cru wiebetech ditto dx forensic fieldstation protecting your digital assets tm ditto dx forensic...

Protecting Your Digital AssetsTM

Wiebetech Branding

2c85m76yPMS 711C

66c7m7yPMS 299C

Product Name:Univers 73 Black Extended

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

CRU® WiebeTech® Ditto® DX Forensic FieldStationUser Manual

Features

• Createlocal,remote,ornetworkeddiskclonesandimages

• ConfigureandmanageDittoDXviaaVPN,network,orontheunititself

• TimesavinglogicalimagingtwiceasfastastheoriginalDittoForensicFieldStation

• Nativelysupportswrite-blockedSATA,eSATA,PATA,andUSB3.0/2.0

• Write to dual destinations simultaneously -Any combination of eSATA,USB 3.0, orGigabitEthernet

• OutputimagestoportableRAIDenclosures,NASunits,andothernetworkdestinations

• Dataacquisitionmodes–Clone,DD,E01,L01,andsimultaneousclone&image

• Hashtypes–MD5,SHA-1,MD5+SHA-1,SHA-256,MD5+SHA-256

• Securelysanitizedriveswithpreseterasemodesorauserconfigurablepattern

• StealthModeavailableforusewithnightvisiongoggles(notincluded)

2


Ditto DX Forensic FieldStation User Manual

TABLE OF CONTENTS1GeneralInformation 3

1.1PackageContents 3

1.2IdentifyingParts 3

1.3LightbarStatus 4

1.4ThermalManagement 4

2Setup 4

3BrowserInterface 5

3.1AccessingtheBrowserInterface 5

3.2IconsUsedintheBrowserInterface 7

3.3UserAccounts 8

4HomeScreen 8

4.1Action 9

4.1.1CloneSourceDisk 9

4.1.2PhysicalImageSourceDisk 9

4.1.3LogicalImageSourceDisk 10

4.1.4CloneandImageSourceDisk 12

4.1.5RestorePhysicalImage 13

4.1.6EraseDestinationDisk 14

4.1.7HashDisk 14

4.1.8SnapshotDisk 15

4.1.9NetViewScan 15

4.2InvestigationInfo 15

4.3SystemSettings 16

4.4CurrentStatus 16

4.5Disks 16

4.5.1PreviewingandBrowsingDisks 17

4.5.2ViewHexidecimalData 18

4.5.3ViewSnapshotData 18

4.6SystemLog 18

5ConfigureScreen 19

5.1System 19

5.2Network 21

5.3Clone 25

5.4PhysicalImage 25

5.5LogicalImage 27

5.6Restore 28

5.7Erase 28

5.8Hash 30

5.9Naming 30

5.10QuickStart 31

6AdminScreen 31

6.1UserAccounts 31

6.2Permissions 31

6.3AddingaNewUser 32

6.4EditinganExistingUser 32

6.5DeletingaUser 33

7LogsScreen 33

8UtilitiesScreen 34

9UsingtheFrontPanelInterfaceinStandaloneMode 35

10StealthMode 40

11AdvancedFeaturesandFunctions 41

11.1NetviewScan 41

11.2TargetMode:RemotelyAccessDisksAttachedtotheDittoDXForensicFieldStationwithThirdPartySoftware

43

11.3UsingiSCSIDevices 44

11.4UsingNFSandSMB(Samba)Shares 47

11.5AddingaNewAutoSelectLogicalImageProfile 48

12UpgradingFirmware 49

13TechnicalSpecifications 51

3



1 GENERAL INFORMATION

1.1 PACKAGE CONTENTS

Thefollowing listcontains the itemsthatare included in the

completeconfigurationforthisdevice.PleasecontactCRUif

anyitemsaremissingordamaged:

DittoDXForensicFieldStationUnit 1

UnitizedSAS-to-eSATA+Mini-Fitpowercable 3

IDEcable 1

12Vpowersupply 1

Powercord 1

Legacypower-to-Mini-Fitcable 1

Ethernetcable(RJ45) 1

Poweradapter,legacy-to-SATA 1

Velcrocablewrap 6

eSATAcable 2

8GBSDcard(pre-installed) 1

1.2 IDENTIFYING PARTS

Take amoment to familiarize yourself with the parts of the

Ditto DX Forensic FieldStation.This will help you to better

understandthefollowinginstructions.

SOURCE INPUTS(allinputsarewrite-blocked)

DESTINATION OUTPUTS

CONTROL INTERFACE

TOP OF UNIT

4



1.3 LIGHTBAR STATUS

COLOR STATE DESCRIPTION

Teal Solid Idle

Magenta Solid Anactionisinprogress

Green Solid Anactionhassuccessfullycompleted

Red Solid Anerrorhasbeendetectedortherunningactionhasbeenabortedbytheuser

Amber

Solid Theprocessorisclosetoreachingitsrecommendedthermallimit.CRUsuggeststhatyouusetheDittoDXexternalfan(soldseparately).

BlinkingThecurrentlyrunningactionhasbeensuspendedbytheDittoDXForensicFieldStation’sthermalmanagementandwillautomaticallyresumefromwhereitleftoffwhentemperatureshavesufficientlylowered.

1.4 THERMAL MANAGEMENT

TheDittoDXForensicFieldStationisapassivelycooledsystemthatpullsheatoutoftheprocessorandother

electronicsintothealuminumhousingwhereitdissipates.TheheatgeneratedbytheDittoDXForensicField-

Stationisanintendeddesignfeaturethateliminatestheneedofanoisyinternalcoolingfananddrastically

reducestheamountofparticulatesthatarepulledthroughthesystem.

Thepassivelycooledsystemincludesautomaticthermalmonitoringandprotection.IftheDittoDXForensic

FieldStationdetectsthattheinternaltemperatureisreachingaspecificthreshold,theLightbarwillchange

toamberandamessagewillbepresentedonthefrontpanelLCDsuggestingthatanexternalfanmaybe

required.Ifthetemperaturecontinuestoincreaseandreachesthesecondarythreshold,theDittoDXForensic

FieldStationwillsuspendanycurrentlyrunningactionandtheLightbarwillbeginblinkingamber.Oncethe

internaltemperaturelowers,theactionwillresumeautomaticallyfromwhereitleftoff.

IfyouareoperatingtheDittoDXForensicFieldStationinanenvironmentwarmerthan95°F/35°C,CRUrec-

ommendstheuseofanexternalfan(verylittleairmovementisrequired).CRUofferssuchafanspecifically

designedforusewithDittoDX(PartNumber:30000-0100-0001).TheDittoDXfanispoweredfromoneofthe

USB2portsonthecontrolinterfaceandoperatesveryquietly.

2 SETUPTheControl InterfacesideoftheDittoDXForensicFieldStationhasapowerswitchand12Vinputfortheincluded

powersupply,anSDcardslot,twoUSB2.0portsforusewithakeyboardorwifiadapter,anRJ45gigabitEthernet

porttoallownetworkaccesstotheDittoDX’sbrowserinterface(seeSection3),andastealthswitchthatwillturn

offallexternallightsandenablenightvisionmode(seeSection10).

Plugthe“suspect”disksordevicesintotheSource InputssideoftheDittoDXForensicFieldStation.Allsource

inputsarewrite-blockedtopreventalteration.ThesourceinputsincludeaUSB3.0portforUSBdevices,anRJ45

gigabitEthernetport,anIDE/PATAdiskport,aneSATAportforSATAdisksoraneSATAdevice,andaPCIex4

portwhichcanbeusedwiththeDittoDXPCIeAdapterBundle,andtheSASandFireWireexpansionmodules,

allsoldseparately.

UsetheDestination OutputssideoftheDittoDXForensicFieldStationtostoreacquireddata.Thedestination

outputconnectionsincludetwoUSB3.0portsforUSBdevices,anRJ45gigabitEthernetport,atwoeSATAports

forSATAdisksoreSATAdevices,andaPCIex4portwhichcanalsobeusedwiththeabovementionedPCIe

adapterbundleandexpansionmodules.

CRUrecommendsthatyouswitchthepowerofftotheDittoDXwhenyouaddorremoveadevicefromitinordertoavoiddiskdamageanddatacorruption.

NOTE

5



3 BROWSER INTERFACETheDittoDXForensicFieldStationcanbeconfiguredandoperatedeither fromtheFront

Panel(seeSection9)orthroughawebbrowser.

3.1 ACCESSING THE BROWSER INTERFACE

3.1.1 Accessing Via Network

a. PluganEthernetcableintotheEthernetportonthe“ControlInterface”sideof

theDittoDXForensicFieldStation.

b. ConnecttheotherendoftheEthernetcabletoyournetwork.Thisusuallymeans

pluggingitintoarouterorhub.Inanofficeenvironment,youmayhaveanetwork

jackbuiltintoyourofficewall.

c. ConnectthepowercabletotherearoftheDittoDXForensicFieldStationandto

theprovidedACadapter.

d. TurnontheDittoDXForensicFieldStation’spowerusingtheswitchontherear

panel.(0=off,1=on)

e. IfyouhavepreviouslyconfiguredtheDittoDXandyouknowtheIPaddressit

uses,godowntothelaststepofthissection.IfyouhavenotconfiguredtheDitto

DX,useoneofthetwofollowingwaystoconfigureit.

Configure Ditto to Use DHCP

DHCPis theprotocolusedbymostnetworkenvironmentstoday.Unlessyour

networkadministratordirectsotherwise,youshouldprobablyfollowthesesteps.

a. PresstheDownnavigationbuttonontheDittoDXForensicFieldStationuntil

youreachthe“Settings”menu(seeFigure1).ThenpresstheRight naviga-

tionbuttontoviewtheSettings.

b. PressUporDownuntilyoureachthe“CtlNetworkSettings”screenshown

inFigure2andpressRight.

c. PressUporDownuntilyoureachthe“CtlNetwork”screenshowninFigure

3.

d. Ifthetextonthesecondlinesays“Disabled”,presstheRightbuttontoedit

thesetting.PressUponceandthenRighttocommitthechange.Ifthetext

says“Enabled”,continuetothenextstep.

e. PressUporDownuntilyoureachthe“CtlNetworkMode”screenshown

inFigure4.

f. Ifthetextonthesecondlinesaysanythingotherthan“Client(DHCP)”,press

Righttoeditthesetting.PressUpuntilthesecondlinesays“Client(DHCP)”

andthenpressRighttocommitthechange.Ifthetextalreadysays“Client

(DHCP)”,continueontothenextstep.

g. PressUp orDown until you reach the“Ctl IPAddress” screen shown in

Figure5.

h. ContinuetoStepGbelowtologintothebrowserinterface.

CtlNetworkSettings

View/Edit>

Figure 2. A depiction of the “Ctl Network Settings”screenontheDittoDXForensicFieldStation.

CtlNetworkMode:

Client(StaticIP)

Edit>

Figure 4. A depiction of the “Ctl Network Mode”screenontheDittoDXForensicFieldStation.

CtlIPAddress:

10.10.0.1

Edit>

Figure 5.Adepictionofthe“CtlIPAddress”screenontheDittoDXForensicFieldStation.

CtlNetwork:

Disabled

Edit>

Figure 3.Adepictionofthe“CtlNetwork”screenontheDittoDXForensicFieldStation.

Settings

View/Edit>

Figure 1.A depiction of the“Settings”menu on theDittoDXForensicFieldStation.

6



Configure Ditto to Use a Static IP Address

IfyournetworkadministratordirectsyoutouseastaticIPaddress,followthesesteps.

a. PresstheDownnavigationbuttonontheDittoDXForensicFieldStationuntilyoureachthe“Set-

tings”menu(seeFigure1).ThenpresstheRight navigationbuttontoviewtheSettings.

b. PressUporDownuntilyoureachthe“CtlNetworkSettings”screenshowninFigure2andpress

Right.

c. PressUporDownuntilyoureachthe“CtlNetwork”screenshowninFigure3.

d. Ifthetextonthesecondlinesays“Disabled”,presstheRightbuttontoeditthesetting.PressUp

onceandthenRighttocommitthechange.Ifthetextsays“Enabled”,continuetothenextstep.

e. PressUporDownuntilyoureachthe“CtlNetworkMode”screenshowninFigure4.

f. Ifthetextonthesecondlinesaysanythingotherthan“Client(StaticIP)”,pressRighttoeditthe

setting.PressUpuntilthesecondlinesays“Client(StaticIP)”andthenpressRighttocommitthe

change.Ifthetextalreadysays“Client(StaticIP)”,continueontothenextstep.

g. PressUporDownuntilyoureachthe“CtlIPAddress”screenshowninFigure5.

h. PressRighttoedittheIPaddress.Youcanuseakeyboardthatyou’veattachedtotheUSB2.0

portsonthe“ControlInterface”sideoftheDittoDXtoenterthestaticIPaddressyournetwork

administratorgaveyou.

Ifyoudonothaveakeyboard,pressRightandLefttoscrollthecursorrightandleft,andpressUp

orDowntoincreaseordecreasethenumberhighlightedbythecursor.

Whenyouhavefinished,pressRight tocommitthechanges.

f. TypetheIPaddressshownintoyourwebbrowser.

g. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconfiguresettingsandpreview,image,orcloneattached

disks.

3.1.2 Accessing Via Direct Connection to Your Computer

a. PluganEthernetcableintotheEthernetportonthe“ControlInterface”sideoftheDittoDXForensic

FieldStation.

b. ConnecttheotherendoftheEthernetcabletoyourcomputer’sEthernetport.

ThecontrolEthernetportcanbeconfiguredtoactasaserver.AttachingaDittoDXForensicFieldStationactingasaservertoanexistingnetworkthroughthecontrolEthernetportwillcausenetworkconflicts.ThereforeitisimportanttoattachtheDittoDXForensicFieldStationdirectlytoyourcomputerinstead.TochangethissettingsothattheDittoDXForensicFieldStationnolongeractsasaserver,seeSection5.2.3.

NOTE

STOP!

7



c. Connect thepowercable to the rearof theDittoDXForensicFieldStationand to theprovidedAC

adapter.

d. TurnontheDittoDXForensicFieldStation’spowerusingtheswitchontherearpanel.(0=off,1=on)

e. PresstheDownnavigationbuttonontheDittoDXForensicFieldStationuntilyoureachthe“Settings”

menu(seeFigure1).ThenpresstheRight navigationbuttontoviewtheSettings.

f. PressUporDownuntilyoureachthe“CtlNetworkSettings”screenshowninFigure2andpress

Right.

g. PressUporDownuntilyoureachthe“CtlNetwork”screenshowninFigure3.

h. Ifthetextonthesecondlinesays“Disabled”,presstheRightbuttontoeditthesetting.PressUponce

andthenRighttocommitthechange.Ifthetextsays“Enabled”,continuetothenextstep.

i. PressUporDownuntilyoureachthe“CtlNetworkMode”screenshowninFigure4.

j. Ifthetextonthesecondlinesaysanythingotherthan“Server”,pressRighttoeditthesetting.Press

Upuntilthesecondlinesays“Server”andthenpressRighttocommitthechange.Ifthetextalready

says“Server,continueontothenextstep.

k. PressUporDownuntilyoureachthe“CtlIPAddress”screenshowninFigure5.

l. ThedefaultIPaddressforthecontrolEthernetportis10.10.0.1.Ifyouwishtochangetheaddress,

pressRighttodoso.OtherwiseproceedtoStepN.

m. Youcanuseakeyboardthatyou’veattachedtotheUSB2.0portsonthe“ControlInterface”sideof

theDittoDXtoenterthestaticIPaddressyournetworkadministratorgaveyou.

Ifyoudonothaveakeyboard,pressRightandLefttoscrollthecursorrightandleft,andpressUpor

Downtoincreaseordecreasethenumberhighlightedbythecursor.

