FORENSIC FALCON FAQ
Contents
1. AyiTcube FORENSIC FALCON FAQ What operating system does Falcon use Falcon uses a Linux based operating system A Linux based operating system provides increased stability and security over Windows based systems What file format does Falcon use when formatting destination drives Falcon supports formatting destination drives as EXT4 or NT file system NTFS format NTFS formatting is available with software update version 2 0 What drive interfaces are supported with Falcon Built in support is provided for SAS SATA USB and Firewire drives and enclosures 1 8 2 5 3 5 IDE 1 8 IDE ZIF and microSATA type drives are supported with adapters that are included with Falcon The Falcon also supports SCSI source and destination drives with an optional SCSI module available in spring 2014 The SCSI module connects directly to the Falcon providing one SCSI source port and one SCSI destination port Optional adapters are also available for eSATA mSATA and flash drives Does the Falcon have optional interface modules The Falcon has built in support for the majority of drive interfaces An optional SCSI module is available to support SCSI drives These modules connect directly to the bottom of the Falcon for seamless connectivity Additional modules may be released in the future to address new technologies as they come to market How fast is the Forensic Falcon Our tests results show that the Falcon can perform up to 20GB min when2. MODULE SCSI MODULE 2 6 PIN SAS SATA 5 USB Firewire SAS SATA Pbai on FAQ Rev 1 S SIPOWERPORT 68 PIN SCSI DATA PORT S1 ogi FCF 19755 MordhoffPl Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com iirube FORENSIC FALCON FAQ Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com ririrube FORENSIC FALCON FAQ How many destination drives can have connected to Falcon at the same time The Falcon has 2 SAS SATA destination ports 2 USB 3 0 destination ports and 1 Firewire destination port built in a SCSI port is available with the optional SCSI module for a total of 6 destination ports The USB 3 0 ports can be converted to SATA using a USB to SATA adapter available from Logicube for a total of 4 SATA destination ports All destination ports can be utilized at the same time if the power consumption of the connected drives permits FALCON WITH SCSI MODULE PA DESTINATION PORTS RIGHT SIDE DESTINATION VIEW FALCON FALCON SCSI MODULE SCSI MODULE 6 PIN 68 PIN SCSI DATA PORT SAS SATA D2 02 S USB D1 SAS SATA D1 SCSI POWER PORT POWER USB D2 How many separate tasks can you have running concurrently You can have up to five separate tasks running concurrently For example Task 1 Image from SAS or SATA drive S1 to a SAS or SATA destination drive D1 Task 2 Image from a USB 3 0 storage
3. etc which files they want to image The files will be sorted by path based on where the file is located on the Source If a hash method is selected each file will be hashed Does the Falcon provide log files Yes each operation task produces a log file The log file is viewable on the Falcon screen or remotely on a PC in an HTML format The log files can be exported to a thumb drive the Falcon can export in XML HTML and PDF format XML log files can be customized using XML editors The log files are stored on the internal hard drive within Falcon and are accessible by pressing the log file icon from the left side navigation bar on the Falcon screen How do delete log files Log files can be deleted from the Falcon GUI Log files can be deleted one at a time or an option is available to delete all log files Log files can also be deleted via the CLI Command Line Interface LOG FILES LOGS LOG FILE NAME DATE CREATED F TUE NOV 12 14 39 23 WIPE 73 2013 Can remove the internal hard drive for secure locations or SCIFs Often investigators must work in a sensitive compartmentalized information facility SCIF These secure areas have very stringent requirements regarding the use of electronic devices to ensure sensitive information does not leave the confines of the SCIF The Falcon has been designed with a removable internal hard drive The Falcon s operating system system settings and log files are all stored on this inte
4. method than simply copying and pasting files to an analysis computer Additionally users can select to verify the file transfer to ensure data integrity A log file containing each file pushed is generated for each push operation What is Parallel Imaging Parallel Imaging allows you to image from the same source drive to multiple destinations using different formats image to a network location using e01 image to one destination drive using dd format and image to a 2 destination drive using native mirror format This is useful when there are multiple teams of investigators one in a lab and one at another location but connected to a network and you also need to provide a copy of the suspect hard drive to those that require an exact mirror image for example to an attorney Parallel Imaging ocation 4 oo oo ep na Image directly to destination drive s at the same time dd format SAN native mirror format SOURCE DRIVE DESTINATION DRIVES Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com AyiTcube FORENSIC FALCON FAQ What is a filter based file copy In many cases investigators want to image only specific file types on a suspect s hard drive this can be useful to shorten the imaging process The Falcon s file mode allows users to specify by extension type e g joeg pdf mov xls
