Targets tab, any drives connected to the Source ports of the Falcon will appear on the list of targets. Highlight the drive to view, then click Log On.
[Screenshot: iSCSI Initiator Properties, Targets tab]
5. A Log On to Target window will appear. Click OK to continue.
[Screenshot: Log On to Target window]
6. The selected drive status will change to Connected. Repeat steps 4 and 5 to view other drives. Click OK when finished.
143. us will show COMPLETED. At this point, it is recommended to tap Reset Task to reset the task and also to delete the task in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.
Push speeds will vary depending on network conditions.
3.5 Task Macros
This operation allows up to five (5) macros that can be set. Each macro can run up to nine (9) tasks sequentially (one after another). For example, a macro can be set to perform these tasks in order: Wipe, Image, and then Hash.
3.5.1 Step-by-step instructions: Task Macros
Each task or operation must be set up before setting up the macro. For example, to set up a Task Macro that will perform a wipe then image, users must first set up both the wipe and image tasks. Once the wipe (for example, Wipe 1) and image (for example, Image 1) have been set up, the Task Macro can be set.
1. Select Task Macro from the types of operation on the left side.
2. Select a macro (Macro 1 through Macro 5).
3. Tap the Task icon to select up to nine (9) operations.
Set up to 9 operations by tapping on each operation in order (Operation 1, Operation 2, etc.). When all the operations have been set, tap the OK icon. Tap the Start icon to execute the macro and perform all the operations within that macro.
7. When finished, the statu
144. ust the time as needed. The Falcon also has a time zone setting. Tap Time Zone to select the time zone region. Tap the OK icon to continue. After selecting the region, select the time zone where the Falcon is located. Tap the OK icon to set the time zone.
6.0.11.5 Display
Brightness: The Falcon's screen brightness may need to be adjusted depending on the user's preference. To adjust the brightness, use the left or right arrow icons on the screen. The screen's brightness will adjust accordingly. The screen brightness cannot be saved and loaded as a user profile/configuration. Each time the Falcon boots, the brightness will be reset to 80.
Stealth Mode: Stealth mode turns the Falcon's screen off, allowing privacy so no one can see what the Falcon is doing. When Stealth mode is activated, currently running operations continue to run. To turn Stealth mode on, tap ON. To turn Stealth mode off and restore the Falcon's display, tap anywhere on the screen. Stealth mode will not have any effect on the computer's Internet browser.
6.0.12 Network Settings
The Network settings screen allows certain services to be enabled or disabled in the Services tab. There is also an HTTP Proxy tab where proxy server information can be entered.
145. ve Statistics. The About screen will show information about the Forensic Falcon, including the current software installed. Some of the information available in the About tab: Date: The current date. LocalTime: The current local time. UTCTime: The current UTC time. Version: The current software version. BuildDate: The build date of the software. KernelVersion: The current kernel version. HostName: The hostname that can be used when connecting to the Falcon via a network. N/W Interfaces: Shows Ethernet adapter information such as the IP address, MAC address, and link speed. SerialNumber: The serial number of the Falcon unit. SCSI Option: Shows whether the SCSI module is attached or not. Uptime: The total time the Falcon has been running since it was last turned on. BIOS Build Date: Shows the BIOS build date. The Adv Drive Statistics tab shows S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) information taken directly from what the drive is reporting. Navigate between drives by using the left and right scroll arrows. The up and down scroll arrows scroll through the different information. The information shown is the raw value tracked by the drive and is not translated. 6.0.10 Manage Repositories: Repositories can be added to the Falcon in this operation. Repositories can act as a Source or Destination. When Manage Repositories is s
146. ves. The Falcon SCSI module provides 1 SCSI write-protected Source port and 1 SCSI Destination port. It supports all of the Falcon features, including encryption, wipe, task macro, drive spanning, logs, parallel imaging, concurrent image verify, and multi-tasking. In the box: Power supply, power cord; 2 SCSI drive data cables (CBL 031A); 2 SCSI drive power cables (CBL EXT PWR 04). Optional 50-pin and 80-pin SCSI adapters are available. [Figure: Falcon with SCSI module, left side (Source) view, showing the 6-pin SCSI power port and the 68-pin SCSI data port.] [Figure: Falcon with SCSI module, right side (Destination) view, showing the 68-pin SCSI data port and the 6-pin SCSI power port.] 13.1 Instructions: How to attach the SCSI module. Connecting the SCSI module to the Falcon can be performed in just a few steps. 1. Turn the Falcon upside down and locate the expansion cover to the right of the sticker. [Figure: underside of the Falcon, showing the expansion cover next to the serial number and MAC address sticker.] Insert a small sturdy tool (for example, an eyeglass screwdriver) as seen below. Pry the expansion cover off as shown below.
147. wer 14 Forensic USB Boot Client. 14.0 Introduction: A Forensic Falcon USB iSCSI Boot Client (forensic bootable USB flash drive) for use with the Falcon is available. The bootable flash drive allows the imaging of a Source drive from a computer on the same network without booting the native operating system on the computer, and the drive can be imaged without having to remove it from the computer. Details on how to create the forensic USB boot client can be found on the Forensic Falcon's support page at http www logicube com knowledge forensic falcon 15 FREQUENTLY ASKED QUESTIONS. 15.0 FAQs. Q: Why is it that when I image a drive, the number of bytes shown is twice the size of my Source drive? A: The number of bytes shown on the progress bar is not the actual size of the drive. This is the actual data being processed. When Verify is set to Yes, the reported number will double in size. Q: Is there a way to image a drive inside a computer without having to remove it and connect it directly to the Falcon? A: Yes. There is a Forensic USB Boot Client for the Falcon. The Application Note and Instructions can be found on the Falcon support page http www logicube com knowledge forensic falcon Q: How many concurrent tasks can the Falcon run? A: The Falcon can run up to 5 concurrent tasks. Q: Do Destination drives need to be