Whenyouhavefinished,pressRight tocommitthechanges.

n. TypetheDittoDXForensicFieldStation’scontrolIPaddressintoyourwebbrowser.

o. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconfiguresettingsandpreview,image,orcloneattached

disks.

3.2 ICONS USED IN THE BROWSER INTERFACE

Thebrowserinterfaceusesseveraliconsthatmaybeclickedontoperformcertainactions.

ICON ACTION

InformationOpensawindowwithabriefdescriptionofthesettingtheinformationiconappearsnextto.

Refresh Refreshesthefieldthattheiconappearsnexttoinordertogiveupdatedinformation.

Moreiconsaredetailedonthenextpage.

NOTE

8



Icons Used in the Browser Interface, continued...

ICON ACTION

Reset LoadsthedefaultsforthesettingthattheRefreshiconappearsnextto.

Add Addsauserdefinedfieldtoalistofitems.

Remove Removesauserdefinedfieldfromalistofitems.

3.3 USER ACCOUNTS

TheDittoDXForensic FieldStation employs a user account system to control access to its features.The

“Login”screenpresentsyouwiththeabilitytologinthroughhttp,oryoucanclicktheSecure Login (HTTPS)

linktologinsecurely.Acceptthecertificateand/orcontinuetothewebsite,evenifyourbrowsertellsyouit

doesnotrecognizeit.

ThedefaultusernameandpasswordfortheAdministratoraccountareboth“admin”.CRUrecommendsthat

youchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanage-

mentpractices.

ClickontheLog Out buttonatthetoprightofthebrowserinterfacetologout.

4 HOME SCREENThe“Home”screeniswhereyouwillperformmostofyouroperationswiththeDittoDXForensicFieldStation,

andisthedefaultscreentoloaduponloggingintothebrowserinterface.ClickontheHome tabtoaccessthe

“Home”sceenfromanyotherareaofthebrowserinterface.

Figure 6. The“Home”screen.

9



4.1 ACTION

The“Action”panelletsyoustart,abort,anddocumentthefollowingactions.The“Start”buttonbeginsthe

action.The“Abort”buttonstopstheactioninprogress.ClicktheComment buttontowriteanotethatwill

beappendedtothelog.ClicktheConfigure buttontomodifythedefaultsettingsforeachaction,whichcan

alsobemodifiedonthe“Configure”screen(SeeSection5).

4.1.1 Clone Source Disk

TheDittoDXForensicFieldStationmakesanexactduplicateofthesourcediskononeortwodestination

disks.

Whilecloningthesourcedisk,theDittoDXForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,SHA-256,MD5&SHA-1,orMD5&SHA-256algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.

Toclone,followthesesteps:

a. Usingthebrowserinterface,selectClone Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktoclonefromthe“Source”drop-downbox.

c. Selectthedestinationdiskfromthe“Destination”drop-downbox.

Destinationdisksdonothavetobethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click

onthemessagetocontinue.

Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowsothatitisnotcontinuallyupdated.

Youcanviewtheresultsofthecloneactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs button fromthetopmenubar.

4.1.2 Physical Image Source Disk

TheDittoDXForensicFieldStationcreatesanE01orDDimageofthesourcediskononeortwodestina-

tiondisks.

Whileimagingthesourcedisk,theDittoDXForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,SHA-256,MD5&SHA-1,orMD5&SHA-256algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.

Figure 7. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“CloneSourceDisk”action.

Figure 8.The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“PhysicalImageSourceDisk”action.

NOTE

NOTE

NOTE

10



Forthefastestperformance,werecommendutilizinganNTFSfilesystemforWindows,HFS+forMac,or

XFSforLinuxmachines.Tocreateaphysicalimage,followthesesteps:

a. Usingthebrowserinterface,selectPhysical Image Source Disk fromthe“ActiontoPerform”drop-

downbox.

b. Selectwhichtypeofphysical imageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.The imagetypesavailableareE01orDD.Youcanmodifywhich imagetypeappearsby

defaultinthedrop-downboxonthe“Home”screen’s“SystemSettings”section(seeSection4.3),or

onthe“Configure”screen’s“System”tab(seeSection5.1).

c. Selectthesourcedisktoimagefromthe“Source”drop-downbox.

d. Selectwhichpartition(s)toimagefromthe“Partition”drop-downbox.ChooseAlltoimagetheentire

sourcedisk.

e. Selectthedestinationdiskfromthe“Destination”drop-downbox.

Toimagetotwodestinationdisksatthesametime,“DualDestinations”mustbeenabledinthe“Con-

figure”screen→“System”tab→“AdvancedSettings”section.Onceenabled,thefirstdestination

diskanditspartitioncanbechosenfromthe“Destination”and“Partition”drop-downboxes,andthe

seconddestinationanditspartitioncanbechosenfromthe“Destination2”and“Partition2”drop-

downboxes.

Destinationdisksdonothavetobethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.UsingE01compressioncanhelp.

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowsothatitisnotcontinuallyupdated.

Youcanviewtheresultsoftheimageactionbyscrollingdowntothe“SystemLog”panelonthe“Home”


“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.

4.1.3 Logical Image Source Disk

Logicalimagingallowsaninvestigatortoquicklyscanthecontentsofaharddiskandimageonlythefiles

andfoldersrelevanttotheinvestigationintoanL01,ZIP,TAR,orLISTfileformat.Datacanbeimagedto

oneortwodestinationdisks.Tocreatealogicalimage,followthesesteps:

a. SelectLogical Image Source Diskfromthe“ActiontoPerform”drop-downbox.

NOTE

NOTE

Figure 9.The“Action” sectionon the“Home”screen, showingtheoptionsavailableforthe“LogicalImageSourceDisk”action.

11



b. Selectwhichtypeoflogicalimageyouwouldliketocreatefromthe“LogicalImageType”drop-down

box.TheformatoptionsavailableareL01,TAR,ZIP,orLIST.(Youcanmodifywhichlogicalimagetype

appearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSection5.1.)

“LogicalImageSourceDisk”actionscreateareportofdirectoriesandfileschosenfromthesourcediskaswellastheirfilesizesandanyerrormessagesencountered.ThisreportcanbeviewedfromwithinthebrowserinterfaceandcanbeexportedasanExcelspreadsheet.SeeSection7.1.4.

c. SelecttheLogicalImageModefromthe“LogicalImageMode”drop-downbox.Seethelistoflogical

imagemodesattheendofthissubsectionforinformationonwhateachmodedoes.

d. Selectthesourcedisktoimagefromthe“Source”drop-downbox,thenchoosewhichpartition(s)to

imagefromthe“Partition”drop-downboxunderneaththe“Source”drop-downbox.Ifyouselect“All”,

partitionswillbeimagedsequentially.

e. Selectthedestinationdiskforthelogicalimagefromthe“Destination”drop-downbox,thenchoose

thedestinationdiskpartitionfromthe“Partition”drop-downboxunderneath.

f. IfyouchoseanyotherLogicalImageModebesides“ManualSelect”,clicktheStart buttonatthetop

ofActionsection.A“Completed”messageboxwillpopupwhentheactionhasfinished.Clickonthe

messagetocontinue.

Ifyouchose“ManualSelect”,followthesesteps:

i. ClickonSelect Files & Dirs.Adialogboxwillopen.

ii. Usethenavigationtreetoselectthefilesandfoldersyouwishtoimage(seeFigure10).

iii. ClicktheStart button atthebottomofthedialogbox.A“Completed”messageboxwillpopup

whentheactionhasfinished.Clickonthemessagetocontinue.

Youcanview the resultsof the logical imageactionbyscrollingdown to the“SystemLog”panelon

the“Home”screen.Findandclickonthelatest link,whichwillbedenotedbyafilenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

Figure 10.Thefilenavigationtree.

NOTE

12



Logical Image Modes

TheLogicalImageactioncanautomaticallysearchforfilesthatfitthefollowingLogicalImageModes.

TheactionwillsearchforspecificfileextensionsspecifiedbytheLogicalImageMode.

• Manual Select: Enablesthe“SelectFiles&Dirs”buttonsothatyoucanmanuallyselectwhich

filestologicallyimage.

• All Files and Dirs: Imagesallfilesanddirectories.

• All Except Windows: ImagesallfilesanddirectoriesexceptfortheWindowsdirectory.

• All Except Windows and Programs: ImagesallfilesanddirectoriesexceptfortheWindows,

ProgramFiles,ProgramFiles(x86),andProgramDatadirectories.

• All Users - Windows: ImagestheWindows“Users”directory.

• All Temporary - Windows: ImagestheWindows/TempandTempdirectories.

• All Except Swap and Hibernate:Imagesallfilesanddirectoriesexceptfilesnamedhiberfil.sys,

pagefile.sys,Win386.swp,and386part.par.

• All Media Files: Imagesall.avi,.jpeg,.jpg,.wav,and.movfiles,aswellasallfileswithexten-

sionsbeginningin“.mp”(.mpeg,.mp4,.mp3,etc.)andallfileswithextensionsbeginningin“.m4”

(.m4a,.m4v,etc.).

• All Office Files: Imagesall.txtand.pdffiles,aswellasallfileswithextensionsbeginningin“.doc”,

“.xls”,“.ppt”(.doc,.docx,.xlsx,.pptx,etc.).

• All Financial Files:Imagesall.ifx,.ofx,.qfx,.qif,and.taxfiles.

Youmayalsoaddyourowncustomizedlogicalimagemodeprofilestothisdrop-downlist.Todoso,

seeSection11.5.

4.1.4 Clone and Image Source Disk

Thisactionsimultaneouslycreatesacloneofthesourcediskononedestinationdiskandcreatesanimage

onaseconddestinationdisk.Two destination disks are required for this action.

Whilecloningandimagingthesourcedisk,theDittoDXForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,SHA-256,MD5&SHA-1,orMD5&SHA-256algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.

Tosimultaneouslycreateacloneandaphysicalimageofthesourcedisk,followthesesteps:

a. SelectClone & Image Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktocloneandimagefromthe“Source”drop-downbox.

Figure 11. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“Clone&ImageSourceDisk”action.

NOTE

13



c. Selectthedestinationdiskfortheclonefromthe“CloneDestination”drop-downboxandthedestina-

tiondiskfortheimagefromthe“ImageDestination”drop-downbox.

Destinationdisksdonothavetobethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

d. Selectthedestinationdiskpartitiononwhichtosavetheimagefilefromthe“ImagePartition”drop-

downbox.

e. Selectwhichtypeofphysical imageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.TheimagetypesavailableareE01orDD.(Youcanmodifywhichimagetypeappearsby

defaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSection5.1.)

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsofthecloneandimageactionbyscrollingdowntothe“SystemLog”panelon

the“Home”screen.Findandclickonthelatestlinks,whichwillbedenotedbyafilenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

4.1.5 Restore Physical Image

Imagefilesofanentirediskorpartitioncanberestoredtoanewdiskusingthisaction.Theimagefile

mustbeineitherE01orDDformat.Imagefilesofasinglepartitionwillberestoredasiftheoriginalhad

nopartitions.Thedestinationdiskmustalsobethesamesizeasorlargerthantheoriginal.

Torestoreaphysicalimage,followthesesteps:

a. SelectRestore Physical Imagefromthe“ActiontoPerform”drop-downbox.

b. From the“Source” drop-downbox, select the source diskwhere the physical image youwish to

restoreresides.

c. Fromthe“Partition”drop-downbox,choosethepartitiononthesourcediskwherethephysicalimage

resides.

d. Selectthedestinationdiskfortheimagefromthe“Destination”drop-downbox.

Destinationdisksmustbelargerthanthesourceimage.

e. ClicktheSelect Image to Restorebutton,navigatetothephysicalimageyouwishtorestore,select

theimagefiletorestore.

Figure 12.The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“RestorePhysicalImage”action.

NOTE

NOTE

14



Iftheimagewasoriginallycreatedasasetoffiles,selectthefirstfileintheset.

f. ClicktheStart Restorebutton.TheDittoDXwillbeingrestoringtheimagetothedestinationdisk.

4.1.6 Erase Destination Disk

TheDittoDXForensicFieldStationerasesthedestinationdiskusingyourpreferredEraseMode.TheErase

ModesavailableareClearPartitionTable,QuickErase,LBA/OffsetPattern,CustomErase,SecureErase

Normal,SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88Clear,andNIST800-88Purge.

Toeraseadisk,followthesesteps:

a. SelectErase Destination Diskfromthe“ActiontoPerform”drop-downbox.

b. SelecttheEraseModetousefromthe“EraseMode”drop-downbox.(Youcanmodifywhicherase

modeappearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSec-

tion5.1.)

c. Selectthetargetdestinationdisk(s)fromthe“Target”drop-downbox.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsoftheerasureactionbyscrollingdowntothe“SystemLog”panelonthe“Home”



Format After Erase

YoucanconfiguretheDittoDXForensicFieldStationtoautomaticallyformatadiskafteryoueraseit.

ClickontheConfigure tabtogotothe“Configure”screen.ThenclickontheErase tabmakesurethat

“FormatAfterErase”ischeckedforeachoftheerasemodesonwhichyou’dliketoenablethissetting.

4.1.7 Hash Disk

TheDittoDXForensicFieldStationwillhashanysourceoradestinationdiskusingyourpreferredalgo-

rithm.HashvaluesaresavedintheSystemLog.TheavailablealgorithmsareMD5,SHA-1,SHA-256,MD5

&SHA-1,orMD5&SHA-256.

Tohashadisk,followthesesteps:

a. SelectHash Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectyourpreferredhashalgorithmfromthe“HashType”drop-downbox. (Youcanmodifywhich

hashalgorithmappearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.

SeeSection5.1.)

c. Selectthetargetdiskfromthe“Target”drop-downbox.

Figure 14. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“HashDisk”action.

Figure 13.The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“EraseDestinationDisk”action.

NOTE

15



d. Selectthepartitionyouwanttohashfromthe“Partition”drop-downbox.

e. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsofthehashactionbyscrollingdowntothe“SystemLog”panelonthe“Home”



4.1.8 Snapshot Disk

TheDittoDXForensicFieldStationprovidesS.M.A.R.T.andhdparminformationforanysourceordestina-

tiondiskconnectedtoitself.Nocloneorimagerequestneedstobedone.

Tocreateasnapshotofadisk,followthesesteps:

a. SelectSnapshot Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectthetargetdiskfromthe“Target”drop-downbox.

c. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanview the resultsof thesnapshotactionbyscrollingdown to the“SystemLog”panelon the

“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/time-

stampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenu

bar.

Scrollto“eSATAExtendedDiskInfo”toseerecordeddata,includingS.M.A.R.T.andhdparminformation.

4.1.9 NetView Scan

NetViewisanetworktoolthatcanbeusedtodiscovermachinesonanetworkand

evenprobethemforspecificservicesthattheymayberunning.Thiscapabilitycan

helpaninvestigatorlocatephysicallyhiddencomputersorquicklydeterminewhether

amachineisactingasadatastoragedevicethattheDittoDXForensicFieldStation

canimage.

SeeSection11.1formoreinformationabouttheNetViewScanfeature.

4.2 INVESTIGATION INFO

TheInvestigationInfopanelgroupsrelatedinformationthatmayalsobeusedincreating

customdirectoriesandfilenames (seeSection5.9).The“Hide”buttonallowsyouto

minimizethepanel.

ClicktheEdit buttontoenterinformationabouttheInvestigator,CaseNumber,EvidenceNumber,Descrip-

tion,Notes,Basedirectoryprefix,andaBasefilenameprefixforanE01orDDimage.

Figure 15.The“Action”sectiononthe“Home”screen,showingtheoptionsavailable for the“NetviewScan”action.

Figure 16. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“SnapshotDisk”action.