5. 5 Image from SAS 2 to a network location Task 4 Image from USB S1 to USB D1 STATISTICS 4 I want to set a password protected profile for specific users Can do that using Falcon Yes the Falcon allows you to set up a profile for a specified user The profile can be password protected Similar to our Task Macro feature in that the administrator can set up a specified configuration or profile that includes all of the imaging tasks or other operations that are routinely used or are part of the lab protocol for data collection Can I encrypt my evidence drives using the Falcon How do I decrypt drives encrypted with Falcon The Falcon provides AES 256 whole drive encryption Users can choose between CBC or ECB cypher modes and can set their own password key for the encrypted drive Users can decrypt a drive that was encrypted with Falcon by using the Falcon to decrypt or by using a free open source utility program Logicube has tested and recommends using TrueCrypt http www truecrypt org Support for TrueCrypt decryption software was added to the Falcon effective with software update version 2 0 FreeOTFE which can be downloaded here http sourceforge net projects freeotfe mirror or Please note that support for TrueCrypt and OTFE is only available for decryption of drives that were encrypted using the Falcon Neither of these software programs are built in to the Falcon for encrypting drives nor can you decryp
6. Yes Falcon can image to external storage devices The external device can be connected to Falcon via the Gigabit Ethernet or via the destination ports USB 3 0 or the SAS SATA built into Falcon If the external storage device has a RAID configuration it will require that it be configured as a single drive Any source drive connected to Falcon can be imaged directly to the external storage device How do I update the software on the Falcon New and improved software will be released from time to time and will always be available on the Falcon support page at http www logicube com knowledge forensic falcon There are two ways to update the software on the Falcon From the web via a network connection or from a USB drive When using a network connection the Falcon will automatically search to determine if there is updated software available and prompt the user to update if required Users can also download the software from the website and then upload to the Falcon via a USB drive Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com
7. device USB 1 to a USB 3 0 destination device USB D1 Task 3 Image from a SAS or SATA drive S2 to a network repository Task 4 Wipe a SATA destination drive D2 Task 5 Hash a destination drive USB D2 FORENSIC 5 tasks running F llele p simultaneously CLONE 1 SOURCE SETTINGS DESTINATION IMAGING Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com AyiTcube FORENSIC FALCON FAQ Can schedule or automate tasks Falcon features the ability to create up to 5 separate Tasks Macros Each macro allows you to set up to 9 operations to be performed sequentially For example if your routine procedure is to wipe a drive before you begin imaging then image a drive using e01 mode S1 to D1 then hash S1 you can add these operations to a Macro and from the Falcon GUI select the Macro and the Falcon will perform the specified tasks operations in the sequence you have defined The user can save the Macro to use in future imaging sessions Administrators can set up Macros to provide an easier method for novice users or first responders to image suspect drives in the field TASK MACRO Automate your tasks Be commu Configure a Macro to set a maximum of 5 tasks to perform sequentially TASK MACRO Gigabit Ethernet rad TT ube A Task 1 Wipe SAS D1 Task 3 Hash SAS D1 USB DEVICE USB D1 s Task
