WiebeTech Ditto Forensic FieldStation User manual

Brand: WiebeTech

Model: Ditto Forensic FieldStation

Type: User manual

Protecting Your Digital Assets

Wiebetech Branding

2c85m76y

PMS 711C

66c7m7y

PMS 299C

Product Name:

Univers 73 Black Extended

abcdefghijklmnopqrstuvwxyz

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Ditto Forensic FieldStation

User Manual

Features

• Sourceinputs(write-blocked)–eSATA(SATA),PATA,USB2.0,PCIex1expansionport,

andgigabitnetwork(NFS,iSCSI,SMB)

• Destinationoutputs–DualeSATA(SATA)portstostoreacquireddataononeortwo

disks,SDcard,orgigabitnetwork(iSCSI,NFS,SMB)

• Data acquisition modes – physical image DD, physical image E01 with empty block

compression,logicalimageL01,clone,andsimultaneousclone&image.

• Hashtypes-MD5,SHA-1,MD5+SHA-1

• Remoteusage–Performoperationsusingthewebbrowserinterfacefromanyremote

networkedlocationintheworld

• SystemcongurationmanagementviafrontpanelLCDorwebbrowserinterface

• Userprolescanbepasswordprotectedandassignedspecicpermissionlevels

• Data log captures a complete history of data acquisitions and can be managed and

printedfromwebbrowserorextractedtoauser-specicdocument

• StealthModeavailableforusewithnightvisiongoggles(notincluded)

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

TABLE OF CONTENTS

1Pre-InstallationSteps 2

2Setup 3

3BrowserInterface 3

3.1AccessingtheBrowserInterface 3

3.2IconsUsedintheBrowserInterface 5

3.3UserAccounts 6

4HomeScreen 6

4.1Action 6

4.1.1CloneSourceDisk 7

4.1.2PhysicalImageSourceDisk 7

4.1.3LogicalImageSourceDisk 8

4.1.4CloneandImageSourceDisk 10

4.1.5EraseDestinationDisk 11

4.1.6HashDisk 12

4.1.7SnapshotDisk 12

4.1.8NetViewScan 12

4.2InvestigationInfo 13

4.3SystemSettings 13

4.4CurrentStatus 13

4.5Disks 14

4.6SystemLog 15

5CongureScreen 16

6AdminScreen 27

6.1UserAccounts 27

6.2PermissionLevels 27

6.3AddingaNewUser 28

6.4EditinganExistingUser 28

6.5DeletingaUser 28

7LogsScreen 28

8UtilitiesScreen 29

9UsingtheFrontPanelInterfaceinStandaloneMode 31

10StealthMode 35

11AdvancedFeaturesandFunctions 36

11.1NetviewScan 36

11.2TargetMode:RemotelyAccessDisksAttachedtothe

DittoForensicFieldStationwithThirdPartySoftware

11.3UsingiSCSIDevices 39

11.4UsingNFSandSMB(Samba)Shares 42

11.5AddingaNewLogicalImageMode 42

12UpgradingFirmware 43

13TechnicalSpecications 45

1 PRE-INSTALLATION STEPS

1.1 PACKAGE CONTENTS

Thefollowing list containstheitems that are included in the

completecongurationforthisdevice.PleasecontactCRUif

anyitemsaremissingordamaged:

DittoForensicFieldStationUnit 1

UnitizedSAS-to-eSATA+Mini-Fitpowercable 3

IDEcable 1

12Vpowersupply 1

Powercord 1

Legacypower-to-Mini-Fitcable 1

Ethernetcable(RJ45) 1

2.5”IDE-to-3.5”IDEandMini-Fitcable 1

Poweradapter,legacy-to-SATA 1

Velcrocablewrap 6

eSATAcable 2

SDcard(pre-installed) 1

QuickStartGuide 1

1.2 IDENTIFYING PARTS

TakeamomenttofamiliarizeyourselfwiththepartsoftheDitto

Forensic FieldStation.Thiswillhelpyoutobetter understand

thefollowinginstructions.

TOP OF UNIT

PowerAvailableLEDs

LCDMenu

SourceLEDs

DestinationLEDs

NavigationButtonsforLCDMenu

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

2 SETUP

Plugthe“suspect”disksordevicesintotheSource Inputssideof

theDittoForensicFieldStation.Allsourceinputsarewrite-blocked

topreventalteration.ThesourceinputsincludeaUSB2.0connec-

tionforUSBdevices,anRJ45gigabitEthernetconnection,anIDE/

PATAdiskconnection,andaneSATAconnectionforSATAdisksor

aneSATAdevice.Theexpansionmoduleconnectionisusedwith

theSAS,USB3.0,andotherDittoForensicFieldStationexpansion

modules.