16



Eachfield isfilteredtoblocknon-printableASCIIcharacters.Anycharactersat thefile

systemlevelthatmaynotbesafeforadirectorynameorfilenamewillbefilteredout

andreplacedwithanunderscore.OnlyprintableASCIIcharactersarecurrentlyallowed

fordirectoryandfilenames.Multipleunderscoreswillalsobereducedtoasingleunder-

scorepernamingitem.

TheDittoDXForensicFieldStationwillgenerateanerrormessageifyouenteranon-

printableASCIIcharacterorifyourmessageexceedsthe58characterlimit.Additionally,

whenthefinaldirectoryorfilenamethatusesanyofthesefieldsiscreated,anotherlevel

offilteringisapplied.

Usingapostrophes(‘)inthenamefieldswillcauseanerrorwhenthefileorfoldernameiscreated.TheyshouldnotbeusedintheInvestigationInfofields.

4.2.1 User Defined Fields

Clickonthegreen plus sign icontoopenthe“AddUserDefinedField”window(see

Figure18).Youmayaddasmanyuserdefinedfieldsasyouwish.Eachuserdefined

fieldmusthaveatitle,XMLtag,andvalue.

ThetitleidentifiesthevalueintheDittoDXForensicFieldStation’sbrowserandLCD

interfaces,andtheXMLtagonlyappearsintheconfigurationandlogfiles.

Toremoveauserdefinedfield,clickonthegreen minus sign icon.

4.3 SYSTEM SETTINGS

DisplaysthemostcommonlyusedconfigurationsettingsoftheDittoDXForensicField-

Station.Thesesettingsareloadedasthedefaultsettingsfortheactionsyouperformin

the“Action”panel.The“Hide”buttonallowsyoutominimizethepanel.ClicktheEdit

buttontocustomizethesesettingsaswellasadditionaladvancedsettings.SeeSection

5.1fordetailsoneachoption.

4.4 CURRENT STATUS

Reportseitheras“Idle”ordisplaysinfoabouttheactionthattheDittoDXForensicField-

Stationiscurrentlyperforming.

4.5 DISKS

DisplaysinformationabouttheattatcheddisksthatarecurrentlyconnectedtotheDitto

DXForensicFieldStation.The“Hide”buttonallowsyoutominimizethepanel.Toseethe

availablespaceadiskhas,clickthegreen double arrow iconnextinthe“Used”column

header(seeFigure21).Thediskusagewillrefreshandgiveanupdatedamount.

The“TargetMode” button allows you to present the disks attached to theDittoDX

ForensicFieldStationasiSCSIdisksonanetwork.Thisisusefulifyouwishtousethird

partydataacquisition toolsagainst thediskswithoutcreatingan image.The“Source

Network”and“SourceDestination”buttonsareusedformountingiSCSIdevicesaswell

asNFSandSMBsharestotheDittoDXForensicFieldStation.Formoreinformation,see

Section11.

Figure 20. The“CurrentStatus”section,displayingathestatusofaPhysicalImageaction.

Figure 19.The“SystemSettings”section.

Figure 18. The“AddUserDefinedField”window.

Figure 21. Clickingthegreendoublearrowicondisplaysandupdatesamountofspacecurrentlyusedandavail-able.

STOP!

Figure 17. The“InvestigationInfo”section.

17



4.5.1 Previewing and Browsing Disks

Tobrowseordownloaddiskdata,ortoselectfilesandfoldersfor logical imaging,clickonapartition’s

numberunderthedisk’s“Partition”columnandthenselectPreview(seeFigure23).Thisopensupafile

explorerwindowwhereyoucannavigatethroughthefilesandfoldersonthedisk.

Directory Toolbar and Right-Click Context Menu Items

ICON ACTION

CollapseFolderTreeCollapsestheentirefoldertreesothatonlythepreviewedpartition’sfolderisvisible.

Refresh Refreshesthefoldercontentsinordertogiveupdatedinformation.

Up Movesuptotheparentfolder.

Back Movesbacktothepreviouslyviewedfolder.

Folders Toggleswhetherfoldersaredisplayedinthecontentspanel.

SelectMode Togglestheabilitytoselectindividualfilesforlogicalimaging.

DetailView/ListViewToggleswhethertheSize,Type,DateCreated,DateModfied,andDateAccessedcolumnsarevisible.

SizeFormatChangeswhetherfilesizesinthe“Size”columnaremeasuredasbytesorasmegabytes,gigabytes,etc.

ViewOpenstheselectedfile.ImagesandPDFfileswillopeninapreviewwindow.Otherfileswillopenadialogboxtodownloadthefiletoyourcomputer.

Download Opensadialogboxtodownloadtheselectedfiletoyourcomputer.

HashOpensaninfowindowwiththeselectedfile’sname,MD5hash,andfilesizeinbytes.

HexViewOpensthefileintheDittoDXForensicFieldStation’sbuilt-inhexadeci-malviewer.

Figure 22. The“Disks”sectiononthe“Home”screen.

18



Logically Image Data

Tologicallyimagedatausingthe“Preview”window,clickontheSelect Mode buttonandthencheck

theboxnexttoeachfileorfolderyouwantto logically image.Whenyouarefinished,clickonthe

Stage buttoninthelowerrightcornerofthe“Preview”window.Youwillbetakenbacktothe“Home”

screen.Usethe“Action”controlpanelasdirectedinSection4.1.3.Whenyouclickon“SelectFiles&

Dirs”,youwillbeaskedtoconfirmwhethertologicallyimagethefilesandfoldersyouhaveselected,

ortoselectnewfilesandfolders.

4.5.2 View Hexidecimal Data

Toviewadisk’shexidecimaldata,clickonthedisknameunderthe“Port”column

andthenselectHexView. Toviewadiskpartition’shexidecimaldata,clickonthe

partition’snumberunderthedisk’s“Partition”columnandthenselectHexView (see

Figure23).

4.5.3 View Snapshot Data

Toviewadisk’ssnapshotinformation,clickonthedisknameunderthe“Port”columnandthenselect

Snapshot.

4.6 SYSTEM LOG

ShowstheactionsthattheDittoDXForensicFieldStationhasperformed(seeFigure24).The“Hide”button

allowsyoutominimizethepanel.The“Comment”buttonallowsyoutowriteanotethatisappendedtothe

Systemlog.

IfthereisnoSDcardpresentintheSDcardslot,thispaneldisplaysthelogsthathavebeenstoredinvolatile

memorysincetheDittoDXForensicFieldStation’slastpowercycle.TheselogsaredeletedwhentheDitto

DXForensicFieldStationispowereddown.IfthereisanSDcardpresent,thispaneldisplaysallactionssaved

ontheSDCard.

Toviewthe logdetailsofaparticularaction,clickonthe linkunderthe“Message”column.whichwillbe

denotedbyafilenamewithadate/timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickon

theLogs buttonfromthetopmenubar.

Figure 24. The“SystemLogs”sectiononthe“Home”screen.

Figure 23. Drop-down menus for a disk (left) and adisk’spartition(right).

19



5 CONFIGURE SCREENThe“Configure”screenallowsyoutomodifythewaytheDittoDXForensicFieldStationfunctionstosuityour

specificneeds.ClickontheConfigure tabtoaccessthe“Configure”screenfromthebrowserinterface.

5.1 SYSTEM

The“System”taballowsyoutoviewandcustomizethefollowingsettings.Thisinformationisalsodisplayed

inthe“SystemSettings”panelonthe“Home”screen.Whenyouarefinished,clicktheCommit Changes

buttontosavethechanges.

5.1.1 Typical Settings

• Default Format: Thisisthedefaultfilesystemthatwillbeusedtoformatdestinationdiskswhen

theyareusedinactionsthattheDittoDXForensicFieldStationperforms.

• Physical Image Type: Setsthedefaultphysicalimagetypeforallactionsthatcreateaphysicalimage.

• Logical Image Type: Setsthedefaultlogicalimagetypeforthe“LogicalImageSourceDisk”action.

• Verify Single: Determineswhetherindividualdestinationdisksarehashedandcomparedtothehash

valueofthesourcedisk.

• Verify Dual: Requiresthatthe“DualDestinations”optionbelowisenabled(seeSection5.1.2).Com-

paresthehashvalueofbothdestinationstothehashvalueofthesource.Youcanchoosetoverify

Destination1orDestination2individually,both,ornone.Destination1andDestination2areselected

fromthe“Action”sectionofthe“Home”screen.

• Verify Clone & Image: Determineswhetherclonedandimageddisksarehashedandcomparedto

thehashvalueofthesourcedisk’shashvalueduringa“Clone&ImageSourceDisk”action.Youcan

choosetoverifytheclone,theimage,both,ornone.

• Hash Type: Setsthedefaulthashalgorithmthatwillbeusedfordiskverificationandthe“HashDisk”

action.TheavailablealgorithmsareNone,MD5,SHA-1,SHA-256,MD5&SHA-1,orMD5&SHA-256.

Moresettingsareavailableonthenextpage.

Figure 25. The“Configure”screen,showingthe“System”tab.

20



Typical Settings, continued...

• Erase Mode: Setsthedefaulterasemodethatwillbeusedforallactionsthatrequireerasingdisks.

• Logical Image Mode:SetsthedefaultLogical ImageModefor the“Logical ImageSourceDisk”

action.

• Stealth Mode: Turns off all LEDs and LCDs on theDittoDX Forensic FieldStation.The physical

“StealthMode”Switchservesthesamepurpose(seeSection1.2).IfStealthModeisenabledfrom

thebrowserinterface,thephysicalswitchcannotoverrideit.

• LCD/LED Brightness:SetstherelativebrightnessoftheLCDsandLEDsonthefaceoftheDitto

DXForensicFieldStationonascaleof0to6.Settingavalueof“0”willturnoffallLCDsandLEDs

ontheunit.

• Audible Buzzer: Alerts theuser to various actions that occurwhenusing theDittoDXForensic

FieldStation.

5.1.2 Advanced Settings

• CPU Speed: SetsthespeedoftheDittoDXForensicFieldStation’sCPU.Theavailablesettingsfrom

fastesttoslowestareTurbo,Default,Economy,andPowerSaver.

• Dual Destinations: Enablessoftwaremirroringmodetowritethesamedatatotwodestinationsat

thesametime.

• Log Disk Info: DetermineswhetherS.M.A.R.T.andhdparmdiskinformationisloggedbeforerunning

anaction,afterrunninganaction,both,ornotatall.CRUrecommendsthatyoulogdiskinformation

beforeandafteranaction.

• HTML Logging: Logsarealwayssavedin.XMLformat.ThisoptioncausestheDittoDXForensic

FieldStationtosavelogsinHTMLformataswell.

• DiskView Logging: Logsanyactiontopreviewadiskoractionsperformedwhilepreviewingadisk

(i.e.startingorfinishingapreviewofadisk,startingorfinishingaHexViewaction).

• Lightbar Mode: EnablesordisablesthelightbaronthefaceoftheDittoDXForensicFieldStation.

TheavailablesettingsareOffandColor.

• Quick Start: Enablesthe“QuickStart”screenontheLCDthatappearsafteryoubootorrebootthe

DittoDXForensicFieldStation.Thesettingsforthismodemaybemodifiedinthe“QuickStart”tab.

SeeSection5.10.

• Prompt Invest. Info: Opens a“Configure Investigation Info”window after the user has hit the

“Start”buttoninthe“Action”sectiononthe“Home”screen.Thisallowstheusertocustomizethe

Investigator,CaseNumber,EvidenceNumber,Description,Notes,BaseDirectoryName,and the

BaseFileNameinformationpriortoperformingtherequestedaction.

• LCD Prompt Case: Fiveoptionsmaybechosentomodifythecasenumberspecifiedinthe“Investi-

gationInfo”sectionofthe“Home”screen.Thecasenumberisincludedinthelogfortherequested

action.“Disabled”leavesthecasenumberasitis.“Inc/Dec”allowsyoutomanuallyincrementthe

casenumberupordownusingthenavigationbuttonsonthefaceoftheDittoDXForensicField-

Station.“AutoInc” automatically increments the case number, and“AutoInc/Pause” automatically

incrementsthecasenumber,butdisplaysaconfirmationprompttheLCDscreenbeforebeginning

21



therequestedaction.TheseoptionsrequireanumbertobepresentontheendoftheCaseNumber

specifiedinthe“InvestigationInfo”section.

• LCD Prompt Evidence: Fiveoptionsmaybechosentomodifytheevidencenumberspecifiedinthe

“InvestigationInfo”sectionofthe“Home”screen.Theevidencenumberisincludedinthelogforthe

requestedaction.“Disabled”leavestheevidencenumberasitis.“Inc/Dec”allowsyoutomanually

incrementtheevidencenumberupordownusingthenavigationbuttonsonthefaceoftheDitto

DXForensicFieldStation.“AutoInc”automatically incrementstheevidencenumber,and“AutoInc/

Pause”automaticallyincrementstheevidencenumber,butdisplaysaconfirmationprompttheLCD

screenbeforebeginningtherequestedaction.Theseoptionsrequireanumbertobepresentonthe

endoftheEvidenceNumberspecifiedinthe“InvestigationInfo”section.

5.2 NETWORK

The“Network”taballowsyoutoviewandcustomizethefollowingsettings.Ifyouareunsureorhaveques-

tionsaboutchangingyournetworksettings,contactyournetworkadministrator.Whenyouarefinished,click

theCommit Changes buttontosavethechanges.

5.2.1 Host Name

AllowsyoutochangewhatnamefortheDittoDXForensicFieldStationwillbedisplayedonanetwork.

Hostnamesarenotcasesensitive,butmustbeginwithanyletter“A-Z”.Theycancontainthetheletters

Figure 26. The“Network”tabonthe“Configure”screen,showingthe“SourceNetwork”,“Destination Network”, “Control Network” and“Wifi Network” settings.The“Wifi Net-work”sectiononlyappearswhenaUSBwirelessnetworkadapterhasbeenpluggedin.

22



A-Z,numbers0-9,underscore“_”,anddash“-”characters.Hostnamesmustalsobelimitedto64char-

acters.

5.2.2 Source Network

The“SourceNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsnetwork

mode.Youcanenableordisableitusingthecheckbox.

Tosetthenetworkmode,chooseeither“DHCP(AutoConfig)”or“StaticIP(ManualSettings)”fromthe

topdrop-downbox.

The“RemoteAccessibility”drop-downboxallowsyoutochoosewhetherornottheDittoDXForensic

FieldStationrespondstoanynetworktrafficviathesourceEthernetport.

5.2.3 Destination Network

The“DestinationNetwork”sectiondisplaysthedestinationEthernetport’sMACAddressaswellasits

networkmode.Youcanenableordisableitusingthecheckbox.

Tosetthenetworkmode,chooseeither“Server”,“Client(DHCP)”,or“Client(StaticIP)”fromthedrop-

downbox.

Server

“Server”allowsyoutoconfiguretheDittoDXForensicFieldStationforuseasaserver.Thiscanbe

helpfulifyouareconnectinganiSCSIdevicetothedestinationEthernetport,forexample(seeSec-

tion11.3.2),oryouareconnectingDittoDXdirectlytoyourcomputerinsteadofthroughyouroffice

network.Thedefaultsettingsbelowwillworkformostenvironments.Thisisanadvancedoption,so

donotcustomizethedefaultserverconfigurationbelowunlessdirectedtodosobyyournetwork

administrator.

IP Address: 10.10.10.1

Subnet Mask: 255.255.255.0

DHCP Server: Enabled

DHCP Start Address: 10.10.10.100

DHCP End Address: 10.10.10.199

DNS Server: Enabled

DNS Domain Name: ditto.local

NTP Server: Enabled

NAT Gateway: Disabled

DonotconnecttheDittoDXForensicFieldStationtoanothernetworkwhileitisconfiguredasaserver.Doingsowillcausenetworkconflictsandmaydisruptnetworktraffic.

