7/21/2019 IMSolo-IV Forensics User Guide v3.1
IMSolo-IV Forensics User's Guide
Intelligent Computer Solutions
Intelligent Computer Solutions
9350 Eton Avenue
Chatsworth, CA 91311
Rev. 3.1
May 2010
Printed in the USA
Sales/Technical Support
Phone: 1-818-998-5805
Fax: 1-818-998-3190
E-Mail: [email protected]
E-Mail: [email protected]
Home Page: http://www.ics-iq.com
Copyright 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter and associated software are copyrighted and registered in accordance with the laws and regulations of the State of California and the United States of America. IBM and OS/2 are registered trademarks of the International Business Machines Corporation. DOS, Windows, Windows NT, Windows 95/98/2000, Windows ME, Windows XP, and Windows VISTA are registered trademarks of the Microsoft Corporation. All other brand and product names are trademarks of their respective owners.
Contents

CHAPTER 1: INTRODUCTION
  Overview
  Features
    About this User Guide
    Typical Conventions Used
CHAPTER 2: QUICK START SETUP
CHAPTER 3: INSTALLATION
  Setup
    System Specifications
CHAPTER 4: OPERATION
  User Interface
  IMSolo-IV Forensics Wizard Interface Control Console
    Wizard - Main Menu
      Operational Mode Selection
      Navigation Bar
    Wizard - Seize Drives Menu
      Single Capture
      LinuxDD Capture
    Wizard - WipeOut Drives Menu
      WipeOut-DoD
      WipeOut-Fast
    Wizard - Suspect Drive Select Menu
    Wizard - Evidence Drive Select Menu
    Wizard - Operator Main Menu
      Operational Status Information
        Station
        Speed
        Operational Mode
        Load Size
        Percent Completion
        Elapsed Time
        Estimated Time Left
      Operation Control Functions
        Start
        Abort
  IMSolo-IV Forensics Advanced Interface Control Console
    Advanced Drive Detect Menu
      Drive Selection Panel
        Suspect 1-2 Drive Select
        Evidence 1-2 Drive Select
        Detect Drives
        Remove Drives
        Add Network Location
        Detect Remote Drives
      Drive Status Panels
        Active Suspect Drive Panel
        Active Evidence Drives Panel
        Other Detected Drives
      Operational Mode Select Menu
        Single Capture
        LinuxDD Capture
        LinuxDD Restore
        LinuxDD Hash
        E01 Capture
        E01 Restore
        E01 Hash
        Format Drives
        WipeOut
        Hash
      Event Log Window
    Advanced Operation Settings Menu
      Single Capture Settings
        Read Back-Verify
        Hash Targets
        Hashing Methods
        Wipe Remainder
        Encrypt/Decrypt
      WipeOut Settings
        Mode
        Iterations
        Pattern (0-255)
        Read Back-Verify
      Format Drives Settings
      Linux DD Capture Settings
        Capture File Size
        Custom File Size (MB)
        File Name
      LinuxDD Hash Settings
      LinuxDD or E01 Restore Settings
      Hash Settings
        Sectors to Hash
      E01 Capture Settings
        Capture File Size
        Custom File Size (MB)
        File Name
    Advanced Settings Main Menu
      Automation Settings
        Start Operation after Detection
        Confirm Master and Target drives after Power up/Detection and Before starting Operation
        Auto Run
      Bad Sector Handling
        Log and skip
        Abort drive
      Start View
        Wizard Screen
        Operator Screen
        Advanced Screen
      Add/Remove Optional Features
      Apply Settings
    Advanced Drive Detection Settings Menu
      Drive Detection Mode
        Auto
        Fast Detection
        Sequential Detection
      Fast Detection Settings
        Wait Time After Powering Up Each Drive
        Wait Time Between Powering Up Each Drive and Starting Drive Detection
        Max Scanning/Detection Time allowed by Application (Sec)
        Auto Calibrate Detection of All Drives
        Calibration Starts From Drive
        Calibrate Detection of a Selected Drive
      Sequential Detection Settings
        Max Detect Time
        Max Detect Power Time
        Calibrate Current Threshold
    Diagnostics and Tools Settings Menu
      Slow Drive Filter Speed Threshold
        Speed Threshold
      Speed Optimization
        Transfer Buffer Size (in 64 kb)
        Speed Sampling rate
      Forced Power off
        Power off selected drives
      Diagnostic
        Instantaneous Drive Transfer Speed
    Advanced Case Info Menu
    Advanced Mount Drive Menu
      Write-Protect the Drive
      Mount Volumes on the Drive
      Simulate Drive Signature When Mounting Volumes
      Apply
      Refresh
    Advanced HPA/DCO Menu
      Protected Area Type
      Protected Area Support
      New Capacity
      Current Capacity
      Native Capacity
      Set Capacity
      Reset Capacity
      Volatile
    Advanced LOG Menu
      Print Logs
      Copy Logs
      Open Log Folder
      Set Audit Trail Logo
    Advanced Tools Menu
      Disable Password
CHAPTER 5: OPERATIONAL PROCEDURES
  Prepare for Operation
  Capturing Drives using Single Capture Mode
  Capturing using LinuxDD Capture Mode
  Capturing using E01 Capture Mode
  Capturing from an Unopened PC or Notebook
  Capturing to a Shared Folder
  Encrypting Data During Data Capture
  Decrypting Data During Data Transfer
  Restoring from LinuxDD or E01 Segmented File Format
  Sanitizing Drives Using WipeOut DoD
  Sanitizing Drives Using WipeOut - User
  Sanitizing Drives Using WipeOut Secure Erase
  Transferring Audit Trail and Log Information
  Running Multiple Operational Modes Simultaneously
  Previewing Write-Protected Drive Data
  Enabling Manual Write-Access to Evidence Drive Positions
APPENDIX A: OPERATIONAL NOTES
  Image MASSter Solo-IV Internet/Network Connection Disclaimer
  USB-to-Ethernet Connection
  USB LinkMASSter Setup
  USB LinkMASSter Usage
  IMSOLO-IV USB FLASH RESTORE INSTRUCTIONS
    Prepare the USB Flash Device
    Prepare the IMSolo-IV BIOS and Start Restore
  LinuxDD and E01 Capture exFAT Usage
  DEFINITIONS
APPENDIX B: PRODUCT INFORMATION
  Limited Warranty
  What is Not Covered:
  Limitation of Liability
  Technical Support

Chapter 1: Introduction
Overview
Designed exclusively for Forensic applications, the Image MASSter Solo-IV Forensics system is a versatile, lightweight, portable, high-speed data acquisition device.
Suspect's data can be seized at speeds exceeding 6GB per minute. Using the unit's on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the Suspect's data without modification, re-arrangement or corruption. The unit provides Native interface support for SAS, S-ATA and External USB drives in addition to supporting P-ATA[1], including ATA compatible solid state and flash devices. Provides flexible Capture mode formats including Segmented File and Mirror image formats. Capable of capturing two Suspect drives simultaneously. The unit's advanced touch screen user interface provides ease of use.
Figure 1: IMSolo-IV Forensics
[1] Optional P-ATA Adapters required.
Features
High Speed Operation:
Transfer rates can exceed 6GB/min.
Supports Multiple Sessions:
Simultaneously seize data from two Suspect drives. Hash or Wipe drives while Seizing Data.
Multiple Media Support:
Provides Native support for SATA and SAS drives, including external USB devices. Provides support for PATA and SCSI drives using optional adapters.
Multiple File Format Support:
Seize Data using a Mirror capture format or using a Segment file format.
Preview Suspect's Data:
View Suspect's Data in a write-protected environment.
Multiple Operational Modes:
Seize, Hash or Wipe Data.
Multiple Hash Modes:
Hash using SHA-1, SHA-2 (Hardware Accelerated), MD5, CRC32.
Write Protection:
Protect Suspect drive's data against accidental overwrites.
WipeOut:
Sanitize drives using the DoD standard.
Log Information:
Store and print detailed operational Event Log and Audit Trail information.
LCD Touch Screen Display:
Large, 8" Color LCD Touch Screen Display.
About this User Guide
The IMSolo-IV Forensics User Guide will be updated as needed to reflect hardware and software modifications. Therefore, descriptions of features may be subject to change. The document makes use of hyperlinks to provide shortcut links.

Typical Conventions Used
Convention    Meaning
Highlighted   This is a hyperlink: shortcut link to a referred topic. Select it to jump to the topic. Use the MS Word Back tool to jump back to the previous location.
Bold          Indicates a screen menu item or function such as a setting or control button.
Italic        Indicates the name of an IMSolo-IV Forensics feature, system, mode, or other important reference.
Note          Identifies additional important information regarding a topic or task.
[icon]        Indicates a warning or caution.

Chapter 2: Quick Start Setup
1. Place the IMSolo-IV Forensics on a level surface.
2. Attach the unit's Power Adapter to the unit's DC Power-In port, located on the unit's back panel, and to an electrical outlet. The voltage may be either 110v or 220v. The Power Adapter will automatically switch to use either voltage.
3. Power ON the unit by pressing the unit's Power ON button, located on the top corner of the unit's back panel. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed.
Figure 2: Advanced Interface Control Console
4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit's Suspect and Evidence connectors (See Fig. 5 through Fig. 9) and to the SATA or SAS drives. For PATA drives use the supplied ICS SATA-to-PATA Adapter and connect the supplied PATA data cable's Unit Side connector to the Adapter's data connector and the HDD Side connector to the drive.
Figure 3: Drive Positions (Suspect 1 Port, Suspect 2 Port, Evidence 1 Port, Evidence 2 Port)
5. Select the Mode of Operation from the Operations pull down menu.
Figure 4: Drive Selection Panel
6. Select the drives to be used for the selected operation from the Drive Selection Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.
Hash values generated during the capture operation are generated for the data read from the Suspect's drive, not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function.
8. Select START to begin the operation. Operational status information will be displayed during an operation.
9. After the operation completes, the drives will be powered OFF and the drives can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit's USB ports, located on the back of the unit.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using 128-bit password encryption protection, so the Audit Trail contents cannot be changed. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.
The unit can be powered OFF by pressing and releasing the unit's Power button, located on the top corner of the unit's back panel.
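The difference that the Hash Targets setting in step 7 makes, as an added Python sketch (not ICS code and not the unit's firmware). The function names, the in-memory "drives", the 64 KiB block size and the choice to hash only the captured byte count on a larger evidence drive are all assumptions of this example.

```python
import hashlib
import io

CHUNK = 64 * 1024  # assumed transfer block size for this sketch


def capture(suspect, evidence, algo="sha1", chunk=CHUNK):
    """Copy suspect -> evidence, hashing each block as it is read from the
    suspect stream (the on-the-fly source hash). Returns (digest, bytes_copied)."""
    h = hashlib.new(algo)
    copied = 0
    while True:
        block = suspect.read(chunk)
        if not block:
            break
        h.update(block)
        evidence.write(block)
        copied += len(block)
    return h.hexdigest(), copied


def readback_hash(evidence, length, algo="sha1", chunk=CHUNK):
    """Re-read the first `length` bytes of the evidence stream and hash them.
    Limiting the hash to the captured length is an assumption made here so a
    larger evidence drive with stale trailing data still compares equal."""
    evidence.seek(0)
    h = hashlib.new(algo)
    remaining = length
    while remaining > 0:
        block = evidence.read(min(chunk, remaining))
        if not block:
            break  # evidence shorter than the capture: digests will differ
        h.update(block)
        remaining -= len(block)
    return h.hexdigest()


def capture_and_verify(suspect, evidence, hash_targets=True, algo="sha1"):
    """Run a capture; with hash_targets on, also hash what the evidence
    stream returns when read back and compare it with the source hash."""
    source_digest, copied = capture(suspect, evidence, algo)
    result = {"bytes": copied, "source": source_digest,
              "evidence": None, "verified": None}
    if hash_targets:
        result["evidence"] = readback_hash(evidence, copied, algo)
        result["verified"] = result["evidence"] == source_digest
    return result


class FaultyEvidence(io.BytesIO):
    """Constructed stand-in for a target that silently corrupts one byte on write."""

    def __init__(self, bad_offset, initial=b""):
        super().__init__(initial)
        self.bad_offset = bad_offset

    def write(self, block):
        start = self.tell()
        if start <= self.bad_offset < start + len(block):
            block = bytearray(block)
            block[self.bad_offset - start] ^= 0xFF
        return super().write(bytes(block))


SUSPECT_IMAGE = bytes(range(256)) * 1024  # constructed 256 KiB "suspect drive"


def demo():
    good = capture_and_verify(io.BytesIO(SUSPECT_IMAGE), io.BytesIO())
    # Evidence drive larger than the suspect drive, pre-filled with stale data.
    stale = io.BytesIO(b"\xAA" * (len(SUSPECT_IMAGE) + 4096))
    larger = capture_and_verify(io.BytesIO(SUSPECT_IMAGE), stale)
    # Same write fault, without and with the read-back hash.
    bad_off = capture_and_verify(io.BytesIO(SUSPECT_IMAGE),
                                 FaultyEvidence(100_000), hash_targets=False)
    bad_on = capture_and_verify(io.BytesIO(SUSPECT_IMAGE),
                                FaultyEvidence(100_000))
    return good, larger, bad_off, bad_on


if __name__ == "__main__":
    labels = ("healthy target", "larger target",
              "faulty, Hash Targets off", "faulty, Hash Targets on")
    for label, r in zip(labels, demo()):
        print(f"{label:26} verified={r['verified']} "
              f"source={r['source'][:12]} evidence={(r['evidence'] or '-')[:12]}")
```

With the read-back hash disabled, the faulty target yields the same source hash as a healthy capture, so the log alone gives no sign that the evidence copy differs.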
Chapter 3: Installation
Setup
1. Carefully remove the IMSolo-IV Forensics unit from its shipping box.
2. Use the supplied parts list (Table 1) to complete an inventory check.
3. Follow the outlined steps in the Quick Start Setup Chapter.

Part                                   Part Number   Quantity
IMSolo-IV Forensics Unit                             1
DC Power Adapter and AC Power Cord                   1
SAS/SATA Data/Power Cable                            4
SATA-to-PATA Adapter                                 1
PATA 2.5" 44-Pin Adapter                             1
PATA Data Cable                                      1
PATA Power Cable                                     1
Stylus                                               1
Restore DVD                                          1
IMSolo-IV Forensics User's Guide                     1
Table 1: Quick-Reference Parts List
System Specifications
Supply Voltage          100 - 240V / 50 - 60 Hz 400Watt Universal Auto switching input voltage
Power Consumption       9W
Operating Temperature   5 degrees - 55 degrees C
Relative Humidity       20% - 60% non-condensing
Net Weight              5.35 lbs
Overall Dimensions      10.5 x 4 x 7.6
Hardware Accessories
The following section provides a description of the Hardware Accessories that are available for the IMSolo-IV Forensics unit.
Drive Bay with Fan Assembly
The "Drive Bay with Fan Assembly" is designed to provide a convenient location to mount drives for use with the IMSolo-IV unit. Cooling fans are provided to keep the drives operating at proper temperatures.
Figure 5
Hardware Description
This section describes the hardware of the IMSolo-IV Forensics unit.
Components and Functions

Top Panel (Fig. 6)
  Display: LCD Touch Screen Color Display.

Front Panel (Fig. 10)
  Evidence 1 and 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Evidence SATA/SAS drive(s) directly to the Forensics unit for Direct data seizure operations.
  Evidence 1 and 2 USB Connectors: Used to connect the USB Evidence device(s) directly to the Forensics unit for Direct data seizure operations.

Back Panel (Fig. 7)
  eSATA Port: Used to connect External Storage Device.
  Mouse Port: Optional. Connect the mouse (not supplied) to the port.
  Keyboard Port: Optional. Connect the keyboard (not supplied) to this port.
  Power ON Button: Used to power the unit ON and OFF.
  DC-IN Power Socket: Connect DC Power Adapter to this socket.
  USB Connectors: Provides USB v2.0 ports used to connect external USB devices.
  LAN Ports: Provides 2GB Ethernet Network Interface.
  L-out, L-in, MIC: Provides Audio Line input/output ports and Microphone port.
  Expansion Port Panel: Provides access to unit's Expansion Ports.

Left Side Panel (Fig. 8)
  Suspect 1 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.
  Suspect 1 USB Connectors: Used to connect the Suspect's USB device directly to the Forensics unit for Direct data seizure operations.
Right Side Panel (Fig. 9)
Suspect 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.
Suspect 2 USB Connectors: Used to connect the Suspect's USB device directly to the Forensics unit for Direct data seizure operations.
Bottom Panel (Fig. 11)
Hard Drive Bay Panel: Provides access to the unit's Host S-ATA Hard Drive.
Expansion Card Slot Panel: Provides access to the unit's Expansion Card Slot.
Figure 6: Top View (Touch Screen Display)
Figure 7: Back View (ON/OFF Power Button; DC Power-IN; External Drive Power Port; Heat Exhaust Fan; Expansion Ports; Line-Out, Line-In, Mic; Ethernet and USB 2.0 Ports; Mouse and Keyboard Ports)
Figure 8: Left View (Suspect 1 USB Port; Suspect 1 SAS/SATA Port)
Figure 9: Right View (Suspect 2 USB Port; Suspect 2 SAS/SATA Port)
Figure 10: Front View (Evidence 1 SAS/SATA and USB Ports; Evidence 2 SAS/SATA and USB Ports)
Figure 11: Bottom View (Expansion Card Bay; Hard Drive Bay)
Chapter 4: Operation
User Interface
The IMSolo-IV Forensics provides Windows-based Graphical User Interface applications, which the user can use to set up and control the unit's various functions.
All of the unit's menus and functions are controlled through the unit's Touch Screen Display. Screen menu items can be selected by touch or with the included Touch Screen Stylus Pen. An On-Screen Keyboard is available as an easy method of entering text. Optionally, an external keyboard, mouse or display [2] can be connected. The IMSolo-IV unit provides a Wizard Interface and an Advanced Interface. By default the unit's Advanced Interface will run at start up and can also be activated from the Windows START/PROGRAMS menu or by selecting the IMSolo-IV application's Desktop Shortcut ICON. The Advanced Interface screens are available to customize operations. The Wizard Interface provides the user with simple navigational menu screens to quickly set up and start operations. Multiple instances of the IMSolo-IV application can be activated to allow multiple operations to be performed simultaneously.
This chapter provides a detailed description of the available functions.
[2] USB Monitor Required
IMSolo-IV Forensics Wizard Interface Control Console
The IMSolo-IV Forensics Wizard Interface Control Console guides the Operator through the process of selecting the mode of operation and the drives and drive positions for the selected operation. The Wizard provides all the functions and controls necessary to set up and perform the unit's most common Forensic data transfer operations. The functional descriptions of the Wizard Interface items are discussed in the following section. Multiple instances of the Wizard can be activated, which allows more than one operation to be performed simultaneously.
Figure 12: MAIN MENU screen (Operational Mode Menu; Navigation Bar)
Wizard - Main Menu
The IMSolo-IV Forensics Wizard Main Menu screen can be activated by selecting the Wizard Screen function from the Navigation Bar. It provides access to all of the unit's main functions. The following Wizard functions are available from the Main Menu:
- Operational Mode Selection
- Navigation Bar
Operational Mode Selection
The Operational Mode Selection menu provides the user with Data Seizure or WipeOut Operational Mode options.
Duplicate Drives
Selecting Duplicate Drives provides the User with the option to select from one of the two common Data Seizure modes of operation.
Wipeout Drives
Selecting Wipeout Drives provides the User with the option to select from one of the two common Wipeout modes of operation.
Navigation Bar
The Navigation Bar menu provides the user with functions to select the various User Interfaces and IM support functions.
The following functions are provided by the Navigation Bar.
Advanced Screen
Provides access to the Advanced User Interface Screen functions. These functions include access to advanced settings and advanced operational modes.
Operator Screen
Provides access to the Operator User Interface Screen functions. Allows the Operator to start or abort common operations.
Wizard Screen
Provides access to the Wizard Main Screen. The Wizard provides the Operator with a short series of multiple choice menu selections to help the Operator easily and quickly set up and start an operation.
On-Screen Keyboard
Provides access to an On-Screen-Keyboard. The On-Screen-Keyboard allows for an easy method to enter text related information. A keyboard and mouse can also be connected to the IMSolo-IV Forensics unit.
New Copy Session
Selecting this function results in starting a new session of the IMSolo-IV Forensics Wizard Interface Control Console. Multiple sessions allow more than one operation to be performed simultaneously.
Next Copy Session
Switches between the different active session views.
Desktop
Allows access to the Windows Desktop while running session(s).
Exit
Terminates the active visible session. The function automatically releases all detected drives before exiting the session.
About
Selecting About displays information about the IMSolo-IV Forensics unit, such as serial number and software version in use.
Wizard - Seize Drives Menu
The IMSolo-IV Forensics Wizard Duplicate Drives Menu screen is displayed by selecting the Duplicate Drives function from the Wizard Main Menu screen. It provides access to the unit's Copy Mode functions. The following Copy Mode function options are provided:
- Single Capture
- LinuxDD Capture
Figure 13
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect's drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect's drive. The process of acquiring the data from the Suspect's drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive.
LinuxDD Capture
The LinuxDD Capture method will copy the entire contents of the Suspect's drive to the Evidence drive. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Evidence drive. The size of the individual LinuxDD files can be set by selecting a value within the Fragment pull down menu. The default setting is 650MB (CD). The Case Name information entered by the user will be used as the name of the subdirectory where the Suspect's LinuxDD files will be stored. This Case Name will also be used as the filename of all LinuxDD files associated with this seizure. The LinuxDD files will begin with the extension 001, incremented by 1 for each additional file.
Any number of seizures can be performed to the same Evidence drive provided there is adequate space to save the seized data on the Evidence drive.
Wizard - WipeOut Drives Menu
The IMSolo-IV Forensics Wizard WipeOut Drives Menu screen is displayed by selecting the WipeOut Drives function from the Wizard Main Menu screen. It provides access to the unit's WipeOut Mode functions. The following WipeOut Mode function options are provided:
- WipeOut-DoD
- WipeOut-Fast
WipeOut-DoD
The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives. Using ordinary DELETE and ERASE commands, data on a hard drive remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique provides a solution to this problem using a series of null-coded overwrites that completely removes all data from the hard drive. The process is performed in three iterations and two individual passes that completely overwrite the drive connected to the internal drive position. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.
WipeOut-Fast
The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the drive connected in the Target drive position, for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.
Wizard - Suspect Drive Select Menu
The IMSolo-IV Forensics Wizard Suspect Drive Select Menu screen is displayed after selecting the Operational mode from the Wizard Seize Drives Menu. It provides the user with a graphical view of the source drive positions and the ability to select the source drive to be used for the selected operation using the unit's Touch Screen display. The selected drive position's graphical color code will change from Grey to Yellow, indicating that it has been activated for use. The Grey color code status indicates that the drive position is inactive.
Figure 14 (Suspect Drive Select Control Icons)
Wizard - Evidence Drive Select Menu
The IMSolo-IV Forensics Wizard Evidence Drive Select Menu screen is displayed after selecting the Suspect Drive from the Wizard Evidence Drive Select Menu. It provides the user with a graphical view of the Evidence drive positions and the ability to select the Evidence drive(s) to be used for the selected operation using the unit's Touch Screen display. The selected drive position's graphical color code will change from Grey to Yellow, indicating that it has been activated for use. The Grey color code status indicates that the drive position is inactive.
Figure 15 (Evidence Drive Select Control Icons)
Wizard - Operator Main Menu
The IMSolo-IV Forensics Wizard Operator Menu screen is displayed after selecting the Evidence Drive(s) from the Wizard Evidence Drive Select Menu. The Operator Menu provides all the functions and controls necessary to start or stop the selected operations. It provides the user with a graphical view of the Suspect and Evidence drive positions and the ability to change the active drive(s) for the selected operation using the unit's Touch Screen display. The following Wizard functions are available from the Operation Menu.
- Operation Status Information
- Operation Controls
- Navigation Bar
Figure 16 (Operational Status Information; Operation Controls; Drive Select Control Icons; Navigation Bar)
Operational Status Information
The Control Console provides Operational Status Information, supplying the user with real time event log data.
The following Operation Status Information fields are available:
- Station
- Speed
- Operational Mode
- Load Size
- Percent Completion
- Elapsed Time
- Estimated Time Left
Station
Displays the Computer Name of the IMSolo-IV Forensics unit.
Speed
The Speed field displays the average transfer rate in megabytes per minute.
Operational Mode
Displays the selected Operational Mode.
Load Size
The Load Size field displays the total data required to be transferred.
Percent Completion
Displays the percent of completion for the active operation.
Elapsed Time
Refers to the time elapsed during an operation. This field will also display the total elapsed time at the end of an operation.
Estimated Time Left
Refers to the time remaining to complete the operation.
Operation Control Functions
The Control Console provides the functions necessary to start or stop the selected operation.
The following Control Functions are available:
- Start
- Abort
Start
Selecting Start will instruct the Control Console to turn ON the drives and begin the selected operation.
Abort
Selecting Abort will instruct the Control Console to turn OFF the drives and terminate the selected operation.
IMSolo-IV Forensics Advanced Interface Control Console
The IMSolo-IV Forensics Advanced Interface Control Console provides all the functions and controls necessary to set up, customize and perform the unit's common and advanced Forensic operations. It can be used as an alternative to the Wizard Interface Control Console, which provides limited functions for ease of use. Multiple instances of the Advanced Console can be activated, which allows more than one operation to be performed simultaneously. The functional descriptions of the unit's Advanced Interface Control Console functions are discussed in the following section.
- Drive Selection Panel
- Drive Status Panels
- Operational Mode Select Menu
- Operation Status Information
- Operation Controls
Figure 17 (Navigation Bar; Operational Settings Tabs; Active Drive Status Panels; Drive Selection Panel; Non-Active Drive Panel; Event Log Window; Operational Mode Select Menu; Operation Status Information)
Advanced Drive Detect Menu
The IMSolo-IV Forensics Advanced Drive Detect Menu provides a list of the detected drives and allows detected drives to be configured as active or inactive drives. The menu screen will also allow drives connected in Evidence positions to be configured as Suspect Drives. The menu is displayed by selecting the Detection Tab from the Advanced Interface Control Console. The descriptions of the available Advanced Drive Detect Menu functions are discussed in the following section.
Drive Selection Panel
The Drive Selection Panel provides the settings and functions used to detect drives connected to the unit's dedicated Suspect and Evidence drive positions, including devices connected to the dedicated USB ports located on the back of the unit. The Drive Select Panel allows the operator to select the drive position(s) to scan during a drive detect operation.
Suspect 1-2 Drive Select
Select the Suspect Check Box to select the drive(s) in the Suspect position(s) for detection. The unit provides two dedicated Write-Protected Suspect drive positions. The drive positions are referenced by the drive's physical location on the unit. The Suspect 1 position is located on the left side of the unit, labeled Suspect 1. The Suspect 2 position is located on the right side of the unit, labeled Suspect 2.
Evidence 1-2 Drive Select
Select the Evidence Check Box to select the drive(s) in the Evidence position(s) for detection. The unit provides two dedicated Evidence drive positions. The drive positions are referenced by the drive's physical location on the unit. The Evidence 1 position is located as the left drive slot on the front of the unit. The Evidence 2 position is located as the right drive slot on the front of the unit.
NOTE: The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or the operation passed, and RED if the drive is not detected or if the operation was not successful.
Detect Drives
Select the Detect Drives Button to turn ON and detect the selected drive(s).
NOTE: By default, all ports are Write-Protected. The drive's Write-Protect property will automatically be disabled if the selected operational mode requires writing to the drive(s).
Remove Drives
Select Remove Drives to turn OFF and remove the selected drive(s).
Add Network Location
Allows a Suspect's drive contents to be captured and stored in a Network or Locally Shared Folder. The Shared Folder location can be designated as the Evidence drive using the Add Network Location function. The Add Network Location function is available when running the LinuxDD or E01 Capture operations. The descriptions of the available settings are discussed in the following section.
Figure 18 (Browse)
Browse
Select Browse to select the Shared Folder Location.
Detect Remote Drives
The Detect Remote Drives function allows capturing data from a drive installed in a Notebook or PC [3], using the unit's Ethernet port.
[3] The Detect Remote Drives Option requires purchase
Drive Status Panels
The Active Drive Status Panels list the drives detected and their respective locations. The Panels will also indicate the drive's burst transfer rate during operation. Detected drives are listed in their respective Drive Status Panels.
NOTE: Drives can be manually transferred between Drive Panels by selecting and dragging the listed drive using the Touch Screen or using an attached mouse. Suspect's Drives cannot be moved to Evidence locations.
Active Suspect Drive Panel
The Suspect Drive Panel will list the detected and active Suspect drives for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Suspect Drive Panel. The drive listed in this panel is considered an active drive and will be used as the Suspect's drive during the operation.
NOTE: Drive(s) in the Suspect position(s) cannot be configured as Destination drives.
Active Evidence Drives Panel
The Active Evidence Drives Panel will list the detected and active Evidence drive(s) for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Evidence Drives Panel. The drive listed in this panel is considered an active drive and will be used as the Evidence drive during the operation.
NOTE: Evidence drives can be configured as Suspect drives by transferring the drive from the Active Evidence Drive Panel to the Active Suspect Drive Panel.
Other Detected Drives
The Other Detected Drives Panel will list the non-active drives detected on all ports other than the dedicated Suspect and Evidence ports. Drives listed in the Suspect Drive or Evidence Drive Panels can be manually transferred to the Other Detected Drives Panel. The drive(s) listed in this panel are non-active drives, and will not be used during an operation.
Operational Mode Select Menu
The Operational Mode Select Menu provides a list of the available Operational Modes. The functional descriptions of the available Operational Modes are discussed in the following section.
- Single Capture
- LinuxDD Capture
- LinuxDD Restore
- LinuxDD Hash
- E01 Capture
- E01 Restore
- E01 Hash
- Hash
- WipeOut
- Format Drives
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect's drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect's drive. The process of acquiring the data from the Suspect's drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive. See Single Capture Settings for more details.
LinuxDD Capture
The LinuxDD Capture Mode will copy the entire contents of the Suspect's drive to the Destination drives. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Destination drive(s). The size of the individual LinuxDD files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The File Name information entered by the user will be used as the name of the subdirectory where the Suspect's LinuxDD files will be stored. This File Name will also be used as the filename of all LinuxDD files associated with this seizure. The LinuxDD files will begin with the extension 000, incremented by 1 for each additional file.
The Destination drive will be inspected prior to transferring data. The operation will verify that the first partition on the Evidence drive is based on the exFAT [4] File System and has EVIDENCE as the volume label. A Destination drive that meets these criteria will be a valid Destination drive, a new subdirectory will be created, and the transfer will begin. A Destination drive that fails these criteria will cause the user to be prompted with a message asking whether or not to overwrite the current contents of the Destination drive in order to make it a valid LinuxDD Destination drive. The operation will abort unless the user agrees to overwrite the Destination drive.
Any number of Loads can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See LinuxDD Capture Settings for more details.
[4] The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.
LinuxDD Restore
This function allows restoring the captured LinuxDD formatted Case to its original file format. This function requires the LinuxDD drive, containing the LinuxDD Case files, to be connected to one of the unit's Suspect positions and the Destination drive to be connected to the unit's Evidence position.
LinuxDD Hash
This function will generate a Hash value for the selected LinuxDD Case. The LinuxDD drive can be connected to either the Suspect or Evidence position.
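The segment naming described under LinuxDD Capture and the hash described under LinuxDD Hash can be checked independently of the unit. The following is an added example, not ICS code: it assumes the segments are plain raw splits whose concatenation reproduces the drive, and the names `find_segments`, `hash_case` and the sample case `CASE42` are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# <Case Name>.<three digits>, the naming the guide describes for segments.
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<index>\d{3})$")


def find_segments(case_dir, case_name):
    """Return the case's segment files in numeric order; reject gaps."""
    found = {}
    for path in Path(case_dir).iterdir():
        match = SEGMENT_RE.match(path.name)
        if path.is_file() and match and match.group("stem") == case_name:
            found[int(match.group("index"))] = path
    if not found:
        raise FileNotFoundError(f"no {case_name}.NNN segments in {case_dir}")
    first = min(found)
    # The guide gives 001 (Wizard) and 000 (Advanced) as the first extension.
    if first not in (0, 1):
        raise ValueError(f"first segment is .{first:03d}, expected .000 or .001")
    expected = range(first, first + len(found))
    missing = [i for i in expected if i not in found]
    if missing:
        raise ValueError(
            "missing segment(s): " + ", ".join(f".{i:03d}" for i in missing))
    return [found[i] for i in expected]


def hash_case(case_dir, case_name,
              algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Hash all segments as one continuous stream, in segment order."""
    segments = find_segments(case_dir, case_name)
    sizes = [p.stat().st_size for p in segments]
    # Every segment but the last should be exactly one fragment long.
    if len(set(sizes[:-1])) > 1 or sizes[-1] > sizes[0]:
        raise ValueError(f"inconsistent segment sizes: {sizes}")
    digests = {name: hashlib.new(name) for name in algorithms}
    for path in segments:
        with path.open("rb") as handle:
            for block in iter(lambda: handle.read(chunk), b""):
                for digest in digests.values():
                    digest.update(block)
    result = {name: digest.hexdigest() for name, digest in digests.items()}
    result["segments"] = len(segments)
    result["bytes"] = sum(sizes)
    return result


def build_constructed_case(root, case_name="CASE42", fragment=1024, first_index=0):
    """Write a constructed 2,500-byte 'drive' as segments; return dir and bytes."""
    drive = bytes(i % 251 for i in range(2500))
    case_dir = Path(root) / case_name
    case_dir.mkdir()
    for n, start in enumerate(range(0, len(drive), fragment)):
        name = f"{case_name}.{first_index + n:03d}"
        (case_dir / name).write_bytes(drive[start:start + fragment])
    return case_dir, drive


def demo():
    """Hash an intact constructed case, then the same case with a segment lost."""
    with tempfile.TemporaryDirectory() as root:
        case_dir, drive = build_constructed_case(root)
        intact = hash_case(case_dir, "CASE42")
        (case_dir / "CASE42.001").unlink()  # simulate a lost middle segment
        try:
            hash_case(case_dir, "CASE42")
            error = None
        except ValueError as exc:
            error = str(exc)
    return intact, hashlib.sha256(drive).hexdigest(), error


if __name__ == "__main__":
    intact, expected, error = demo()
    print("segments:", intact["segments"], "bytes:", intact["bytes"])
    print("sha256 matches source:", intact["sha256"] == expected)
    print("after deleting a segment:", error)
```

The gap check matters because hashing whatever segments happen to be present still produces a well-formed digest; only the comparison against the acquisition-time value would reveal the loss.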
E01 Capture
The E01 Capture Mode will capture the entire contents of the Suspect's drive to the Destination drives using Guidance Software's EnCase Forensic format. The data will be written as individual segmented EnCase formatted files and stored in an individual subdirectory on the Destination drive(s). The size of the individual E01 files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The EnCase format limits the File Size to 2GB.
The File Name information entered by the user will be used as the name of the subdirectory where the Suspect's files will be stored. This File Name will also be used as the filename of all files associated with this seizure. The E01 files will begin with the extension E01, incremented by 1 for each additional file. The Compression Level can be set between 0 and 9, with 0 defined as No Compression, and 9 defined as Highest Compression.
The Destination drive will be inspected prior to transferring data. The operation will verify that the first partition on the Evidence drive is based on the exFAT [5] File System and has EVIDENCE as the volume label. Otherwise, the operation will prompt the User that the Evidence drive will be overwritten.
Any number of Loads can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See E01 Capture Settings for more details.
NOTE: The E01 Capture Mode will result in reduced transfer rates when compared with other Capture Modes.
[5] The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.
E01 Restore
This function allows restoring the captured E01 formatted Case to its original file format. This function requires the E01 drive, containing the E01 Case files, to be connected to one of the unit's Suspect positions and the Destination drive to be connected to the unit's Evidence position.
E01 Hash [6]
This function will generate a Hash value for the selected E01 Case. The E01 drive can be connected to either the Suspect or Evidence position.
Format Drives
This function can be used to quickly format drives and to prepare drives as exFAT LinuxDD or exFAT E01 Evidence drives. It may be necessary to manually transfer LinuxDD or E01 Evidence files from an NTFS based Evidence drive to an exFAT based Evidence drive.
[6] Pending development as of release of this document (11/09).
WipeOut
The WipeOut-User Mode of operation provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the destination drive for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.
The WipeOut-DoD Mode of operation provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.
Using ordinary DELETE and ERASE commands, data on a hard drive remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique provides a solution to this problem using a series of null-coded overwrites that completely removes all data from the hard drive.
The process is performed in three iterations and two individual passes that completely overwrite the destination drives. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface.
After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review. See Wipeout Settings for more details.
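The pass sequence described above for WipeOut-DoD, and the single-pattern WipeOut-User and WipeOut-Fast modes, can be modelled and audited as follows. This is an added example, not ICS code: it runs against an in-memory stand-in for a drive holding constructed data, and the function names are hypothetical.

```python
import io

DOD_FINAL = 0xF6  # the "government designated code 246" named in the guide


def dod_schedule():
    """Write passes as the guide lists them: 3 x (0xFF, 0x00), then 0xF6."""
    return [0xFF, 0x00] * 3 + [DOD_FINAL]


def user_schedule(pattern, iterations):
    """WipeOut-User / WipeOut-Fast: one user-defined byte, N passes."""
    if not 0 <= pattern <= 255 or iterations < 1:
        raise ValueError("pattern must be 0-255 and iterations >= 1")
    return [pattern] * iterations


def write_pass(dev, size, pattern, block=4096):
    """Overwrite bytes 0..size-1 with one pattern, first byte to last."""
    dev.seek(0)
    remaining = size
    while remaining:
        count = min(block, remaining)
        dev.write(bytes([pattern]) * count)
        remaining -= count


def read_verify(dev, size, pattern, block=4096):
    """Return the offset of the first byte that is not `pattern`, else None."""
    dev.seek(0)
    offset = 0
    while offset < size:
        data = dev.read(min(block, size - offset))
        if not data:
            return offset  # the device ended before `size` bytes
        if data != bytes([pattern]) * len(data):
            return offset + next(i for i, b in enumerate(data) if b != pattern)
        offset += len(data)
    return None


def wipe(dev, size, schedule):
    """Run every write pass, then a closing read-verify of the last pattern."""
    for pattern in schedule:
        write_pass(dev, size, pattern)
    return {"write_passes": len(schedule),
            "first_bad_offset": read_verify(dev, size, schedule[-1])}


def demo():
    residual = b"constructed residual data " * 400  # constructed drive contents
    size = len(residual)
    drive = io.BytesIO(residual)
    report = wipe(drive, size, dod_schedule())
    fully_wiped = drive.getvalue() == bytes([DOD_FINAL]) * size
    # Simulate one byte that did not take the final write, then re-audit.
    drive.seek(5000)
    drive.write(b"\x00")
    audit = read_verify(drive, size, DOD_FINAL)
    return report, fully_wiped, audit


if __name__ == "__main__":
    report, fully_wiped, audit = demo()
    print(report, "fully wiped:", fully_wiped)
    print("audit after simulated bad byte: first mismatch at offset", audit)
```

The seven write passes plus the read-verify give the eight passes the guide counts; `read_verify` can also be run on its own against an image of a drive that was wiped earlier.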
The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure Erase function to erase data. The WipeOut-Secure Erase option offers two modes, Normal Erase and Enhanced Erase, which are automatically selected if the drive supports them. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.
Hash
The Hash operation provides a method of generating a hash value for either the entire area of a drive or for a selected number of sectors of a drive. No data is written to the selected drives during this operation. When hashing the entire drive the process is methodical and contiguous, beginning with the first sector on the drive and ending with the last sector of the drive. See Hash Settings for more details.
Event Log Window
The Event Log Window displays real time operational event log information.
Advanced Operation Settings Menu
The IMSolo-IV Forensics Advanced Operation Settings Menu provides access to the Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Interface Control Console. The Advanced Operation Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The descriptions of the available Operational Mode Settings are discussed in the following section.
- Single Capture Settings
- Hash Settings
- LinuxDD Capture Settings
- LinuxDD Hash Settings
- LinuxDD Restore Settings
- E01 Capture Settings
- E01 Hash Settings
- E01 Restore Settings
- WipeOut Settings
- Format Drives Settings
Single Capture Settings
The Single Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
- Read Back-Verify
- Hash Targets
- Hashing Methods
- Encryption/Decryption
- Wipe Remainder
Figure 19
Read Back-Verify
Provides additional data integrity checks during data transfers. When Read Back-Verify is selected the operation will verify each block of data transferred during the data transfer process. Data written to the Evidence drive is read back and compared to the data read from the Suspect's drive. Enabling this option reduces the transfer rate. With this option disabled, the data transfer process relies on the drive's own Ultra DMA Mode error-detection mechanism, known as cyclical redundancy checking (CRC-16), to check for Data Integrity. In most cases the CRC-16 error checking algorithm is sufficient. CRC is an algorithm that calculates an order and value sensitive checksum used to detect errors in a stream of data. Both the Suspect's drive and the Evidence drives calculate a CRC value for each Ultra DMA burst. After the Suspect's data is sent, the Evidence drive calculates a CRC value and this is compared to the original Suspect's CRC value. If a difference is reported, the unit may be required to select a slower transfer mode and re-try the original request for data. The transfer rate will not be affected when using the drive's CRC-16 mechanism for checking data integrity.
Hash Targets
The Hash Targets function provides a method of generating Hash values for the Source drive's data and for the data written to the Target drives, in the same operation. The data is read back and hashed from the target drive(s) after each transferred block. Since data is read back during the operation, the average transfer rate will decrease and the total time of completion will increase when this function is enabled.
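What Read Back-Verify and Hash Targets each detect when a target write goes wrong is shown in the added example below, which is not ICS code. The block size, the `capture` function and the `FaultyTarget` stand-in for an Evidence drive are assumptions made for illustration, and the source data is constructed.

```python
import hashlib
import io

BLOCK = 64 * 1024  # assumed transfer block size; the guide does not state one


class VerifyError(Exception):
    """Data read back from the target differs from the source block."""
    def __init__(self, offset):
        super().__init__(f"read-back mismatch at byte offset {offset}")
        self.offset = offset


def capture(src, dst, algorithm="sha256", read_back_verify=True,
            hash_targets=True, block=BLOCK):
    """Copy src to dst block by block, hashing the source stream and,
    optionally, the bytes read back from the target after each block."""
    src_hash = hashlib.new(algorithm)
    dst_hash = hashlib.new(algorithm) if hash_targets else None
    offset = 0
    while True:
        data = src.read(block)
        if not data:
            break
        src_hash.update(data)
        dst.seek(offset)
        dst.write(data)
        if read_back_verify or hash_targets:
            # On a real device the read-back must bypass the OS cache
            # (for example direct I/O), or it only re-reads memory.
            dst.seek(offset)
            echoed = dst.read(len(data))
            if dst_hash is not None:
                dst_hash.update(echoed)
            if read_back_verify and echoed != data:
                first_bad = next(
                    (i for i, (a, b) in enumerate(zip(data, echoed)) if a != b),
                    min(len(data), len(echoed)))
                raise VerifyError(offset + first_bad)
        offset += len(data)
    return {"bytes": offset,
            "source_hash": src_hash.hexdigest(),
            "target_hash": dst_hash.hexdigest() if dst_hash is not None else None}


class FaultyTarget:
    """Constructed Evidence-drive stand-in that flips one bit as it is written."""
    def __init__(self, size, bad_offset):
        self.buf = bytearray(size)
        self.pos = 0
        self.bad_offset = bad_offset

    def seek(self, pos):
        self.pos = pos

    def write(self, data):
        end = self.pos + len(data)
        self.buf[self.pos:end] = data
        if self.pos <= self.bad_offset < end:
            self.buf[self.bad_offset] ^= 0x01
        self.pos = end

    def read(self, count):
        out = bytes(self.buf[self.pos:self.pos + count])
        self.pos += len(out)
        return out


def demo():
    suspect = bytes(i % 251 for i in range(200_000))  # constructed source data
    clean = capture(io.BytesIO(suspect), io.BytesIO(bytes(len(suspect))))
    # Hash Targets alone: the copy completes, but the two hashes disagree.
    hashed = capture(io.BytesIO(suspect), FaultyTarget(len(suspect), 70_000),
                     read_back_verify=False)
    # Read Back-Verify: the operation stops at the first bad byte.
    try:
        capture(io.BytesIO(suspect), FaultyTarget(len(suspect), 70_000))
        stopped_at = None
    except VerifyError as exc:
        stopped_at = exc.offset
    return suspect, clean, hashed, stopped_at


if __name__ == "__main__":
    suspect, clean, hashed, stopped_at = demo()
    print("clean copy hashes match:", clean["source_hash"] == clean["target_hash"])
    print("faulty copy hashes match:", hashed["source_hash"] == hashed["target_hash"])
    print("read-back verify stopped at offset:", stopped_at)
```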
Hashing Methods
The Hashing Methods menu selection provides the user with a list of different Hash Algorithms to generate a Hash value for the Source drive's data. Hashing is a process that calculates a "unique signature" value for the contents of an entire drive.
CRC32
Selecting CRC32 will result in the operation generating the CRC32 32-bit hash value for the data read from the source drive(s). Selecting the Hash Targets function will result in the operation generating the CRC32 Hash values for the data read from the Source drive and the data written to the Target drive.
MD5
Selecting MD5 will result in the operation generating the MD5 128-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the MD5 Hash values for the data read from the Source drive and the data written to the Target drive.
SHA-1
Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the SHA-1 Hash values for the data read from the Source drive and the data written to the Target drive.
NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and therefore the effect on transfer rates is limited.
SHA-2 (224,384,256,512)
Selecting SHA-2 (224,384,256,512) will result in the operation generating the SHA-2 (224,384,256,512)-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the Hash values for the data read from the Source drive and the data written to the Target drive.
NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for calculations and therefore the effect on transfer rates is limited.
Wipe Remainder
The Wipe Remainder function instructs the capture operation to wipe (erase) remaining sectors after a capture operation is performed, if the Evidence drive is larger than the Suspect's drive.
Encrypt/Decrypt
The Encrypt/Decrypt menu selection provides the user with the functions and settings necessary to configure an operation to Encrypt or Decrypt captured data.
AES Key Length (bits)
Provides the user with the list of three AES Key Sizes to choose from. The choices are 128, 192, and 256 bits.
AES Mode
Provides the user with the list of AES Modes to choose from. The choices are ECB, CBC, CFB, OFB, and CTR.
Action - None
Instructs the operation to transfer data without Encrypting or Decrypting data.
Action - Encrypt
Instructs the operation to Encrypt data during the data transfer operation.
Action - Decrypt
Instructs the operation to Decrypt data during the data transfer operation.
Save Key
The Encryption Key used to Encrypt the Suspect drive's data is generated and saved.
Load Key
Provides the function to allow the User to select and load the Encryption Key which can be used to Decrypt the Evidence drive's Encrypted data.
NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.
WipeOut Settings
The WipeOut Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 20: WipeOut Settings menu (User, DoD, Secure Erase, Iterations, Pattern (0-255), Read Back-Verify)
Mode
The WipeOut Mode provides the Operator with two methods of sanitizing drives.
User
The Wipeout User option provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined pattern to the drive connected in the Target drive position, for a number of user defined drive passes (iterations). The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.
Iterations
Allows the Operator to define the number of WipeOut-User iterations or passes to perform. Selecting 0 instructs the operation to sanitize the drive in one pass.
Pattern (0-255)
Allows the Operator to define the WipeOut-User Pattern to be used to sanitize the Target drive(s). The available range is 0-255.
DoD
The Wipeout DoD function provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.
The operation is performed in three iterations and two individual passes that completely overwrite the destination drives. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.
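The User and DoD pass sequences described above, as an added example rather than the unit's own implementation: a temporary image file stands in for the Target drive, and the function names, the buffer size and the reading of N iterations as N passes are assumptions.

```python
import os
import tempfile

BUF = 64 * 1024  # write/read buffer size chosen for this example


def write_pass(path, value):
    """Overwrite every byte of `path` with `value`, first sector to last."""
    size, block = os.path.getsize(path), bytes([value]) * BUF
    with open(path, "r+b") as dev:
        for done in range(0, size, BUF):
            dev.write(block[:size - done])
        dev.flush()
        os.fsync(dev.fileno())   # push this pass out before the next one starts


def read_back_verify(path, value):
    """Return the offset of the first byte that is not `value`, or None."""
    expected = bytes([value]) * BUF
    with open(path, "rb") as dev:
        offset = 0
        while block := dev.read(BUF):
            if block != expected[:len(block)]:
                return offset + next(i for i, b in enumerate(block) if b != value)
            offset += len(block)
    return None


def user_plan(pattern, iterations):
    """User mode: one pattern, N passes; 0 iterations still means one pass."""
    if not 0 <= pattern <= 255:
        raise ValueError("pattern must be 0-255")
    return [pattern] * max(1, iterations)


def dod_plan():
    """DoD mode as described: 3 x (0xFF then 0x00), then a seventh 0xF6 pass."""
    return [0xFF, 0x00] * 3 + [0xF6]


def wipe(path, plan, verify=True):
    """Run each write pass in order, then read-verify the final pattern."""
    for value in plan:
        write_pass(path, value)
    return read_back_verify(path, plan[-1]) if verify else None


def demo():
    # Constructed image file (1 MiB + 100 bytes) standing in for a Target drive.
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(1024 * 1024 + 100))
        first_bad = wipe(path, dod_plan())     # eighth pass: Read-Verify
        with open(path, "r+b") as f:           # simulate a byte that did not take
            f.seek(4096)
            f.write(b"\x00")
        return first_bad, read_back_verify(path, 0xF6)
    finally:
        os.remove(path)
```

`demo()` returns `(None, 4096)`: the clean wipe verifies, and the simulated bad byte is reported by its offset so it can be logged.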
Secure Erase
The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure Erase function to erase data. The WipeOut-Secure Erase option offers two modes which are automatically selected if the drive supports the modes: Normal Erase and Enhanced Erase. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.
Read Back-Verify
Use Link for previous description.
Format Drives Settings
The Format Drives Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu. The exFAT setting instructs the Format Drive operation to use the exFAT File System to format drives.
Linux DD Capture Settings
The LinuxDD Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 21: Linux DD Capture Settings menu (Capture File Size, Custom File Size (MB), File Name, Read Back-Verify, Hash Targets, Hash Methods, Encryption/Decryption)
Capture File Size
The size of the individual LinuxDD files can be set by selecting predefined values within the Capture File Size menu. The options are 640MB, 1GB, 2GB, 4.7GB, Whole Drive, and Custom. The default setting is 640MB.
Custom File Size (MB)
The size of the individual LinuxDD files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.
File Name
The File Name entry will be used as the name for the LinuxDD subdirectory, where the individual LinuxDD files will be stored. This File Name will also be used as the name of all LinuxDD files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default LinuxDD file name referenced as CASE.
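An added example (not the unit's code) of splitting a capture into fixed-size LinuxDD-style files and checking that the set reassembles to the acquired data. The .001/.002 suffix, the SHA-256 choice and all function names are assumptions; the page states only that the File Name is used for the subdirectory and the files, with CASE as the default.

```python
import hashlib
import os
import tempfile

MB = 1024 * 1024


def capture_segments(src_path, out_root, file_name="", segment_mb=640, buf=64 * 1024):
    """Split src into <out_root>/<name>/<name>.NNN files; return (paths, sha256)."""
    name = file_name or "CASE"              # blank File Name falls back to CASE
    case_dir = os.path.join(out_root, name)
    os.makedirs(case_dir, exist_ok=False)   # refuse to write into an existing case
    limit = segment_mb * MB if segment_mb else None   # 0 = Whole Drive, one file
    digest = hashlib.sha256()
    paths, out, written = [], None, 0
    with open(src_path, "rb") as src:
        while True:
            block = src.read(buf if limit is None else min(buf, limit - written))
            if not block:
                break
            if out is None:
                # Numeric suffix is this example's convention, not the unit's.
                paths.append(os.path.join(case_dir, f"{name}.{len(paths) + 1:03d}"))
                out = open(paths[-1], "wb")
            out.write(block)
            digest.update(block)
            written += len(block)
            if limit is not None and written == limit:
                out.close()
                out, written = None, 0
    if out is not None:
        out.close()
    return paths, digest.hexdigest()


def verify_segments(paths, expected_sha256):
    """Re-read the segments in the given order and compare with the capture hash."""
    digest = hashlib.sha256()
    for p in paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(64 * 1024), b""):
                digest.update(block)
    return digest.hexdigest() == expected_sha256


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect.img")          # constructed sample image
        with open(src, "wb") as f:
            f.write(os.urandom(2 * MB + MB // 2))       # 2.5 MB of random data
        paths, sha = capture_segments(src, tmp, file_name="", segment_mb=1)
        names = [os.path.basename(p) for p in paths]
        sizes = [os.path.getsize(p) for p in paths]
        ok = verify_segments(paths, sha)
        swapped = verify_segments([paths[1], paths[0], paths[2]], sha)
        return names, sizes, ok, swapped
```

The second check shows why segment order matters when a set is restored or re-hashed: the same files concatenated in the wrong order no longer match the capture hash.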
LinuxDD Hash Settings
The LinuxDD Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 22: LinuxDD Hash Settings menu (Hash Methods, File Name, Encryption/Decryption)
LinuxDD or E01 Restore Settings
The LinuxDD or E01 Restore Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 23: LinuxDD or E01 Restore Settings menu (Hash Methods, File Name, Read Back-Verify, Hash Targets, Encryption/Decryption)
Hash Settings
The Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 24: Hash Settings menu (Sectors to Hash, Hash Methods, Encryption/Decryption)
Sectors to Hash
Allows the Operator to define the number of sectors to hash. The default value of 0 will instruct the Hash operation to hash the entire drive.
E01 Capture Settings
The E01 Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.
Figure 25: E01 Capture Settings menu (Capture File Size, Custom File Size (MB), Hash Methods, File Name)
Capture File Size
The size of the individual E01 files can be set by selecting predefined values within the Capture File Size menu. The default setting is 650MB (CD).
Custom File Size (MB)
The size of the individual E01 files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.
File Name
The File Name will be used as the name for the E01 Case subdirectory, where the individual E01 files will be stored. This File Name will also be used as the name of all E01 files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default E01 file name referenced as CASE.
Advanced Settings Main Menu
The IMSolo-IV Forensics Advanced Settings Main Menu provides access to the common Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Settings Menu. The descriptions of the available settings are discussed in the following section.
Figure 26: Advanced Settings Main Menu (Automation Settings, Bad Sector Handling, Start View, Add/Remove Optional Features)
Automation Settings
The Automation Settings menu provides the Operator with a list of settings common to each of the available Operational Modes.
Start Operation after Detection
Instructs the Operation to automatically power ON and detect the selected drives when selecting START. When disabled, the selected drives would need to be manually detected prior to selecting START, using the DETECT DRIVES function.
Confirm Master and Target drives after Power up/Detection and Before starting Operation
Instructs the Operation to prompt the Operator and confirm if the detected Source and Target drives are the correct drives to use before starting the selected Operation. When the setting is disabled, the Operation will use the selected drives without prompting.
Auto Run
Instructs the selected Operation to continuously run until the Operation is manually aborted. This function can be used to test drives or the unit's hardware.
Bad Sector Handling
This setting allows the user to select from a list of two methods of handling bad sectors when they are encountered on the source drive.
Log and skip
The operation will log the location of the bad sector on the source drive and the bad sector will be skipped.
Abort drive
The operation will abort when encountering a bad sector on the source drive.
Start View
The Start View menu provides optional Start Up View options.
Wizard Screen
Instructs the RI unit to Start Up using the Wizard Interface Control Console. The Wizard Interface provides the user with simple navigational menu screens to quickly setup and start operations.
Operator Screen
Instructs the RI unit to Start Up using the Operator Interface Control Console. The Operator Interface provides all the functions and controls necessary to start or stop the operations pre-selected using the Wizard Interface or Advanced Interface. It provides the user with a graphical view of the Source and Target drive positions and the ability to change the active drive(s) for the selected operation using the unit's Touch Screen display.
Advanced Screen
Instructs the RI unit to Start Up using the Advanced Interface Control Console. The Advanced Interface provides all the functions and controls necessary to setup, customize and perform the unit's common and advanced IT operations.
Add/Remove Optional Features
This function allows adding or removing Software Options.
Apply Settings
Used to apply the settings selected.
Advanced Drive Detection Settings Menu
The IMSolo-IV Forensics Advanced Drive Detection Settings provides the Operator with User-Defined settings to customize the unit's drive detect handling functions.
Figure 27: Advanced Drive Detection Settings menu (Drive Detection Mode, Fast Detection, Sequential Detection)
Drive Detection Mode
Allows the Operator to choose between the three available Drive Detect methods.
Auto
Automatically selects Drive Detection method based on the hardware detected. This mode will automatically select Fast Detection for the IMSolo-IV Forensics systems.
Fast Detection
Selects use of the Fast Detection method to detect drives. This method identifies the drive by the SAS/S-ATA controller's physical address location used by polling the drive. It is the quickest method to detect drives.
Sequential Detection
Selects the Sequential Detection method to detect drives. This method identifies the drive by sensing the drive's current load. The selected drives are detected in turn by powering Up the individual drive and then waiting for each individual drive to be detected before powering Up the next selected drive. This method is slower than the Fast Detection method to detect drives.
Fast Detection Settings
The Fast Detection Settings menu provides optional Fast Detection User-Defined settings.
Wait Time After Powering Up Each Drive
This is the time allocated before powering Up the next selected drive. The default value is 2 seconds.
Wait Time Between Powering Up Each Drive and Starting Drive Detection
This is the time allocated after powering Up each drive, and before checking the controller and O/S for detected drives. The default value is 20 seconds.
Max Scanning /Detection Time allowed by Application (Sec)
This is the time allocated for the O/S to detect New Hardware or discover each selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.
Auto Calibrate Detection of All Drives
Used to restore the map which links the unit's SAS/SATA controller's physical addresses to the unit's assigned drive positions, listed in the Drive Detection menu screen, for all connected drives. The Calibration starts with the drive specified in the Calibration Starts From Drive input box.
NOTE: Calibration would only be necessary if the unit can no longer detect drives.
Calibration Starts From Drive
The Auto Calibration starts with the drive number specified in the Calibration Starts From Drive input box. The drive number starts with 0 and follows the order of the drive positions listed in the Drive Detection menu screen.
Calibrate Detection of a Selected Drive
Used to restore the map which links the unit's SAS/SATA controller's physical addresses to the unit's assigned drive positions, for individually selected drives.
NOTE: Calibration would only be necessary if the unit can no longer detect drives.
Sequential Detection Settings
The Sequential Detection Settings menu provides optional Sequential Detection User-Defined settings.
Max Detect Time
This is the time allocated for the O/S to detect New Hardware or discover each selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.
Max Detect Power Time
Maximum time allowed for the drive's applied current load to be detected. After the set time, if the drive's applied current load is not detected, the drive will be powered OFF.
Calibrate Current Threshold
The Calibrate Current Threshold function will measure the idle current used by the unit's power control board. A current level measured that is greater than the Calibrated Current Threshold value will indicate that a device is connected.
NOTE: Verify that NO drive is connected, while calibrating the current thresholds.
Diagnostics and Tools Settings Menu
The IMSolo-IV Forensics Advanced Diagnostic and Tools Settings provides access to the Operational Mode settings. The menu is displayed by selecting the Operation Settings Tab from the Advanced Interface Control Console. The Operational Mode Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The descriptions of the available Operational Mode Settings are discussed in the following section.
Figure 28: Diagnostics and Tools Settings menu (Slow Drive Filter, Speed Optimization, Diagnostics, Forced Power Off)
Slow Drive Filter Speed Threshold
The Slow Drive Filter menu allows the operation to abort individual drives which would cause slow transfer rates. After aborting the individual drive, the operation would continue for the remaining drives, without reducing the transfer rate.
Speed Threshold
Minimum transfer rate accepted before the drive is aborted. The decision to abort a drive is based on the individual drive speed and not on the average speed of the process.
Speed Optimization
Used to obtain optimal transfer rates.
Transfer Buffer Size (in 64 kb)
The default setting of (10) instructs the operation to use a Transfer Buffer size of 640KB. In most cases a Transfer Buffer size of 640KB is optimal; however with some drive combinations it might be useful to change the value in order to achieve faster transfer rates.
Speed Sampling rate
The value sets the rate with which the speed of each drive is sampled. The sampled value is used by the Slow Down Filter and is displayed in the Detected Drives panel. A low sampling rate would slow down the average transfer rate of operation. The default value is 100.
Forced Power off
Provides a function to manually power OFF all selected drives.
Power off selected drives
Manually powers OFF the selected drives. The function should only be used if the Remove Drives function does not power off the selected drives.
NOTE: Exit all applications which may be using the drives prior to manually powering OFF the drives.
Diagnostic
Provides a Diagnostic function to isolate drives which can result in slow transfer rates.
Instantaneous Drive Transfer Speed
Instructs the operation to display the drive's speed at the moment of sampling.
Advanced Case Info Menu
The IMSolo-IV Forensics Advanced Case Info Menu provides the user with a list of specific Case Information to enter for the Capture Operation. This Case Information will be stored for Audit Trail output. The menu is displayed by selecting the Case Info Tab from the Advanced Main Menu.
Figure 29
Advanced Mount Drive Menu
The IMSolo-IV Forensics Advanced Mount Drive Menu provides access to the functions and controls necessary to change the state of the detected device Write Protection and Mount Volume properties. By default, all ports including the Evidence Drive ports and the unit's USB ports are Write-Protected. In addition, the detected drive's partitions or volumes are hidden from the unit's O/S. The drive's properties will automatically be configured for the common Operational Modes. The recommended state of each device will depend on the operation to be performed with the detected devices. The menu is displayed by selecting the Mount Drive Tab from the Advanced Interface Control Console. The descriptions of the available Mount Drive Settings are discussed in the following section.
Figure 30: Advanced Mount Drive menu (Write-Protection, Mount Volumes, Simulate Drive Signature, Apply, Refresh)
Write-Protect the Drive
When selected (checked), the detected drive will be Write-Protected. This setting should be enabled only when it is necessary to allow the unit's O/S or 3rd party application write access to the drive's volume. The detected drive's Write-Protect property can be changed by first selecting the detected drive then using the Mount Drive Menu, Write-Protect function.
NOTE: By default, all ports are Write-Protected. The Write-Protect property of drives detected in the Suspect positions cannot be disabled.
Mount Volumes on the Drive
When selected (checked), the detected drive's volume will be accessible by the unit's Operating System. This setting should be enabled only when it is necessary to allow the unit's O/S or 3rd party application preview access to the drive's volume. The detected drive's Mount Volume property can be changed by first selecting the detected drive then