ditto forensic fieldstation
Protecting Your Digital Assets™
Ditto Forensic FieldStation User Manual

Features
• Source inputs (write-blocked) – eSATA (SATA), PATA, USB 2.0, PCIe x1 expansion port, and gigabit network (NFS, iSCSI, SMB)
• Destination outputs – Dual eSATA (SATA) ports to store acquired data on one or two disks, SD card, or gigabit network (iSCSI, NFS, SMB)
• Data acquisition modes – physical image DD, physical image E01 with empty block compression, logical image L01, clone, and simultaneous clone & image.
• Hash types – MD5, SHA-1, MD5+SHA-1
• Remote usage – Perform operations using the web browser interface from any remote networked location in the world
• System configuration management via front panel LCD or web browser interface
• User profiles can be password protected and assigned specific permission levels
• Data log captures a complete history of data acquisitions and can be managed and printed from web browser or extracted to a user-specific document
• Stealth Mode available for use with night vision goggles (not included)
TABLE OF CONTENTS
1 Pre-Installation Steps
2 Setup
3 Browser Interface
3.1 Accessing the Browser Interface
3.2 Icons Used in the Browser Interface
3.3 User Accounts
4 Home Screen
4.1 Action
4.1.1 Clone Source Disk
4.1.2 Physical Image Source Disk
4.1.3 Logical Image Source Disk
4.1.4 Clone and Image Source Disk
4.1.5 Erase Destination Disk
4.1.6 Hash Disk
4.1.7 Snapshot Disk
4.1.8 NetView Scan
4.2 Investigation Info
4.3 System Settings
4.4 Current Status
4.5 Disks
4.6 System Log
5 Configure Screen
6 Admin Screen
6.1 User Accounts
6.2 Permission Levels
6.3 Adding a New User
6.4 Editing an Existing User
6.5 Deleting a User
7 Logs Screen
8 Utilities Screen
9 Using the Front Panel Interface in Standalone Mode
10 Stealth Mode
11 Advanced Features and Functions
11.1 Netview Scan
11.2 Target Mode: Remotely Access Disks Attached to the Ditto Forensic FieldStation with Third Party Software
11.3 Using iSCSI Devices
11.4 Using NFS and SMB (Samba) Shares
11.5 Adding a New Logical Image Mode
12 Upgrading Firmware
13 Technical Specifications
1 PRE-INSTALLATION STEPS
1.1 PACKAGE CONTENTS
The following list contains the items that are included in the complete configuration for this device. Please contact CRU if any items are missing or damaged:
Ditto Forensic FieldStation Unit: 1
Unitized SAS-to-eSATA + Mini-Fit power cable: 3
IDE cable: 1
12V power supply: 1
Power cord: 1
Legacy power-to-Mini-Fit cable: 1
Ethernet cable (RJ45): 1
2.5” IDE-to-3.5” IDE and Mini-Fit cable: 1
Power adapter, legacy-to-SATA: 1
Velcro cable wrap: 6
eSATA cable: 2
SD card (pre-installed): 1
Quick Start Guide: 1
1.2 IDENTIFYING PARTS
Take a moment to familiarize yourself with the parts of the Ditto Forensic FieldStation. This will help you to better understand the following instructions.
TOP OF UNIT (figure labels): Power Available LEDs, LCD Menu, Source LEDs, Destination LEDs, Navigation Buttons for LCD Menu
2 SETUP
Plug the “suspect” disks or devices into the Source Inputs side of the Ditto Forensic FieldStation. All source inputs are write-blocked to prevent alteration. The source inputs include a USB 2.0 connection for USB devices, an RJ45 gigabit Ethernet connection, an IDE/PATA disk connection, and an eSATA connection for SATA disks or an eSATA device. The expansion module connection is used with the SAS, USB 3.0, and other Ditto Forensic FieldStation expansion modules.
Use the Destination Outputs side of the Ditto Forensic FieldStation to store acquired data. The destination output connections include two eSATA connections for SATA disks or eSATA devices and an RJ45 gigabit Ethernet connection.
The rear of the Ditto Forensic FieldStation has an SD card slot and two powering options: a 12V input for the power supply, and a SATA power connection. The rear also has a hook for hanging the unit inside the computer case or workstation.
NOTE: CRU recommends that you switch the power off to the Ditto when you add or remove a device from it in order to avoid disk damage and data corruption.
3 BROWSER INTERFACE
The Ditto Forensic FieldStation can be configured and operated either from the Front Panel (see Section 9) or through a web browser.
3.1 ACCESSING THE BROWSER INTERFACE
3.1.1 Accessing Via A Network
a. Plug an Ethernet cable into the Ethernet port on the “Source Inputs” side of the Ditto Forensic FieldStation.
b. Connect the other end of the Ethernet cable to your network. This usually means plugging it into a router or hub. In an office environment, you may have a network jack built into your office wall.
c. Connect the power cable to the rear of the Ditto Forensic FieldStation and to the provided AC adapter or to SATA power.
d. Turn on the Ditto Forensic FieldStation’s power using the switch on the rear panel. (0 = off, 1 = on)
SOURCE INPUTS (all inputs are write-blocked) (figure labels): RJ45 Gigabit Ethernet Connection, 4-pin Mini-Fit Power Connection (DC Power Output), IDE/PATA Connection, USB 2.0 Type A Connection, Expansion Module Connection, eSATA Connection
DESTINATION OUTPUTS (figure labels): eSATA Connections, RJ45 Gigabit Ethernet Connection, Stealth Mode Switch, 4-pin Mini-Fit Power Connections (DC Power Output)
REAR OF THE UNIT (figure labels): Hanging Hook, Power Switch (0 = off, 1 = on), SD Card Slot, SATA Power Connection, Power Input for AC Supply
e. Type the Ditto Forensic FieldStation’s source IP address into your web browser. If you know the address, go down to the last step of this section. If you do not know the address, continue to the next step.
f. Press the Down navigation button on the Ditto Forensic FieldStation until you reach the “Settings” menu. Then press Enter.
   Settings
   View/Edit >
g. Press the Up or Down navigation buttons until you reach the “Source IP Address” screen.
h. Type the IP address shown into your web browser.
   Source IP Address:
   10.xxx.xxx.xxx
NOTE: The Ditto Forensic FieldStation is configured by default to use DHCP for IP assignment. If you need to change to a static IP address, check with your network administrator and see Section 3.3.2 of this manual.
i. Log in to the browser interface (the default username and password for the administrator account are both “admin”).
NOTE: CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
You are now ready to use the browser interface to configure settings and preview, image, or clone attached disks.
3.1.2 Accessing Via Direct Connection to Your Computer
a. Plug an Ethernet cable into the Ethernet port on the “Destination Outputs” side of the Ditto Forensic FieldStation.
b. Connect the other end of the Ethernet cable to your computer’s Ethernet port.
STOP! The destination Ethernet port can be configured to act as a server. Attaching a Ditto Forensic FieldStation acting as a server to an existing network through the destination Ethernet port will cause network conflicts. Therefore it is important to attach the Ditto Forensic FieldStation directly to your computer instead. To change this setting so that the Ditto Forensic FieldStation no longer acts as a server, see Section 5.2.3.
c. Connect the power cable to the rear of the Ditto Forensic FieldStation and to the provided AC adapter or to SATA power.
d. Turn on the Ditto Forensic FieldStation’s power using the switch on the rear panel. (0 = off, 1 = on)
e. Type the Ditto Forensic FieldStation’s destination IP address into your web browser. The default IP address for the destination Ethernet port is 10.10.10.1. If you have changed the address and do not remember it, continue to the next step. Otherwise, go down to the last step of this section.
f. Press the Down navigation button on the Ditto Forensic FieldStation until you reach the “Settings” menu. Then press Enter.
   Settings
   View/Edit >
g. Press the Up or Down navigation buttons until you reach the “Dest. IP Address” screen.
h. Type the IP address shown into your web browser.
   Dest. IP Address:
   10.xxx.xxx.xxx
i. Log in to the browser interface (the default username and password for the administrator account are both “admin”).
NOTE: CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
You are now ready to use the browser interface to configure settings and preview, image, or clone attached disks.
3.2 ICONS USED IN THE BROWSER INTERFACE
The browser interface uses several icons that may be clicked on to perform certain actions.
ICON: ACTION
Information: Opens a window with a brief description of the setting the information icon appears next to.
Refresh: Refreshes the field that the icon appears next to in order to give updated information.
Reset: Loads the defaults for the setting that the Refresh icon appears next to.
Add: Adds a user defined field to a list of items.
Remove: Removes a user defined field from a list of items.
3.3 USER ACCOUNTS
The Ditto Forensic FieldStation employs a user account system to control access to its features. The “Login” screen presents you with the ability to log in through http, or you can click the Secure Login (HTTPS) link to log in securely. Accept the certificate and/or continue to the website, even if your browser tells you it does not recognize it.
The default username and password for the Administrator account are both “admin”. CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
Click on the Log Out button at the top right of the browser interface to log out.
4 HOME SCREEN
The “Home” screen is where you will perform most of your operations with the Ditto Forensic FieldStation, and is the default screen to load upon logging into the browser interface. Click on the Home tab to access the “Home” screen from any other area of the browser interface.
4.1 ACTION
The “Action” panel lets you start, abort, and document the following actions. The “Start” button begins the action. The “Abort” button stops the action in progress. Click the Comment button to write a note that will be appended to the log. Click the Configure button to modify the default settings for each action, which can also be modified on the “Configure” screen (See Section 5).
Figure 1. The “Home” screen.
4.1.1 Clone Source Disk
The Ditto Forensic FieldStation makes an exact duplicate of the source disk and can clone to a single or mirrored destination disk.
NOTE: While cloning the source disk, the Ditto Forensic FieldStation can also hash the source disk using the MD5, SHA-1, or MD5+SHA-1 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3. Hashing while using both MD5+SHA-1 significantly reduces performance.
To clone, follow these steps:
a. Using the browser interface, select Clone Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to clone from the “Source” drop-down box.
c. Select the destination disk from the “Destination” drop-down box. To clone to two destination disks at the same time, select the Mirror option. Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk.
NOTE: For the Mirror feature to be shown, two destination disks must be attached.
d. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
NOTE: You can increase the performance of the operation by clicking off of the browser interface window so that it is not continually updated.
You can view the results of the clone action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Figure 2. The “Action” section on the “Home” screen, showing the options available for the “Clone Source Disk” action.
4.1.2 Physical Image Source Disk
The Ditto Forensic FieldStation creates an E01 or DD image of the source disk on one or two destination disks.
NOTE: While imaging the source disk, the Ditto Forensic FieldStation can also hash the source disk using the MD5, SHA-1, or MD5+SHA-1 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3. Hashing while using both MD5+SHA-1 significantly reduces performance.
For the fastest performance, we recommend utilizing an NTFS file system for Windows, HFS+ for Mac, or XFS for Linux machines. To create a physical image, follow these steps:
Figure 3. The “Action” section on the “Home” screen, showing the options available for the “Physical Image Source Disk” action.
a. Using the browser interface, select Physical Image Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to image from the “Source” drop-down box.
c. Select which partition(s) to image from the “Partition” drop-down box. Choose All to image the entire source disk.
d. Select the destination disk for the image from the “Destination” drop-down box. To image to two destination disks at the same time, select the Mirror option. Destinations do not have to be the same physical media as the source disk, but each must be larger than the source disk.
NOTE: For the Mirror feature to be shown, both destination disks must be empty. A quick way to accomplish this is to use the Ditto Forensic FieldStation to erase each disk by selecting Erase Destination Disk from the “Action to Perform” drop-down box and using the “Clear Partition Table” erase mode (see Section 4.1.5). You must also go to the Erase tab on the “Configure” Screen and make sure that “Format After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the “Mirror” option will not appear.
e. Select which type of physical image you would like to create from the “Physical Image Type” drop-down box. The image types available are E01 or DD. You can modify which image type appears by default in the drop-down box on the “Home” screen’s “System Settings” section (see Section 4.3), or on the “Configure” screen’s “System” tab (see Section 5.1).
f. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
NOTE: You can increase the performance of the operation by clicking off of the browser interface window so that it is not continually updated.
You can view the results of the image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
4.1.3 Logical Image Source Disk
Logical imaging allows an investigator to quickly scan the contents of a hard disk and image only the files and folders relevant to the investigation into an L01, ZIP, TAR, or LIST file format. Data can be imaged to one or two destination disks. To create a logical image, follow these steps:
a. Select Logical Image Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to image from the “Source” drop-down box, then choose which partition(s) to image from the “Partition” drop-down box underneath the “Source” drop-down box. If you select “All”, partitions will be imaged sequentially.
Figure 4. The “Action” section on the “Home” screen, showing the options available for the “Logical Image Source Disk” action.
c. Select the destination disk for the logical image from the “Destination” drop-down box, then choose the destination disk partition from the “Partition” drop-down box underneath. To image to two destination disks at the same time, select the Mirror option. Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk.
NOTE: For the Mirror feature to be shown, both destination disks must be empty. A quick way to accomplish this is to use the Ditto Forensic FieldStation to erase each disk by selecting Erase Destination Disk from the “Action to Perform” drop-down box and using the “Clear Partition Table” erase mode (see Section 4.1.5). You must also go to the Erase tab on the “Configure” Screen and make sure that “Format After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the “Mirror” option will not appear.
d. Select which type of logical image you would like to create from the “Logical Image Type” drop-down box. The format options available are L01, TAR, ZIP, or LIST. (You can modify which logical image type appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
NOTE: “Logical Image Source Disk” actions create a report of directories and files chosen from the source disk as well as their file sizes and any error messages encountered. This report can be viewed from within the browser interface and can be exported as an Excel spreadsheet. See Section 7.1.4.
e. Select the Logical Image Mode from the “Logical Image Mode” drop-down box. See the list of logical image modes at the end of this subsection for information on what each mode does.
f. If you chose any Logical Image Mode other than “Manual Select”, click the Start button at the top of the Action section. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
If you chose “Manual Select”, follow these steps:
i. Click on Select Files & Dirs. A dialog box will open.
ii. Use the navigation tree to select the files and folders you wish to image (See Figure 5).
iii. Click the Start button at the bottom of the dialog box. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the logical image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Figure 5. The file navigation tree.
Logical Image Modes
Beginning with the September 19, 2015 firmware update, the Logical Image action can automatically search for files that fit the following Logical Image Modes. The action will search for specific file extensions specified by the Logical Image Mode. See the list below for information on specific file types.
• Manual Select: Enables the “Select Files & Dirs” button so that you can manually select which files to logically image.
• All Files and Dirs: Images all files and directories.
• All Except Windows: Images all files and directories except for the Windows directory.
• All Except Windows and Programs: Images all files and directories except for the Windows, Program Files, Program Files (x86), and ProgramData directories.
• All Users - Windows: Images the Windows “Users” directory.
• All Temporary - Windows: Images the Windows/Temp and Temp directories.
• All Except Swap and Hibernate: Images all files and directories except files named hiberfil.sys, pagefile.sys, Win386.swp, and 386part.par.
• All Media Files: Images all .avi, .jpeg, .jpg, .wav, and .mov files, as well as all files with extensions beginning in “.mp” (.mpeg, .mp4, .mp3, etc.) and all files with extensions beginning in “.m4” (.m4a, .m4v, etc.).
• All Office Files: Images all .txt and .pdf files, as well as all files with extensions beginning in “.doc”, “.xls”, “.ppt” (.doc, .docx, .xlsx, .pptx, etc.).
• All Financial Files: Images all .ifx, .ofx, .qfx, .qif, and .tax files.
You may also add your own customized logical image modes to this drop-down list. To do so, see Section 11.5.
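The following added example (not part of the CRU manual and not the device's firmware logic) applies the mode rules listed above to a file listing, so an examiner can preview what a mode would and would not collect before relying on it. It assumes case-insensitive matching and that the named directories sit at the root of the partition; the sample listing is constructed.

```python
import os

# Extension rules transcribed from the mode list above: a set of exact
# extensions plus a tuple of prefixes ("extensions beginning in ...").
EXT_MODES = {
    "All Media Files": ({".avi", ".jpeg", ".jpg", ".wav", ".mov"}, (".mp", ".m4")),
    "All Office Files": ({".txt", ".pdf"}, (".doc", ".xls", ".ppt")),
    "All Financial Files": ({".ifx", ".ofx", ".qfx", ".qif", ".tax"}, ()),
}
# Directory rules as (include, exclude). Assumption: the named directories
# are located at the root of the partition being imaged.
DIR_MODES = {
    "All Files and Dirs": (None, ()),
    "All Except Windows": (None, ("windows",)),
    "All Except Windows and Programs": (
        None, ("windows", "program files", "program files (x86)", "programdata")),
    "All Users - Windows": (("users",), ()),
    "All Temporary - Windows": (("windows/temp", "temp"), ()),
}
SWAP_FILES = {"hiberfil.sys", "pagefile.sys", "win386.swp", "386part.par"}


def split_path(rel_path):
    """Split a partition-relative path into lower-cased components."""
    return tuple(p.lower() for p in rel_path.replace("\\", "/").split("/") if p)


def is_under(parts, directory):
    """True when the path lies inside the given root-relative directory."""
    prefix = tuple(directory.split("/"))
    return len(parts) > len(prefix) and parts[:len(prefix)] == prefix


def selected(mode, rel_path):
    """Would a literal reading of the mode's rule pick up this file?"""
    parts = split_path(rel_path)
    if not parts:
        return False
    if mode == "All Except Swap and Hibernate":
        return parts[-1] not in SWAP_FILES
    if mode in EXT_MODES:
        exact, prefixes = EXT_MODES[mode]
        ext = os.path.splitext(parts[-1])[1]
        # Prefix rules are broad: ".mp" also matches .mpp, ".doc" matches .docm.
        return ext in exact or ext.startswith(prefixes)
    if mode in DIR_MODES:
        include, exclude = DIR_MODES[mode]
        if include is not None:
            return any(is_under(parts, d) for d in include)
        return not any(is_under(parts, d) for d in exclude)
    raise ValueError(f"unknown Logical Image Mode: {mode!r}")


def preview(mode, listing):
    """Return the subset of a file listing that the mode would image."""
    return [path for path in listing if selected(mode, path)]


# Constructed sample listing (paths relative to the partition root).
SAMPLE_LISTING = [
    "Windows/System32/config/SAM",
    "Windows/Temp/setup.log",
    "Program Files/App/readme.txt",
    "Users/alice/Documents/budget.xlsx",
    "Users/alice/Documents/ledger.qfx",
    "Users/alice/Videos/clip.MP4",
    "Users/alice/Documents/plan.mpp",
    "Temp/scratch.tmp",
    "pagefile.sys",
]

if __name__ == "__main__":
    for mode in list(EXT_MODES) + list(DIR_MODES) + ["All Except Swap and Hibernate"]:
        print(f"{mode}: {preview(mode, SAMPLE_LISTING)}")
```

Under this reading, the “.mp” prefix also collects a Microsoft Project file (plan.mpp) as media, which is the kind of over- or under-collection worth checking before choosing a mode over a physical image.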
4.1.4 Clone and Image Source Disk
This action simultaneously creates a clone of the source disk on one destination disk and creates an image on a second destination disk. Two destination disks are required for this action.
NOTE: While cloning and imaging the source disk, the Ditto Forensic FieldStation can also hash the source disk using the MD5, SHA-1, or MD5+SHA-1 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3. Hashing while using both MD5+SHA-1 significantly reduces performance.
To simultaneously create a clone and a physical image of the source disk, follow these steps:
a. Select Clone & Image Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to clone and image from the “Source” drop-down box.
c. Select the destination disk for the clone from the “Clone Destination” drop-down box and the destination disk for the image from the “Image Destination” drop-down box. Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk.
d. Select the destination disk partition on which to save the image file from the “Image Partition” drop-down box.
e. Select which type of physical image you would like to create from the “Physical Image Type” drop-down box. The image types available are E01 or DD. (You can modify which image type appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
f. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the clone and image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest links, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Figure 6. The “Action” section on the “Home” screen, showing the options available for the “Clone & Image Source Disk” action.
4.1.5 Erase Destination Disk
The Ditto Forensic FieldStation erases the destination disk using your preferred Erase Mode. The Erase Modes available are Clear Partition Table, Quick Erase, LBA/Offset Pattern, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DOD Clear, DOD Sanitize, NIST 800-88 Clear, and NIST 800-88 Purge.
To erase a disk, follow these steps:
a. Select Erase Destination Disk from the “Action to Perform” drop-down box.
b. Select the Erase Mode to use from the “Erase Mode” drop-down box. (You can modify which erase mode appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
c. Select the target destination disk(s) from the “Target” drop-down box.
d. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the erasure action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Format After Erase
You can configure the Ditto Forensic FieldStation to automatically format a disk after you erase it. Click on the Configure tab to go to the “Configure” screen. Then click on the Erase tab and make sure that “Format After Erase” is checked for each of the erase modes on which you’d like to enable this setting.
Figure 7. The “Action” section on the “Home” screen, showing the options available for the “Erase Destination Disk” action.
4.1.6 Hash Disk
The Ditto Forensic FieldStation will hash any source or a destination disk using your preferred algorithm. Hash values are saved in the System Log. The available algorithms are “MD5”, “SHA-1”, or “MD5+SHA-1”.
To hash a disk, follow these steps:
a. Select Hash Disk from the “Action to Perform” drop-down box.
b. Select your preferred hash algorithm from the “Hash Type” drop-down box. (You can modify which hash algorithm appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
c. Select the target disk from the “Target” drop-down box.
d. Select the partition you want to hash from the “Partition” drop-down box.
e. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the hash action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
4.1.7 Snapshot Disk
The Ditto Forensic FieldStation provides S.M.A.R.T. and hdparm information for any source or destination disk connected to itself. No clone or image request needs to be done.
To create a snapshot of a disk, follow these steps:
a. Select Snapshot Disk from the “Action to Perform” drop-down box.
b. Select the target disk from the “Target” drop-down box.
c. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the snapshot action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Scroll to “eSATA Extended Disk Info” to see recorded data, including S.M.A.R.T. and hdparm information.
4.1.8 NetView Scan
NetView is a network tool that can be used to discover machines on a network and even probe them for specific services that they may be running. This capability can help an investigator locate physically hidden computers or quickly determine whether a machine is acting as a data storage device that the Ditto Forensic FieldStation can image.
See Section 11.1 for more information about the NetView Scan feature.
Figure 8. The “Action” section on the “Home” screen, showing the options available for the “Hash Disk” action.
Figure 9. The “Action” section on the “Home” screen, showing the options available for the “Snapshot Disk” action.
4.2 INVESTIGATION INFO
The Investigation Info panel groups related information that may also be used in creating custom directories and filenames (see Section 5.8). The “Hide” button allows you to minimize the panel.
Click the Edit button to enter information about the Investigator, Case Number, Evidence Number, Description, Notes, Base directory prefix, and a Base filename prefix for an E01 or DD image.
Each field is filtered to block non-printable ASCII characters. Any characters at the file system level that may not be safe for a directory name or filename will be filtered out and replaced with an underscore. Only printable ASCII characters are currently allowed for directory and filenames. Multiple underscores will also be reduced to a single underscore per naming item.
The Ditto Forensic FieldStation will generate an error message if you enter a non-printable ASCII character or if your message exceeds the 58 character limit. Additionally, when the final directory or filename that uses any of these fields is created, another level of filtering is applied.
STOP! Using apostrophes (‘) in the name fields will cause an error when the file or folder name is created. They should not be used in the Investigation Info fields.
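An added example, not taken from the manual or the device firmware: a pre-flight check for case metadata that applies the rules described above (printable ASCII only, 58-character limit, no apostrophes) and shows the underscore substitution and collapsing. The manual does not list which characters it treats as unsafe for names, so the `UNSAFE` set is an assumption, as are the function names and the sample record.

```python
import re

MAX_LEN = 58  # character limit stated in the manual

# Assumption: the manual does not enumerate the characters it considers
# unsafe in directory or file names; this set is illustrative only.
UNSAFE = set('\\/:*?"<>|')


def field_problems(value):
    """List the reasons a field value would be rejected or cause an error."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"{len(value)} characters, limit is {MAX_LEN}")
    bad = sorted({c for c in value if not 0x20 <= ord(c) <= 0x7E})
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append(f"not printable ASCII: {codes}")
    if "'" in value:
        problems.append("apostrophe causes an error when the name is created")
    return problems


def name_component(value, unsafe=UNSAFE):
    """Approximate the naming filter: unsafe characters become underscores,
    then runs of underscores collapse to a single underscore."""
    problems = field_problems(value)
    if problems:
        raise ValueError("; ".join(problems))
    replaced = "".join("_" if c in unsafe else c for c in value)
    return re.sub(r"_{2,}", "_", replaced)


def preflight(record):
    """Check every field of a case record; return only the failing fields."""
    report = {}
    for field, value in record.items():
        problems = field_problems(value)
        if problems:
            report[field] = problems
    return report


# Constructed sample record using the field names from this section.
SAMPLE_RECORD = {
    "Investigator": "Zoë O'Brien",
    "Case Number": "2015-0042",
    "Evidence Number": "E-0007",
    "Description": "Laptop disk, seized from office " + "x" * 40,
    "Base filename prefix": "case/2015::0042__disk",
}

if __name__ == "__main__":
    print(preflight(SAMPLE_RECORD))
    print(name_component(SAMPLE_RECORD["Base filename prefix"]))
```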
4.2.1 User Defined Fields
Click on the green plus sign icon to open the “Add User Defined Field” window (see Figure 12). You may add as many user defined fields as you wish. Each user defined field must have a title, XML tag, and value.
The title identifies the value in the Ditto Forensic FieldStation’s browser and LCD interfaces, and the XML tag only appears in the configuration and log files.
To remove a user defined field, click on the green minus sign icon.
4.3 SYSTEM SETTINGS
Displays the current configuration settings of the Ditto Forensic FieldStation. These settings are loaded as the default settings for the actions you perform in the “Action” panel. The “Hide” button allows you to minimize the panel. Click the Edit button to customize these settings. See Section 5.1 for details on each option.
4.4 CURRENT STATUS
Reports either as “Idle” or displays info about the action that the Ditto Forensic FieldStation is currently performing.
Figure 10. The “Action” section on the “Home” screen, showing the options available for the “Netview Scan” action.
Figure 11. The “Investigation Info” section.
Figure 12. The “Add User Defined Field” window.
Figure 13. The “System Settings” section.
Figure 14. The “Current Status” section, displaying the status of a Physical Image action.
4.5 DISKS
Displays information about the attached disks that are currently connected to the Ditto Forensic FieldStation. The “Hide” button allows you to minimize the panel. To see the available space a disk has, click the green double arrow icon in the “Used” column header (see Figure 16). The disk usage will refresh and give an updated amount.
The “Target Mode” button allows you to present the disks attached to the Ditto Forensic FieldStation as iSCSI disks on a network. This is useful if you wish to use third party data acquisition tools against the disks without creating an image. The “Source Network” and “Source Destination” buttons are used for mounting iSCSI devices as well as NFS and SMB shares to the Ditto Forensic FieldStation. For more information, see Section 11.
4.5.1 Previewing and Browsing Disks
To browse or download disk data, or to select files and folders for logical imaging, click on a partition’s number under the disk’s “Partition” column and then select Preview (see Figure 17). This opens up a file explorer window where you can navigate through the files and folders on the disk.
Directory Toolbar and Right-Click Context Menu Items
ICON: ACTION
Collapse Folder Tree: Collapses the entire folder tree so that only the previewed partition’s folder is visible.
Refresh: Refreshes the folder contents in order to give updated information.
Up: Moves up to the parent folder.
Back: Moves back to the previously viewed folder.
Folders: Toggles whether folders are displayed in the contents panel.
Select Mode: Toggles the ability to select individual files for logical imaging.
Detail View/List View: Toggles whether the Size, Type, Date Created, Date Modified, and Date Accessed columns are visible.
Size Format: Changes whether file sizes in the “Size” column are measured as bytes or as megabytes, gigabytes, etc.
View: Opens the selected file. Images and PDF files will open in a preview window. Other files will open a dialog box to download the file to your computer.
Download: Opens a dialog box to download the selected file to your computer.
Hash: Opens an info window with the selected file’s name, MD5 hash, and file size in bytes.
HexView: Opens the file in the Ditto Forensic FieldStation’s built-in hexadecimal viewer.
Figure 15. The “Disks” section on the “Home” screen.
Figure 16. Clicking the green double arrow icon displays and updates the amount of space currently used and available.
Figure 17. Drop-down menus for a disk (left) and a disk’s partition (right).
Logically Image Data
To logically image data using the “Preview” window, click on the Select Mode button and then check the box next to each file or folder you want to logically image. When you are finished, click on the Stage button in the lower right corner of the “Preview” window. You will be taken back to the “Home” screen. Use the “Action” control panel as directed in Section 4.1.3. When you click on “Select Files & Dirs”, you will be asked to confirm whether to logically image the files and folders you have selected, or to select new files and folders.
4.5.2 View Hexadecimal Data
To view a disk’s hexadecimal data, click on the disk name under the “Port” column and then select HexView. To view a disk partition’s hexadecimal data, click on the partition’s number under the disk’s “Partition” column and then select HexView (see Figure 17).
4.5.3 View Snapshot Data
To view a disk’s snapshot information, click on the disk name under the “Port” column and then select Snapshot.
4.6 SYSTEM LOG
Shows the actions that the Ditto Forensic FieldStation has performed (see Figure 18). The “Hide” button allows you to minimize the panel. The “Comment” button allows you to write a note that is appended to the log.
If there is no SD card present in the SD card slot, this panel displays the logs that have been stored in volatile memory since the Ditto Forensic FieldStation’s last power cycle. These logs are deleted when the Ditto Forensic FieldStation is powered down. If there is an SD card present, this panel displays all actions saved on the SD Card.
To view the log details of a particular action, click on the link under the “Message” column, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
5 CONFIGURE SCREEN
The “Configure” screen allows you to modify the way the Ditto Forensic FieldStation functions to suit your specific needs. Click on the Configure tab to access the “Configure” screen from the browser interface.
5.1 SYSTEM
The “System” tab allows you to view and customize the following settings. This information is also displayed in the “System Settings” panel on the “Home” screen. When you are finished, click the Commit Changes button to save the changes.
• Default Format: This is the default file system that will be used to format destination disks when they are used in actions that the Ditto Forensic FieldStation performs.
• Physical Image Type: Sets the default physical image type for all actions that create a physical image.
• Logical Image Type: Sets the default logical image type for the “Logical Image Source Disk” action.
• Logical Image Mode: Sets the default Logical Image Mode for the “Logical Image Source Disk” action.
• Verify Single: Determines whether individual destination disks are hashed and compared to the source disk’s hash value.
Figure 18. The “Configure” screen, showing the “System” tab.
Figure 18. The “System Logs” section on the “Home” screen.
• Verify Mirror: Determines whether mirrored destination disks are hashed and compared to the source disk’s hash value(s). You can choose to verify eSATA-A or eSATA-B individually, both disks, or none.
• Verify Clone & Image: Determines whether cloned and imaged disks are hashed and compared to the source disk’s hash value during a “Clone & Image Source Disk” action. You can choose to verify the clone, the image, both, or none.
• Log Disk Info: Determines whether S.M.A.R.T. and hdparm disk information is logged before running an action, after running an action, both, or not at all. CRU recommends that you log disk information before and after an action.
• HTML Logging: Logs are always saved in .XML format. This option causes the Ditto Forensic FieldStation to save logs in HTML format as well.
• DiskView Logging: Logs any action to preview a disk or actions performed while previewing a disk (i.e. starting or finishing a preview of a disk, starting or finishing a HexView action).
• Hash Type: Sets the default hash algorithm that will be used for disk verification and the “Hash Disk” action. The available algorithms are MD5, SHA-1, or MD5+SHA-1. Note that hashing with both MD5+SHA-1 significantly reduces performance.
• Erase Mode: Sets the default erase mode that will be used for all actions that require erasing disks.
• Stealth Mode: Turns off all LEDs and LCDs on the Ditto Forensic FieldStation. The physical “Stealth Mode” Switch serves the same purpose (see Section 1.2). If Stealth Mode is enabled from the browser interface, the physical switch cannot override it.
• LCD/LED Brightness: Sets the relative brightness of the LCDs and LEDs on the face of the Ditto Forensic FieldStation on a scale of 1 to 255.
• Audible Buzzer: This is a planned feature that is not currently implemented. The audible buzzer will alert the user to various actions that occur when using the Ditto Forensic FieldStation.
• Prompt Invest. Info: Opens a “Configure Investigation Info” window after the user has hit the “Start” button in the “Action” section on the “Home” screen. This allows the user to customize the Investigator, Case Number, Evidence Number, Description, Notes, Base Directory Name, and Base File Name information prior to performing the requested action.
• LCD Prompt Case: Five options may be chosen to modify the case number specified in the “Investigation Info” section of the “Home” screen. The case number is included in the log for the requested action. “Disabled” leaves the case number as it is. “Inc/Dec” allows you to manually increment the case number up or down using the navigation buttons on the face of the Ditto Forensic FieldStation. “AutoInc” automatically increments the case number, and “AutoInc/Pause” automatically increments the case number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Case Number specified in the “Investigation Info” section.
• LCD Prompt Evidence: Five options may be chosen to modify the evidence number specified in the “Investigation Info” section of the “Home” screen. The evidence number is included in the log for the requested action. “Disabled” leaves the evidence number as it is. “Inc/Dec” allows you to manually increment the evidence number up or down using the navigation buttons on the face of the Ditto Forensic FieldStation. “AutoInc” automatically increments the evidence number, and “AutoInc/Pause” automatically increments the evidence number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Evidence Number specified in the “Investigation Info” section.
• Quick Start: Enables the “Quick Start” screen on the LCD that appears after you boot or reboot the Ditto Forensic FieldStation. The settings for this mode may be modified in the “Quick Start” tab. See Section 5.9.
5.2 NETWORK
The “Network” tab allows you to view and customize the following settings. If you are unsure or have questions about changing your network settings, contact your network administrator. When you are finished, click the Commit Changes button to save the changes.
5.2.1 Host Name
Allows you to change the name that the Ditto Forensic FieldStation displays on a network. Host names are not case sensitive, but must begin with any letter “A-Z”. They can contain the letters A-Z, numbers 0-9, underscore “_”, and dash “-” characters. Host names must also be limited to 64 characters.
Figure 20. The “Network” tab on the “Configure” screen, showing the “Source”, “Destination”, and “Wifi” network settings. The “Wifi Network” section only appears when a USB wireless network adapter has been plugged in.
5.2.2 Source Network
The “Source Network” section displays the source Ethernet port’s MAC Address as well as its IP assignment method. You can choose either “DHCP (Auto Config)” or “Static IP (Manual Settings)” from the top drop-down box.
The “Remote Accessibility” drop-down box allows you to choose whether or not the Ditto Forensic FieldStation responds to any network traffic via the source Ethernet port.
5.2.3 Destination Network
The “Destination Network” section displays the source Ethernet port’s MAC Address as well as its networking mode. You can choose either “Server”, “Client (DHCP)”, or “Client (Static IP)” from the drop-down box.
Server
“Server” allows you to configure the Ditto Forensic FieldStation for use as a server. This can be helpful if you are connecting an iSCSI device to the destination Ethernet port, for example (see Section 11.3.2), or you are connecting Ditto directly to your computer instead of through your office network. The default settings below will work for most environments. This is an advanced option, so do not customize the default server configuration below unless directed to do so by your network administrator.
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.10.100
DHCP End Address: 10.10.10.199
DNS Server: Enabled
DNS Domain Name: ditto.local
NTP Server: Enabled
NAT Gateway: Disabled
STOP! Do not connect the Ditto Forensic FieldStation to another network while it is configured as a server. Doing so will cause network conflicts and may disrupt network traffic.
Client (DHCP)
This option automatically configures the destination Ethernet port to connect to the attached network.
Client (Static IP)
This option allows you to manually configure the destination Ethernet port to connect to the attached network.
5.2.4 Wifi Network
The “Wifi Network” section allows you to configure a third party USB wifi network adapter that’s been plugged into the “Source Inputs” USB port. It also displays that port’s MAC Address. Adapters with an Atheros chipset and some adapters with Realtek chipsets are compatible.
NOTE: The Ditto Forensic FieldStation can handle multiple USB devices through a USB hub attached to the USB port on the “Source Inputs” side of the Forensic FieldStation.
“Wifi Mode” allows you to determine whether the Ditto Forensic FieldStation connects to a wifi network or acts as a wifi hotspot itself. Hot Spot Mode is helpful if you are working in a separate location from the Ditto Forensic FieldStation that is still within range of a wireless network, or if there is no hardwired network available in the location.
Choose “Client Mode” to connect to an existing wifi network or “Hot Spot Mode” to make the Ditto Forensic FieldStation into a wifi hotspot.
Client Mode
Check “Status: Auto Start” if you want the Ditto Forensic FieldStation to connect to the specified wireless network automatically.
To select the client mode’s networking mode, you can choose either “Client (DHCP)” or “Client (Static IP)” from the drop-down box underneath the MAC Address. “Client (DHCP)” automatically configures the USB wifi network adapter to connect to a wifi network. “Client (Static IP)” allows you to manually configure the connection.
Hot Spot Mode
Check “Status: Auto Start” if you want the Ditto Forensic FieldStation to begin broadcasting as a hot spot automatically whenever a wifi adapter is plugged in.
The default settings below will work for most environments, with several exceptions.
STOP! Input your own key to ensure that your Ditto Forensic FieldStation remains secure.
STOP! You may be required to conform to your country’s laws and regulations regarding wireless radio frequency usage. Select your two-digit country code from the “Regulatory Domain” drop-down list, and the Ditto Forensic FieldStation will limit the frequencies it may broadcast on to only those in the permitted range(s).
STOP! Do not connect the Ditto Forensic FieldStation to a wired network while it is configured as a hot spot. Doing so will cause network conflicts and may disrupt network traffic.
SSID: {HostName}-wifi
Regulatory Domain: Global
Band: G-2.4GHz
Channel: Auto
Broadcast: Checked
Security: WPA2 Personal
Key: ditto123
Show Key: Unchecked
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.20.100
DHCP End Address: 10.10.20.199
DNS Server: Enabled
DNS Domain Name: dittowifi.local
NTP Server: Enabled
NAT Gateway: Disabled
5.3 CLONE
The “Clone” tab allows you to view and customize the following settings for disk cloning actions, including the “Clone & Image Source Disk” action. When you are finished, click the Commit Changes button to save the changes.
5.3.1 Typical Settings
• Source HPA/DCO: Sets whether the cloning action should indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Fill to End of Disk: Check this box to enable zeroes to be written to the end of the disk.
• Reset HPA After Fill: Sets the HPA on the destination disk so that the capacity of the destination disk is identical to the capacity of the source disk.
5.3.2 Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto Forensic FieldStation during a cloning action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the cloning action if the Ditto Forensic FieldStation encounters a bad sector on the source disk.
5.4 PHYSICAL IMAGE
The “Physical Image” tab allows you to view and customize the following settings for physical imaging actions, including the “Clone & Image Source Disk” action. There are separate options available for both the “E01” and “DD” image types. When you are finished, click the Commit Changes button to save the changes.
5.4.1 E01
Click on the E01 tab to reveal the E01 image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Source HPA/DCO: Sets whether the physical image action should indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Compression Type: Sets whether the action should use empty block compression or no compression.
• EWF File Format: Choose which EnCase image file format should be used during E01 physical images. CRU recommends using “encase6” for most acquisitions.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto Forensic FieldStation during an E01 physical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Error Granularity: Determines how many sectors are ignored on a read error. The minimum size is 512 bytes. The default size is the Buffer Size. The maximum size is limited by the target file system.
• Swap Byte Pairs of the Media Data (endian conversion): Check this box if you need to convert from big-endian to little-endian or vice-versa, which may be necessary for disks used in older x86 or PowerPC-based systems.
• Wipe Sectors on Read Error (mimic EnCase-like behavior): If a read error is encountered during an E01 physical image action, the Ditto Forensic FieldStation will write out zeroes to fill the sector.
• Read Error Retries: Specifies the number of times the Ditto Forensic FieldStation will try to read a sector before moving on to the next sector.
5.4.2 DD
Click on the DD tab to configure the DD image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Source HPA/DCO: Sets whether the physical image action should indicate that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto Forensic FieldStation during a DD physical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the DD physical image action if the Ditto Forensic FieldStation encounters a bad sector on the source disk.
5.5 LOGICAL IMAGE
The “Logical Image” tab allows you to view and customize the following settings for the “Logical Image Source Disk” action. There are different options available for each of the L01, ZIP, TAR, and LIST file types. When you are finished, click the Commit Changes button to save the changes.
5.5.1 L01
Click on the L01 tab to configure the L01 image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during an L01 logical image action.
• Compression Type: Sets whether the action should use empty block compression or no compression.
• Per File Hash Type: Sets the default hash algorithm that will be used for individual file verification. The available algorithms are MD5 and SHA-1. The default setting is “None”.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto Forensic FieldStation during an L01 logical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Read Error Retries: Specifies the number of times the Ditto Forensic FieldStation will try to read a sector before moving on to the next sector.
5.5.2 ZIP and TAR Settings
Click on the ZIP or TAR tab to configure the settings for either of those logical image types.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during the logical image action. This setting is format-dependent.
5.5.3 LIST Settings
Click on the LIST tab to configure the LIST image settings.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during the logical image action. This setting is format-dependent.
• Validate File Extensions: Uses MIME to make sure that the file headers of the files within the newly created logical image list match their file extensions. Any questionable files are highlighted in the Logical Image Report.
5.6 ERASE
The Ditto Forensic FieldStation allows you to view and customize settings for how the Ditto Forensic FieldStation erases disks.
5.6.1 Available Erase Modes
ERASE MODE                EXPLANATION
Clear Partition Table     Removes the partition table on the disk.
Quick Erase               Performs a single pass writing all zeroes.
LBA/Offset Pattern        Writes byte/LBA info to each sector. Each 512 byte sector is written with: B_XXXXXXXXXXXXXXL_DDDDDDDDDDDD, where ‘XXXXXXXXXXXXXX’ is the Byte offset as a hexadecimal string, and ‘DDDDDDDDDDDD’ is the LBA number as a decimal string. The remainder of the sector is filled with zero.
Custom Erase              Performs 1-99 passes, overwriting the disk with zeroes or a user-selected pattern.
Secure Erase Normal       Initiates the disk’s built-in Secure Erase Normal function.
Secure Erase Enhanced     Initiates the disk’s built-in Secure Erase Enhanced function.
DOD Clear                 Performs the U.S. Department of Defense “Clear” standard by writing zeroes to the drive.
DOD Sanitize              Performs the U.S. Department of Defense “Sanitize” standard by using a 0xAAAAAAA pattern, then its complement, and then another unclassified pattern.
NIST 800-88 Clear         Performs the “Clear” standard defined by NIST special publication 800-88 by writing all zeroes to the drive.
NIST 800-88 Purge         Performs the “Purge” standard defined by NIST special publication 800-88 by initiating the drive’s built-in Secure Erase (Normal) command.
Figure 21. The “Erase” tab on the “Configure” screen, showing all available erase modes and their customizable settings.
5.6.2 Customizable Settings
Some Erase Modes require several of the following settings to be configured a certain way as part of their standard. In these cases, the settings cannot be modified.
• Mode Name: The name of the erase mode.
• HPA/DCO Handling: Sets how erase actions using the specified erase mode should handle HPAs and DCOs. It can indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Passes: For the “Custom Erase” setting only, this allows you to specify the number of passes the disk is overwritten during the erase action. You can specify between 1 and 99 passes.
• Overwrite Method: For the “Custom Erase” setting only, you can specify a pattern for the disk to write repeatedly across the entire disk. If “text” is selected from the drop-down box, the “Pattern” field must contain one or more ASCII characters. If “hex” is selected, the “Pattern” field must contain an even number of ASCII characters representing hexadecimal digits (e.g. 17a64F). Leaving the “Pattern” field blank tells the Ditto Forensic FieldStation to use zeroes.
• Verify: This is a planned feature that is not currently implemented. The “Verify” drop-down box will allow you to verify the erased disk after it has been fully erased. If “Quick” is selected, the beginning, middle, and end of the disk will be read to ensure that the last pattern was actually written. If “Full” is selected, the entire disk will be read to ensure that the last pattern was actually written. If “None” is selected, no verification will be performed.
• Format After Erase: Check this box to format the disk with the default format. The default format can be set in the “System” tab on the “Configure” screen (see Section 5.1).
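Because “Verify” is listed as planned but not implemented, an erased disk can be read back independently on a workstation. The following is an added example, not CRU code or part of the manual: it applies the “Overwrite Method” pattern rules above and performs a “Quick” or “Full” read-back of a disk or image file. It assumes the pattern repeats without a gap starting at byte 0; the function names and the sample size used for “Quick” are illustrative.

```python
import os
import string
import tempfile

SECTOR = 512
BUFFER = 1024 * 1024  # 1 MiB reads, the same figure as the manual's default buffer size


def parse_pattern(method, pattern):
    """Turn the Overwrite Method / Pattern fields into the bytes to expect."""
    if pattern == "":
        return b"\x00"  # a blank Pattern field means zeroes
    if method == "text":
        if not pattern.isascii():
            raise ValueError("text pattern must be ASCII characters")
        return pattern.encode("ascii")
    if method == "hex":
        if len(pattern) % 2 or any(c not in string.hexdigits for c in pattern):
            raise ValueError("hex pattern needs an even number of hex digits")
        return bytes.fromhex(pattern)
    raise ValueError("method must be 'text' or 'hex'")


def expected_bytes(pat, offset, length):
    """Bytes the pattern yields for [offset, offset + length).
    Assumption: the pattern repeats without a gap starting at byte 0."""
    start = offset % len(pat)
    reps = (start + length) // len(pat) + 1
    return (pat * reps)[start:start + length]


def first_mismatch(f, pat, offset, length):
    """Offset of the first byte that differs from the pattern, else None."""
    f.seek(offset)
    pos, end = offset, offset + length
    while pos < end:
        chunk = f.read(min(BUFFER, end - pos))
        if not chunk:
            return pos  # short read: fewer bytes than the reported size
        want = expected_bytes(pat, pos, len(chunk))
        if chunk != want:
            return pos + next(i for i in range(len(chunk)) if chunk[i] != want[i])
        pos += len(chunk)
    return None


def verify_erase(path, method="hex", pattern="", mode="full", sample=BUFFER):
    """Read back an erased disk or image file.
    Returns None if every checked byte matches, else the first bad offset.
    'quick' checks `sample` bytes at the beginning, middle and end only."""
    if mode not in ("quick", "full"):
        raise ValueError("mode must be 'quick' or 'full'")
    pat = parse_pattern(method, pattern)
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        if mode == "full":
            ranges = [(0, size)]
        else:
            sample = min(sample, size)
            middle = (size - sample) // 2 // SECTOR * SECTOR
            ranges = [(0, sample), (middle, sample), (size - sample, sample)]
        for offset, length in ranges:
            bad = first_mismatch(f, pat, offset, length)
            if bad is not None:
                return bad
    return None


def make_image(path, pat, size):
    """Write a constructed test image filled with the pattern."""
    with open(path, "wb") as f:
        f.write(expected_bytes(pat, 0, size))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "wiped.img")  # constructed sample, not a real disk
        make_image(img, parse_pattern("hex", "17a64F"), 3 * BUFFER)
        with open(img, "r+b") as f:  # simulate a region the erase missed
            f.seek(1_000_000)
            f.write(b"\xff")
        print("quick:", verify_erase(img, "hex", "17a64F", "quick", sample=4096))
        print("full: ", verify_erase(img, "hex", "17a64F", "full"))
```

In the constructed image the damaged byte lies outside the three sampled regions, so the quick check passes while the full check reports its offset.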
5.7 HASH
The “Hash” tab allows you to view and customize the following settings for all hash actions. When you are finished, click the Commit Changes button to save the changes.
• Buffer Size: Sets the buffer size used by the Ditto Forensic FieldStation during a hash action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the hash disk action if the Ditto Forensic FieldStation encounters a bad sector on the target disk.
5.8 NAMING
The “Naming” tab allows you to customize how the Ditto Forensic FieldStation names directories and files during imaging actions. When you are finished, click the Commit Changes button to save the changes.
As shown in Figure 22, the file directory used in imaging actions can be a name that contains up to six user-selectable fields, and the file name used in imaging actions can contain up to four user-selectable fields. As you customize these fields, the “Directory Name Template”, “Final Directory Name”, “File Name Template”, and “Final File Name” fields will update. The template fields show the order in which the variables will appear in the name, whereas the final name fields display the directory or file name using the actual information from the “Investigation Info” panel on the “Home” screen and the source disk.
5.8.1 Variables
To modify any of the user-customizable variables, navigate to the “Investigation Info” panel on the “Home” screen (see Section 4.2).
• Timestamp/{Timestamp}: Displays the timestamp. The timestamp is required to be included in all directory names, but it is optional for file names.
• Base Filename: Displays the base file name. This option is the default first variable for file names, but may be changed. User customizable.
• Case Number: Displays the case number. User customizable.
• Description: Displays the description field. User customizable.
• Evidence Number: Displays the evidence number. User customizable.
• Investigator: Displays the investigator. User customizable.
• Source Drive Model Type: Displays the model number of the source disk.
• Source Drive Unique ID: Displays the unique ID number of the source disk.
5.9 QUICK START
The “Quick Start” tab allows you to customize the quick start mode that appears on the LCD of the Ditto Forensic FieldStation when the “Quick Start” option is enabled in the “System” tab. Many of the settings below are visible only when certain types of actions are selected in the “Action to perform” drop-down box.
• Action to perform: Sets the action that is performed by the quick start mode.
• Allowed Sources: Place a checkmark next to each source where you want the Ditto Forensic FieldStation to search for a connected source.
• Allowed Targets: Place a checkmark next to each target where you want the Ditto Forensic FieldStation to search for a connected target.
• Clone Destination: For the “Clone Source Disk” and “Clone & Image Source Disk” actions only. Specifies the target destination where the source disk will be cloned.
• Source Partition: Determines which partition(s) will be imaged from the source disk. Choose All to image the entire source disk.
• Image Destination: Specifies the target destination where the image will be placed.
• Image Partition: Specifies the partition on the target destination where the image will be placed.
• Action Target: For the “Erase Destination Disk” action only. Specifies which target volume will be erased.
Figure 22. The “Naming” tab on the “Configure” screen.
6 ADMIN SCREEN
The “Admin” screen allows the administrator to manage user accounts and assign permission levels for each user. Click on the Admin tab to access the “Admin” screen from the browser interface.
6.1 USER ACCOUNTS
The Ditto Forensic FieldStation contains two permanent accounts: “admin” and “panel”. The “admin” account is the Administrator account, and only the Full Name and password may be modified. The “panel” account is the Front Panel account, and modifies access permissions for functionality that can be accessed through the LCD screen and navigation buttons on the Ditto Forensic FieldStation.
6.2 PERMISSIONS
6.2.1 Permission Levels
Permission levels on the browser interface are displayed as “FULL”, “AUTH”, or as a hyphen, and as “Full Access”, “Must Authenticate”, and “None”, respectively, when editing or creating a user. “FULL” and “Full Access” indicate that the user has complete access to the features governed by that permission and is not required to enter a password. “AUTH” and “Must Authenticate” indicate that the user must authenticate his credentials with a password in order to change a setting or perform an action that that permission governs. A hyphen or “None” indicates that the user does not have access to the features governed by that permission.
6.2.2 Configurable Permissions
The following list of permissions specifies what each controls, and can be configured when adding or editing a user account. Some permissions for the Administrator and Front Panel accounts will be greyed out by default.
• Admin: “None” allows access to modify the User Name and Full Name of the Administrator, Front Panel, and the user’s own account, and allows the user to change his or her own password, but blocks the user from viewing any account’s permission levels. “Modify Users” enables the user to modify user accounts, passwords, and permissions (except for the “Admin” permission). “Full Access” additionally enables the ability to create and delete users and assign the “Admin” permission.
• Config: Governs all non-network configuration settings, including those found in the “System Settings” panel on the “Home” screen and on all tabs on the “Configure” screen.
• NetSettings: Controls access to the network settings on the “Configure” screen.
• Clone: Controls access to the “Clone Source Disk” and “Clone & Image Source Disk” actions.
Figure 23. The “Admin” screen.
• Physical Image: Controls access to the “Physical Image Source Disk” and “Clone & Image Source Disk” actions.
• Logical Image: Controls access to the “Logical Image Source Disk” action.
• Erase: Controls access to the “Erase Destination Disk” action.
• Hash: Controls access to the “Hash Disk” action.
• Snapshot: Controls access to the “Snapshot Disk” action.
• Netview: Controls access to the “Netview Scan” action.
• Abort: Controls access to the ability to abort actions in progress.
• Note: Controls access to the “Comment” buttons in the “Action” and “System Log” panels on the “Home” screen.
• Logs: Controls the ability to delete log files from the “Logs” screen.
• DiskView: Controls the ability to preview and download files from the suspect drive via the “Disks” panel on the “Home” screen.
6.3 ADDING A NEW USER
To add a new user, click the Add User button, enter the user’s information, and set the permission levels. When finished, click on the Commit Add button.
6.4 EDITING AN EXISTING USER
To update a user’s name, password, or permissions, click on the user account under the “User Name” column, update the information, and then click the Commit Edits button.
6.5 DELETING A USER
To delete a user, click on the user account under the “User Name” column and click on the Delete User button. Do not click this button unless you are absolutely certain you wish to delete the account.
7 LOGS SCREEN
The “Logs” screen provides information about the Ditto Forensic FieldStation’s actions. Click on the Logs tab to access the “Logs” screen from the browser interface.
Action logs show the timestamp, the type of action performed, the user who performed the action, and a link to the “Action Log” screen that provides more information about the performed action.
7.1 ACTION LOG
7.1.1 Settings
Displays the settings of the Ditto Forensic FieldStation that were active when the particular action was performed.
7.1.2 User Permissions
Displays the permissions of the user that were in place when the particular action was performed.
7.1.3 Extended Disk Info
This report displays the information of the disk used (which is noted in the title of this report) in the action, including the interface, model, serial number, capacity, the presence of HPAs (host protected areas) or DCOs (device configuration overlays), partition information, hdparm information, and S.M.A.R.T. information. If multiple disks are used in the action, then multiple reports are created.
7.1.4 Logical Image Report
This report appears in action logs of “Logical Image Source Disk” actions and displays each directory and file that was imaged, along with their size and any error messages that were generated. If “Validate File Extensions” is enabled for LIST logical images in the “Configure” screen, it will also log any files in LIST logical images that have a mismatched file header and extension (see Section 5.5.3). Click on the Export button to save a copy of the log as an Excel spreadsheet. Click on the Export Suspects button to save a copy of all of the suspect files where there is a mismatch between the file’s MIME type and file extension.
7.1.5 Netview Report
This report appears in action logs of “Netview Scan” actions and displays summaries of the discovered hosts, including the IP address, MAC address, and the manufacturer associated with the MAC address if that information can be determined. The “Hostname” will be blank if a DNS lookup could not associate the host’s IP address to a name.
8 UTILITIES SCREEN
The “Utilities” screen allows you to perform various miscellaneous functions, including the ability to upgrade firmware, import customized configurations, remotely reboot the Ditto Forensic FieldStation, modify date and time settings, and perform a factory reset. Click on the Utilities tab to access the “Utilities” screen from the browser interface.
Figure 24. The “Logs” screen.
8.1 SYSTEM MAINTENANCE
8.1.1 Firmware Upgrade
For information on how to upgrade the firmware, see Section 12.
8.1.2 Configuration
You can save and load configurations for the Ditto Forensic FieldStation. The file generated saves a copy of every customizable setting for the unit.
Save Configuration
To save a configuration, click on the Save Config button. Name the file, and then click Continue to open a Save As dialog box and save the file to your computer.
Load Configuration
a. Click on the Load Config button, browse to the .xml configuration file you want to load, highlight it, and click Open.
b. The “Confirm Import” window will open. Place a check next to each setting you want to load, and then click Continue. By selecting these settings, you will be overwriting the existing settings, so be sure to save the current configuration first.
c. The Ditto Forensic FieldStation will import the configuration settings. Click OK when it’s finished.
8.1.3 Other Buttons
• Reboot: Opens a confirmation to reboot the Ditto Forensic FieldStation.
• Date & Time: Allows you to set the current date, time, and time zone. Click the Synchronize button to sync these settings with your browser’s operating system.
• Factory Reset: Opens a confirmation dialog to return the Ditto Forensic FieldStation to factory settings. Check the Purge Ditto SD card log files box to remove all log files from the SD card in the unit. You can also use the Front Panel to perform a factory reset. See Section 9.3.
• System Verify: Verifies that the Ditto Forensic FieldStation’s operating system files have not been modified and places a statement in the system log. If the verification fails, the details can be viewed by exporting the System Diagnostics.
Figure 25. The “Utilities” screen.
• Diagnostics: Exports a diagnostics log file in HTML format. The diagnostics log contains information about the Ditto Forensic FieldStation’s current configuration, including user accounts, kernel messages, logs, process information, disks, PHP errors, and system verify results.
8.2 UPGRADE LOG MESSAGES
This section displays the status log of firmware upgrades and is only visible after a firmware upgrade has been performed.
8.3 IMPORT LOG MESSAGES
This section displays the status log of configuration file exports and imports and is only visible after a configuration file has been loaded or saved.
9 USING THE FRONT PANEL INTERFACE IN STANDALONE MODE
The Ditto Forensic FieldStation can work as a standalone device with no additional computer required, which can be useful when working with evidence disks in the field.
The Front Panel interface allows you to clone, physically image, perform a logical image using a Logical Image Mode, simultaneously clone and image, erase, hash a disk, or perform a snapshot of a disk. You can also adjust settings, view information about attached disks, or check on the Ditto Forensic FieldStation’s operational status. The administrator account can assign access permissions to the Front Panel’s actions and settings using the browser interface.
9.1 HOW TO NAVIGATE
9.1.1 Using the Navigation Buttons
The navigation buttons on the front of the Ditto Forensic FieldStation allow you to navigate through the menu. Up and Down allow you to scroll through the available options on the Front Panel, while Enter selects the option and Back goes back to the previous screen. If Quick Start Mode is enabled, press Back to exit it.
9.1.2 Using a Keyboard
Plug a PC USB keyboard into the USB port on the “Source Inputs” side of the Ditto Forensic FieldStation. You can navigate using the arrow keys. Press Enter or the Right Arrow key to select a menu option. Press the Left Arrow key to back out of a menu or setting. If Quick Start Mode is enabled, you can press the Escape key to exit it.
NOTE: The Ditto Forensic FieldStation can handle multiple USB devices through a USB hub attached to the USB port on the “Source Inputs” side of the Forensic FieldStation. However, if multiple keyboards are connected, keystrokes from all keyboards are processed.
9.2 MENU SCREENS
The Ditto Forensic FieldStation menu consists of the following screens:
9.2.1 Status
The status screen is the default screen. It shows the progress of any current processes. When the Ditto Forensic FieldStation is “Idle”, the current firmware of the unit is also listed on this screen. An example of a status screen is shown in Figure 26.
Ditto: Idle
Version: 2015Sep19a
(Up/Dn for Menu)
Figure 26. The “Status” screen on the Front Panel LCD.
9.2.2 Perform Action
After you adjust settings to your specifications, you are ready to put the Ditto Forensic FieldStation to work. The “Perform Action” screen lets you start or abort any of the Ditto Forensic FieldStation’s actions using the current settings.
a. On the “Perform Action” screen, use the Up and Down buttons to cycle through the available actions. Press Enter to select the one you want.
b. Cycle through the available settings for the action. Press Enter if you wish to modify them.
c. When you are finished modifying settings, scroll down to the option that asks you to start the action (ex. “Start Physical Image?”). Press Enter to begin.
The status and remaining time will be displayed on the LCD screen as the Ditto Forensic FieldStation performs the action. To abort an action, press the Back button. The LCD screen will ask if you wish to abort the action. Press Enter to confirm, or Back to cancel the abort request.
9.2.3 Investigation Info
The “Investigation Info” screen lists the current settings that can be modified in the “Investigation Info” section on the “Home” screen of the browser interface. To modify these settings from the browser interface, see Section 4.2.
Editing Fields With A Keyboard
On the “Investigation Info” menu, an “Edit (Keyboard)” menu item will appear when a keyboard is detected (see Figure 27). You can edit the field currently displayed on the LCD by pressing the Enter button on the face of the Ditto Forensic FieldStation or by pressing Enter or the Right Arrow key on the keyboard, and then using the keys to type.
STOP! Using apostrophes (‘) in the name fields will cause an error when the file or folder name is created. They should not be used in the Investigation Info fields.
NOTE: Strings longer than 24 characters are displayed with an ellipsis character (...) at the right side of the string.
NOTE: The Ditto Forensic FieldStation can handle multiple USB devices through a USB hub attached to the USB port on the “Source Inputs” side of the Forensic FieldStation. However, if multiple keyboards are connected, keystrokes from all keyboards are processed.
Here is a table of the most common keyboard commands:
KEY           COMMAND
Escape        Cancels an edit.
Enter         Begins an edit on a user-editable string or selects the currently-visible menu option. When pressed while editing a string, it confirms the edit.
Home/End      When editing a string, these keys move the cursor to the beginning/end of the string, respectively.
Up/Down       Moves through the menu options. When editing a string, they move the cursor to the beginning/end of the string, respectively.
Delete        Deletes the character currently highlighted by the cursor.
Backspace     Deletes the character immediately behind the cursor.
Num Lock      Forces the numbered arrow keys to type numbers when pressed.
Caps Lock     Forces all letter keys to type capital letters.
Tab/Shift+Tab/Page Up/Page Down/Function/Alt/Windows/Control/Insert     Not handled.
Investigator: C.Walker
Edit (Keyboard)
Figure 27. The “Investigator” field in the “Investigation Info” menu on the Front Panel LCD, when a USB keyboard is attached to the Ditto Forensic FieldStation.
9.2.4 Settings
The “Settings” screen allows you to view and customize the following settings, which are grouped into three subsections. These settings will be the default settings used in any actions performed.
NOTE: The System Settings below cannot be modified if the Front Panel user account does not have full access to the “Config” permission, and the Source and Destination Network Settings cannot be modified if the Front Panel user account does not have access to the “Net Settings” permission. See Section 6 for information on how to customize the Front Panel user account.
System Settings
• Physical Image Type: Sets the default physical image type for all actions that create a physical image. The image types available are E01 or DD.
• Logical Image Type: Sets the default logical image type for all actions that create a logical image. The logical image types available are L01, TAR, ZIP, and LIST.
• Logical Image Mode: Sets the default logical image mode. The logical image modes available are All Files and Dirs, All Except Windows, All Except Windows Programs (abbreviated as “All Except W...nd Programs”), All Users - Windows, All Temporary - Windows, All Except Swap and Hibernate (abbreviated as “All Except S..d and Hibernate”), All Media Files, All Office Files, and All Financial Files. See Section 4.1.3 under “Logical Image Modes” for a description of each mode.
• Hash Type: Sets the default hash algorithm that will be used for disk verification and the “Hash Disk” action. The available options are None, MD5, SHA-1, or MD5+SHA-1.
• Erase Mode: Sets the default erase mode that will be used for all actions that require erasing disks. The available modes are Clear Partition Table, Quick Erase, LBA/Offset Pattern, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DOD Clear, DOD Sanitize, NIST 800-88 Clear, and NIST 800-88 Purge.
• Default Format: This is the default file system that will be used to format destination disks when they are used in actions that the Ditto Forensic FieldStation performs. The available formats are HFS+, FAT32, NTFS, EXT2, EXT3, EXT4, and XFS.
• HTML Logging: Logs are always saved in .XML format. This option causes the Ditto Forensic FieldStation to save logs in HTML format as well. The available options are Off and On.
• DiskView Logging: Logs any action to preview a disk or actions performed while previewing a disk (i.e. starting or finishing a preview of a disk, starting or finishing a HexView action). The available options are Off and On.
• LCD/LED Brightness: Sets the relative brightness of the LCDs and LEDs on the face of the Ditto Forensic FieldStation on a scale of 1 to 255.
• LCD Prompt Case: Five options may be chosen to modify the case number specified in the “Investigation Info” section of the “Home” screen in the browser interface. The case number is included in the log for the requested action. “Disabled” leaves the case number as it is. “Inc/Dec” allows you to manually increment the case number up or down using the navigation buttons on the face of the Ditto Forensic FieldStation. “Auto Inc” automatically increments the case number, and “Auto Inc/Pause” automatically increments the case number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Case Number specified in the “Investigation Info” section of the “Home” screen in the browser interface.
• LCD Prompt Evidence: Five options may be chosen to modify the evidence number specified in the “Investigation Info” section of the “Home” screen. The evidence number is included in the log for the requested action. “Disabled” leaves the evidence number as it is. “Inc/Dec” allows you to manually increment the evidence number up or down using the navigation buttons on the face of the Ditto Forensic FieldStation. “Auto Inc” automatically increments the evidence number, and “Auto Inc/Pause” automatically increments the evidence number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Evidence Number specified in the “Investigation Info” section of the “Home” screen in the browser interface.
• Quick Start: Enables the “Quick Start” screen on the LCD that appears after you boot or reboot the Ditto Forensic FieldStation. The settings for this mode may be modified in the “Quick Start” tab of the “Configure” screen on the browser interface. See Section 5.9.
• Verify Single: Determines whether an individual destination disk is hashed and compared to the source disk’s hash value. The available options are Yes and No.
• Verify Mirror: Determines whether mirrored destination disks are hashed and compared to the source disk’s hash value(s). You can choose to verify no disks, eSATA-A or eSATA-B individually, or to verify both disks.
• Verify Clone & Image: Determines whether cloned and imaged disks are hashed and compared to the source disk’s hash value during a “Clone & Image Source Disk” action. You can choose to verify no disks, the clone, the image, or both.
• Log Disk Info: Determines whether S.M.A.R.T. and hdparm disk information is logged before running an action, after running an action, both, or not at all.
Src (Source) Network Settings
• Source Network: Enable or disable the source network Ethernet connection.
• Source MAC Address: Displays the source Ethernet port’s MAC address.
• Source IP Assignment: Displays the source Ethernet port’s IP assignment method. The available options are DHCP or Static. An IP address can be manually configured in the browser interface (see Section 5.2.2).
• Source Network Access: Allows you to choose whether or not the Ditto Forensic FieldStation responds to any network traffic via the source Ethernet port.
• Source IP Address: Displays the IP address assigned to the source Ethernet port.
Dst (Destination) Network Settings
• Destination Network: Enable or disable the destination network Ethernet connection.
• Dest. MAC Address: Displays the destination Ethernet port’s MAC address.
• Dest. Network Mode: Displays the destination Ethernet port’s networking mode. The available options are Server, Client (DHCP), or Client (Static IP). “Server” allows you to enable the Ditto Forensic FieldStation for use as a server. The network mode can be further configured in the browser interface (see Section 5.2.3).
• Dest. IP Address: Displays the IP address assigned to the destination Ethernet port.
• Dest. Subnet Mask: Displays the subnet mask address assigned to the destination Ethernet port.
9.2.5 Disk Info
The “Disk Info” screen shows all available disks attached to either the source or destination ports. Ports are shown only if a disk is connected there. Press Enter (View) and then Up or Down to scroll through the following information about each connected disk:
• Model number
• Disk capacity
• File system
Source eSATA:
HTS5410806XXXXX
79.8GB
No filesystem
Figure 28. The “Disk Info” screen on the Front Panel LCD.
9.3 FACTORY RESET
To reset the Ditto Forensic FieldStation’s settings back to their factory defaults, press and hold the Up, Enter, and Down navigation buttons while powering the unit on. The Ditto Forensic FieldStation will start up and then display the text, “Preparing Factory Reset” (see Figure 31).
****DITTO****
Initializing...
Preparing Factory Reset
Figure 29. The “Preparing Factory Reset” screen on the Front Panel LCD.
You will then be prompted to confirm your choice to reset the Ditto. Press Enter to continue or Back to cancel.
You can also use the browser interface to perform a factory reset. See Section 8.1.3.
10 STEALTH MODE
Stealth Mode turns off all LEDs and LCDs on the Ditto Forensic FieldStation. You can enable Stealth Mode by flipping the physical “Stealth Mode” switch on the Destination Outputs side of the Ditto Forensic FieldStation (see Section 1.2).
You can also enable it from the browser interface. Click on the Configure tab, and then under the “System” tab change the “Stealth Mode” drop-down box to “Enabled.” Then click Commit Changes.
NOTE: If Stealth Mode is enabled from the browser interface, the physical switch cannot override it.
11 ADVANCED FEATURES AND FUNCTIONS
11.1 NETVIEW SCAN
This type of network probing is very noisy and may trigger any IT-related Intrusion Detection Devices (IDSs) on the network. Please be sure to run this action in a very controlled and isolated environment.
a. Select Netview Scan from the “Action to Perform” drop-down box.
b. Configure the available options, which are detailed below in Section 11.1.1.
c. When you are finished, press the Start button. You should see updates every few seconds that describe the current scan being executed, the number of hosts discovered, and the progress of the current scan. Please note that progress estimates are crude and are still being developed. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the Netview Scan action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
The “Netview Report” section contains summaries of the discovered hosts, including the IP address, MAC address, and the manufacturer associated with the MAC address if that information can be determined. The “Hostname” will be blank if a DNS lookup could not associate the host’s IP address to a name.
11.1.1 Netview Scan Configuration Options
The following options can be configured before running a Netview Scan:
Interface Selection
The “Interface” drop-down box allows you to tell the Ditto Forensic FieldStation which Ethernet connection to use during the Netview Scan. You can choose either the Source or Destination Ethernet ports.
STOP! The selected interface will be used when the scan is started. This may create a heavy network traffic load and depending on the “Timing” setting in the “Discovery Options” subsection, may alert your IT department that the network is under some sort of threat. Ensure that the selected interface is attached to a controlled and isolated network.
Figure 30. The “Action” section on the “Home” screen, showing the options available for the “Netview Scan” action.
IP Scan Range
By default the last octet of the IP address of the selected interface will be scanned. You may change this value and enter a list of IP addresses, a range of IP addresses, or a combination of both. Click the “Reset” icon to reset the IP Scan Range back to its default value.
Examples:
1. Range: 10.10.10.0-255
• Scans the addresses 10.10.10.0 through 10.10.10.255.
2. Range 2: 10.10.10-12.0-255
• Scans addresses 10.10.10.0-255, 10.10.11.0-255, and 10.10.12.0-255.
3. List: 10.10.10.1
• Will only scan IP address 10.10.10.1
4. List 2: 10.10.10.2,10.10.10.3
• Will scan only hosts 10.10.10.2 and 10.10.10.3
5. Combo: 10.10.10.1,10.10.10.2,10.10.10.50-100
• Will scan hosts 10.10.10.1, 10.10.10.2 and hosts 10.10.10.50 through 10.10.10.100.
Discovery Options
There are three optional host (machine) discovery options and one “No Ping” port scan option available. By default, the “Ping Echo” option is enabled and will suffice for most use cases. Some machines may be configured to ignore pings and not respond, so there are two other specialized Ping options which may be useful. Click the “Reset” icon to reload the default settings.
• Ping Echo: Sends a standard ICMP echo request to each IP address.
• Ping Timestamp: Sends a request for a timestamped ICMP packet.
• Ping Netmask: Sends a request for the destination’s subnet mask using an ICMP packet.
• No Ping: Skips host discovery and forces a port scan, which is useful when the hosts appear to be down.
• Timing: Selects a timing interval for scanning a network. “3” is the default setting. Lower numbers are slower and will help you avoid triggering an intrusion detection alert, and higher numbers are faster but may be less accurate, and may cause intrusion detection alerts.
TCP Options
NetView can optionally scan the specified hosts for open TCP ports. By default, this feature is not enabled. Check the box next to “TCP Options” to enable this feature and expand more options. Click the “Reset” icon to reset all TCP Options back to their default values.
• Ports: By default, TCP ports for commonly used services as well as services to which the Ditto Forensic FieldStation may be able to connect are entered into this text box, including ports for NFS, iSCSI, and Samba. Only ports entered into this text box will be scanned. NetView IP port ranges may be specified as any combination of lists and ranges. Valid port numbers are between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40. Both may be combined to form: 22,23,40-50,80,90-91.
• Syn Scan: Syn Scan is selected by default and is appropriate for most use cases. The Ditto Forensic FieldStation generates raw IP packets and monitors for responses. This type of scan is also known as “half-open scanning” since it does not open a full TCP connection.
• Connect Scan: The Ditto Forensic FieldStation uses a full system-level TCP connection in order to determine what ports are available on the host network. This scan should only be performed by advanced users.
NOTE: The more ports being scanned, the longer the scan will take.
UDP Options
NetView can optionally scan the specified hosts for open UDP ports. By default, this feature is not enabled. Check the box next to “UDP Options” to enable this feature. Click the “Reset” icon to reset the UDP option back to its default values.
Ports: By default, UDP ports for commonly used services as well as services to which the Ditto Forensic FieldStation may be able to connect are entered into this text box, including NFS, iSCSI, and Samba. Only ports entered into this text box will be scanned. NetView IP port ranges may be specified as any combination of lists and ranges. Valid port numbers are between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40. Both may be combined to form: 22,23,40-50,80,90-91.
NOTE: UDP port scanning takes much longer than TCP port scanning due to the fact that open and filtered ports do not typically respond to queries. Therefore, any UDP port scanner will spend time retransmitting its query in case the query or response was lost. Furthermore, while closed ports do usually respond with ICMP port unreachable messages, hosts tend to limit the number of those messages sent per second, resulting in further delay.
Netview Tips
1. See Nmap.org for general information about network scanning.
2. Keep your IP address lists/ranges short. This will mean faster scans and less network traffic.
3. Keep your port lists/ranges short. This will also mean faster scans and less network traffic.
4. Start by deselecting the TCP and UDP scans. Just scanning for the presence of hosts is much quicker than running TCP and UDP scans on a network with an unknown number of machines. Once you have a list of discovered machines, then you can decide whether to TCP and/or UDP scan them all or scan only a subset at a time.
5. TCP scanning must be enabled in order to detect the target’s operating system.
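An added example, not part of the manual or of the Ditto firmware: a pre-flight check that expands an “IP Scan Range” entry and a “Ports” entry written in the syntax described above, counts the resulting hosts and port probes, and lists any address that falls outside the isolated network you intend to scan. The function names and the allowed network 10.10.10.0/24 are hypothetical, and the handling of whitespace and duplicate entries is an assumption, since the manual does not specify it.

```python
import ipaddress
from itertools import product


def _expand_field(field, low, high):
    """Expand '7' or '7-9' into a range, enforcing low <= value <= high."""
    first, dash, last = field.strip().partition("-")
    start = int(first)                      # ValueError on empty or non-numeric input
    end = int(last) if dash else start
    if not (low <= start <= end <= high):
        raise ValueError(f"{field!r} is outside {low}-{high} or reversed")
    return range(start, end + 1)


def expand_ip_scan_range(spec):
    """Expand e.g. '10.10.10.1,10.10.10-12.0-255' into IPv4Address objects."""
    hosts, seen = [], set()
    for item in spec.split(","):
        octets = item.strip().split(".")
        if len(octets) != 4:
            raise ValueError(f"{item!r} does not have four octets")
        # Every octet may be a single value or a range; take all combinations.
        for combo in product(*(_expand_field(o, 0, 255) for o in octets)):
            addr = ipaddress.IPv4Address(".".join(map(str, combo)))
            if addr not in seen:            # assumption: duplicates count once
                seen.add(addr)
                hosts.append(addr)
    return hosts


def expand_ports(spec):
    """Expand e.g. '22,23,40-50' into a sorted list; valid ports are 1-65535."""
    ports = set()
    for item in spec.split(","):
        ports.update(_expand_field(item, 1, 65535))
    return sorted(ports)


def check_scope(ip_spec, port_spec, allowed_cidr):
    """Summarise a planned scan and list addresses outside the allowed network."""
    allowed = ipaddress.ip_network(allowed_cidr)
    hosts = expand_ip_scan_range(ip_spec)
    ports = expand_ports(port_spec) if port_spec.strip() else []
    return {
        "hosts": len(hosts),
        "ports": len(ports),
        "port_probes": len(hosts) * len(ports),
        "outside": [str(h) for h in hosts if h not in allowed],
    }


if __name__ == "__main__":
    # Constructed inputs: the manual's own range examples, checked against a
    # hypothetical isolated lab network.
    for ip_spec in ("10.10.10.0-255",
                    "10.10.10-12.0-255",
                    "10.10.10.1,10.10.10.2,10.10.10.50-100"):
        report = check_scope(ip_spec, "22,23,40-50,80,90-91", "10.10.10.0/24")
        print(ip_spec, "->", report["hosts"], "hosts,",
              report["port_probes"], "port probes,",
              len(report["outside"]), "outside the allowed network")
```

A non-empty "outside" list means the range as typed reaches beyond the network you meant to scan; the second manual example (10.10.10-12.0-255) does so for a /24 lab segment.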
11.2 TARGET MODE: REMOTELY ACCESS DISKS ATTACHED TO THE DITTO FORENSIC FIELDSTATION WITH THIRD PARTY SOFTWARE
Disks attached to Ditto Forensic FieldStation may be mounted on your computer as iSCSI devices for use with third party data acquisition tools. The machine this software is installed on does not have to be physically connected to the Ditto Forensic FieldStation, but rather the software may be run remotely from a separate location within the same network. To do so, you will need to put the Ditto Forensic FieldStation into Target Mode.
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel and select the Target Mode button.
b. Check the boxes in the iSCSI column next to the disk(s) that you wish to mount on your computer as iSCSI device(s).
c. Check Enable iSCSI and SMB authentication if you wish to require authentication in order for iSCSI initiator software to connect to the selected disk(s). Then input your desired credentials.
d. Press the OK button.
You can now mount the disk(s) you selected in the steps above to your computer. Use the Ditto Forensic FieldStation’s IP address in your iSCSI initiator software in order to attach to it. Initiators can vary, but typically you’ll add the IP address to the “Discovery” section of your initiator.
Figure 31. The “Target Mode” window is used to allow computers and third party software to remotely connect via iSCSI to disks connected to Ditto.
11.3 USING ISCSI DEVICES
11.3.1 Remotely Access an iSCSI Device
To connect to an iSCSI device that exists on your network, follow these directions.
a. Ensure that the Ethernet port through which the Ditto Forensic FieldStation is connected to your network is properly configured for use with your network (see Section 5.2). Unless you have manually configured the Ditto Forensic FieldStation’s network settings before, you most likely do not have to change anything. If you are directly connecting the iSCSI device to the Ditto Forensic FieldStation, then see Section 11.3.2.
b. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
c. Click the Source Network button if you want to attach the iSCSI device to the Ditto Forensic FieldStation as a write-blocked source device, or click the Destination Network button if you want to attach the iSCSI device as a read/write-enabled destination.
d. Click on the iSCSI tab if it is not already selected.
e. Type the iSCSI device’s IP address into the “Target Host” text field.
f. Type in the port number of the target iSCSI volume into the “Port” text field if the number is different than the default value of ‘3260’. If you don’t know the port number, leave it as the default value.
g. Click the Discover button. The Ditto Forensic FieldStation will detect any IQNs (iSCSI Qualified Names) attached to the IP address.
h. Select the IQN you wish to attach to the Ditto Forensic FieldStation from the drop-down box.
i. If authentication is required to connect to the IQN, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. Otherwise, continue to Step J.
j. Click the Add button. The IQN will now appear in the list below.
k. Repeat steps E through J to add more IQNs. When you are finished, click Close.
The iSCSI disk(s) have now been added to the list of Disks, allowing you to perform actions on them like you would any other disk.
11.3.2 Directly Connect an iSCSI Device to the Ditto Forensic FieldStation
If you do not wish to connect an iSCSI device to your network (for example, it may be a suspect device with unknown properties), you can directly connect the device to the Ditto Forensic FieldStation and isolate it from the rest of your network. There are two methods for doing so. Once you have connected the device, continue down to the third subsection, “Adding an iSCSI Disk to the ‘Disks’ Panel”.
Connect via the Source Ethernet Port
Follow these instructions if the iSCSI device you are attaching to the Ditto Forensic FieldStation is a suspect device. You’ll need to connect the iSCSI device to the source Ethernet port and manually configure the IP address of both the Ditto Forensic FieldStation and the iSCSI device.
Manually set the Ditto Forensic FieldStation’s IP address.
a. Click on the Configure tab at the top of the page, and then select the Network tab.
b. In the “Source Network” section, select Static IP from the drop-down box underneath the MAC address.
c. Type in the desired IP address and subnet mask into the appropriate fields. Do not fill in the Gateway, Primary DNS Server, or Secondary DNS Server unless directed to do so by your network administrator.
d. Click Commit Changes.
Manually set the iSCSI device’s IP address, subnet mask, and gateway. The first three octets of the IP address must be identical to the first three octets of the Ditto Forensic FieldStation’s IP address. The fourth octet must be different, and must be any other number between 1 and 255. The subnet mask must be identical to the Ditto Forensic FieldStation’s subnet mask. The gateway must also be set as the Ditto Forensic FieldStation’s IP address.
Based on the IP address configuration of a Ditto Forensic FieldStation that’s displayed in Figure 32, a valid configuration for an iSCSI device would be as follows:
IP address: 10.10.10.100
Subnet mask: 255.255.255.0
Gateway: 10.10.10.1
Figure 32. The “Source Network” section on the “Configure” screen’s “Network” tab.
After these settings are configured for the Ditto Forensic FieldStation and the iSCSI device, ensure that the iSCSI device is connected to the source Ethernet Port. Then continue to the “Adding an iSCSI Volume to the ‘Disks’ Panel” subsection below.
Connect via the Destination Ethernet Port
Follow these instructions if you will be transferring evidence or other data to the iSCSI device. First, ensure that the destination Ethernet port is configured to act as a server.
a. Click on the Configure tab at the top of the page, and then select the Network tab.
b. In the “Destination Network” section, select Server from the drop-down box underneath the MAC address. Do not customize the default server configuration unless directed to do so by your network administrator.
c. Click Commit Changes.
Now connect the iSCSI device to the destination Ethernet port. The iSCSI device will be assigned a new IP address if the iSCSI device is configured to obtain a new IP address from DHCP, which will be the case for most devices. If no IP address is assigned, you will need to configure the iSCSI device to use DHCP. If that is not possible, contact your network administrator.
Once the iSCSI device is assigned an IP address, continue to the “Adding an iSCSI Volume to the ‘Disks’ Panel” subsection below.
Adding an iSCSI Disk to the “Disks” Panel
On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
a. Click the Source Network button if you want to attach the iSCSI device to the Ditto Forensic FieldStation as a write-blocked source device, or click the Destination Network button if you want to attach the iSCSI device as a read/write-enabled destination.
b. Click on the iSCSI tab if it is not already selected.
c. Type the iSCSI device’s IP address into the “Target Host” text field.
d. Type in the port number of the target iSCSI volume into the “Port” text field if the number is different than the default value of ‘3260’. If you don’t know the port number, leave it as the default value.
e. Click the Discover button. The Ditto Forensic FieldStation will detect any IQNs (iSCSI Qualified Names) attached to the IP address.
f. Select the IQN you wish to attach to the Ditto Forensic FieldStation from the drop-down box.
g. If authentication is required to connect to the IQN, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. Otherwise, continue to the next step.
h. Click the Add button. The IQN will now appear in the list below.
i. Repeat steps C through H to add more IQNs. When you are finished, click Close.
The iSCSI disk(s) have now been added to the list of Disks, allowing you to use the Ditto Forensic FieldStation to perform actions on them like you would any other disk.
Figure 33. The “Source Network” window’s iSCSI tab allows you to connect iSCSI devices to the Ditto via the source Ethernet port. The “Destination Network” tab looks similar and does the same via the destination Ethernet port.
11.3.3 Properly Remove an iSCSI Device
This process prevents timeout issues where the Ditto Forensic FieldStation will attempt to connect to iSCSI volumes that are no longer connected to it. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
a. Click the Source Network button if your iSCSI device is connected via the source Ethernet Port, or click the Destination Network button if your iSCSI device is connected via the destination Ethernet Port.
b. Click on the iSCSI tab if it is not already selected.
c. Under the “iSCSI Source Connections” or the “iSCSI Destination Connections” section, check the boxes next to the IQN(s) you want to remove and click the Remove button.
d. Physically disconnect the iSCSI device from the Ditto Forensic FieldStation.
11.4 USING NFS AND SMB (SAMBA) SHARES
11.4.1 Connect to NFS and SMB Shares
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
b. Click the Source Network button if the Ditto Forensic FieldStation is connected to your network via the source Ethernet Port, or click the Destination Network button if it is connected via the destination Ethernet Port.
c. Click on the NFS tab or the SMB tab, depending on which type of share you are connecting to.
d. Type the server name into the Server text field.
e. If you are connecting to an SMB share, select the appropriate protocol from the “Protocol” drop-down box. If you don’t know the correct protocol, leave it as the default value of ‘SMBv1’.
f. Click the Show Shares button. The Ditto Forensic FieldStation will detect any shares attached to the server.
g. Select the share you wish to attach to the Ditto Forensic FieldStation from the drop-down box.
h. If you are connecting to an SMB share and authentication is required, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. If the SMB share does not require authentication or you are connecting to an NFS share, continue to the next step.
i. Click the Add button. The share will now appear in the list below.
j. Repeat steps C through I to add more shares. When you are finished, click Close.
The share(s) have now been added to the list of Disks, allowing you to perform actions on them like you would any other disk.
11.4.2 Remove an NFS or SMB (Samba) Share
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
b. Click the Source Network button if the Ditto Forensic FieldStation is connected to your network via the source Ethernet Port, or click the Destination Network button if it is connected via the destination Ethernet Port.
c. Click on the NFS tab or SMB tab, depending on which type of share you are removing.
d. Under the “iSCSI Source Connections” or the “iSCSI Destination Connections” section, check the boxes next to the share(s) you want to remove and then click the Remove button.
11.5 ADDING A NEW LOGICAL IMAGE MODE
If you want to add your own Logical Image Mode selection, you must create a DittoAutoSelect directory on your SD Card first. Then you can add one or more autoselect XML files to that directory. You may also add subdirectories that contain one or more autoselect XML files to the DittoAutoSelect directory. Insert the SD Card into the Ditto Forensic FieldStation and your custom Logical Image Modes will then be selectable when configuring a “Logical Image Source Disk” action.
11.5.1 DittoAutoSelect XML File Structure
<?xml version="1.0" encoding="UTF-8"?>
<!-- All attributes must be in single quotes if they contain double quotes. -->
<dittoAutoSelect
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="autoSelect.xsd"
>
    <select title="Example Title">
        <include path="*">
            <name>*.jpeg</name>
            <name>*.jpg</name>
            <name>*.m4*</name> <!-- .m4a, .m4v, etc -->
        </include>
        <exclude path="Windows"/>
    </select>
</dittoAutoSelect>
The name of the autoselect XML file can be any legal filename with a .xml file extension. Each autoselect XML file may contain one or more <select title="..."> blocks. The select block’s title will appear at the bottom of the Logical Image Mode selection list prepended with “SD Card/” followed by the subdirectory’s name, if any.
Each select block may contain one or more <include path="..."> and/or <exclude path="..."> blocks. The include/exclude block’s path (case-insensitive) may contain wildcard characters and will be included in or excluded from the autoselection, respectively.
Each include block may contain zero or more <name>...</name> blocks, which specify a filename to be included in the autoselection. Filenames are case-insensitive and may contain wildcard characters to specify a set of filenames. Exclude blocks cannot contain name blocks.
NOTE: You cannot remove existing selections from the Logical Image Mode list.
To download an XML Schema that can be used to validate your autoselect XML file, type the following into the address bar of an Internet browser, where <IPAddress> is the IP address of your Ditto Forensic FieldStation: http://<IPAddress>/data/DittoAutoSelect/autoSelect.xsd
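An added example, not part of the manual: a pre-flight lint that checks an autoselect XML file against the structural rules stated above before the file is copied to the SD Card, including the case where typographic quotes pasted from a PDF make the file unparseable. It does not replace validation against the autoSelect.xsd schema downloaded from the device; the function name and the three sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Curly quotes as produced by PDFs and word processors; XML attribute values
# must be delimited by plain ' or " characters.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_autoselect(xml_text):
    """Return a list of problems; an empty list means these checks passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        msg = f"not well-formed XML: {exc}"
        if any(ch in xml_text for ch in TYPOGRAPHIC_QUOTES):
            msg += " (the file contains typographic quotes; use plain ' or \")"
        return [msg]

    problems = []
    if root.tag != "dittoAutoSelect":
        problems.append(f"root element is <{root.tag}>, expected <dittoAutoSelect>")
    selects = root.findall("select")
    if not selects:
        problems.append("no <select> block found")

    for number, select in enumerate(selects, 1):
        where = f"select #{number}"
        if not (select.get("title") or "").strip():
            problems.append(f"{where}: missing title attribute")
        rules = list(select)
        if not rules:
            problems.append(f"{where}: contains no <include> or <exclude> block")
        for rule in rules:
            if rule.tag not in ("include", "exclude"):
                problems.append(f"{where}: unexpected element <{rule.tag}>")
                continue
            if not (rule.get("path") or "").strip():
                problems.append(f"{where}: <{rule.tag}> has no path attribute")
            for child in rule:
                if rule.tag == "exclude":
                    # The manual: exclude blocks cannot contain name blocks.
                    problems.append(f"{where}: <exclude> must not contain <{child.tag}>")
                elif child.tag != "name":
                    problems.append(f"{where}: unexpected <{child.tag}> in <include>")
                elif not (child.text or "").strip():
                    problems.append(f"{where}: empty <name> in <include>")
    return problems


# Constructed sample 1: the manual's example, typed with plain quotes.
GOOD = """\
<?xml version="1.0" encoding="UTF-8"?>
<dittoAutoSelect
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="autoSelect.xsd">
  <select title="Example Title">
    <include path="*">
      <name>*.jpeg</name>
      <name>*.jpg</name>
      <name>*.m4*</name>
    </include>
    <exclude path="Windows"/>
  </select>
</dittoAutoSelect>
"""

# Constructed sample 2: no title, and a <name> inside <exclude>.
BAD = """\
<?xml version="1.0" encoding="UTF-8"?>
<dittoAutoSelect>
  <select>
    <include path="Users/*"><name>*.docx</name></include>
    <exclude path="Windows"><name>*.dll</name></exclude>
  </select>
</dittoAutoSelect>
"""

# Constructed sample 3: the same file as sample 1 after a copy and paste that
# turned every plain double quote into a typographic one.
CURLY = GOOD.replace('"', "\u201d")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("curly", CURLY)):
        print(label, lint_autoselect(text) or "OK")
```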
12 UPGRADING FIRMWARE
Firmware upgrades are made available on CRU’s website at www.cru-inc.com/support/software-downloads/ditto-firmware-updates/. There are three methods to upgrade your Ditto Forensic FieldStation’s firmware.
METHOD 1: COPY AND PASTE A LINK
a. Ensure that the Ditto Forensic FieldStation is connected to a network with Internet access.
b. Go to the firmware updates web page and scroll down to the “Ditto Firmware Links” section. Copy the URL of the firmware you wish to use to upgrade.
c. Log in to your Ditto Forensic FieldStation’s browser interface and navigate to the “Utilities” screen.
d. Paste the link into the top text field and click the Firmware Upgrade button.
e. When it asks you to confirm the retrieval of the upgrade file, click Continue.
f. The Ditto Forensic FieldStation will download the file to itself. Once downloaded, it will ask you to confirm the upgrade. Click Continue. After the upgrade is finished, click OK.
g. The LCD panel of the Ditto Forensic FieldStation will ask you to reboot. Press the Enter button on the face of the unit to reboot, or click on the Reboot button on the “Utilities” screen.
METHOD 2: DOWNLOAD TO YOUR COMPUTER
a. Go to the firmware updates web page and scroll down to the “Ditto Firmware Links” section.
b. Click on the firmware you wish to use to upgrade to download the file. Save the file in a convenient location.
c. Log in to your Ditto Forensic FieldStation’s browser interface, navigate to the “Utilities” screen, and click on the top Upload... button.
d. Locate the firmware file you just downloaded, select it, and click Open.
e. Click on the Firmware Upgrade button.
f. The Ditto Forensic FieldStation will upload the file to itself. Once uploaded, it will ask you to confirm the upgrade. Click Continue. After the upgrade is finished, click OK.
g. The LCD panel of the Ditto Forensic FieldStation will ask you to reboot. Press the Enter button on the face of the unit to reboot, or click on the Reboot button on the “Utilities” screen.
METHOD 3: UPLOAD VIA A USB THUMB DRIVE
a. Go to the firmware updates web page and scroll down to the “Ditto Firmware Links” section.
b. Click on the firmware you wish to use to upgrade to download the file. Save the file to a USB thumb drive.
c. Insert the thumb drive into the source side USB port of the Ditto Forensic FieldStation.
d. The Ditto Forensic FieldStation will immediately scan the thumb drive and display a list on the LCD screen of all firmware files found on the drive. Use the navigation buttons on the face of the unit to move the blinking cursor to the firmware that you wish to use to upgrade, and then press Enter.
e. The Ditto Forensic FieldStation’s firmware will be upgraded. The LCD panel of the Ditto Forensic FieldStation will ask you to reboot. Press Enter to reboot.
13 TECHNICAL SPECIFICATIONS
Product Name: Ditto Forensic FieldStation
Data Interface Types & Speeds:
• eSATA: up to 3 Gbps
• 1000BASE-T Ethernet: up to 1 Gbps
• PATA/IDE: up to 133 MB/s
• USB 2.0: up to 480 Mbps
Supported Disk Types: 2.5” and 3.5” rotational or solid state hard disks
SD Card Slot Support: SD, SDHC (MMC, mini-SD, and microSD are compatible with adapters)
Wifi USB Adapter Support: Wifi adapters with Atheros chipsets, and some Realtek chipsets
Data Connectors:
• Three (3) eSATA ports
• Two (2) 1000BASE-T Ethernet connectors
• One (1) PATA/IDE connector
• One (1) USB 2.0 connector
• One (1) SD Card slot
• One (1) Ditto Expansion Module connector
Write-Blocked Data Inputs: eSATA, PATA/IDE, USB 2.0. Source-side Ethernet port. Other input types supported with Ditto Expansion Modules or drive adapters.
Data Outputs: Two (2) eSATA operable as single, dual, or mirrored. Both 1000BASE-T Ethernet ports.
Supported File Systems: ext2, ext3, ext4, FAT32, HFS+, NTFS, XFS
User Interface:
• Four-line LCD controlled with four soft-touch menu navigation buttons or USB keyboard
• Browser-based Ditto interface allows for direct operation, remote operation, and administration
LED Indicators: Power in 5V/12V, USB, Source Network, IDE, eSATA, Expansion, HPA/DCO, Destination Network, eSATA A, eSATA B
Stealth Mode: Turns off all lights (LEDs/LCD)
Browser Compatibility: Internet Explorer, Firefox, Safari, Chrome, Opera
Physical Image Types: DD, E01
Logical Image Types: L01, LIST, TAR, ZIP
Image/Clone Output Modes: Single disk image, single disk clone, image and clone, image to mirrored disks, clone to mirrored disks, logical image to single disk, logical image to mirrored disks
Hash Modes: None, MD5, SHA-1, MD5+SHA-1, enabled during imaging and cloning operations. Hashing while using both MD5+SHA-1 significantly reduces performance.
Erase Modes: Clear Partition Table, Quick Erase, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DoD Clear, DoD Sanitize, NIST 800-88 Clear, NIST 800-88 Purge
External material: All-aluminum construction
Operating Humidity: 5% to 95%, non-condensing
Power Switch: 2 position: On/Off
Power Inputs: 40W 12V 3.33A DC barrel connector (center pin positive), 15-pin standard SATA power
Compliance:
• EMI Standard: FCC Part 15 Class A
• CE
• EMC Standard: EN55022, EN55024
• C-Tick
Shipping Weight: 5 lbs (2.3 kg)
Product Dimensions: 4.92 in x 6.77 in x 1.72 in (125 mm x 172 mm x 43.7 mm)
Technical Support
Your investment in CRU products is backed up by our free technical support for the lifetime of the product. Contact us through our website, www.cru-inc.com/support or call us at 1-800-260-9800 or +1-360-816-1800.
For more information, visit the CRU web site.
www.cru-inc.com
© 2012-2014 CRU Acquisition Group, LLC. ALL RIGHTS RESERVED.
This User Manual contains proprietary content of CRU Acquisition Group, LLC (“CRU”) which is protected by copyright, trademark, and other intellectual property rights.
Use of this User Manual is governed by a license granted exclusively by CRU (the “License”). Thus, except as otherwise expressly permitted by that License, no part of this User Manual may be reproduced (by photocopying or otherwise), transmitted, stored (in a database, retrieval system, or otherwise), or otherwise used through any means without the prior express written permission of CRU.
Use of the full Ditto Forensic FieldStation product, including, without limitation, its web interface, is subject to all of the terms and conditions of this User Manual and the above referenced License.
This Ditto Forensic FieldStation product and User Manual are provided on a RESTRICTED basis. Use, duplication, or disclosure by the US Government is subject to restrictions set forth in Paragraph (b) of the Commercial Computer Software License clause at 48 CFR 42.227-19, as applicable.
CRU®, Ditto®, and WiebeTech® (collectively, the “Trademarks”) are trademarks owned by CRU and are protected under trademark law. Nmap is a registered trademark of Insecure.Com, LLC in the United States and/or other countries. Excel is a registered trademark of Microsoft in the United States and/or other countries. EnCase is a registered trademark of Guidance Software in the United States and/or other countries. This User Manual does not grant any user of this document any right to use any of the Trademarks.
Product Warranty
CRU warrants this product to be free of significant defects in material and workmanship for a period of three years from the original date of purchase. CRU’s warranty is nontransferable and is limited to the original purchaser.
Limitation of Liability
The warranties set forth in this agreement replace all other warranties. CRU expressly disclaims all other warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose and non-infringement of third-party rights with respect to the documentation and hardware. No CRU dealer, agent, or employee is authorized to make any modification, extension, or addition to this warranty. In no event will CRU or its suppliers be liable for any costs of procurement of substitute products or services, lost profits, loss of information or data, computer malfunction, or any other special, indirect, consequential, or incidental damages arising in any way out of the sale of, use of, or inability to use any CRU product or service, even if CRU has been advised of the possibility of such damages. In no case shall CRU’s liability exceed the actual money paid for the products at issue. CRU reserves the right to make modifications and additions to this product without notice or taking on additional liability.
FCC Compliance Statement: “This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.”
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference in which the user will be required to correct the interference at their own expense.
In the event that you experience Radio Frequency Interference, you should take the following steps to resolve the problem:
1) Ensure that the case of your attached disk is grounded.
2) Use a data cable with RFI reducing ferrites on each end.
3) Use a power supply with an RFI reducing ferrite approximately 5 inches from the DC plug.
4) Reorient or relocate the receiving antenna.
FOR OFFICE OR COMMERCIAL USE
Part Number: A9-000-0028 Rev 3.2