Client (DHCP)

ThisoptionautomaticallyconfiguresthedestinationEthernetporttoconnecttotheattachednetwork.

Client (Static IP)

ThisoptionallowsyoutomanuallyconfigurethedestinationEthernetporttoconnecttotheattached

network.

STOP!

23



5.2.4 Control Network

The“ControlNetwork”sectiondisplaysthecontrolEthernetport’sMACAddressaswellasitsnetwork

mode.Youcanenableordisableitusingthecheckbox.

Tosetthenetworkmode,chooseeither“Server”,“Client(DHCP)”,or“Client(StaticIP)”fromthedrop-

downbox.

Server

“Server”allowsyoutoconfiguretheDittoDXForensicFieldStationforuseasaserversothatyoucan

connecttheDittoDXForensicFieldStationdirectlytoyourcomputer insteadofthroughyouroffice

network.Thedefaultsettingsbelowwillworkformostenvironments.Thisisanadvancedoption,so

donotcustomizethedefaultserverconfigurationbelowunlessdirectedtodosobyyournetwork

administrator.


Subnet Mask: 255.255.255.0




DNS Server: Enabled

DNS Domain Name: dittoctl.local

NTP Server: Enabled


DonotconnecttheDittoDXForensicFieldStationtoanothernetworkwhileitisconfiguredasaserver.Doingsowillcausenetworkconflictsandmaydisruptnetworktraffic.

Client (DHCP)

ThisoptionautomaticallyconfiguresthecontrolEthernetporttoconnecttotheattachednetwork.

Client (Static IP)

Thisoptionallowsyou tomanually configure thecontrolEthernetport to connect to theattached

network.

5.2.5 Wifi Network

The“WifiNetwork”sectionallowsyoutoconfigureathirdpartyUSBwifinetworkadapterthat’sbeen

pluggedintooneofthe“ControlInterface”USBports.Youcanenableordisableitusingthecheckbox.

Thissectionalsodisplaysthatport’sMACAddress.AdapterswithanAtheroschipsetandsomeadapters

withRealtekchipsetsarecompatible.

“WifiMode”allowsyoutodeterminewhethertheDittoDXForensicFieldStationconnectstoawifinet-

workoractsasawifihotspotitself.HotSpotModeishelpfulifyouareworkinginaseparatelocation

fromtheDittoDXForensicFieldStationthatisstillwithinrangeofawirelessnetwork,orifthereisno

hardwirednetworkavailableinthelocation.

Choose“ClientMode”toconnecttoanexistingwifinetworkor“HotSpotMode”tomaketheDittoDX

ForensicFieldStationintoawifihotspot.

STOP!

24



Client Mode

Check“Status:AutoStart”ifyouwanttheDittoDXForensicFieldStationtoconnecttothespecified

wirelessnetworkautomatically.

Toselecttheclientmode’snetworkingmode,youcanchooseeither“Client(DHCP)”or“Client(Static

IP)fromthedrop-downboxunderneaththeMACAddress.“Client(DHCP)”automaticallyconfigures

theUSBwifinetworkadaptertoconnecttoawifinetwork.“Client(StaticIP)”allowsyoutomanually

configuretheconnection.

Hot Spot Mode

Check“Status:AutoStart”ifyouwanttheDittoDXForensicFieldStationtobeginbroadcastingasa

hotspotautomaticallywheneverawifiadapterispluggedin.

Thedefaultsettingsbelowwillworkformostenvironments,withseveralexceptions.

InputyourownkeytoensurethatyourDittoDXForensicFieldStationremainssecure.

Youmayberequiredtoconformtoyourcountry’s lawsandregulationsregardingwirelessradiofre-quencyusage.Selectyourtwo-digitcountrycodefromthe“RegulatoryDomain”dropdownlist,andtheDittoDXForensicFieldStationwill limitthefrequenciesitmaybroadcastontoonlythoseinthepermittedrange(s).

DonotconnecttheDittoDXForensicFieldStationtoawirednetworkwhileitisconfiguredasahotspot.Doingsowillcausenetworkconflictsandmaydisruptnetworktraffic.

SSID: {HostName}-wifi

Regulatory Domain: Global

Band: G-2.4GHz

Channel: Auto

Broadcast: Checked

Security: WPA2Personal

Key: ditto123

Show Key: Unchecked


Subnet Mask: 255.255.255.0




DNS Server: Enabled

DNS Domain Name: dittowifi.local

NTP Server: Enabled


STOP!

STOP!

STOP!

25



5.3 CLONE

The“Clone”taballowsyoutoviewandcustomizethefollowingsettingsfordiskcloningactions,including

the“Clone&ImageSourceDisk”action.Whenyouarefinished,clicktheCommit Changes buttontosave

thechanges.


• Source HPA/DCO: SetswhetherthecloningactionshouldindicateinthelogthatthereisanHPA

(hostprotectedarea)orDCO(deviceconfigurationoverlay)present, temporarilybypasstheHPA,

permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

• Fill to End of Disk: Checkthisboxtoenablezeroestobewrittentotheendofthedisk.

• Reset After Fill: ChoosewhetheranHPAorDCOissetonthedestinationdisksothatthecapacity

ofthedestinationdiskbecomesidenticaltothecapacityonthesourcedisk.


Theadvancedsettingsmaybehidden.ClicktheShow buttontorevealthem.

• Buffer Size: Sets the thebuffersizeusedby theDittoDXForensicFieldStationduringacloning

action.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)worksbestformost

uses.Themaximumsizeislimitedbythetargetfilesystem.

• Exit when a bad sector is encountered: AbortsthecloningactioniftheDittoDXForensicFieldSta-

tionencountersabadsectoronthesourcedisk.

5.4 PHYSICAL IMAGE

The“PhysicalImage”taballowsyoutoviewandcustomizethefollowingsettingsforphysicalimagingactions,

includingthe“Clone&ImageSourceDisk”action.Thereareseparateoptionsavailableforboththe“E01”and

“DD”imagetypes.Whenyouarefinished,clicktheCommit Changes buttontosavethechanges.

5.4.1 E01

ClickontheE01 tab torevealtheE01imagesettings.

Typical Settings

• Image File Segment Size: Allowsyoutospecifythesizeinbytesthat imagefilesegments

shouldbe.Theminimumsizeis1M(megabyte).Themaximumsizeislimitedbythetargetfile

system.Ifthisfieldisleftblank,themaximumsizewillbeused.Clickthe“I”informationicon

formoreinformation.

• Source HPA/DCO: Setswhetherthephysicalimageactionshouldindicateinthelogthatthere

is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily

bypasstheHPA,permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

• Compression Type: Setswhethertheactionshoulduseemptyblockcompressionornocom-

pression.

• EWF File Format: ChoosewhichEnCaseimagefileformatshouldbeusedduringE01physical

images.CRUrecommendsusing“encase6”formostacquisitions.

26



Advanced Settings


• Buffer Size: SetsthethebuffersizeusedbytheDittoDXForensicFieldStationduringanE01

physicalimageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)

worksbestformostuses.Themaximumsizeislimitedbythetargetfilesystem.

• Error Granularity: Determineshowmanysectorsareignoredonareaderror.Theminimum

sizeis512bytes.ThedefaultsizeistheBufferSize.Themaximumsizeislimitedbythetarget

filesystem.

• Swap Byte Pairs of the Media Data (endian conversion): Check this box if you need to

convertfrombig-endiantolittle-endianorvice-versa,whichmaybenecessaryfordisksusedin

olderx86orPowerPC-basedsystems.

• Wipe Sectors on Read Error (mimic EnCase-like behavior): Ifareaderror isencountered

duringanE01physicalimageaction,theDittoDXForensicFieldStationwillwriteoutzeroesto

fillthesector.

• Read Error Retries: SpecifiesthenumberoftriestheDittoDXForensicFieldStationwilltryto

readasectorbeforemovingontothenextsector.

5.4.2 DD

ClickontheDD tab toconfiguretheDDimagesettings.

Typical Settings




formoreinformation.

• Source HPA/DCO: SetswhetherthephysicalimageactionshouldindicatethatthereisanHPA

(host protected area) orDCO (device configurationoverlay) present, temporarily bypass the

HPA,permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow button torevealthem.

• Buffer Size: SetsthethebuffersizeusedbytheDittoDXForensicFieldStationduringaDD

physicalimageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)


• Exit when a bad sector is encountered: AbortstheDDphysicalimageactioniftheDittoDX

ForensicFieldStationencountersabadsectoronthesourcedisk.

27



5.5 LOGICAL IMAGE

The“Logical Image” tab allowsyou to viewand customize the following settings for the“Logical Image

SourceDisk”action.TherearedifferentoptionsavailableforeachoftheL01,ZIP,TAR,andLISTfiletypes.

Whenyouarefinished,clicktheCommit Changes buttontosavethechanges.

5.5.1 L01

ClickontheL01 tab toconfiguretheL01imagesettings.

Typical Settings




formoreinformation.

• Log File Access/Modify/Change Times: Checkthisboxtologtheaccess,modify,andchange

timestampsoffilesanddirectoriesduringanL01logicalimageaction.

• Compression Type: Setswhethertheactionshoulduseemptyblockcompressionornocom-

pression.

• Per File Hash Type: Setsthedefaulthashalgorithmthatwillbeusedforindividualfileverifica-

tion.TheavailablealgorithmsareMD5orSHA-1.Thedefaultsettingis“None”.

Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow button torevealthem.

• Buffer Size: SetsthethebuffersizeusedbytheDittoDXForensicFieldStationduringanL01

logicalimageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)


• Read Error Retries: SpecifiesthenumberoftriestheDittoDXForensicFieldStationwilltryto

readasectorbeforemovingontothenextsector.

5.5.2 ZIP and TAR Settings

ClickontheZIP or TAR tabtoconfigurethesettingsforeitherofthoselogicalimagetypes.

• Log File Access/Modify/Change Times: Check this box to log the access,modify, and change

timestampsoffilesanddirectoriesduringthelogicalimageaction.Thissettingisformat-dependent.

5.5.3 LIST Settings

ClickontheLIST tabtoconfiguretheLISTimagesettings.

• Log File Access/Modify/Change Times: Check this box to log the access,modify, and change

timestampsoffilesanddirectoriesduringthelogicalimageaction.Thissettingisformat-dependent.

• Validate File Extensions: UsesMIMEtomakesure that thefileheadersof thefileswithin the

newlycreatedlogicalimagelistmatchtheirfileextensions.Anyquestionablefilesarehighlightedin

theLogicalImageReport.

28



5.6 RESTORE

The“Restore”taballowsyoutoviewandcustomizethefollowingsettingsforthe“RestorePhysicalImage”

action.Whenyouarefinished,clicktheCommit Changes buttontosavethechanges.


• Fill to End of Disk: Checkthisboxtoenablezeroestobewrittentotheendofthedisk.

• Reset After Fill: ChoosewhetheranHPAorDCOissetonthedestinationdisksothatthecapacity

ofthedestinationdiskbecomesidenticaltothecapacityonthesourcedisk.



• Buffer Size: Sets the thebuffersizeusedby theDittoDXForensicFieldStationduringa restore

action.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)worksbestformost

uses.Themaximumsizeislimitedbythetargetfilesystem.

5.7 ERASE

TheDittoDXForensicFieldStationallowsyoutoviewandcustomizesettingsforhowtheDittoDXForensic

FieldStationerasesdisks.

5.7.1 Available Erase Modes

ERASE MODE EXPLANATION

ClearPartitionTable Removesthepartitiontableonthedisk.

QuickErase Performsasinglepasswritingallzeroes.

MoreEraseModesareavailableonthenextpage.

Figure 27. The“Erase”tabonthe“Configure”screen,showingallavailableerasemodesandtheircustomizablesettings.

29



Available Erase Modes, continued...

ERASE MODE EXPLANATION

LBA/OffsetPattern Writesbyte/LBAinfotoeachsector.Each512bytesectoriswrittenwith:B_XXXXXXXXXXXXXXL_DDDDDDDDDDDD‘XXXXXXXXXXXXXX’istheByteoffsetasahexadecimalstring,and‘DDDDDDDDDDDD’istheLBAnumberasadecimalstring.Theremainderofthesectorisfilledwithzero.

CustomErase Performs1-99passes,overwritingthediskwithzeroesorauser-selectedpattern.

SecureEraseNormal Initiatesthedisk’sbuilt-inSecureEraseNormalfunction.

SecureEraseEnhanced Initiatesthedisk’sbuilt-inSecureEraseEnhancedfunction.

DODClear PerformstheU.S.DepartmentofDefense“Clear”standardbywritingallzeroestothediskinonepass.

DODSanitize PerformstheU.S.DepartmentofDefense“Sanitize”standardbyusinga0xAAAAAAApattern,thenitscomplement,andthenanotherunclassifiedpattern.

NIST800-88Clear Performsthe“Clear”standarddefinedbyNISTspecialpublication800-88bywritingallzeroestothedrive.

NIST800-88Purge Performsthe“Purge”standarddefinedbyNISTspecialpublication800-88.byinitiatingthedrive’sbuilt-inSecureErase(Normal)command.

5.7.2 Customizable Settings

SomeEraseModesrequireseveralofthefollowingsettingstobeconfiguredacertainwayaspartoftheir

standard.Inthesecases,thesettingscannotbemodified.

• Mode Name: Thenameoftheerasemode.

• HPA/DCO Handling: SetshoweraseactionsusingthespecifiederasemodeshouldhandleHPAs

andDCOs.ItcanindicateinthelogthatthereisanHPA(hostprotectedarea)orDCO(deviceconfig-

urationoverlay)present,temporarilybypasstheHPA,permanentlyunhidetheHPA,orpermanently

unhideboththeHPAandDCO.

• Passes: Forthe“CustomErase”settingonly,thisallowsyoutospecifythenumberofpassesthe

diskisoverwrittenduringtheeraseaction.Youcanspecifybetween1and99passes.

• Overwrite Method: Forthe“CustomErase”settingonly,youcanspecifyapatternforthediskto

writerepeatedlyacrosstheentiredisk.If“text”isselectedfromthedrop-downbox,the“Pattern”

fieldmustcontainoneormoreASCIIcharacters.If“hex”isselected,the“Pattern”fieldmustcon-

tainanevennumberofASCIIcharactersrepresentinghexadecimaldigits(e.g.17a64F).Leavingthe

“Pattern”fieldblanktellstheDittoDXForensicFieldStationtousezeroes.

• Verify: Thisisaplannedfeaturethatisnotcurrentlyimplemented.The“Verify”drop-downboxwill

allowyoutoverifytheeraseddiskafterithasbeenfullyerased.If“Quick”isselected,thebeginning,

middle,andendofthediskwillbereadtoensurethatthelastpatternwasactuallywritten.If“Full”

isselected,theentirediskwillbereadtoensurethatthelastpatternwasactuallywritten.If“None”

isselected,noverificationwillbeperformed.

• Format After Erase: Checkthisboxtoformatthediskwiththedefaultformat.Thedefaultformatcan

besetinthe“System”tabonthe“Configure”screen(seeSection5.1).

30



5.8 HASH

The“Hash”taballowsyoutoviewandcustomizethefollowingsettingsforallhashactions.Whenyouare

finished,clicktheCommit Changesbuttontosavethechanges.


• Buffer Size: SetsthethebuffersizeusedbytheDittoDXForensicFieldStationduringahashaction.

Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)worksbestformostuses.

Themaximumsizeislimitedbythetargetfilesystem.

• Exit when a bad sector is encountered: AbortsthehashdiskactioniftheDittoDXForensicField-

Stationencountersabadsectoronthetargetdisk.

5.9 NAMING

The“Naming” tab allows you to customize how the Ditto DX Forensic FieldStation

names directories and files during imaging actions.When you are finished, click the

Commit Changes button tosavethechanges.

