imsolo-iv forensics user guide v3.1

Upload: gaborkiss

Post on 04-Feb-2018


  • 7/21/2019 IMSolo-IV Forensics User Guide v3.1


    IMSolo-IV Forensics User's Guide

    Intelligent Computer Solutions


    Intelligent Computer Solutions
    9350 Eton Avenue
    Chatsworth, CA 91311

    Rev. 3.1
    May 2010
    Printed in the USA

    Sales/Technical Support
    Phone: 1-818-998-5805
    Fax: 1-818-998-3190
    E-Mail: [email protected]
    E-Mail: [email protected]
    Home Page: http://www.ics-iq.com

    Copyright 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter and associated software are copyrighted and registered in accordance with the laws and regulations of the State of California and the United States of America. IBM and OS/2 are registered trademarks of the International Business Machines Corporation. DOS, Windows, Windows NT, Windows 95/98/2000, Windows ME, Windows XP, and Windows VISTA are registered trademarks of the Microsoft Corporation. All other brand and product names are trademarks of their respective owners.


    CONTENTS

    CHAPTER 1: INTRODUCTION
        Overview
        Features
            About this User Guide
            Typical Conventions Used
    CHAPTER 2: QUICK START SETUP
    CHAPTER 3: INSTALLATION
        Setup
            System Specifications
    CHAPTER 4: OPERATION
        User Interface
        IMSolo-IV Forensics Wizard Interface Control Console
            Wizard - Main Menu
                Operational Mode Selection
                Navigation Bar
            Wizard - Seize Drives Menu
                Single Capture
                LinuxDD Capture
            Wizard - WipeOut Drives Menu
                WipeOut-DoD
                WipeOut-Fast
            Wizard - Suspect Drive Select Menu
            Wizard - Evidence Drive Select Menu
            Wizard - Operator Main Menu
                Operational Status Information
                    Station
                    Speed
                    Operational Mode
                    Load Size
                    Percent Completion
                    Elapsed Time
                    Estimated Time Left
                Operation Control Functions
                    Start
                    Abort


        IMSolo-IV Forensics Advanced Interface Control Console
            Advanced Drive Detect Menu
                Drive Selection Panel
                    Suspect 1-2 Drive Select
                    Evidence 1-2 Drive Select
                    Detect Drives
                    Remove Drives
                    Add Network Location
                    Detect Remote Drives
                Drive Status Panels
                    Active Suspect Drive Panel
                    Active Evidence Drives Panel
                    Other Detected Drives
                Operational Mode Select Menu
                    Single Capture
                    LinuxDD Capture
                    LinuxDD Restore
                    LinuxDD Hash
                    E01 Capture
                    E01 Restore
                    E01 Hash
                    Format Drives
                    WipeOut
                    Hash
                Event Log Window
            Advanced Operation Settings Menu
                Single Capture Settings
                    Read Back-Verify
                    Hash Targets
                    Hashing Methods
                    Wipe Remainder
                    Encrypt/Decrypt
                WipeOut Settings
                    Mode
                    Iterations
                    Pattern (0-255)
                    Read Back-Verify
                Format Drives Settings
                Linux DD Capture Settings
                    Capture File Size
                    Custom File Size (MB)
                    File Name
                LinuxDD Hash Settings
                LinuxDD or E01 Restore Settings
                Hash Settings
                    Sectors to Hash
                E01 Capture Settings
                    Capture File Size


                    Custom File Size (MB)
                    File Name
            Advanced Settings Main Menu
                Automation Settings
                    Start Operation after Detection
                    Confirm Master and Target drives after Power up/Detection and Before starting Operation
                    Auto Run
                Bad Sector Handling
                    Log and skip
                    Abort drive
                Start View
                    Wizard Screen
                    Operator Screen
                    Advanced Screen
                Add/Remove Optional Features
                Apply Settings
            Advanced Drive Detection Settings Menu
                Drive Detection Mode
                    Auto
                    Fast Detection
                    Sequential Detection
                Fast Detection Settings
                    Wait Time After Powering Up Each Drive
                    Wait Time Between Powering Up Each Drive and Starting Drive Detection
                    Max Scanning/Detection Time allowed by Application (Sec)
                    Auto Calibrate Detection of All Drives
                    Calibration Starts From Drive
                    Calibrate Detection of a Selected Drive
                Sequential Detection Settings
                    Max Detect Time
                    Max Detect Power Time
                    Calibrate Current Threshold
            Diagnostics and Tools Settings Menu
                Slow Drive Filter Speed Threshold
                    Speed Threshold
                Speed Optimization
                    Transfer Buffer Size (in 64 kb)
                    Speed Sampling rate
                Forced Power off
                    Power off selected drives
                Diagnostic
                    Instantaneous Drive Transfer Speed
            Advanced Case Info Menu
            Advanced Mount Drive Menu
                Write-Protect the Drive
                Mount Volumes on the Drive
                Simulate Drive Signature When Mounting Volumes
                Apply


                Refresh
            Advanced HPA/DCO Menu
                Protected Area Type
                Protected Area Support
                New Capacity
                Current Capacity
                Native Capacity
                Set Capacity
                Reset Capacity
                Volatile
            Advanced LOG Menu
                Print Logs
                Copy Logs
                Open Log Folder
                Set Audit Trail Logo
            Advanced Tools Menu
                Disable Password
    CHAPTER 5: OPERATIONAL PROCEDURES
        Prepare for Operation
        Capturing Drives using Single Capture Mode
        Capturing using LinuxDD Capture Mode
        Capturing using E01 Capture Mode
        Capturing from an Unopened PC or Notebook
        Capturing to a Shared Folder
        Encrypting Data During Data Capture
        Decrypting Data During Data Transfer
        Restoring from LinuxDD or E01 Segmented File Format
        Sanitizing Drives Using WipeOut DoD
        Sanitizing Drives Using WipeOut - User
        Sanitizing Drives Using WipeOut Secure Erase
        Transferring Audit Trail and Log Information
        Running Multiple Operational Modes Simultaneously


        Previewing Write-Protected Drive Data
        Enabling Manual Write-Access to Evidence Drive Positions
    APPENDIX A: OPERATIONAL NOTES
        Image MASSter Solo-IV Internet/Network Connection Disclaimer
        USB-to-Ethernet Connection
        USB LinkMASSter Setup
        USB LinkMASSter Usage
        IMSOLO-IV USB FLASH RESTORE INSTRUCTIONS
            Prepare the USB Flash Device
            Prepare the IMSolo-IV BIOS and Start Restore
        LinuxDD and E01 Capture exFAT Usage
        DEFINITIONS
    APPENDIX B: PRODUCT INFORMATION
        Limited Warranty
        What is Not Covered:
        Limitation of Liability
        Technical Support


    Chapter 1: Introduction


    Overview

    Designed exclusively for Forensic applications, the Image MASSter Solo-IV Forensics system is a versatile, lightweight, portable, high-speed data acquisition device.

    Suspect's data can be seized at speeds exceeding 6GB per minute. Using the unit's on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the Suspect's data without modification, re-arrangement or corruption. The unit provides Native interface support for SAS, S-ATA and External USB drives in addition to supporting P-ATA [1], including ATA compatible solid state and flash devices. It provides flexible Capture mode formats, including Segmented File and Mirror image formats, and is capable of capturing two Suspect drives simultaneously. The unit's advanced touch screen user interface provides ease of use.

    Figure 1: IMSolo-IV Forensics

    [1] Optional P-ATA Adapters required.


    Features

    High Speed Operation:
        Transfer rates can exceed 6GB/min.

    Supports Multiple Sessions:
        Simultaneously seize data from two Suspect drives. Hash or Wipe drives while Seizing Data.

    Multiple Media Support:
        Provides Native support for SATA and SAS drives, including external USB devices. Provides support for PATA and SCSI drives using optional adapters.

    Multiple File Format Support:
        Seize Data using a Mirror capture format or using a Segment file format.

    Preview Suspect's Data:
        View Suspect's Data in a write-protected environment.

    Multiple Operational Modes:
        Seize, Hash or Wipe Data.

    Multiple Hash Modes:
        Hash using SHA-1, SHA-2 (Hardware Accelerated), MD5, CRC32.

    Write Protection:
        Protect Suspect drive's data against accidental overwrites.

    WipeOut:
        Sanitize drives using the DoD standard.

    Log Information:
        Store and print detailed operational Event Log and Audit Trail information.

    LCD Touch Screen Display:
        Large, 8 Color LCD Touch Screen Display.


    About this User Guide

    The IMSolo-IV Forensics User Guide will be updated as needed to reflect hardware and software modifications. Therefore, descriptions of features may be subject to change. The document makes use of hyperlinks to provide shortcut links.

    Typical Conventions Used

    Convention     Meaning
    Highlighted    This is a hyperlink: a shortcut link to a referred topic. Select it to jump to the topic. Use the MS Word Back tool to jump back to the previous location.
    Bold           Indicates a screen menu item or function such as a setting or control button.
    Italic         Indicates the name of an IMSolo-IV Forensics feature, system, mode, or other important reference.
    Note           Identifies additional important information regarding a topic or task.
                   Indicates a warning or caution


    Chapter 2: Quick Start Setup


    1. Place the IMSolo-IV Forensics on a level surface.

    2. Attach the unit's Power Adapter to the unit's DC Power-In port, located on the unit's back panel, and to an electrical outlet. The voltage may be either 110v or 220v. The Power Adapter will automatically switch to use either voltage.

    3. Power ON the unit by pressing the unit's Power ON button, located on the top corner of the unit's back panel. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed.

    Figure 2: Advanced Interface Control Console


    4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit's Suspect and Evidence connectors (See Fig. 5 through Fig. 9) and to the SATA or SAS drives. For PATA drives, use the supplied ICS SATA-to-PATA Adapter and connect the supplied PATA data cable's Unit Side connector to the Adapter's data connector and the HDD Side connector to the drive.

    Figure 3: Drive Positions (Suspect 1 Port, Suspect 2 Port, Evidence 1 Port, Evidence 2 Port)


    5. Select the Mode of Operation from the Operations pull down menu.

    Figure 4: Drive Selection Panel

    6. Select the drives to be used for the selected operation from the Drive Selection Panel.

    7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.

    Hash values generated during the capture operation are generated for the data read from the Suspect's drive, not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function.

    8. Select START to begin the operation. Operational status information will be displayed during an operation.


    9. After the operation completes, the drives will be powered OFF and the drives can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit's USB ports, located on the back of the unit.

    NOTE: Audit Trails are saved in both a standard text format and a PDF format using 128-bit password encryption protection, so the Audit Trail contents cannot be changed. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.

    The unit can be powered OFF by pressing and releasing the unit's Power button, located on the top corner of the unit's back panel.
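The Hash Targets behaviour described in step 7, sketched in Python as an added example (this is not ICS code or the unit's firmware): the source is hashed while it is copied, then the evidence is re-read and hashed over the captured length only, so a larger evidence drive with stale data still verifies. The names capture, hash_prefix and FlakyEvidence, the 64 KiB block size, the report layout and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 64 * 1024  # assumed transfer size for this sketch, not a device value


def hash_prefix(dev, length, algo):
    """Hash only the first `length` bytes of dev (the captured region)."""
    dev.seek(0)
    digest = hashlib.new(algo)
    remaining = length
    while remaining > 0:
        block = dev.read(min(BLOCK_SIZE, remaining))
        if not block:  # short read: evidence holds less than was captured
            break
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def capture(suspect, evidence, hash_targets=True, algo="sha256"):
    """Copy suspect to evidence, hashing the source stream on the fly.

    With hash_targets=True the evidence is re-read after the copy and its
    hash is compared with the source hash. With hash_targets=False only
    the source hash exists, so a bad write on the target goes unnoticed.
    """
    source_digest = hashlib.new(algo)
    copied = 0
    while True:
        block = suspect.read(BLOCK_SIZE)
        if not block:
            break
        source_digest.update(block)  # hash of the data read from the suspect
        evidence.write(block)
        copied += len(block)

    report = {
        "algorithm": algo,
        "bytes": copied,
        "source": source_digest.hexdigest(),
        "evidence": None,   # stays None unless the target is hashed
        "verified": None,
    }
    if hash_targets:
        report["evidence"] = hash_prefix(evidence, copied, algo)
        report["verified"] = report["evidence"] == report["source"]
    return report


class FlakyEvidence(io.BytesIO):
    """Constructed stand-in for a target that corrupts one byte on write."""

    def __init__(self, size, bad_offset):
        super().__init__(bytes(size))
        self.bad_offset = bad_offset

    def write(self, data):
        start = self.tell()
        if start <= self.bad_offset < start + len(data):
            data = bytearray(data)
            data[self.bad_offset - start] ^= 0x01  # flip one bit
        return super().write(bytes(data))


def demo():
    # Constructed 256 KiB "suspect drive"; evidence media are 4 KiB larger.
    suspect_data = bytes(range(256)) * 1024
    size = len(suspect_data) + 4096
    good = capture(io.BytesIO(suspect_data), io.BytesIO(b"\xAA" * size))
    bad = capture(io.BytesIO(suspect_data), FlakyEvidence(size, 100_000))
    blind = capture(io.BytesIO(suspect_data), FlakyEvidence(size, 100_000),
                    hash_targets=False)
    return good, bad, blind


if __name__ == "__main__":
    for name, rep in zip(("good", "bad", "blind"), demo()):
        print(name, rep["bytes"], rep["source"][:16], rep["verified"])
```

The third run shows why the guide recommends Hash Targets: the source hash is identical in all three reports, and only the read-back hash exposes the corrupted copy.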


    Chapter 3: Installation


    Setup

    1. Carefully remove the IMSolo-IV Forensics unit from its shipping box.

    2. Use the supplied parts list (Table 1) to complete an inventory check.

    3. Follow the outlined steps in the Quick Start Setup Chapter.

    Part                                   Part Number    Quantity
    IMSolo-IV Forensics Unit                              1
    DC Power Adapter and AC Power Cord                    1
    SAS/SATA Data/Power Cable                             4
    SATA-to-PATA Adapter                                  1
    PATA 2.5 44-Pin Adapter                               1
    PATA Data Cable                                       1
    PATA Power Cable                                      1
    Stylus                                                1
    Restore DVD                                           1
    IMSolo-IV Forensics User's Guide                      1

    Table 1: Quick-Reference Parts List

    System Specifications

    Supply Voltage           100 - 240V / 50 - 60 Hz 400 Watt Universal Auto switching input voltage
    Power Consumption        9W
    Operating Temperature    5 degrees - 55 degrees C
    Relative Humidity        20% - 60% non-condensing
    Net Weight               5.35 lbs
    Overall Dimensions       10.5 x 4 x 7.6


    Hardware Accessories

    The following section provides a description of the Hardware Accessories that are available for the IMSolo-IV Forensics unit.

    Drive Bay with Fan Assembly

    The "Drive Bay with Fan Assembly" is designed to provide a convenient location to mount drives for use with the IMSolo-IV unit. Cooling fans are provided to keep the drives operating at proper temperatures.

    Figure 5


    Hardware Description

    This section describes the hardware of the IMSolo-IV Forensics unit.

    Components and Functions

    Top Panel (Fig. 6)
        Display: LCD Touch Screen Color Display.

    Front Panel (Fig. 10)
        Evidence 1 and 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Evidence SATA/SAS drive(s) directly to the Forensics unit for Direct data seizure operations.
        Evidence 1 and 2 USB Connectors: Used to connect the USB Evidence device(s) directly to the Forensics unit for Direct data seizure operations.

    Back Panel (Fig. 7)
        eSATA Port: Used to connect External Storage Device.
        Mouse Port: Optional. Connect the mouse (not supplied) to the port.
        Keyboard Port: Optional. Connect the keyboard (not supplied) to this port.
        Power ON Button: Used to power the unit ON and OFF.
        DC-IN Power Socket: Connect DC Power Adapter to this socket.
        USB Connectors: Provides USB v2.0 ports used to connect external USB devices.
        LAN Ports: Provides 2GB Ethernet Network Interface.
        L-out, L-in, MIC: Provides Audio Line input/output ports and Microphone port.
        Expansion Port Panel: Provides access to unit's Expansion Ports.

    Left Side Panel (Fig. 8)
        Suspect 1 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.
        Suspect 1 USB Connectors: Used to connect the Suspect's USB device directly to the Forensics unit for Direct data seizure operations.


    Right Side Panel (Fig. 9)

    Suspect 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.

    Suspect 2 USB Connectors: Used to connect the Suspect's USB device directly to the Forensics unit for Direct data seizure operations.

    Bottom Panel (Fig. 11)

    Hard Drive Bay Panel: Provides access to the unit's Host S-ATA Hard Drive.

    Expansion Card Slot Panel: Provides access to the unit's Expansion Card Slot.


    Top View
    Figure 6 (callout: Touch Screen Display)


    Back View
    Figure 7 (callouts: ON/OFF Power Button; DC Power-IN; External Drive Power Port; Heat Exhaust Fan; Expansion Ports; Line-Out, Line-In, Mic; Ethernet and USB 2.0 Ports; Mouse and Keyboard Ports)

    Left View
    Figure 8 (callouts: Suspect 1 USB Port; Suspect 1 SAS/SATA Port)


    Right View
    Figure 9 (callouts: Suspect 2 USB Port; Suspect 2 SAS/SATA Port)


    Front View
    Figure 10 (callouts: Evidence 1 SAS/SATA and USB Ports; Evidence 2 SAS/SATA and USB Ports)

    Bottom View
    Figure 11 (callouts: Expansion Card Bay; Hard Drive Bay)


    Chapter 4: Operation


    User Interface

    The IMSolo-IV Forensics provides Windows-based Graphical User Interface applications, which the user can use to set up and control the unit's various functions.

    All of the unit's menus and functions are controlled through the unit's Touch Screen Display. Screen menu items can be selected by touch or with the included Touch Screen Stylus Pen. An On-Screen Keyboard is available as an easy method to enter text-related information. Optionally, an external keyboard, mouse or display² can be connected. The IMSolo-IV unit provides a Wizard Interface and an Advanced Interface. By default the unit's Advanced Interface will run at start up and can also be activated from the Windows START/PROGRAMS menu or by selecting the IMSolo-IV application's Desktop Shortcut ICON. The Advanced Interface screens are available to customize operations. The Wizard Interface provides the user with simple navigational menu screens to quickly set up and start operations. Multiple instances of the IMSolo-IV application can be activated to allow multiple operations to be performed simultaneously.

    This chapter provides a detailed description of the available functions.

    ² USB Monitor Required


    IMSolo-IV Forensics Wizard Interface Control Console

    The IMSolo-IV Forensics Wizard Interface Control Console guides the Operator through the process of selecting the mode of operation and the drives and drive positions for the selected operation. The Wizard provides all the functions and controls necessary to set up and perform the unit's most common Forensic data transfer operations. The functional descriptions of the Wizard Interface items are discussed in the following section. Multiple instances of the Wizard can be activated, which allows more than one operation to be performed simultaneously.

    MAIN MENU
    Figure 12 (callouts: Operational Mode Menu; Navigation Bar)


    Wizard - Main Menu

    The IMSolo-IV Forensics Wizard Main Menu screen can be activated by selecting the Wizard Screen function from the Navigation Bar. It provides access to all of the unit's main functions. The following Wizard functions are available from the Main Menu:

    - Operational Mode Selection
    - Navigation Bar

    Operational Mode Selection

    The Operational Mode Selection menu provides the user with Data Seizure or WipeOut Operational Mode options.

    Duplicate Drives

    Selecting Duplicate Drives provides the User with the option to select from one of the two common Data Seizure modes of operation.

    Wipeout Drives

    Selecting Wipeout Drives provides the User with the option to select from one of the two common Wipeout modes of operation.

    Navigation Bar

    The Navigation Bar menu provides the user with functions to select the various User Interfaces and IM support functions.

    The following functions are provided by the Navigation Bar.

    Advanced Screen

    Provides access to the Advanced User Interface Screen functions. These functions include access to advanced settings and advanced operational modes.

    Operator Screen

    Provides access to the Operator User Interface Screen functions. Allows the Operator to start or abort common operations.


    Wizard Screen

    Provides access to the Wizard Main Screen. The Wizard provides the Operator with a short series of multiple choice menu selections to help the Operator easily and quickly set up and start an operation.

    On-Screen Keyboard

    Provides access to an On-Screen-Keyboard. The On-Screen-Keyboard allows for an easy method to enter text-related information. A keyboard and mouse can also be connected to the IMSolo-IV Forensics unit.

    New Copy Session

    Selecting this function starts a new session of the IMSolo-IV Forensics Wizard Interface Control Console. Multiple sessions allow more than one operation to be performed simultaneously.

    Next Copy Session

    Switches between the different active session views.

    Desktop

    Allows access to the Windows Desktop while running session(s).

    Exit

    Terminates the active visible session. The function automatically releases all detected drives before exiting the session.

    About

    Selecting About displays information about the IMSolo-IV Forensics unit, such as serial number and software version in use.


    Wizard - Seize Drives Menu

    The IMSolo-IV Forensics Wizard Duplicate Drives Menu screen is displayed by selecting the Duplicate Drives function from the Wizard Main Menu screen. It provides access to the unit's Copy Mode functions. The following Copy Mode function options are provided:

    - Single Capture
    - LinuxDD Capture

    Figure 13

    Single Capture

    The Single Capture operational mode will seize the entire contents of the Suspect's drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect's drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect's drive. The process of acquiring the data from the Suspect's drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive.


    LinuxDD Capture

    The LinuxDD Capture method will copy the entire contents of the Suspect's drive to the Evidence drive. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Evidence drive. The size of the individual LinuxDD files can be set by selecting a value within the Fragment pull down menu. The default setting is 650MB (CD). The Case Name information entered by the user will be used as the name of the subdirectory where the Suspect's LinuxDD files will be stored. This Case Name will also be used as the filename of all LinuxDD files associated with this seizure. The LinuxDD files will begin with the extension 001, and incremented by 1 for each additional file.

    Any number of seizures can be performed to the same Evidence drive provided there is adequate space to save the seized data on the Evidence drive.


    Wizard - WipeOut Drives Menu

    The IMSolo-IV Forensics Wizard WipeOut Drives Menu screen is displayed by selecting the WipeOut Drives function from the Wizard Main Menu screen. It provides access to the unit's WipeOut Mode functions. The following WipeOut Mode function options are provided:

    - WipeOut-DoD
    - WipeOut-Fast

    WipeOut-DoD

    The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives. Using ordinary DELETE and ERASE commands, data on a hard drive remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique provides a solution to this problem using a series of null-coded overwrites that completely removes all data from the hard drive. The process is performed in three iterations and two individual passes that completely overwrite the drive connected to the internal drive position. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.

    WipeOut-Fast

    The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the drive connected in the Target drive position, for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.


    Wizard - Suspect Drive Select Menu

    The IMSolo-IV Forensics Wizard Suspect Drive Select Menu screen is displayed after selecting the Operational mode from the Wizard Seize Drives Menu. It provides the user with a graphical view of the source drive positions and the ability to select the source drive to be used for the selected operation using the unit's Touch Screen display. The selected drive position's graphical color code will change from Grey to Yellow, indicating that it has been activated for use. The Grey color code status indicates that the drive position is inactive.

    Figure 14 (callout: Suspect Drive Select Control Icons)


    Wizard - Evidence Drive Select Menu

    The IMSolo-IV Forensics Wizard Evidence Drive Select Menu screen is displayed after selecting the Suspect Drive from the Wizard Evidence Drive Select Menu. It provides the user with a graphical view of the Evidence drive positions and the ability to select the Evidence drive(s) to be used for the selected operation using the unit's Touch Screen display. The selected drive position's graphical color code will change from Grey to Yellow, indicating that it has been activated for use. The Grey color code status indicates that the drive position is inactive.

    Figure 15 (callout: Evidence Drive Select Control Icons)


    Wizard - Operator Main Menu

    The IMSolo-IV Forensics Wizard Operator Menu screen is displayed after selecting the Evidence Drive(s) from the Wizard Evidence Drive Select Menu. The Operator Menu provides all the functions and controls necessary to start or stop the selected operations. It provides the user with a graphical view of the Suspect and Evidence drive positions and the ability to change the active drive(s) for the selected operation using the unit's Touch Screen display. The following Wizard functions are available from the Operation Menu.

    - Operation Status Information
    - Operation Controls
    - Navigation Bar


    Figure 16 (callouts: Operational Status Information; Operation Controls; Drive Select Control Icons; Navigation Bar)


    Operational Status Information

    The Control Console provides Operational Status Information, supplying the user with real time event log data.

    The following Operation Status Information fields are available:

    - Station
    - Speed
    - Operational Mode
    - Load Size
    - Percent Completion
    - Elapsed Time
    - Estimated Time Left

    Station

    Displays the Computer Name of the IMSolo-IV Forensics unit.

    Speed

    The Speed field displays the average transfer rate in megabytes per minute.

    Operational Mode

    Displays the selected Operational Mode.

    Load Size

    The Load Size field displays the total data required to be transferred.

    Percent Completion

    Displays the percent of completion for the active operation.

    Elapsed Time

    Refers to the time elapsed during an operation. This field will also display the total elapsed time at the end of an operation.

    Estimated Time Left

    Refers to the time remaining to complete the operation.


    Operation Control Functions

    The Control Console provides the functions necessary to start or stop the selected operation.

    The following Control Functions are available:

    - Start
    - Abort

    Start

    Selecting Start will instruct the Control Console to turn ON the drives and begin the selected operation.

    Abort

    Selecting Abort will instruct the Control Console to turn OFF the drives and terminate the selected operation.


    IMSolo-IV Forensics Advanced Interface Control Console

    The IMSolo-IV Forensics Advanced Interface Control Console provides all the functions and controls necessary to set up, customize and perform the unit's common and advanced Forensic operations. It can be used as an alternative to the Wizard Interface Control Console, which provides limited functions for ease of use. Multiple instances of the Advanced Console can be activated, which allows more than one operation to be performed simultaneously. The functional descriptions of the unit's Advanced Interface Control Console functions are discussed in the following section.

    - Drive Selection Panel
    - Drive Status Panels
    - Operational Mode Select Menu
    - Operation Status Information
    - Operation Controls


    Figure 17 (callouts: Navigation Bar; Operational Settings Tabs; Active Drive Status Panels; Drive Selection Panel; Non-Active Drive Panel; Event Log Window; Operational Mode Select Menu; Operation Status Information)


    Advanced Drive Detect Menu

    The IMSolo-IV Forensics Advanced Drive Detect Menu will provide a list of the detected drives and allows detected drives to be configured as active or inactive drives. The menu screen will also allow drives connected in Evidence positions to be configured as Suspect Drives. The menu is displayed by selecting the Detection Tab from the Advanced Interface Control Console. The descriptions of the available Advanced Drive Detect Menu functions are discussed in the following section.

    Drive Selection Panel

    The Drive Selection Panel provides the settings and functions used to detect drives connected to the unit's dedicated Suspect and Evidence drive positions, including devices connected to the dedicated USB ports located on the back of the unit. The Drive Select Panel allows the operator to select the drive position(s) to scan during a drive detect operation.

    Suspect 1-2 Drive Select

    Select the Suspect Check Box to select the drive(s) in the Suspect position(s) for detection. The unit provides two dedicated Write-Protected Suspect drive positions. The drive positions are referenced by the drive's physical location on the unit. The Suspect 1 position is located on the left side of the unit, labeled Suspect 1. The Suspect 2 position is located on the right side of the unit, labeled Suspect 2.

    Evidence 1-2 Drive Select

    Select the Evidence Check Box to select the drive(s) in the Evidence position(s) for detection. The unit provides two dedicated Evidence drive positions. The drive positions are referenced by the drive's physical location on the unit. The Evidence 1 position is located as the left drive slot on the front of the unit. The Evidence 2 position is located as the right drive slot on the front of the unit.

    NOTE: The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or the operation passed, and RED if the drive is not detected or if the operation was not successful.


    Detect Drives

    Select the Detect Drives Button to turn ON and detect the selected drive(s).

    NOTE: By default, all ports are Write-Protected. The drive's Write-Protect property will automatically be disabled if the selected operational mode requires writing to the drive(s).

    Remove Drives

    Select Remove Drives to turn OFF and remove the selected drive(s).

    Add Network Location

    Allows a Suspect's drive contents to be captured and stored in a Network or Locally Shared Folder. The Shared Folder location can be designated as the Evidence drive using the Add Network Location function. The Add Network Location function is available when running the LinuxDD or E01 Capture operations. The descriptions of the available settings are discussed in the following section.

    - Browse

    Figure 18

    Browse

    Select Browse to select the Shared Folder Location.

    Detect Remote Drives

    The Detect Remote Drives function allows capturing data from a drive installed in a Notebook or PC³, using the unit's Ethernet port.

    ³ The Detect Remote Drives Option requires purchase


    Drive Status Panels

    The Active Drive Status Panels list the drives detected and their respective locations. The Panels will also indicate the drive's burst transfer rate during operation. Detected drives are listed in their respective Drive Status Panels.

    NOTE: Drives can be manually transferred between Drive Panels by selecting and dragging the listed drive using the Touch Screen or using an attached mouse. Suspect's Drives cannot be moved to Evidence locations.

    Active Suspect Drive Panel

    The Suspect Drive Panel will list the detected and active Suspect drives for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Suspect Drive Panel. The drive listed in this panel is considered an active drive and will be used as the Suspect's drive during the operation.

    NOTE: Drive(s) in the Suspect position(s) cannot be configured as Destination drives.

    Active Evidence Drives Panel

    The Active Evidence Drives Panel will list the detected and active Evidence drive(s) for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Evidence Drives Panel. The drive listed in this panel is considered an active drive and will be used as the Evidence drive during the operation.

    NOTE: Evidence drives can be configured as Suspect drives by transferring the drive from the Active Evidence Drive Panel to the Active Suspect Drive Panel.

    Other Detected Drives

    The Other Detected Drives Panel will list the non-active drives detected on all ports other than the dedicated Suspect and Evidence ports. Drives listed in the Suspect Drive or Evidence Drive Panels can be manually transferred to the Other Detected Drives Panel. The drive(s) listed in this panel are non-active drives, and will not be used during an operation.


    Operational Mode Select Menu

    The Operational Mode Select Menu provides a list of the available Operational Modes. The functional descriptions of the available Operational Modes are discussed in the following section.

    - Single Capture
    - LinuxDD Capture
    - LinuxDD Restore
    - LinuxDD Hash
    - E01 Capture
    - E01 Restore
    - E01 Hash
    - Hash
    - WipeOut
    - Format Drives

    Single Capture

    The Single Capture operational mode will seize the entire contents of the Suspect's drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect's drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect's drive. The process of acquiring the data from the Suspect's drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive. See Single Capture Settings for more details.

    LinuxDD Capture

    The LinuxDD Capture Mode will copy the entire contents of the Suspect's drive to the Destination drives. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Destination drive(s). The size of the individual LinuxDD files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The File Name information entered by the user will be used as the name of the subdirectory where the Suspect's LinuxDD files will be stored. This File Name will also be used as the filename of all LinuxDD files associated with this seizure. The LinuxDD files will begin with the extension 000, and incremented by 1 for each additional file.

    The Destination drive will be inspected prior to transferring data. The operation will verify if the first partition on the Evidence drive is based on the exFAT⁴ File System and will have EVIDENCE as the volume label. A Destination drive that meets these criteria will be a valid Destination drive, a new subdirectory will be created, and the transfer will begin. A Destination drive that fails these criteria will cause the user to be prompted with a message asking whether or not to overwrite the current contents of the Destination drive in order to make it a valid LinuxDD Destination drive. The operation will abort unless the user agrees to overwrite the Destination drive.

    Any number of Loads can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See LinuxDD Capture Settings for more details.

    ⁴ The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.

    LinuxDD Restore

    This function allows restoring the captured LinuxDD formatted Case to its original file format. This function requires the LinuxDD drive, containing the LinuxDD Case files, to be connected to one of the unit's Suspect positions and the Destination drive to be connected to the unit's Evidence position.

    LinuxDD Hash

    This function will generate a Hash value for the selected LinuxDD Case. The LinuxDD drive can be connected to either the Suspect or Evidence position.
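The segmented layout that LinuxDD Capture writes and LinuxDD Hash reads can also be checked on an examiner's workstation. The following is an added example, not code from this guide or from ICS: it assumes segments are named `<case>.<NNN>` inside a subdirectory named after the case (the guide gives the first extension as 001 in the Wizard section and 000 here, so both are accepted), and the sample case is constructed.

```python
import hashlib
import os
import re
import tempfile


def find_segments(case_dir, case_name):
    """Return the case's segment paths in numeric order.

    Raises ValueError when numbering does not start at 000/001 or has a gap,
    because hashing an incomplete set silently yields a wrong digest.
    """
    pattern = re.compile(re.escape(case_name) + r"\.(\d{3,})")
    found = {}
    for entry in os.listdir(case_dir):
        match = pattern.fullmatch(entry)
        if match:
            found[int(match.group(1))] = os.path.join(case_dir, entry)
    if not found:
        raise FileNotFoundError(f"no segments for case {case_name!r} in {case_dir}")
    numbers = sorted(found)
    if numbers[0] not in (0, 1):
        raise ValueError(f"first segment is {numbers[0]:03d}, expected 000 or 001")
    missing = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))
    if missing:
        raise ValueError("missing segment(s): " + ", ".join(f"{n:03d}" for n in missing))
    return [found[n] for n in numbers]


def hash_case(case_dir, case_name, algorithm="md5", fragment_size=None):
    """Hash all segments as one stream; return (hexdigest, total_bytes, count)."""
    segments = find_segments(case_dir, case_name)
    digest = hashlib.new(algorithm)
    total = 0
    for index, path in enumerate(segments):
        size = os.path.getsize(path)
        is_last = index == len(segments) - 1
        # Every segment but the last must be exactly one fragment long; a
        # short middle segment means a truncated or replaced file.
        if fragment_size is not None:
            if size == 0 or size > fragment_size or (not is_last and size != fragment_size):
                raise ValueError(f"{os.path.basename(path)}: unexpected size {size}")
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(1 << 20), b""):
                digest.update(block)
        total += size
    return digest.hexdigest(), total, len(segments)


def build_demo_case(root, case_name, data, fragment_size, first=1):
    """Write constructed sample data as <case>/<case>.NNN segments."""
    case_dir = os.path.join(root, case_name)
    os.makedirs(case_dir)
    for offset in range(0, len(data), fragment_size):
        number = first + offset // fragment_size
        name = f"{case_name}.{number:03d}"
        with open(os.path.join(case_dir, name), "wb") as handle:
            handle.write(data[offset:offset + fragment_size])
    return case_dir


if __name__ == "__main__":
    image = os.urandom(10_000)  # constructed stand-in for a captured drive
    with tempfile.TemporaryDirectory() as root:
        case_dir = build_demo_case(root, "CASE-0001", image, 4096)
        print(hash_case(case_dir, "CASE-0001", "md5", fragment_size=4096))
        print("whole-image md5:", hashlib.md5(image).hexdigest())
```

A missing final segment cannot be detected from the numbering alone, so compare the returned byte count with the size of the source drive.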

    E01 Capture

    The E01 Capture Mode will capture the entire contents of the Suspect's drive to the Destination drives using Guidance Software's EnCase Forensic format. The data will be written as individual segmented EnCase formatted files and stored in an individual subdirectory on the Destination drive(s). The size of the individual E01 files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The EnCase format limits the File Size to 2GB.

    The File Name information entered by the user will be used as the name of the subdirectory where the Suspect's files will be stored. This File Name will also be used as the filename of all files associated with this seizure. The E01 files will begin with the extension E01, and incremented by 1 for each additional file. The Compression Level can be set between 0 and 9, with 0 defined as No Compression, and 9 defined as Highest Compression.

    The Destination drive will be inspected prior to transferring data. The operation will verify if the first partition on the Evidence drive is based on the exFAT⁵ File System and will have EVIDENCE as the volume label. Otherwise, the operation will prompt the User that the Evidence drive will be overwritten.

    Any number of Loads can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See E01 Capture Settings for more details.

    NOTE: The E01 Capture Mode will result in reduced transfer rates when compared with other Capture Modes.

    ⁵ The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.


    E01 Restore

    This function allows restoring the captured E01 formatted Case to its original file format. This function requires the E01 drive, containing the E01 Case files, to be connected to one of the unit's Suspect positions and the Destination drive to be connected to the unit's Evidence position.

    E01 Hash⁶

    This function will generate a Hash value for the selected E01 Case. The E01 drive can be connected to either the Suspect or Evidence position.

    Format Drives

    This function can be used to quickly format drives and to prepare drives as exFAT LinuxDD or exFAT E01 Evidence drives. It may be necessary to manually transfer LinuxDD or E01 Evidence files from an NTFS based Evidence drive to an exFAT based Evidence drive.

    ⁶ Pending development as of release of this document (11/09).


    WipeOut

    The WipeOut-User Mode of operation provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the destination drive for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.

    The WipeOut-DoD Mode of operation provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.

    Using ordinary DELETE and ERASE commands, data on a hard drive remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique provides a solution to this problem using a series of null-coded overwrites that completely removes all data from the hard drive.

    The process is performed in three iterations and two individual passes that completely overwrite the destination drives. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface.

    After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review. See Wipeout Settings for more details.
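The WipeOut-DoD pass sequence described above (and in the Wizard's WipeOut-DoD section), written out as an added example that is not ICS code: it runs against an ordinary file standing in for a drive, the function names are illustrative, and the sample image is constructed.

```python
import os
import tempfile

BLOCK = 64 * 1024  # write/verify granularity used by this example


def dod_pass_schedule():
    """Write passes as the guide lists them: 3 x (0xFF, 0x00), then 0xF6."""
    passes = []
    for iteration in range(1, 4):
        passes.append((f"iteration {iteration}, pass 1 (ONEs)", 0xFF))
        passes.append((f"iteration {iteration}, pass 2 (ZEROes)", 0x00))
    passes.append(("pass 7 (code 246)", 0xF6))
    return passes


def overwrite(path, value, block=BLOCK):
    """Overwrite every byte of the file with `value`; return bytes written."""
    size = os.path.getsize(path)
    pattern = bytes([value]) * block
    with open(path, "r+b") as handle:
        remaining = size
        while remaining:
            count = min(block, remaining)
            handle.write(pattern[:count])
            remaining -= count
        handle.flush()
        os.fsync(handle.fileno())  # push the pass to storage before the next one
    return size


def read_verify(path, value, block=BLOCK):
    """Pass 8: return the offset of the first byte != value, or None if clean."""
    offset = 0
    with open(path, "rb") as handle:
        while True:
            data = handle.read(block)
            if not data:
                return None
            if data != bytes([value]) * len(data):
                for index, byte in enumerate(data):
                    if byte != value:
                        return offset + index
            offset += len(data)


def wipe_dod(path):
    """Run the seven write passes and the read-verify; return a pass log.

    Each log entry is (pass name, pattern byte, result), where result is the
    byte count for a write pass and the first bad offset (or None) for verify.
    """
    log = []
    for name, value in dod_pass_schedule():
        log.append((name, value, overwrite(path, value)))
    log.append(("read-verify", 0xF6, read_verify(path, 0xF6)))
    return log


if __name__ == "__main__":
    handle, image = tempfile.mkstemp(suffix=".img")
    os.write(handle, os.urandom(300_000))  # constructed "drive" contents
    os.close(handle)
    for name, value, result in wipe_dod(image):
        print(f"{name:28s} 0x{value:02X} -> {result}")
    os.remove(image)
```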

    The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure Erase function to erase data. The WipeOut-Secure Erase option offers two modes, Normal Erase and Enhanced Erase, which are automatically selected if the drive supports the modes. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.

    NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.

    Hash

    The Hash operation provides a method of generating a hash value for either the entire area of a drive or for a selected number of sectors of a drive. No data is written to the selected drives during this operation. When hashing the entire drive the process is methodical and contiguous, beginning with the first sector on the drive and ending with the last sector of the drive. See Hash Settings for more details.

    Event Log Window

    The Event Log Window displays real time operational event log information.


    Advanced Operation Settings Menu

    The IMSolo-IV Forensics Advanced Operation Settings Menu provides access to the Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Interface Control Console. The Advanced Operation Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The descriptions of the available Operational Mode Settings are discussed in the following section.

    - Single Capture Settings
    - Hash Settings
    - LinuxDD Capture Settings
    - LinuxDD Hash Settings
    - LinuxDD Restore Settings
    - E01 Capture Settings
    - E01 Hash Settings
    - E01 Restore Settings
    - WipeOut Settings
    - Format Drives Settings

    Single Capture Settings

    The Single Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    - Read Back-Verify
    - Hash Targets
    - Hashing Methods
    - Encryption/Decryption
    - Wipe Remainder

    Figure 19


    Read Back-Verify

    Provides additional data integrity checks during data transfers. When Read Back-Verify is selected, the operation verifies each block of data transferred during the data transfer process: data written to the Evidence drive is read back and compared to the data read from the Suspect's drive. Enabling this option reduces the transfer rate. When the option is disabled, the data transfer process relies on the drive's own Ultra DMA Mode error-detection mechanism, known as cyclical redundancy checking (CRC-16), to check for data integrity. In most cases the CRC-16 error checking algorithm is sufficient. CRC is an algorithm that calculates an order- and value-sensitive checksum used to detect errors in a stream of data. Both the Suspect's drive and the Evidence drive calculate a CRC value for each Ultra DMA burst. After the Suspect's data is sent, the Evidence drive calculates a CRC value and this is compared to the original Suspect's CRC value. If a difference is reported, the unit may be required to select a slower transfer mode and retry the original request for data. The transfer rate is not affected when using the drive's CRC-16 mechanism for checking data integrity.

    Hash Targets

    The Hash Targets function provides a method of generating Hash values for the Source drive's data and for the data written to the Target drives, in the same operation. The data is read back and hashed from the target drive(s) after each transferred block. Since data is read back during the operation the average transfer rate will decrease and the total time of completion will increase when this function is enabled.

    Hashing Methods

    The Hashing Methods menu selection provides the user with a list of different Hash Algorithms to generate a Hash value for the Source drive's data. Hashing is a process that calculates a "unique signature" value for the contents of an entire drive.

    CRC32

    Selecting CRC32 will result in the operation generating the CRC32 32-bit hash value for the data read from the source drive(s). Selecting the Hash Targets function will result in the operation generating the CRC32 Hash values for the data read from the Source drive and the data written to the Target drive.

    MD5

    Selecting MD5 will result in the operation generating the MD5 128-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the MD5 Hash values for the data read from the Source drive and the data written to the Target drive.

    SHA-1

    Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the SHA-1 Hash values for the data read from the Source drive and the data written to the Target drive.

    NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.

    SHA-2 (224,384,256,512)

    Selecting SHA-2 (224,384,256,512) will result in the operation generating the SHA-2 (224,384,256,512)-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the Hash values for the data read from the Source drive and the data written to the Target drive.

    NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.

    Wipe Remainder

    The Wipe Remainder function instructs the capture operation to wipe (erase) remaining sectors after a capture operation is performed, if the Evidence drive is larger than the Suspect's drive.

    Encrypt/Decrypt

    The Encrypt/Decrypt menu selection provides the user with the functions and settings necessary to configure an operation to Encrypt or Decrypt captured data.

    AES Key Length (bits)

    Provides the user with the list of three AES Key Sizes to choose from. The choices are 128, 192, and 256 bits.

    AES Mode

    Provides the user with the list of AES Modes to choose from. The choices are ECB, CBC, CFB, OFB, and CTR.

    Action - None

    Instructs the operation to transfer data without Encrypting or Decrypting data.

    Action - Encrypt

    Instructs the operation to Encrypt data during the data transfer operation.

    Action - Decrypt

    Instructs the operation to Decrypt data during the data transfer operation.

    Save Key

    The Encryption Key used to Encrypt the Suspect drive's data is generated and saved.

    Load Key

    Provides the function to allow the User to select and load the Encryption Key which can be used to Decrypt the Evidence drive's Encrypted data.

    NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.

    WipeOut Settings

    The WipeOut Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    User
    DoD
    Secure Erase
    Iterations
    Pattern (0-255)
    Read Back-Verify

    Figure 20

    Mode

    The WipeOut Mode provides the Operator with two methods of sanitizing drives.

    User

    The Wipeout User option provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined pattern to the drive connected in the Target drive position, for a number of user defined drive passes (iterations). The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.

    Iterations

    Allows the Operator to define the number of WipeOut-User iterations or passes to perform. Selecting 0 instructs the operation to sanitize the drive in one pass.

    Pattern (0-255)

    Allows the Operator to define the WipeOut-User Pattern to be used to sanitize the Target drive(s). The available range is 0-255.

    DoD

    The Wipeout DoD function provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.

    The operation is performed in three iterations, each with two individual passes, that completely overwrite the destination drives. Each iteration makes two write passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code 246 (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.
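    The pass sequence described above, written out as an added Python example (not ICS code) so the order of patterns and the final Read-Verify can be checked independently on a test image. The function names, the buffer size and the in-memory stand-in for a target drive are assumptions made for the illustration.

```python
import io

CHUNK = 640 * 1024  # working buffer; the size is an assumption


def dod_write_passes(iterations=3):
    """Patterns for the write passes in the order the guide gives them:
    each iteration writes 0xFF then 0x00, and a final pass writes 0xF6."""
    passes = []
    for _ in range(iterations):
        passes.extend([0xFF, 0x00])
    passes.append(0xF6)
    return passes


def write_pass(dev, size, pattern):
    """Overwrite bytes 0..size-1 of dev with one repeated byte."""
    dev.seek(0)
    block = bytes([pattern]) * CHUNK
    left = size
    while left:
        n = min(CHUNK, left)
        dev.write(block[:n])
        left -= n


def read_verify(dev, size, pattern):
    """Return None when every byte equals pattern, else the offset of the
    first byte that differs (a short read counts as a mismatch)."""
    dev.seek(0)
    offset = 0
    while offset < size:
        data = dev.read(min(CHUNK, size - offset))
        if not data:
            return offset
        if data.count(pattern) != len(data):
            for i, value in enumerate(data):
                if value != pattern:
                    return offset + i
        offset += len(data)
    return None


def wipe_and_verify(dev, size):
    """Run the seven write passes, then the eighth (read-verify) pass."""
    schedule = dod_write_passes()
    for pattern in schedule:
        write_pass(dev, size, pattern)
    return read_verify(dev, size, schedule[-1])


if __name__ == "__main__":
    # Constructed stand-in for a target drive: 2 MiB of non-uniform data.
    size = 2 * 1024 * 1024
    drive = io.BytesIO(bytes(range(256)) * (size // 256))
    print("first mismatch after wipe:", wipe_and_verify(drive, size))
    drive.seek(1_000_000)
    drive.write(b"\x00")  # simulate a byte that did not take the last pass
    print("first mismatch after damage:", read_verify(drive, size, 0xF6))
```

    Running read_verify on its own against an image of a wiped drive gives an independent check of the eighth pass without writing anything.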

    Secure Erase

    The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure Erase function to erase data. The WipeOut-Secure Erase option offers two modes, Normal Erase and Enhanced Erase, which are automatically selected if the drive supports the modes. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.

    NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.

    Read Back-Verify

    See the previous description of Read Back-Verify under Single Capture Settings.

    Format Drives Settings

    The Format Drives Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu. The exFAT setting instructs the Format Drive operation to use the exFAT File System to format drives.

    LinuxDD Capture Settings

    The LinuxDD Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    Capture File Size
    Custom File Size (MB)
    File Name
    Read Back-Verify
    Hash Targets
    Hash Methods
    Encryption/Decryption

    Figure 21

    Capture File Size

    The size of the individual LinuxDD files can be set by selecting predefined values within the Capture File Size menu. The options are 640MB, 1GB, 2GB, 4.7GB, Whole Drive, and Custom. The default setting is 640MB.

    Custom File Size (MB)

    The size of the individual LinuxDD files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.

    File Name

    The File Name entry will be used as the name for the LinuxDD subdirectory, where the individual LinuxDD files will be stored. This File Name will also be used as the name of all LinuxDD files associated with the selected operation.

    NOTE: If the File Name field is left blank, the operation will use a default LinuxDD file name referenced as CASE.

    LinuxDD Hash Settings

    The LinuxDD Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    Hash Methods
    File Name
    Encryption/Decryption

    Figure 22

    LinuxDD or E01 Restore Settings

    The LinuxDD or E01 Restore Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    Hash Methods
    File Name
    Read Back-Verify
    Hash Targets
    Encryption/Decryption

    Figure 23

    Hash Settings

    The Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    Sectors to Hash
    Hash Methods
    Encryption/Decryption

    Figure 24

    Sectors to Hash

    Allows the Operator to define the number of sectors to hash. The default value of 0 will instruct the Hash operation to hash the entire drive.
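    An added Python example (not ICS code) for re-checking a reported hash on a workstation: it hashes a set of raw LinuxDD segment files as one contiguous stream, computes CRC32, MD5, SHA-1 and SHA-256 in a single read, and applies the same "0 means whole drive" rule as Sectors to Hash. The numeric segment extensions (.001, .002, ...), the 512-byte sector size and all function names are assumptions; E01 files are a container format and cannot be hashed this way.

```python
import hashlib
import os
import tempfile
import zlib

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def _segment_number(name):
    """Numeric extension of a segment file, or None for other files."""
    ext = os.path.splitext(name)[1][1:]
    return int(ext) if ext.isdigit() else None


def segment_paths(case_dir):
    """Segment files in capture order (assumed naming: NAME.001, NAME.002, ...)."""
    names = [n for n in os.listdir(case_dir) if _segment_number(n) is not None]
    names.sort(key=_segment_number)
    return [os.path.join(case_dir, n) for n in names]


def hash_segments(paths, sectors_to_hash=0, algorithms=("md5", "sha1", "sha256"),
                  buf_size=640 * 1024):
    """Hash the segments as one stream, first sector to last.

    sectors_to_hash=0 hashes everything; any other value stops after that
    many sectors, even when the limit falls inside a later segment.
    Returns (digests, bytes_hashed).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    limit = sectors_to_hash * SECTOR_SIZE if sectors_to_hash else None
    done = 0
    for path in paths:
        with open(path, "rb") as fh:
            while limit is None or done < limit:
                want = buf_size if limit is None else min(buf_size, limit - done)
                chunk = fh.read(want)
                if not chunk:
                    break  # end of this segment, continue with the next
                for hasher in hashers.values():
                    hasher.update(chunk)
                crc = zlib.crc32(chunk, crc)
                done += len(chunk)
        if limit is not None and done >= limit:
            break
    if limit is not None and done < limit:
        raise ValueError("image holds fewer sectors than requested")
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = format(crc & 0xFFFFFFFF, "08x")
    return digests, done


def write_constructed_case(case_dir, data, segment_bytes, name="CASE"):
    """Split constructed sample data into segment files for the demonstration."""
    for start in range(0, len(data), segment_bytes):
        seg = os.path.join(case_dir, "%s.%03d" % (name, start // segment_bytes + 1))
        with open(seg, "wb") as fh:
            fh.write(data[start:start + segment_bytes])


if __name__ == "__main__":
    sample = bytes(range(256)) * 20  # constructed: 10 sectors of data
    with tempfile.TemporaryDirectory() as case_dir:
        write_constructed_case(case_dir, sample, 4 * SECTOR_SIZE)
        full, count = hash_segments(segment_paths(case_dir))
        first5, _ = hash_segments(segment_paths(case_dir), sectors_to_hash=5)
    reported = hashlib.sha256(sample).hexdigest()  # stands in for the unit's value
    print("bytes hashed:", count, "sha256 match:", full["sha256"] == reported)
    print("md5 of first 5 sectors:", first5["md5"])
```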

    E01 Capture Settings

    The E01 Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

    Capture File Size
    Custom File Size (MB)
    Hash Methods
    File Name

    Figure 25

    Capture File Size

    The size of the individual E01 files can be set by selecting predefined values within the Capture File Size menu. The default setting is 650MB (CD).

    Custom File Size (MB)

    The size of the individual E01 files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.

    File Name

    The File Name will be used as the name for the E01 Case subdirectory, where the individual E01 files will be stored. This File Name will also be used as the name of all E01 files associated with the selected operation.

    NOTE: If the File Name field is left blank, the operation will use a default E01 file name referenced as CASE.

    Advanced Settings Main Menu

    The IMSolo-IV Forensics Advanced Settings Main Menu provides access to the common Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Settings Menu. The available settings are described in the following section.

    Automation Settings
    Bad Sector Handling
    Start View
    Add/Remove Optional Features

    Figure 26

    Automation Settings

    The Automation Settings menu provides the Operator with a list of settings common to each of the available Operational Modes.

    Start Operation after Detection

    Instructs the Operation to automatically power ON and detect the selected drives when selecting START. When disabled, the selected drives would need to be manually detected prior to selecting START, using the DETECT DRIVES function.

    Confirm Master and Target drives after Power up/Detection and Before starting Operation

    Instructs the Operation to prompt the Operator and confirm if the detected Source and Target drives are the correct drives to use before starting the selected Operation. When the setting is disabled, the Operation will use the selected drives without prompting.

    Auto Run

    Instructs the selected Operation to continuously run until the Operation is manually aborted. This function can be used to test drives or the unit's hardware.

    Bad Sector Handling

    This setting allows the user to select from a list of two methods of handling bad sectors when they are encountered on the source drive.

    Log and skip

    The operation will log the location of the bad sector on the source drive and the bad sector will be skipped.

    Abort drive

    The operation will abort when encountering a bad sector on the source drive.

    Start View

    The Start View menu provides optional Start Up View options.

    Wizard Screen

    Instructs the RI unit to Start Up using the Wizard Interface Control Console. The Wizard Interface provides the user with simple navigational menu screens to quickly setup and start operations.

    Operator Screen

    Instructs the RI unit to Start Up using the Operator Interface Control Console. The Operator Interface provides all the functions and controls necessary to start or stop the operations pre-selected using the Wizard Interface or Advanced Interface. It provides the user with a graphical view of the Source and Target drive positions and the ability to change the active drive(s) for the selected operation using the unit's Touch Screen display.

    Advanced Screen

    Instructs the RI unit to Start Up using the Advanced Interface Control Console. The Advanced Interface provides all the functions and controls necessary to setup, customize and perform the unit's common and advanced IT operations.

    Add/Remove Optional Features

    This function allows adding or removing Software Options.

    Apply Settings

    Used to apply the settings selected.

    Advanced Drive Detection Settings Menu

    The IMSolo-IV Forensics Advanced Drive Detection Settings provides the Operator with User-Defined settings to customize the unit's drive detect handling functions.

    Drive Detection Mode
    Fast Detection
    Sequential Detection

    Figure 27

    Drive Detection Mode

    Allows the Operator to choose between the three available Drive Detect methods.

    Auto

    Automatically selects Drive Detection method based on the hardware detected. This mode will automatically select Fast Detection for the IMSolo-IV Forensics systems.

    Fast Detection

    Selects use of the Fast Detection method to detect drives. This method identifies the drive by the SAS/S-ATA controller's physical address location used by polling the drive. It is the quickest method to detect drives.

    Sequential Detection

    Selects the Sequential Detection method to detect drives. This method identifies the drive by sensing the drive's current load. The selected drives are detected in turn by powering Up the individual drive and then waiting for each individual drive to be detected before powering Up the next selected drive. This method is slower than the Fast Detection method to detect drives.

    Fast Detection Settings

    The Fast Detection Settings menu provides optional Fast Detection User-Defined settings.

    Wait Time After Powering Up Each Drive

    This is the time allocated before powering Up the next selected drive. The default value is 2 seconds.

    Wait Time Between Powering Up Each Drive and Starting Drive Detection

    This is the time allocated after powering Up each drive, and before checking the controller and O/S for detected drives. The default value is 20 seconds.

    Max Scanning/Detection Time allowed by Application (Sec)

    This is the time allocated for the O/S to detect New Hardware or discover each selected drive. The default value is 60 seconds.

    NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.

    Auto Calibrate Detection of All Drives

    Used to restore the map which links the unit's SAS/SATA controller's physical addresses to the unit's assigned drive positions, listed in the Drive Detection menu screen, for all connected drives. The Calibration starts with the drive specified in the Calibration Starts From Drive input box.

    NOTE: Calibration would only be necessary if the unit can no longer detect drives.

    Calibration Starts From Drive

    The Auto Calibration starts with the drive number specified in the Calibration Starts From Drive input box. The drive number starts with 0 and follows the order of the drive positions listed in the Drive Detection menu screen.

    Calibrate Detection of a Selected Drive

    Used to restore the map which links the unit's SAS/SATA controller's physical addresses to the unit's assigned drive positions, for individually selected drives.

    NOTE: Calibration would only be necessary if the unit can no longer detect drives.

    Sequential Detection Settings

    The Sequential Detection Settings menu provides optional Sequential Detection User-Defined settings.

    Max Detect Time

    This is the time allocated for the O/S to detect New Hardware or discover each selected drive. The default value is 60 seconds.

    NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.

    Max Detect Power Time

    Maximum time allowed for the drive's applied current load to be detected. After the set time, if the drive's applied current load is not detected, the drive will be powered OFF.

    Calibrate Current Threshold

    The Calibrate Current Threshold function will measure the idle current used by the unit's power control board. A current level measured that is greater than the Calibrated Current Threshold value will indicate that a device is connected.

    NOTE: Verify that NO drive is connected, while calibrating the current thresholds.

    Diagnostics and Tools Settings Menu

    The IMSolo-IV Forensics Advanced Diagnostic and Tools Settings provides access to the Operational Mode settings. The menu is displayed by selecting the Operation Settings Tab from the Advanced Interface Control Console. The Operational Mode Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The available Operational Mode Settings are described in the following section.

    Slow Drive Filter
    Speed Optimization
    Diagnostics
    Forced Power Off

    Figure 28

    Slow Drive Filter Speed Threshold

    The Slow Drive Filter menu allows the operation to abort individual drives which would cause slow transfer rates. After aborting the individual drive, the operation would continue for the remaining drives, without reducing the transfer rate.

    Speed Threshold

    Minimum transfer rate accepted before the drive is aborted. The decision to abort a drive is based on the individual drive speed and not on the average speed of the process.

    Speed Optimization

    Used to obtain optimal transfer rates.

    Transfer Buffer Size (in 64 kb)

    The default setting of (10) instructs the operation to use a Transfer Buffer size of 640KB. In most cases a Transfer Buffer size of 640KB is optimal; however with some drive combinations it might be useful to change the value in order to achieve faster transfer rates.

    Speed Sampling rate

    The value sets the rate with which the speed of each drive is sampled. The sampled value is used by the Slow Down Filter and is displayed in the Detected Drives panel. A low sampling rate would slow down the average transfer rate of operation.

    The default value is 100.

    Forced Power off

    Provides a function to manually power OFF all selected drives.

    Power off selected drives

    Manually powers OFF the selected drives. The function should only be used if the Remove Drives function does not power off the selected drives.

    NOTE: Exit all applications which may be using the drives prior to manually powering OFF the drives.

    Diagnostic

    Provides a Diagnostic function to isolate drives which can result in slow transfer rates.

    Instantaneous Drive Transfer Speed

    Instructs the operation to display drive speed at the moment of sampling.

    Advanced Case Info Menu

    The IMSolo-IV Forensics Advanced Case Info Menu provides the user with a list of specific Case Information to enter for the Capture Operation. This Case Information will be stored for Audit Trail output. The menu is displayed by selecting the Case Info Tab from the Advanced Main Menu.

    Figure 29

    Advanced Mount Drive Menu

    The IMSolo-IV Forensics Advanced Mount Drive Menu provides access to the functions and controls necessary to change the state of the detected device Write Protection and Mount Volume properties. By default, all ports including the Evidence Drive ports and unit's USB ports are Write-Protected. In addition, the detected drive's partitions or volumes are hidden from the unit's O/S. The drive's properties will automatically be configured for the common Operational Modes. The recommended state of each device will depend on the operation to be performed with the detected devices. The menu is displayed by selecting the Mount Drive Tab from the Advanced Interface Control Console. The available Mount Drive Settings are described in the following section.

    Write-Protection Mount Volumes Simulate Drive Signature Apply Refresh

    Figure 30

    Write-Protect the Drive

    When selected (checked), the detected drive will be Write-Protected. This setting should be enabled only when it is necessary to allow the unit's O/S or 3rd party application write access to the drive's volume. The detected drive's Write-Protect property can be changed by first selecting the detected drive then using the Mount Drive Menu, Write-Protect function.

    NOTE: By default, all ports are Write-Protected. The Write-Protect property of drives detected in the Suspect positions cannot be disabled.

    Mount Volumes on the Drive

    When selected (checked), the detected drive's volume will be accessible by the unit's Operating System. This setting should be enabled only when it is necessary to allow the unit's O/S or 3rd party application preview access to the drive's volume. The detected drive's Mount Volume property can be changed by first selecting the detected drive then