UsetheDestination OutputssideoftheDittoForensicFieldSta-

tion to store acquired data.The destination output connections

includetwoeSATAconnectionsforSATAdisksoreSATAdevices

andanRJ45gigabitEthernetconnection.

TherearoftheDittoForensicFieldStationhasanSDcardslotand

two powering options: a 12V input for the power supply, and a

SATApowerconnection.Therearalsohasahookforhangingthe

unitinsidethecomputercaseorworkstation.

CRU recommends that you switchthe power off to

theDittowhenyouaddorremoveadevicefromitin

ordertoavoiddiskdamageanddatacorruption.

3 BROWSER INTERFACE

The Ditto Forensic FieldStation can be congured and operated

either from the Front Panel (see Section 9) or through a web

browser.

3.1 ACCESSING THE BROWSER INTERFACE

3.1.1 Accessing Via A Network

a. Plug an Ethernet cable into the Ethernet port on the

“SourceInputs”sideoftheDittoForensicFieldStation.

b. Connect the other end of the Ethernet cable to your

network.Thisusuallymeanspluggingitintoarouteror

hub.Inanofceenvironment,youmayhaveanetwork

jackbuiltintoyourofcewall.

c. Connect the power cable to the rear of the Ditto

Forensic FieldStation and to the providedAC adapter

ortoSATApower.

d. Turn on the Ditto Forensic FieldStation’s power using

theswitchontherearpanel.(0=off,1=on)

SOURCE INPUTS

(allinputsarewrite-blocked)

RJ45GigabitEthernetConnection

4-pinMini-FitPowerConnection

(DCPowerOutput)

IDE/PATAConnection

USB2.0TypeAConnection

ExpansionModuleConnection

eSATAConnection

DESTINATION OUTPUTS

eSATAConnections RJ45GigabitEthernetConnection

StealthModeSwitch

4-pinMini-FitPowerConnections

(DCPowerOutput)

REAR OF THE UNIT

HangingHook

PowerSwitch

(0=off,1=on)

SDCardSlot

SATAPowerConnection

PowerInputforACSupply

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

e. Type the Ditto Forensic FieldStation’s source IP address into your web browser. If you know the

address,godowntothelaststepofthissection.Ifyoudonotknowtheaddress,continuetothenext

step.

f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”

menu.ThenpressEnter.

Settings

View/Edit>

g. PresstheUporDownnavigationbuttonsuntilyoureachthe“SourceIPAddress”screen.

h. TypetheIPaddressshownintoyourwebbrowser.

SourceIPAddress:

10.xxx.xxx.xxx

TheDittoForensicFieldStationis conguredbydefaulttouseDHCPfor IPassignment.Ifyouneed

tochangetoastaticIPaddress,checkwithyournetworkadministratorandseeSection3.3.2ofthis

manual.

i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividual

usersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconguresettingsandpreview,image,orcloneattached

disks.

3.1.2 Accessing Via Direct Connection to Your Computer

a. PluganEthernetcableintotheEthernetportonthe“DestinationOutputs”sideoftheDittoForensic

FieldStation.

b. ConnecttheotherendoftheEthernetcabletoyourcomputer’sEthernetport.

ThedestinationEthernetportcanbeconguredtoactasaserver.AttachingaDittoForensicFieldSta-

tionactingasaservertoanexistingnetworkthroughthedestinationEthernetportwillcausenetwork

conicts.Thereforeitis importantto attachtheDittoForensicFieldStationdirectlytoyourcomputer

instead.TochangethissettingsothattheDittoForensicFieldStationnolongeractsasaserver,see

Section5.2.3.

c. ConnectthepowercabletotherearoftheDittoForensicFieldStationandtotheprovidedACadapter

ortoSATApower.

d. TurnontheDittoForensicFieldStation’spowerusingtheswitchontherearpanel.(0=off,1=on)

NOTE

STOP!

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

e. Type the DittoForensic FieldStation’sdestinationIP address into yourwebbrowser.Thedefault IP

addressforthedestinationEthernetportis10.10.10.1.Ifyouhavechangedtheaddressanddonot

rememberit,continuetothenextstep.Otherwise,godowntothelaststepofthissection.

f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”

menu.ThenpressEnter.