AsshowninFigure28,thefiledirectoryusedinimagingactionscanbeanamethatcon-

tainsuptosixuser-selectablefields,andthefilenameusedinimagingactionscancon-

tainuptofouruser-selectablefields.Asyoucustomizethesefields,the“DirectoryName

Template”,“FinalDirectoryName”,“FileNameTemplate”,and“FinalFileName”fieldswill

update.Thetemplatefieldsshowtheorderofvariableswillappearinthename,whereas

thefinalnamefieldsdisplaythedirectoryorfilenameusingtheactualinformationfrom

the“InvestigationInfo”panelonthe“Home”screenandthesourcedisk.

5.9.1 Variables

Tomodifytheanyoftheuser-customizablevariables,navigatetothe“Investigation

Info”panelonthe“Home”screen(seeSection4.2).

• Timestamp/{Timestamp}: Displaysthetimestamp.Thetimestampisrequired

tobeincludedinalldirectorynames,butitisoptionalforfilenames.

• Base Filename: Displaysthebasefilename.Thisoptionisthedefaultfirstvari-

ableforfilenames,butmaybechanged.Usercustomizable.

• Case Number: Displaysthecasenumber.Usercustomizable.

• Description: Displaysthedescriptionfield.Usercustomizable.

• Evidence Number: Displaystheevidencenumber.Usercustomizable.

• Investigator: Displaystheinvestigator.Usercustomizable.

• Source Drive Model Type: Displaysthemodelnumberofthesourcedisk.

• Source Drive Unique ID: DisplaystheuniqueIDnumberofthesourcedisk.

5.10 QUICK START

The“QuickStart”taballowsyoutocustomizethequickstartmodethatappearsontheLCDoftheDittoDX

ForensicFieldStationwhenthe“QuickStart”optionisenabledinthe“System”tab.Manyofthesettingson

Figure 28. The “Naming” tab on the “Configure”screen.

31



thenextpagearevisibleonlywhencertaintypesofactionsareselectedinthe“Actiontoperform”drop-down

box.

Quick Start Settings

• Action to perform: Setstheactionthatisperformedbythequickstartmode.

• Allowed Sources: PlaceacheckmarknexttoeachsourcewhereyouwanttheDittoDXForensicField-

Stationtosearchforaconnectedsource.

• Allowed Targets: PlaceacheckmarknexttoeachtargetwhereyouwanttheDittoDXForensicFieldSta-

tiontosearchforaconnectedtarget.

• Clone Destination: Forthe“CloneSourceDisk”and“Clone&ImageSourceDisk”actionsonly.Speci-

fiesthetargetdestinationwherethesourcediskwillbecloned.

• Source Partition: Determineswhichpartition(s)will be imaged from thesourcedisk.ChooseAll to

imagetheentiresourcedisk.

• Image Destination: Specifiesthetargetdestinationwheretheimagewillbeplaced.

• Image Partition: Specifiesthepartitiononthetargetdestinationwheretheimagewillbeplaced.

• Action Target: Forthe“EraseDestinationDisk”actiononly.Specifieswhichtargetvolumewillbeerased.

6 ADMIN SCREENThe“Admin”screenallowstheadministratortomanageuseraccountsandassignpermis-

sionlevelsforeachuser.ClickontheAdmin tabtoaccessthe“Admin”screenfromthe

browserinterface.

6.1 USER ACCOUNTS

The Ditto DX Forensic FieldStation contains two permanent accounts; “admin” and

“panel”.The“admin”accountistheAdministratoraccount,andonlytheFullNameand

passwordmaybemodified.The“panel”accountistheFrontPanelaccount,andmodi-

fiesaccesspermissionsforfunctionalitythatcanbeaccessedthroughtheLCDscreen

andnavigationbuttonsontheDittoDXForensicFieldStation.

6.2 PERMISSIONS

6.2.1 Permission Levels

Permissionlevelsonthebrowserinterfacearedisplayedas“FULL”,“AUTH”,orasa

hyphen,andas“FullAccess,“MustAuthenticate”,and“None”, respectively,when

editingorcreatingauser.“FULL”and“FullAccess”indicatethattheuserhascom-

pleteaccesstothefeaturesgovernedbythatpermissionandisnotrequiredtoenter

apassword.“AUTH”and“MustAuthenticate”indicatethattheusermustauthenti-

catehiscredentialswithapasswordinordertochangeasettingorperformanaction

thatthatpermissiongoverns.Ahyphenor“None”indicatesthattheuserdoesnot

haveaccesstothefeaturesgovernedbythatpermission.

Figure 29. The“Admin”screen.

32



6.2.2 Configurable Permissions

The following listofpermissionsspecifieswhateachcontrols,andcanbeconfiguredwhenaddingor

editingauseraccount.SomepermissionsfortheAdministratorandFrontPanelaccountswillbegreyed

outbydefault.

• Admin: “None”allowsaccesstomodifytheUserNameandFullNameoftheAdministrator,Front

Panel, and the user’s own account, and allows the user to change his or her ownpassword, but

blockstheuserfromviewinganyaccount’spermissionlevels.“ModifyUsers”enablestheusertobe

abletomodifyuseraccounts,passwords,andpermissions(exceptforthe“Admin”permission).“Full

Access”additionallyenablestheabilitytocreateanddeleteusersandassignthe“Admin”permission.

• Config: Governsallnon-networkconfigurationsettings, including those found in the“SystemSet-

tings”panelonthe“Home”screenandonalltabsonthe“Configure”screen.

• NetSettings: Controlsaccesstothenetworksettingsonthe“Configure”screen.

• Clone: Controlsaccesstothe“CloneSourceDisk”and“Clone&ImageSourceDisk”actions.

• Physical Image: Controlsaccesstothe“PhysicalImageSourceDisk”and“Clone&ImageSource

Disk”actions.

• Logical Image: Controlsaccesstothe“LogicalImageSourceDisk”action.

• Restore Image: Controlsaccesstothe“RestorePhysicalImage”action.

• Erase: Controlsaccesstothe“EraseDestinationDisk”action.

• Hash: Controlsaccesstothe“HashDisk”action.

• Snapshot: Controlsaccesstothe“SnapshotDisk”action.

• Netview: Controlsaccesstothe“NetviewScan”action.

• Abort: Controlsaccesstotheabilitytoabortactionsinprogress.

• Note: Controlsaccesstothe“Comment”buttonsinthe“Action”and“SystemLog”panelsonthe

“Home”screen.

• Logs: Controlstheabilitytodeletelogfilesfromthe“Logs”screen.

• DiskView: Controlstheabilitytopreviewanddownloadfilesfromthesuspectdriveviathe“Disks”

panelonthe“Home”screen.

6.3 ADDING A NEW USER

Toaddanewuser,clicktheAdd User button,entertheuser’sinformation,andsetthepermissionlevels.

Whenfinished,clickontheCommit Add button.

6.4 EDITING AN EXISTING USER

Toupdateauser’sname,password,orpermissions,clickontheuseraccountunderthe“UserName”column,

updatetheinformation,andthenclicktheCommit Edits button.

6.5 DELETING A USER

Todeleteauser,clickon theuseraccountunder the“UserName”columnandclickon theDelete User

button.Donotclickthisbuttonunlessyouareabsolutelycertainyouwishtodeletetheaccount.

33



7 LOGS SCREENThe“Logs”screenprovidesinformationabouttheDittoDXForensicFieldStation’sactions.ClickontheLogs tab

toaccessthe“Logs”screenfromthebrowserinterface.

Actionlogsshowthetimestamp,thetypeofactionperformed,theuserwhoperformedtheaction,andalinkto

the“ActionLog”screenthatprovidesmoreinformationabouttheperformedaction.

7.1 ACTION LOG

7.1.1 Settings

DisplaysthesettingsoftheDittoDXForensicFieldStationthatwereactivewhentheparticularactionwas

performed.

7.1.2 User Permissions

Displaysthepermissionsoftheuserthatwereinplacewhentheparticularactionwasperformed.

7.1.3 Extended Disk Info

Thisreportdisplaystheinformationofthediskused(whichisnotedinthetitleofthisreport)intheaction,

includingtheinterface,model,serialnumber,capacity,thepresenceofHPAs(hostprotectedareas)or

DCOs(deviceconfigurationoverlays),partitioninformation,hdparminformation,andS.M.A.R.Tinforma-

tion.Ifmultipledisksareusedintheaction,thenmultiplereportsarecreated.

7.1.4 Logical Image Report

Thisreportappearsinactionlogsof“LogicalImageSourceDisk”actionsanddisplayseachdirectoryand

filethatwasimaged,alongwiththeirsizeandanyerrormessagesthatweregenerated.If“ValidateFile

Extensions”isenabledforLISTlogicalimagesinthe“Configure”screen,itwillalsologanyfilesinLIST

logicalimagesthathaveamismatchedfileheaderandextension(seeSection5.5.3).ClickontheExport

buttontosaveacopyofthelogasanExcelspreadsheet.ClickontheExport Suspects buttontosavea

copyofallofthesuspectfileswherethereisamismatchbetweenthefile’sMIMEtypeandfileextension.

Figure 30. The“Logs”screen.

34



7.1.5 Netview Report

Thisreportappearsinactionlogsof“NetviewScan”actionsanddisplayssummariesofthediscovered

hosts,includingtheIPaddress,MACaddress,andthemanufacturerassociatedwiththeMACaddress

ifthatinformationcanbedetermined.The“Hostname”willbeblankifaDNSlookupcouldnotassociate

thehost’sIPaddresstoaname.

8 UTILITIES SCREENThe“Utilities”screenallowsyou toperformvariousmiscellaneous functions, including theability toupgrade

firmware,importcustomizedconfigurations,remotelyreboottheDittoDXForensicFieldStation,modifydateand

timesettings,andperformafactoryreset.ClickontheUtilities tabtoaccessthe“Utilities”screenfromthe

browserinterface.

8.1 SYSTEM MAINTENANCE

8.1.1 Firmware Upgrade

Forinformationonhowtoupgradethefirmware,seeSection12.

8.1.2 Configuration

YoucansaveandloadconfigurationsfortheDittoDXForensicFieldStation.Thefilegeneratedsavesa

copyofeverycustomizablesettingfortheunit.

Save Configuration

Tosaveaconfiguration,clickontheSave Config button.Namethefile,andthenclickContinueto

openaSaveAsdialogboxandsavethefiletoyourcomputer.

Load Configuration

a. ClickontheLoad Config button,browsetothe.xmlconfigurationfileyouwanttoload,highlight

it,andclickOpen.

b. The“ConfirmImport”windowwillopen.Placeachecknexttoeachsettingyouwanttoload,and

thenclick Continue.Byselectingthesesettings,youwillbeoverwritingtheexistingsettings,so

besuretosavethecurrentconfigurationfirst.

c. TheDittoDXForensicFieldStationwill importtheconfigurationsettings.ClickOKwhenit’sfin-

ished.

Figure 31. The“Utilities”screen.

35



8.1.3 Other Buttons

• Reboot: OpensaconfirmationtoreboottheDittoDXForensicFieldStation.

• Date & Time: Allowsyoutosetthecurrentdate,time,andtimezone.ClicktheSynchronize button

tosyncthesesettingswithyourbrowser’soperatingsystem.

• Factory Reset: OpensaconfirmationdialogtoreturntheDittoDXForensicFieldStationtofactoryset-

tings.CheckthePurge Ditto SD card log files boxtoremovealllogfilesfromtheSDcardintheunit.

YoucanalsousetheFrontPaneltoperformafactoryreset.SeeSection9.3.

• System Verify: VerifiesthattheDittoDXForensicFieldStation’soperatingsystemfileshavenotbeen

modifiedandplacesastatementinthesystemlog.Iftheverificationfails,thedetailscanbeviewed

byexportingtheSystemDiagnostics.

• Diagnostics: ExportsadiagnosticslogfileinHTMLformat.Thediagnosticslogcontainsinformation

abouttheDittoDXForensicFieldStation’scurrentconfiguration,includinguseraccounts,kernelmes-

sages,logs,processinformation,disks,PHPerrors,andsystemverifyresults.

8.2 UPGRADE LOG MESSAGES

Thissectiondisplaysthestatuslogoffirmwareupgradesandisonlyvisibleafterafirmwareupgradehasbeen

performed.

8.3 IMPORT LOG MESSAGES

Thissectiondisplaysthestatuslogofconfigurationfileexportsandimportsandisonlyvisibleafteraconfigu-

rationfilehasbeenloaded.

9 USING THE FRONT PANEL INTERFACE IN STANDALONE MODE TheDittoDXForensicFieldStationcanworkasastandalonedevicewithnoadditionalcomputerrequired,which

canbeusefulwhenworkingwithevidencedisksinthefield.

TheFrontPanelinterfaceallowsyoutoclone,physicallyimage,performalogicalimageusingaLogicalImage

Mode,simultaneouslycloneandimage,erase,hashadisk,orperformasnapshotofadisk.Youcanalsoadjust

settings, view information about attached disks, or check on theDittoDX Forensic FieldStation’s operational

status.TheadministratoraccountcanassignaccesspermissionstotheFrontPanel’sactionsandsettingsusing

thebrowserinterface.

9.1 HOW TO NAVIGATE

9.1.1 Using the Navigation Buttons

ThenavigationbuttonsonthefrontoftheDittoDXForensicFieldStationallowyoutonavigatethrough

themenu. UpandDownallowyoutoscrollthroughtheavailableoptionsontheFrontPanel,whileRight

selectstheoptionandLeftgoesbacktothepreviousscreen.IfQuickStartModeisenabled,pressLeft

toexitit.

9.1.2 Using a Keyboard

PlugaPCUSBkeyboardintoaUSBportonthe“ControlInterface”sideoftheDittoDXForensicFieldSta-

tion.Youcannavigateusingthearrowkeys.PressEnter or the Right Arrow keys toselectamenuoption.

Pressthe Left Arrow keytobackoutofamenuorsetting.IfQuickStartModeisenabled,youcanpress

theEscape keytoexitit.

36



9.2 MENU SCREENS

TheDittoDXForensicFieldStationmenuconsistsofthefollowingscreens:

9.2.1 Status

Thestatusscreenisthedefaultscreen.Itshowstheprogressofanycurrentpro-

cesses.WhentheDittoDXForensicFieldStationis“Idle”,thecurrentfirmwareofthe

unitisalsolistedonthisscreen.AnexampleofastatusscreenisshowninFigure32.

9.2.2 Perform Action

Afteryouadjustsettings toyourspecifications,youare ready toput theDittoDX

ForensicFieldStationtowork.The“PerformAction”screenletsyoustartorabortany

oftheDittoDXForensicFieldStation’sactionsusingthecurrentsettings.

a. Onthe“PerformAction”screen,usetheUpandDownbuttonstocyclethroughtheavailableactions.

PressRighttoselecttheoneyouwant.

b. Cyclethroughtheavailablesettingsfortheaction.PressRightifyouwishtomodifythem.

c. Whenyouarefinishedmodifyingsettings,scrolldowntooptionthatasksyoutostarttheaction(ex.

“StartPhysicalImage?”.PressRighttobegin.

ThestatusandremainingtimewillbedisplayedontheLCDscreenastheDittoDXForensicFieldStation

performstheaction.Toabortanaction,presstheLeft.TheLCDscreenwillaskifyouwishtoabortthe

action.PressRighttoconfirm,orLefttocanceltheabortrequest.

9.2.3 Investigation Info

The“InvestigationInfo”liststhecurrentsettingsthatcanbemodifiedinthe“Investi-

gationInfo”sectiononthe“Home”screenofthebrowserinterface.Tomodifythese

settingsfromthebrowserinterface,seeSection4.2.