8. e port located at the rear of the unit Connect a USB cable from the Falcon s device port to a computer and view any drive connected to the Falcon In this mode all drives connected are write protected Falcon formats drives using the EXT4 file system or NT file system NTFS Support for NTFS format was added in software update version 2 0 EXT4 formatted drives are viewable in any Linux based or MAC based computer To view EXT4 formatted drives on Windows based PCs there is a free utility driver ext2FSD that allow EXT partitions to be viewable in Windows NTFS formatted drives can be viewed natively on Windows based PCs Refer to the Falcon User Manual for more information ON OFF FALCON REAR VIEW SWITCH USB 3 0 GIGABIT HDMI POWER on DEVICE PORT NO Ue NeT Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com imi tube FORENSIC FALCON FAQ If I am imaging to or from USB enclosures will the Falcon s USB ports power my devices or will an additional power source be required Each of the Falcon s USB ports meets the standard specification of up to 5V of power If your USB device has higher power requirements an external power source will be necessary Check with the manufacturer of your USB device to determine the exact power requirements Can the Falcon image to an external storage device such as a NAS Network Attached Storage
9. rnal drive If an investigation requires that the Falcon must be removed from the SCIF or be transported to another location the internal drive can be removed prior to leaving the facility It is a good practice to always make a back up copy of the hard drive prior to entering a secure location Can I use a keyboard and a mouse with Falcon The Falcon includes 2 USB 2 0 host ports for keyboard mouse or printer connectivity The Falcon also includes an HDMI port to connect to a projector Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com riritrube FORENSIC FALCON FAQ Can operate the Falcon remotely Yes you can manage all operations from a remote computer using a web browser such as Google Chrome Simply connect the Falcon to your network using the supplied Gigabit Ethernet cable Any remote computer on that same network can access the Falcon using the IP address assigned to the Falcon The web based user interface features automatic page scaling for iPad type devices Falcon _ S E 192 168 1 XXX r4 EN T P FORENSIC Falcon J CLONE 1 aen A SOURCE SILLEN DESTINATION IMAGING Does the Falcon include a carrying case The Falcon standard unit is packed in a soft sided carrying case Can I preview hard drives connected to Falcon Can I preview drives in Windows Yes the Falcon has a write blocked USB 3 0 devic
10. t drives using the Falcon if the drives were encrypted using these or other software encryption programs What is Concurrent Image Verify The Falcon provides a patent pending method whereby the verification process is performed concurrently with the imaging process Typical hardware duplicators complete the image of the source drive first and then read the entire drive again to verify doubling the process time to complete the operation The Falcon verifies as it is imaging taking advantage of destination hard drives that may be faster than the source drive The duration of the total image process time may be reduced by up to one half Falcon FAQ Rev 1 2 1 14 Logicube Inc 19755 Nordhoff PI Chatsworth CA 91311 tel 1 818 700 8488 fax 1 818 435 0088 www logicube com ririrube FORENSIC FALCON FAQ Can the Falcon image to or from a network destination Yes The Falcon includes a gigabit network connection Users can designate a network share as a source or destination repository using CIFS Common Internet File System or iSCSI Internet Small Computer System Interface protocols ADD REMOVE REPOSITORIES FILE FREE NAME LOCATION SYSTEMI SPACE DELETE What is the Network Push Feature This feature allows you to push evidence files from destination drives connected to the Falcon or from a Falcon repository to a network location MD5 or SHA hashing can be performed during the push process to provide a more secure
11. using high performance solid state drives and in a native mirror mode or using e01 or eX01 modes Of course performance will vary depending on the type and condition of the drive used Check the technical specifications for the model drive you are using to confirm the maximum rated transfer speed for that drive Using fast healthy SATA destination drives using e01 or eX01 we expect speeds of around 12 14GB min We recommend that for the best performance use SHA 1 verification for all modes set Verify to Yes and use the default compression setting when using e01 or eX01 mode Does imaging performance slow down when multiple drives are imaged at the same time Performance is limited by the slowest drive in the configuration however there should not be any significant speed penalty when imaging multiple drives How many source drives can have connected to Falcon at the same time The Falcon has 2 SAS SATA source ports 1 USB 3 0 source port and 1 Firewire source port built in a SCSI port is available with the optional SCSI module for a total of 5 source ports All source ports are write protected Users can convert the USB 3 0 port to a SATA with a USB to SATA adapter for a total of 3 SATA source ports All source ports can be utilized at the same time if the power consumption of the connected drives permits FALCON LEFT SIDE VIEW SOURCE WRITE PROTECTED PORTS FALCON WITH SCSI MODULE L LEFT SIDE SOURCE VIEW FALCON FALCON SCSI
Download Pdf Manuals
Related Search