Settings

View/Edit>

g. PresstheUporDownnavigationbuttonsuntilyoureachthe“Dest.IPAddress”screen.

h. TypetheIPaddressshownintoyourwebbrowser.

Dest.IPAddress:

10.xxx.xxx.xxx

i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividual

usersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconguresettingsandpreview,image,orcloneattached

disks.

3.2 ICONS USED IN THE BROWSER INTERFACE

Thebrowserinterfaceusesseveraliconsthatmaybeclickedontoperformcertainactions.

ICON ACTION

Information

Opensawindowwithabriefdescriptionofthesettingtheinformationiconappearsnext

to.

Refresh

Refreshestheeldthattheiconappearsnexttoinordertogiveupdatedinformation.

Reset

LoadsthedefaultsforthesettingthattheRefreshiconappearsnextto.

Add

Addsauserdenedeldtoalistofitems.

Remove

Removesauserdenedeldfromalistofitems.

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

3.3 USER ACCOUNTS

TheDittoForensicFieldStationemploysauseraccountsystemtocontrolaccesstoitsfeatures.The“Login”

screenpresentsyouwiththeabilitytologinthroughhttp,oryoucanclicktheSecure Login (HTTPS) linkto

loginsecurely.Acceptthecerticateand/orcontinuetothewebsite,evenifyourbrowsertellsyouitdoes

notrecognizeit.

ThedefaultusernameandpasswordfortheAdministratoraccountareboth“admin”.CRUrecommendsthat

youchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanage-

mentpractices.

ClickontheLog Out buttonatthetoprightofthebrowserinterfacetologout.

4 HOME SCREEN

The“Home”screeniswhereyouwillperformmostofyouroperationswiththeDittoForensicFieldStation,andis

thedefaultscreentoloaduponloggingintothebrowserinterface.ClickontheHome tabtoaccessthe“Home”

sceenfromanyotherareaofthebrowserinterface.

4.1 ACTION

The“Action”panelletsyoustart,abort,anddocumentthefollowingactions.The“Start”buttonbeginsthe

action.The“Abort”buttonstopstheactioninprogress.ClicktheComment buttontowriteanotethatwill

beappendedtothelog.ClicktheConﬁgure buttontomodifythedefaultsettingsforeachaction,whichcan

alsobemodiedonthe“Congure”screen(SeeSection5).

Figure 1. The“Home”screen.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

4.1.1 Clone Source Disk

TheDittoForensicFieldStationmakesanexactduplicateofthesourcediskandcanclonetoasingleor

mirroreddestinationdisk.

Whilecloningthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingthe

MD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panel

onthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantlyreduces

performance.

Toclone,followthesesteps:

a. Usingthebrowserinterface,selectClone Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktoclonefromthe“Source”drop-downbox.

c. Selectthedestinationdiskfromthe“Destination”drop-downbox.Toclonetotwodestinationdisksat

thesametime,selecttheMirror option.Destinationdisksdonothavetobethesamephysicalmedia

asthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,twodestinationdisksmustbeattached.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowso

thatitisnotcontinuallyupdated.

Youcanviewtheresultsofthecloneactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs button fromthetopmenubar.

4.1.2 Physical Image Source Disk

TheDittoForensicFieldStationcreatesanE01orDDimageofthesourcediskononeortwodestination

disks.

Whileimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingthe

MD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panel

onthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantlyreduces

performance.

Forthefastestperformance,werecommendutilizinganNTFSlesystemforWindows,HFS+forMac,or

XFSforLinuxmachines.Tocreateaphysicalimage,followthestepsonthenextpage:

Figure 2. The“Action”sectiononthe“Home”screen,showingthe

optionsavailableforthe“CloneSourceDisk”action.

Figure 3.The“Action”sectiononthe“Home”screen,showingthe

optionsavailableforthe“PhysicalImageSourceDisk”action.

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

a. Usingthebrowserinterface,selectPhysical Image Source Disk fromthe“ActiontoPerform”drop-

downbox.

b. Selectthesourcedisktoimagefromthe“Source”drop-downbox.

c. Selectwhichpartition(s)toimagefromthe“Partition”drop-downbox.ChooseAlltoimagetheentire

sourcedisk.

d. Select the destination disk for the image from the“Destination” drop-down box.To image to two

destinationdisksatthesametime,selectthe Mirror option.Destinationsdonothavetobethesame

physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.Aquickwaytoaccomplish

thisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Disk

fromthe“ActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-

tion4.1.5).YoumustalsogototheErase tabonthe“Congure”Screenandmakesurethat“Format

After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the

“Mirror”optionwillnotappear.

e. Selectwhichtypeofphysicalimageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.The image typesavailableareE01orDD.Youcanmodifywhichimagetypeappearsby

defaultinthedrop-downboxonthe“Home”screen’s“SystemSettings”section(seeSection4.3),or

onthe“Congure”screen’s“System”tab(seeSection5.1).