Editing Fields With A Keyboard

Onthe“InvestigationInfo”menu,an“Edit(Keyboard)”menuitemwillappear

when a keyboard is detected (see Figure 33).You can edit the field currently

displayedontheLCDbypressingtheRight buttononthefaceoftheDittoDX

ForensicFieldStationorbypressingEnter or the Right Arrow keysonthekey-

board,andthenusingthekeystotype.

Usingapostrophes(‘)inthenamefieldswillcauseanerrorwhenthefileorfoldernameiscreated.TheyshouldnotbeusedintheInvestigationInfofields.

Stringslongerthan20charactersaredisplayedwithanellipsescharacter(...)attherightsideofthestring.

TheDittoDXForensicFieldStationcanhandlemultipleUSBdevicesthroughaUSBhubattachedtotheUSBportonthe“SourceInputs”sideoftheForensicFieldStation.However,ifmultiplekeyboardsareconnected,keystrokesfromallkeyboardsareprocessed.

NOTE

STOP!

Ditto-####:IdleVersion:2016Jun01a

2016Jun093:23:02pm(Up/DnforMenu)

Figure 32. The“Status”screenontheFrontPanelLCD.

Investigator:C.Walker

Edit(Keyboard)

Figure 33. The“Investigator”fieldinthe“InvestigationInfo”menuontheFrontPanelLCD,whenaUSBkey-boardisattachedtotheDittoForensicFieldStation.

NOTE

37



Hereisatableofthemostcommonkeyboardcommands:

KEY COMMAND

Escape Cancelsanedit.

Enter Beginsaneditonauser-editablestringorselectsthecurrently-visiblemenuoption.Whenpressedwhileeditingastring,itconfirmstheedit.

Home/End Wheneditingastring,thesekeysmovethecursortothebeginning/endofthestring,respectively.

Up/Down Movesthroughthemenuoptions.Wheneditingastring,theymovethecursortothebeginning/endofthestring,respectively.

Delete Deletesthecharactercurrentlyhighlightedbythecursor.

Backspace Deletesthecharacterimmediatelybehindthecursor.

NumLock Forcesthenumberedarrowkeystotypenumberswhenpressed.

CapsLock Forcesallletterkeystotypecapitalletters.

Tab/Shift+Tab/PageUp/PageDown/Function/Alt/Windows/Control/Insert

Nothandled.

9.2.4 Settings

The“Settings”screenallowsyoutoviewandcustomizethefollowingsettings,whicharegroupedinto

threesubsections.Thesesettingswillbethedefaultsettingsusedinanyactionsperformed.

TheSystemSettingsbelowcannotbemodifiediftheFrontPaneluseraccountdoesnothavefullaccesstothe“Config”permission,andtheSrc,Dst,andCtlNetworkSettingscannotbemodifiediftheFrontPaneluseraccountdoesnothaveaccesstothe“NetSettings”permission.SeeSection6forinforma-tiononhowtocustomizetheFrontPaneluseraccount.

System Settings

• Physical Image Type: Setsthedefaultphysicalimagetypeforallactionsthatcreateaphysical

image.TheimagetypesavailableareE01orDD.

• Logical Image Type: Setsthedefaultlogicalimagetypeforallactionsthatcreatealogicalimage.

ThelogicalimagetypesavailableareL01,TAR,ZIP,andLIST.

• Logical Image Mode: Setsthedefault logical imagemode.Thelogical imagemodesavailable

areAllFilesandDirs,AllExceptWindows,AllExceptWindowsPrograms (abbreviatedas“All

ExceptW...ndPrograms”),AllUsers-Windows,AllTemporary-Windows,AllExceptSwapand

Hibernate(abbreviatedas“AllExceptS..dandHibernate”),AllMediaFiles,AllOfficeFiles,andAll

FinancialFiles.SeeSection4.1.3under“LogicalImageModes”foradescriptionofeachmode.

• Hash Type: Setsthedefaulthashalgorithmthatwillbeusedfordiskverificationandthe“Hash

Disk”action.TheavailableoptionsareNone,MD5,SHA-1,SHA-256,MD5&SHA-1,orMD5&

SHA-256.

• Erase Mode: Setsthedefaulterasemodethatwillbeusedforallactionsthatrequireerasing

disks.TheavailablemodesareClearPartitionTable,QuickErase,LBA/OffsetPattern,Custom

Erase,SecureEraseNormal, SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88

Clear,andNIST800-88Purge.


NOTE

38



System Settings, continued...

• Default Format: Thisisthedefaultfilesystemthatwillbeusedtoformatdestinationdiskswhen

theyareusedinactionsthattheDittoDXForensicFieldStationperforms.Theavailableformats

areHFS+,FAT32,NTFS,EXT2,EXT3,EXT4,andXFS.

• HTML Logging: Logsarealwayssavedin.XMLformat.ThisoptioncausestheDittoDXForensic

FieldStationtosavelogsinHTMLformataswell.TheavailableoptionsareOffandOn.

• DiskView Logging: Logsanyactiontopreviewadiskoractionsperformedwhilepreviewinga

disk(i.e.startingorfinishingapreviewofadisk,startingorfinishingaHexViewaction).Theavail-

ableoptionsareOffandOn.

• LCD/LED Brightness: SetstherelativebrightnessoftheLCDsandLEDsonthefaceoftheDitto

DXForensicFieldStationonascaleof0to6.

• Buzzer: Thisisaplannedfeaturethatisnotcurrentlyimplemented.Theaudiblebuzzerwillalert

theusertovariousactionsthatoccurwhenusingtheDittoDXForensicFieldStation.

• Performance:SetsthespeedoftheDittoDXForensicFieldStation’sCPU.Theavailablesettings

fromfastesttoslowestareTurbo,Default,Economy,andPowerSaver.

• Lightbar Mode: EnablesordisablesthelightbaronthefaceoftheDittoDXForensicFieldStation.

TheavailablesettingsareOffandColor.

• Dual Destinations:Enablessoftwaremirroringmodetowritethesamedatatotwodestination

disksatthesametime.

• Prompt Case: Fiveoptionsmaybechosentomodifythecasenumberspecifiedinthe“Investiga-

tionInfo”sectionofthe“Home”screeninthebrowserinterface.Thecasenumberisincluded

inthelogfortherequestedaction.“Disabled”leavesthecasenumberasitis.“Inc/Dec”allows

you tomanually increment thecasenumberupordownusing thenavigationbuttonson the

faceoftheDittoDXForensicFieldStation.“AutoInc”automaticallyincrementsthecasenumber,

and “AutoInc/Pause” automatically increments the case number, but displays a confirmation

prompttheLCDscreenbeforebeginningtherequestedaction.Theseoptionsrequireanumber

tobepresentontheendoftheCaseNumberspecifiedinthe“InvestigationInfo”sectionofthe

“Home”screeninthebrowserinterface.

• Prompt Evidence: Fiveoptionsmaybechosentomodifytheevidencenumberspecifiedinthe

“InvestigationInfo”sectionofthe“Home”screen.Theevidencenumberisincludedinthelog

fortherequestedaction.“Disabled”leavestheevidencenumberasitis.“Inc/Dec”allowsyou

tomanuallyincrementtheevidencenumberupordownusingthenavigationbuttonsontheface

oftheDittoDXForensicFieldStation.“AutoInc”automaticallyincrementstheevidencenumber,

and“AutoInc/Pause”automaticallyincrementstheevidencenumber,butdisplaysaconfirmation

prompttheLCDscreenbeforebeginningtherequestedaction.Theseoptionsrequireanumber

tobepresentontheendoftheEvidenceNumberspecifiedinthe“InvestigationInfo”sectionof

the“Home”screeninthebrowserinterface.


39



System Settings, continued...

• Quick Start: Enablesthe“QuickStart”screenontheLCDthatappearsafteryoubootorreboot

theDittoDXForensicFieldStation.Thesettings for thismodemaybemodified in the“Quick

Start”tabofthe“Configure”screenonthebrowserinterface.SeeSection5.10.

• Verify Single: Determineswhetherindividualdestinationdiskarehashedandcomparedtothe

hashvalueofthesourcedisk’shashvalue.TheavailableoptionsareYesandNo.

• Verify Dual:Requiresthatthe“DualDestinations”optionaboveisenabled.Determineswhether

mirroreddestinationdisksarehashedandcomparedtothehashvalueofthesourcedisk’shash

value(s).YoucanchoosetoverifyDestination1orDestination2individually,bothdisks,ornone.

Destination1andDestination2areselectedwhensettinguptheactiontobeperformed.

• Verify Clone & Image: Determineswhetherclonedandimageddisksarehashedandcompared

tothehashvalueofthesourcedisk’shashvalueduringa“Clone&ImageSourceDisk”action.

Youcanchoosetoverifynodisks,theclone,theimage,orboth.

• Log Disk Info: DetermineswhetherS.M.A.R.T.andhdparmdisk information is loggedbefore

runninganaction,afterrunninganaction,both,ornotatall.

Src (Source) Network Settings

• Src Network: EnableordisablethesourcenetworkEthernetconnection.

• Src MAC Address: DisplaysthesourceEthernetport’sMACaddress.

• Src IP Assignment:Displays thesourceEthernetport’s IPassignmentmethod.Theavailable

optionsareDHCPorStatic.AnIPaddresscanbemanuallyconfiguringinthebrowserinterface

(seeSection5.2.2).

• Src Network Access: AllowsyoutochoosewhetherornottheDittoDXForensicFieldStation

respondstoanynetworktrafficviathesourceEthernetport.

• Src IP Address: DisplaystheIPaddressassignedtothesourceEthernetport.

• Src Subnet Mask: DisplaysthesubnetmaskaddressassignedtothedestinationEthernetport.

Itisonlyvisibleifthe“SrcIPAssignment”issetto“Static”.

Dst (Destination) Network Settings

• Dst Network: EnableordisablethedestinationnetworkEthernetconnection.

• Dst MAC Address: DisplaysthedestinationEthernetport’sMACaddress.

• Dst Network Mode: Displays thedestinationEthernetport’snetworkingmode.Theavailable

optionsareServer,Client(DHCP),orClient(StaticIP).“Server”allowsyoutoconnecttheDitto

DXForensicFieldStationdirectlytoacomputerwithouttheuseofanintermediarynetwork.The

networkmodecanbefurtherconfiguredinthebrowserinterface(seeSection5.2.3).

• Dst IP Address: DisplaystheIPaddressassignedtothedestinationEthernetport.

• Dst Subnet Mask: DisplaysthesubnetmaskaddressassignedtothedestinationEthernetport.

Itisonlyvisibleif“DstNetworkMode”issetto“Client(StaticIP)”or“Server”.

40



Ctl (Control) Network Settings

• Ctl Network: EnableordisablethecontrolnetworkEthernetconnection.

• Ctl MAC Address: DisplaysthecontrolEthernetport’sMACaddress.

• Ctl Network Mode: DisplaysthecontrolEthernetport’snetworkingmode.Theavailableoptions

are Server, Client (DHCP), or Client (Static IP).“Server” allows you to connect theDittoDX

ForensicFieldStationdirectly toacomputerwithout theuseof an intermediarynetwork.The

networkmodecanbefurtherconfiguredinthebrowserinterface(seeSection5.2.4).

• Ctl IP Address: DisplaystheIPaddressassignedtothecontrolEthernetport.

• Ctl Subnet Mask: DisplaysthesubnetmaskaddressassignedtothecontrolEthernetport.Itis

onlyvisibleif“DstNetworkMode”issetto“Client(StaticIP)”or“Server”.

Date & Time

• Date:Displaysthedate.

• Time:Displaysthetime.

• Timezone:Displaysthetimezone.

9.2.5 Disk Info

The“Disk Info”screen(Figure34)showsallavailabledisksattachedtoeitherthe

sourceordestinationports.Portsareshownonlyifadiskisconnectedthere.Press

RightandthenUporDowntoscrollthroughthefollowinginformationabouteach

connecteddisk:

• Modelnumber

• Diskcapacity

• Filesystem

9.3 FACTORY RESET

ToresettheDittoDXForensicFieldStation’ssettingsbacktotheirfactorydefaults,press

andholdtheUp,Right,andDownnavigationbuttonswhilepoweringtheuniton.The

DittoDXForensicFieldStationwillstartupandthendisplaythetext,“PreparingFactory

Reset”(seeFigure35).

YouwillthenbepromptedtoconfirmyourchoicetoresettheDittoDX.PressRightto

continueorLefttocancel.

Youcanalsousethebrowserinterfacetoperformafactoryreset.SeeSection8.1.3.

10 STEALTH MODEStealthModeturnsoffallLEDsandLCDsontheDittoDXForensicFieldStation.YoucanenableStealthModeby

flippingthephysical“StealthMode”switchontheControlInterfacesideoftheDittoDXForensicFieldStation

(seeSection1.2).

Youcanalsoenableitfromthebrowserinterface.ClickontheConfigure tab,andthenunderthe“System”tab

changethe“StealthMode”drop-downboxto“Enabled.”ThenclickCommit Changes.

IfStealthModeisenabledfromthebrowserinterface,thephysicalswitchcannotoverrideit.

****DITTO****Initializing...

PreparingFactoryReset

Figure 35. The“Preparing Factory Reset” screen ontheFrontPanelLCD.

SourceeSATA:HTS5410806XXXXX79.8GB

Nofilesystem

Figure 34. The“Disk Info”screenon theFrontPanelLCD.

NOTE

41



11 ADVANCED FEATURES AND FUNCTIONS

11.1 NETVIEW SCAN

Thistypeofnetworkprobingisvery noisyandmaytriggeranyITrelatedIntrusionDetectionDevices(IDSs)on

thenetwork.Pleasebesuretorunthisactioninaverycontrolledandisolatedenvironment.

a. SelectNetview Scan fromthe“ActiontoPerform”drop-downbox.

b. Configuretheavailableoptions,whicharedetailedbelowinSection11.1.1.

c. Whenyouarefinished,presstheStart button.Youshouldseeupdateseveryfewsecondsthatdescribe

the current scan being executed, the number of hosts discovered, and the progress of the current

scan.Pleasenotethatprogressestimatesarecrudeandarestillbeingdeveloped.A“Completed”mes-

sageboxwillpopupwhentheactionhasfinished.Clickonthemessagetocontinue.

YoucanviewtheresultsoftheNetviewScanactionbyscrollingdowntothe“SystemLog”panelonthe

“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/timestamp

format:“S_yyyymmddhhmmss”.Alternatively,youcanclickonthe Logs buttonfromthetopmenubar.

The“NetviewReport”sectioncontainssummariesofthediscoveredhosts,includingtheIPaddress,MAC

address,andthemanufacturerassociatedwiththeMACaddressifthatinformationcanbedetermined.The

“Hostname”willbeblankifaDNSlookupcouldnotassociatethehost’sIPaddresstoaname.

11.1.1 Netview Scan Configuration Options

ThefollowingoptionscanbeconfiguredbeforerunningaNetviewScan:

Interface Selection

The“Interface”drop-downboxallowsyoutotelltheDittoDXForensicFieldStationwhichEthernet

connectiontouseduringtheNetviewScan.YoucanchooseeithertheSource,Destination,orCon-

trolEthernetports.

Theselectedinterfacewillbeusedwhenthescanisstarted.Thismaycreateaheavynetworktrafficloadanddependingonthe“Timing”settinginthe“DiscoveryOptions”subsection,mayalertyourITdepartmentthatthenetworkisundersomesortofthreat.Ensurethattheselectedinterfaceisattachedtoacontrolledandisolatednetwork.

Figure 36. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“NetviewScan”action.

STOP!

42



IP Scan Range

BydefaultthelastoctetoftheIPaddressoftheselectedinterfacewillbescanned.Youmaychange

thisvalueandenteralistofIPaddress,arangeofIPaddresses,oracombinationofboth.Clickthe

“Reset”icontoresettheIPScanRangebacktoitsdefaultvalue.

Examples:

1. Range:10.10.10.0-255

• Scanstheaddresses10.10.10.0through10.10.10.255.

2. Range2:10.10.10-12.0-255

• Scansaddresses10.10.10.0-255,10.10.11.0-255,and10.10.12.0-255.

3. List:10.10.10.1

• WillonlyscanIPaddress10.10.10.1

4. List2:10.10.10.2,10.10.10.3

• Willscanonlyhosts10.10.10.2and10.10.10.3

5. Combo:10.10.10.1,10.10.10.2,10.10.10.50-100

• Willscanhosts10.10.10.1,10.10.10.2andhosts10.10.10.50through10.10.10.100.

Discovery Options

Therearethreeoptionalhost(machine)discoveryoptionsandone“NoPing”portscanoptionavail-

able.Bydefault,the“PingEcho”optionisenabledandwillsufficeformostusecases.Somemachines

maybeconfiguredtoignorepingsandnotrespond,sotherearetwootherspecializedPingoptions

whichmaybeuseful.Clickthe“Reset”icontoreloadthedefaultsettings.

• Ping Echo: SendsastandardICMPechorequesttoeachIPaddress.

• Ping Timestamp: SendsarequestforatimestampedICMPpacket.

• Ping Netmask: Sendsarequestforthedestination’ssubnetmaskusinganICMPpacket.

• No Ping: Skipshostdiscoveryandforcesaportscan,whichisusefulwhenthehostsappear

tobedown.

• Timing: Selects a timing interval for scanning a network.“3” is the default setting. Lower

numbersareslowerandwillhelpyouavoidtriggeringanintrusiondetectionalert,andhigher

numbersarefasterbutmaybelessaccurate,andmaycauseintrusiondetectionalerts.

TCP Options

NetViewcanoptionallyscan thespecifiedhosts foropenTCPports.Bydefault, this feature isnot

enabled.Checktheboxnextto“TCPOptions”toenablethisfeatureandexpandmoreoptions.Click

the“Reset”icontoresetallTCPOptionsbacktotheirdefaultvalues.

• Ports: Bydefault,TCPportsforcommonlyusedservicesaswellasservicestowhichtheDitto

DXForensicFieldStationmaybeabletoconnectareenteredintothistextbox,includingports

forNFS,iSCSI,andSamba.Onlyportsenteredintothistextboxwillbescanned.NetViewIP

portrangesmaybespecifiedasanycombinationof listsandranges.Validportnumbersare

43



between1and65535(inclusive).Alistisintheform:80,22,23.Arangeisintheform:1-40.

Bothmaybecombinedtoform:22,23,40-50,80,90-91.

• Syn Scan: SynScanisselectedbydefaultandisappropriateformostusecases.TheDittoDX

ForensicFieldStationgeneratesrawIPpacketsandmonitorsforresponses.Thistypeofscanis

alsoknownas“half-openscanning”sinceitdoesnotopenafullTCPconnection.

• Connect Scan: TheDittoDXForensicFieldStationusesafullsystem-levelTCPconnectionin

ordertodeterminewhatportsareavailableonthehostnetwork.Thisscanshouldonlybeper-

formedbyadvancedusers.

Themoreportsbeingscanned,thelongerthescanwilltake.

UDP Options

NetViewcanoptionallyscanthespecifiedhostsforopenUDPports.Bydefault,thisfeature isnot

enabled.Checktheboxnextto“UDPOptions”toenablethisfeature.Clickthe“Reset”icontoreset

theUDPoptionbacktoitsdefaultvalues.

Ports: Bydefault,UDPportsforcommonlyusedservicesaswellasservicestowhichtheDittoDX

ForensicFieldStationmaybeabletoconnectareenteredintothistextbox,includingNFS,iSCSI,and

Samba.Onlyportsenteredintothistextboxwillbescanned.NetViewIPportrangesmaybespeci-

fiedasanycombinationoflistsandranges.Validportnumbersarebetween1and65535(inclusive).

Alistisintheform:80,22,23.Arangeisintheform:1-40.Bothmaybecombinedtoform:22,23,40-

50,80,90-91.

UDPportscanningtakesmuchlongerthanTCPportscanningduetothefactthatopenandfilteredportsdonot typically respond toqueries.Therefore,anyUDPportscannerwill spend time retrans-mittingitsqueryincasethequeryorresponsewaslost.Furthermore,whileclosedportsdousuallyrespondwith ICMPportunreachablemessages,hoststendto limit thenumberofthosemessagessentpersecond,resultinginfurtherdelay.

Netview Tips

1. SeeNmap.orgforgeneralinformationaboutnetworkscanning.

2. KeepyourIPaddresslists/rangesshort.Thiswillmeanfasterscansandlessnetworktraffic.

3. Keepyourportlists/rangesshort.Thiswillalsomeanfasterscansandlessnetworktraffic.

4. StartbydeselectingtheTCPandUDPscans.Justscanningforthepresenceofhostsismuch

quickerthanrunningTCPandUDPscansonanetworkwithanunknownnumberofmachines.

Onceyouhavealistofdiscoveredmachines,thenyoucandecidewhethertoTCPand/orUDP

scanthemallorscanonlyasubsetatatime.

5. TCPscanningmustbeenabledinordertodetectthetarget’soperatingsystem.

11.2 TARGET MODE: REMOTELY ACCESS DISKS ATTACHED TO THE DITTO DX FORENSIC FIELDSTATION WITH THIRD PARTY SOFTWARE

DisksattachedtoDittoDXForensicFieldStationmaybemountedonyourcomputerasiSCSIdevicesforuse

withthirdpartydataacquisitiontools.Themachinethissoftwareisinstalledondoesnothavetobephysically

connectedtotheDittoDXForensicFieldStation,butratherthesoftwaremayberunremotelyfromaseparate

NOTE

NOTE

www.nmap.org

44



locationwithinthesamenetwork.Todoso,youwillneedtoputtheDittoDXForensic

FieldStationintoTargetMode.

a. On the“Home” Screen, navigate down to the bottom of the“Disks” panel and

selecttheTarget Mode button.

b. ChecktheboxesintheiSCSIcolumnnexttothedisk(s)thatyouwishtomounton

yourcomputerasiSCSIdevice(s).

c. CheckEnable iSCSI and SMB authenticationifyouwishtorequireauthentication

inorderforiSCSIinitiatorsoftwaretoconnecttotheselecteddisk(s).Theninputyour

desiredcredentials.

d. Pressthe OK button.

Youcannowmountthedisk(s)youselectedinthestepsabovetoyourcomputer.

UsetheDittoDXForensicFieldStation’sIPaddressinyouriSCSIinitiatorsoftwarein

ordertoattachtoit.Initiatorscanvary,buttypicallyyou’lladdtheIPaddresstothe

“Discovery”sectionofyourinitiator.

11.3 USING ISCSI DEVICES

11.3.1 Remotely Access an iSCSI Device

ToconnecttoaniSCSIdevicethatexistsonyournetwork,followthesedirections.

a. EnsurethattheEthernetportthroughwhichtheDittoDXForensicFieldStationisconnectedtoyour

networkisproperlyconfiguredforusewithyournetwork(seeSection5.2).Unlessyouhavemanually

configuredtheDittoDXForensicFieldStation’snetworksettingsbefore,youmostlikelydonothaveto

changeanything.IfyouaredirectlyconnectingtheiSCSIdevicetotheDittoDXForensicFieldStation,

thenseeSection11.3.2.

b. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

c. Click theSource Network button if youwant toattach the iSCSIdevice to theDittoDXForensic

FieldStationasawrite-blockedsourcedevice,orclickthe Destination Network buttonifyouwantto

attachtheiSCSIdeviceasaread/write-enableddestination.

d. Clickonthe iSCSI tabifitisnotalreadyselected.

e. TypetheiSCSIdevice’sIPaddressintothe“TargetHost”textfield.

f. TypeintheportnumberofthetargetiSCSIvolumeintothe“Port”textfieldifthenumberisdifferent

thanthedefaultvalueof‘3260’.Ifyoudon’tknowtheportnumber,leaveitasthedefaultvalue.

g. ClicktheDiscover button.TheDittoDXForensicFieldStationwilldetectanyIQNs(iSCSIQualified

Names)attachedtotheIPaddress.

h. SelecttheIQNyouwishtoattachtotheDittoDXForensicFieldStationfromthedrop-downbox.

i. IfauthenticationisrequiredtoconnecttotheIQN,clicktheAdvanced... buttonandinputtheappro-

priatecredentials,includingtheusername,password,anddomain.Otherwise,continuetoStepJ.

Figure 37. The“TargetMode”windowisusedtoallowcomputers and third party software to remotely con-nectviaiSCSItodisksconnectedtoDitto.

45



j. ClicktheAdd button.TheIQNwillnowappearinthelistbelow.

k. RepeatstepsEthroughJtoaddmoreIQNs.Whenyouarefinished,click Close.

TheiSCSIdisk(s)havenowbeenaddedtothelistofDisks,allowingyoutoperformactionsonthemlike

youwouldanyotherdisk.

11.3.2 Directly Connect an iSCSI Device to the Ditto DX Forensic FieldStation

IfyoudonotwishtoconnectaniSCSIdevicetoyournetwork(forexample,itmaybeasuspectdevice

withunknownproperties),youcandirectlyconnectthedevicetotheDittoDXForensicFieldStationand

isolateitfromtherestofyournetwork.Therearetwomethodsfordoingso.Onceyouhaveconnectedthe

device,continuedowntothethirdsubsection,“AddinganiSCSIDisktothe‘Disks’Panel”.

Connect via the Source Ethernet Port

Followthese instructions if the iSCSIdeviceyouareattachingto theDittoDX

ForensicFieldStationisasuspectdevice.You’llneedtoconnecttheiSCSIdevice

tothesourceEthernetportandmanuallyconfiguretheIPaddressofboththe

DittoDXForensicFieldStationandtheiSCSIdevice.

ManuallysettheDittoDXForensicFieldStation’sIPaddress.

a. ClickontheConfigure tab atthetopofthepage,andthenselecttheNet-

work tab.

b. Inthe“SourceNetwork”section,selectStatic IP fromthedrop-downboxunderneaththeMAC

address(seeFigure38).

c. Type in the desired IP address and subnetmask into the appropriate fields. Do not fill in the

Gateway,PrimaryDNSServer,orSecondaryDNSServerunlessdirectedtodosobyyournetwork

administrator.

d. ClickCommit Changes.

ManuallysettheiSCSIdevice’sIPaddress,subnetmask,andgateway.ThefirstthreeoctetsoftheIP

addressmustbeidenticaltothefirstthreeoctetsoftheDittoDXForensicFieldStation’sIPaddress.

Thefourthoctetmustbedifferent,andmustbeanyothernumberbetween1and255.Thesubnet

maskmustbeidenticaltotheDittoDXForensicFieldStation’ssubnetmask.Thegatewaymustalsobe

setastheDittoDXForensicFieldStation’sIPaddress.

BasedontheIPaddressconfigurationofaDittoDXForensicFieldStationthat’sdisplayedinFigure38,

avalidconfigurationforaniSCSIdevicewouldbeasfollows:

IPaddress:10.10.10.100

Subnetmask:255.255.255.0

Gateway:10.10.10.1

AfterthesesettingsareconfiguredfortheDittoDXForensicFieldStationandtheiSCSIdevice,ensure

thattheiSCSIdeviceisconnectedtothesourceEthernetPort.Thencontinuetothe“AddinganiSCSI

Volumetothe‘Disks’Panel”subsectionbelow.

Figure 38. The“SourceNetwork”sectiononthe“Con-figure”screen’s“Network”tab.

46



Connect via the Destination Ethernet Port

FollowtheseinstructionsifyouwillbetransferringevidenceorotherdatatotheiSCSIdevice.First,

ensurethatthedestinationEthernetportisconfiguredtoactasaserver.

a. ClickontheConfigure tab atthetopofthepage,andthenselecttheNetwork tab.

b. In the“DestinationNetwork” section, selectServer from the drop-down box underneath the

MACaddress.Donotcustomizethedefaultserverconfigurationunlessdirectedtodosobyyour

networkadministrator.

c. Click Commit Changes.

NowconnecttheiSCSIDevicetothedestinationEthernetport.TheiSCSIdevicewillbeassigneda

newIPaddressiftheiSCSIdeviceisconfiguredtoobtainanewIPaddressfromDHCP,whichwillthe

caseformostdevices.IfnoIPaddressisassigned,youwillneedtoconfiguretheiSCSIdevicetouse

DHCP.Ifthatisnotpossible,contactyournetworkadministrator.

Once the iSCSIdevice isassignedan IPaddress,continue to the“Addingan iSCSIVolumeto the

‘Disks’Panel”subsectionbelow.

Adding an iSCSI Disk to the “Disks” Panel

Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

a. ClicktheSource Network buttonifyouwanttoattachtheiSCSIdevicetothe

DittoDXForensicFieldStationasawrite-blockedsourcedevice,orclickthe

Destination Network buttonifyouwanttoattachtheiSCSIdeviceasaread/

write-enableddestination.

b. Clickonthe iSCSI tabifitisnotalreadyselected.

c. TypetheiSCSIdevice’sIPaddressintothe“TargetHost”textfield.

d. TypeintheportnumberofthetargetiSCSIvolumeintothe“Port”textfieldif

thenumberisdifferentthanthedefaultvalueof‘3260’.Ifyoudon’tknowthe

portnumber,leaveitasthedefaultvalue.

e. ClicktheDiscover button.TheDittoDXForensicFieldStationwilldetectanyIQNs(iSCSIQualified

Names)attachedtotheIPaddress.

f. SelecttheIQNyouwishtoattachtotheDittoDXForensicFieldStationfromthedrop-downbox.

g. Ifauthentication is requiredtoconnect to the IQN,click theAdvanced... button and input the

appropriatecredentials,includingtheusername,password,anddomain.Otherwise,continueto

thenextstep.

h. ClicktheAdd button.TheIQNwillnowappearinthelistbelow.

i. RepeatstepsCthroughHtoaddmoreIQNs.Whenyouarefinished,clickClose.

TheiSCSIdisk(s)havenowbeenaddedtothelistofDisks,allowingyoutousetheDittoDXForensic

Fieldstationtoperformactionsonthemlikeyouwouldanyotherdisk.

Figure 39. The“SourceNetwork”window’siSCSItaballows you to connect iSCSI devices to the Ditto viathe source Ethernet port.The“DestinationNetwork”tablookssimilaranddoesthesameviathedestinationEthernetport.

47



11.3.3 Properly Remove an iSCSI Device

ThisprocesspreventstimeoutissueswheretheDittoDXForensicFieldStationwillattempttoconnectto

iSCSIvolumesthatnolongerareconnectedtoit.Onthe“Home”Screen,navigatedowntothebottom

ofthe“Disks”panel.

a. Clickthe Source Network buttonifyouriSCSIdeviceisconnectedviathesourceEthernetPort,or

clicktheDestination Network buttonifyouriSCSIdeviceisconnectedviathedestinationEthernet

Port.

b. ClickontheiSCSI tab ifitisnotalreadyselected.

c. Under the“iSCSISourceConnections”or the“iSCSIDestinationConnections”section,check the

boxesnexttotheIQN(s)youwanttoremoveandclicktheRemove button.

d. PhysicallydisconnecttheiSCSIdevicefromtheDittoDXForensicFieldStation.

11.4 USING NFS AND SMB (SAMBA) SHARES

11.4.1 Connect to NFS and SMB Shares

a. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

b. ClicktheSource Network buttoniftheDittoDXForensicFieldStationisconnectedtoyournetwork

viathesourceEthernetPort,orclicktheDestination Network buttonifitisconnectedviathedes-

tinationEthernetPort.

c. ClickontheNFS tab orthe SMB tab,dependingonwhichtypeofshareyouareconnectingto.

d. TypetheservernameintotheServertextfield.

e. IfyouareconnectingtoanSMBshare,selecttheappropriateprotocolfromthe“Protocol”drop-down

box.Ifyoudon’tknowthecorrectprotocol,leaveitasthedefaultvalueof‘SMBv1’.

f. ClicktheShow Shares button.TheDittoDXForensicFieldStationwilldetectanysharesattachedto

theserver.

g. SelecttheshareyouwishtoattachtotheDittoDXForensicFieldStationfromthedrop-downbox.

h. IfyouareconnectingtoanSMBshareandauthenticationisrequired,clicktheAdvanced... button

and inputtheappropriatecredentials, includingtheusername,password,anddomain. If theSMB

sharedoesnotrequireauthenticationoryouareconnectingtoanNFSshare,continuetothenext

step.

i. ClicktheAdd button.Thesharewillnowappearinthelistbelow.

j. RepeatstepsCthroughItoaddmoreshares.Whenyouarefinished,clickClose.

Theshare(s)havenowbeenaddedtothelistofDisks,allowingyoutoperformactionsonthemlikeyou

wouldanyotherdisk.

11.4.2 Remove an NFS or SMB (Samba) Share

a. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

b. ClicktheSource Network button iftheDittoDXForensicFieldStationisconnectedtoyournetwork

viathesourceEthernetPort,orclicktheDestination Network buttonifitisconnectedviathedes-

tinationEthernetPort.

48



c. ClickontheNFS taborSMB tab,dependingonthewhichtypeofshareyouareremoving.

d. Under the“iSCSISourceConnections”or the“iSCSIDestinationConnections”section,check the

boxesnexttotheshare(s)youwanttoremoveandthenclicktheRemove button.

11.5 ADDING A NEW AUTOSELECT LOGICAL IMAGE PROFILE

AutoSelect is a feature that allows you to search during a logical image action only for those file types

of interest to you. If you want to add your own AutoSelect Logical Image profile, you must create a

DittoAutoSelectdirectoryonyourSDCardfirst.ThenyoucanaddoneormoreautoselectXMLfilestothat

directory.YoumayalsoaddsubdirectoriesthatcontainoneormoreautoselectXMLfilestotheDittoDXAu-

toSelectdirectory. InserttheSDCard intotheDittoDXForensicFieldStationandyourcustomAutoSelect

profileswillthenbeavailableinthe“LogicalImageMode”drop-downboxwhenconfiguringa“LogicalImage

SourceDisk”action.

11.5.1 Ditto DX AutoSelect XML File Structure<?xml version=”1.0” encoding=”UTF-8”?>



<DittoAutoSelect

xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”

xsi:noNamespaceSchemaLocation=”autoSelect.xsd”

>

<select title=”Example Title”>

<include path=”*”>

<name>*.jpeg</name>

<name>*.jpg</name>

<name>*.m4*</name> 

</include>

<exclude path=”Windows”/>

</select>

</DittoAutoSelect>

ThenameoftheautoselectXMLfilecanbeanylegalfilenamewitha.xmlfileextension.EachAutoSe-

lectXMLfilemaycontainoneormore<selecttitle=”...”>blocks.Theselectblock’stitlewillappearatthe

bottomofthe“LogicalImageMode”selectionlistprependedwith“SDCard/”followedbythesubdirec-

tory’sname,ifany.

Eachselectblockmaycontainoneormore<includepath=”...”>and/or<excludepath=”...”>blocks.The

include/excludeblock’spath(case-insensitive)maycontainwildcardcharactersandwillbeincludedinor

excludedfromtheautoselection,respectively.

Eachincludeblockmaycontainzeroormore<name>...</name>blocks,whichspecifyafilenametobe

included in theautoselection.Filenamesarecase-insensitiveandmaycontainwildcardcharacters to

specifyasetoffilenames.Excludeblockscannotcontainnameblocks.

YoucannotremoveexistingselectionsfromtheLogicalImageModelist.NOTE

49



TodownloadanXMLSchemathatcanbeusedtovalidateyourautoselectXMLfile,typethefollowinginto

theaddressbarofanInternetbrowser,where<IPAddress>istheIPaddressofyourDittoDXForensic

FieldStation:http://<IPAddress>/data/DittoAutoSelect/autoSelect.xsd

12 UPGRADING FIRMWAREFirmwareupgradesaremadeavailableonCRU’swebsiteatwww.cru-inc.com/support/software-downloads/Ditto-

DX-firmware-updates/.TherearethreemethodstoupgradeyourDittoDXForensicFieldStation’sfirmware.

METHOD 1: COPY AND PASTE A LINK

a. EnsurethattheDittoDXForensicFieldStationisconnectedtoanetworkwithInternetaccess.

b. Gotothefirmwareupdateswebpageandscrolldowntothe“DittoDXFirmwareLinks”section.Copythe

URLofthefirmwareyouwishtousetoupgrade.

c. LogintoyourDittoDXForensicFieldStation’sbrowserinterfaceandnavigatetothe“Utilities”screen.

d. PastethelinkintothetoptextfieldandclicktheFirmware Upgrade button.

e. Whenitasksyoutoconfirmtheretrievaloftheupgradefile,clickContinue.

f. TheDittoDXForensicFieldStationwilldownloadthefileto itself.Oncedownloaded, itwillaskyouto

confirmtheupgrade.ClickContinue.Aftertheupgradeisfinished,clickOK.

g. TheLCDpaneloftheDittoDXForensicFieldStationwillaskyoutoreboot.PresstheRight buttononthe

faceoftheunittoreboot,orclickontheReboot button onthe“Utilities”screen.

METHOD 2: DOWNLOAD TO YOUR COMPUTER

a. Gotothefirmwareupdateswebpageandscrolldowntothe“DittoDXFirmwareLinks”section.

b. Clickonthefirmwareyouwishtousetoupgradetodownloadthefile.Savethefileinaconvenientloca-

tion.

c. LogintoyourDittoDXForensicFieldStation’sbrowserinterface,navigatetothe“Utilities”screen,and

clickonthetopUpload... button.

d. Locatethefirmwarefileyoujustdownloaded,selectit,andclick Open.

e. ClickontheFirmware Upgrade button.

f. TheDittoDXForensicFieldStationwilluploadthefiletoitself.Onceuploaded,itwillaskyoutoconfirm

theupgrade.Click Continue.Aftertheupgradeisfinished,cickOK.

g. TheLCDpaneloftheDittoDXForensicFieldStationwillaskyoutoreboot.PresstheRight buttononthe

faceoftheunittoreboot,orclickontheReboot button onthe“Utilities”screen.

METHOD 3: UPLOAD VIA A USB THUMB DRIVE

a. Gotothefirmwareupdateswebspageandscrolldowntothe“DittoDXFirmwareLinks”section.

b. Clickonthefirmwareyouwishtousetoupgradetodownloadthefile.SavethefiletoaUSBthumbdrive.

c. InsertthethumbdriveintothesourcesideUSBportoftheDittoDXForensicFieldStation.

www.cru-inc.com/support/software-downloads/ditto-firmware-updates/

www.cru-inc.com/support/software-downloads/ditto-firmware-updates/

50



d. TheDittoDXForensicFieldStationwillimmediatelyscanthethumbdriveanddisplayalistontheLCD

screenofallfirmwarefilesfoundonthedrive.Usethenavigationbuttonsonthefaceoftheunittomove

theblinkingcursortothefirmwarethatyouwishtousetoupgrade,andthenpressRight.

e. TheDittoDXForensicFieldStation’sfirmwarewillbeupgraded.TheLCDpaneloftheDittoDXForensic

FieldStationwillaskyoutoreboot.Press Right toreboot.

51



13 TECHNICAL SPECIFICATIONSProductName DittoDXForensicFieldStation

DataInterfaceTypes&Speeds

• eSATA:upto6Gbps• 1000BASE-TEtherNet:upto1Gbps• PATA/IDE:upto133MB/s• USB3.0:upto5Gbps• PCIex4:upto4GB/s

SupportedDiskTypes 2.5”and3.5”rotationalorsolidstateharddisks

SDCardSlotSupport SD,SDHC(MMC,mini-SD,andmicroSDarecompatiblewithadapters)

WifiUSBAdapterSupport WifiadapterswithAtheroschipsets,andsomeRealtekchipsets

DataConnectors

• Three(3)eSATAports• Three(3)1000BASE-TEthernetconnectors• One(1)PATA/IDEconnector• Three(3)USB3.0connectors• One(1)SDCardslot• Two(2)PCIex4DittoExpansionModuleconnectors

Write-BlockedDataInputs eSATA,PATA/IDE,USB3.0,Source-sideEthernetport.OtherinputtypessupportedwithDittoExpansionModulesordriveadapters.

DataOutputs Two(2)eSATAportsoperableassingle,dual,ormirrored.Two(2)USB3.0portsoperableassingle,dual,ormirrored.Bothsource-sideanddestination-side1000BASE-TEthernetports.

SupportedFileSystems ext2,ext3,ext4,FAT32,HFS+,NTFS,XFS

UserInterface• Four-lineLCDcontrolledwithfoursoft-touchmenunavigationbuttonsorUSBkeyboard• Browser-basedDittointerfaceallowsfordirectoperation,remoteoperation,andadministra-

tion

LEDIndicatorsLightbarstatusindicator,powerin5V/12V,USB3,SourceNetwork,IDE,eSATA,SourceExpan-sion,HPA/DCO,DestinationNetwork,eSATAA,eSATAB,USB3A,USB3B,DestinationExpan-sion.

StealthMode Turnsoffalllights(LEDs/LCD)

BrowserCompatibility InternetExplorer,Firefox,Safari,Chrome,Opera

PhysicalImageTypes DD,E01

LogicalImageTypes L01,LIST,TAR,ZIP

Image/CloneOutputModes

Singlediskimage,singlediskclone,imageandclone,imagetomirroreddisks,clonetomirroreddisks,restorephysicalimage,logicalimagetosingledisk,logicalimagetomirroreddisks

HashModes None,MD5,SHA-1,SHA-256,MD5&SHA-1,andMD5&SHA-256,enabledduringimagingandcloningoperations.

EraseModes ClearPartitionTable,QuickErase,CustomErase,SecureEraseNormal,SecureEraseEnhanced,DoDClear,DoDSanitize,NIST800-88Clear,NIST800-88Purge

Externalmaterial All-aluminumconstruction

OperatingHumidity 5%to95%,non-condensing

PowerSwitch 2position:On/Off

PowerInputs 40W12V3.33ADCbarrelconnector(centerpinpositive),15-pinstandardSATApower


For more information, visit the CRU web site.

www.cru-inc.com

Compliance

• EMIStandard:FCCPart15ClassA• CE• EMCStandard:EN55022,EN55024• RCM

ShippingWeight 5lbs(2.3kg)

ProductDimensions 4.92inx6.77inx1.72in(125mmx172mmx43.7mm)

TechnicalSupportYourinvestmentinCRUproductsisbackedupbyourfreetechnicalsupportforthelifetimeoftheproduct.Contactusthroughourwebsite,www.cru-inc.com/supportorcallusat1-800-260-9800or+1-360-816-1800.

©2016CRUAcquisitionGroup,LLC.ALLRIGHTSRESERVED.

ThisUserManualcontainsproprietarycontentofCRUAcquisitionGroup,LLC(“CRU”)whichisprotectedbycopyright,trademark,andotherintellectualpropertyrights.

UseofthisUserManualisgovernedbyalicensegrantedexclusivelybyCRU(the“License”).Thus,exceptasotherwiseexpresslypermittedbythatLicense,nopartofthisUserManualmaybereproduced(byphotocopyingorotherwise),transmitted,stored(inadatabase,retrievalsystem,orotherwise),orotherwiseusedthroughanymeanswithoutthepriorexpresswrittenpermissionofCRU.

UseofthefullDittoForensicFieldStationproduct,including,withoutlimitation,itswebinterface,issubjecttoallofthetemrsandconditionsofthisUserManualandtheabovereferencedLicense.

ThisDittoForensicFieldStationproductandUserManualareprovidedonaRESTRICTEDbasis.Use,duplication,ordisclosurebytheUSGovernmentissubjecttorestrictionssetforthinParagraph(b)oftheCommercialComputerSoftwareLicenseclauseat48CFR42.227-19,asapplicable.

CRU®,Ditto®,andWiebeTech®(collectively,the“Trademarks”)aretrademarksownedbyCRUandareprotectedundertrademarklaw.NmapisaregisteredtrademarkofInsecure.Com,LLCintheUnitedStatesand/orothercountries.ExcelisaregisteredtrademarkofMicrosoftintheUnitedStatesand/orothercountries.EnCaseisaregisteredtrademarkofGuidanceSoftwareintheUnitedStatesand/orothercountries.ThisUserManualdoesnotgrantanyuserofthisdocumentanyrighttouseanyoftheTrademarks.

Product WarrantyCRUwarrantsthisproducttobefreeofsignificantdefectsinmaterialandworkmanshipforaperiodofthreeyearsfromtheoriginaldateofpurchase.CRU’swarrantyisnontransferableandislimitedtotheoriginalpurchaser.

Limitation of LiabilityThewarrantiessetforthinthisagreementreplaceallotherwarranties.CRUexpresslydisclaimsallotherwarranties,includingbutnotlimitedto,theimpliedwarrantiesofmerchantabilityandfitnessforaparticularpurposeandnon-infringementofthird-partyrightswithrespecttothedocumentationandhardware.NoCRUdealer,agent,oremployeeisauthorizedtomakeanymodification,extension,oradditiontothiswarranty.InnoeventwillCRUoritssuppliersbeliableforanycostsofprocurementofsubstituteproductsorservices,lostprofits,lossofinformationordata,computermalfunction,oranyotherspecial,indirect,consequential,orincidentaldamagesarisinginanywayoutofthesaleof,useof,orinabilitytouseanyCRUproductorservice,evenifCRUhasbeenadvisedofthepossibilityofsuchdamages.InnocaseshallCRU’sliabilityexceedtheactualmoneypaidfortheproductsatissue.CRUreservestherighttomakemodificationsandadditionstothisproductwithoutnoticeortakingonadditionalliability.

FCC Compliance Statement: “ThisdevicecomplieswithPart15oftheFCCrules.Operationissubjecttothefollowingtwoconditions:(1)Thisdevicemaynotcauseharmfulinterference,and(2)thisdevicemustacceptanyinterferencereceived,includinginterferencethatmaycauseundesiredoperation.”

ThisequipmenthasbeentestedandfoundtocomplywiththelimitsforaClassAdigitaldevice,pursuanttoPart15oftheFCCRules.Theselimitsaredesignedtoprovidereasonableprotectionagainstharmfulinterferencewhentheequipmentisoperatedinacommercialenvironment.Thisequipmentgenerates,uses,andcanradiateradiofrequencyenergyand,ifnotinstalledandusedinaccordancewiththeinstructionmanual,maycauseharmfulinterferenceinwhichtheuserwillberequiredtocorrecttheinterferenceattheirownexpense.

IntheeventthatyouexperienceRadioFrequencyInterference,youshouldtakethefollowingstepstoresolvetheproblem:1) Ensurethatthecaseofyourattacheddiskisgrounded.2) UseadatacablewithRFIreducingferritesoneachend.3) UseapowersupplywithanRFIreducingferriteapproximately5inchesfromtheDCplug.4) Reorientorrelocatethereceivingantenna.

FOROFFICEORCOMMERCIALUSE

PartNumber:A9-000-0050Rev1.1

www.cru-inc.com/support

cru wiebetech ditto dx forensic fieldstation protecting your digital assets tm ditto dx forensic...

Documents