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowso

thatitisnotcontinuallyupdated.

Youcanviewtheresultsoftheimageactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.

4.1.3 Logical Image Source Disk

Logicalimagingallowsaninvestigatortoquicklyscanthecontentsofaharddiskandimageonlytheles

andfoldersrelevanttotheinvestigationintoanL01,ZIP,TAR,orLISTleformat.Datacanbeimagedto

oneortwodestinationdisks.Tocreatealogicalimage,followthesesteps:

a. SelectLogical Image Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktoimagefromthe“Source”drop-downbox,thenchoosewhichpartition(s)to

imagefromthe“Partition”drop-downboxunderneaththe“Source”drop-downbox.Ifyouselect“All”,

partitionswillbeimagedsequentially.

NOTE

Figure 4.The “Action” section on the“Home” screen, showing

theoptionsavailableforthe“LogicalImageSourceDisk”action.

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

c. Selectthedestinationdiskforthelogicalimagefromthe“Destination”drop-downbox,thenchoose

thedestinationdiskpartitionfromthe“Partition”drop-downboxunderneath.Toimagetotwodestina-

tiondisksatthesametime,selecttheMirror option.Destinationdisksdonothavetobethesame

physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.Aquickwaytoaccomplish

thisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Disk

fromthe“ActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-

tion4.1.5).YoumustalsogototheErase tabonthe“Congure”Screenandmakesurethat“Format

After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the

“Mirror”optionwillnotappear.

d. Selectwhichtypeoflogicalimageyouwouldliketocreatefromthe“LogicalImageType”drop-down

box.TheformatoptionsavailableareL01,TAR,ZIP,orLIST.(Youcanmodifywhichlogicalimagetype

appearsbydefaultinthedrop-downboxonthe“Congure”screen’s“System”tab.SeeSection5.1.)

“LogicalImageSourceDisk”actionscreateareportofdirectoriesandleschosenfromthesourcedisk

aswellastheirlesizesandanyerrormessagesencountered.Thisreportcanbeviewedfromwithin

thebrowserinterfaceandcanbeexportedasanExcelspreadsheet.SeeSection7.1.4.

e. SelecttheLogicalImageModefromthe“LogicalImageMode”drop-downbox.Seethelistoflogical

imagemodesattheendofthissubsectionforinformationonwhateachmodedoes.

f. Ifyouchose anyotherLogicalImageMode,click the Start button at the top ofActionsection.A

“Completed”messageboxwillpopupwhentheactionhasnished.Clickonthemessagetocon-

tinue.

Ifyouchose“ManualSelect”,followthesesteps:

i. ClickonSelect Files & Dirs.Adialogboxwillopen.

ii. Usethenavigationtreetoselectthelesandfoldersyouwishtoimage(SeeFigure5).

iii. ClicktheStart button atthebottomofthedialogbox.A“Completed”messageboxwillpopup

whentheactionhasnished.Clickonthemessagetocontinue.

You can view the resultsof the logical image action by scrolling down tothe“SystemLog”panelon

the“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

NOTE

Figure 5.Thelenavigationtree.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

Logical Image Modes

BeginningwiththeSeptember19,2015rmwareupdate,theLogicalImageactioncanautomatically

searchforlesthattthefollowingLogicalImageModes.Theactionwillsearchforspecicleexten-

sionsspeciedbytheLogicalImageMode.Seethenextpageforinformationonspecicletypes.

Logical Image Modes, continued...

• Manual Select: Enablesthe“SelectFiles&Dirs”buttonsothatyoucanmanuallyselectwhich

lestologicallyimage.

• All Files and Dirs: Imagesalllesanddirectories.

• All Except Windows: ImagesalllesanddirectoriesexceptfortheWindowsdirectory.

• All Except Windows and Programs: ImagesalllesanddirectoriesexceptfortheWindows,

ProgramFiles,ProgramFiles(x86),andProgramDatadirectories.

• All Users - Windows: ImagestheWindows“Users”directory.

• All Temporary - Windows: ImagestheWindows/TempandTempdirectories.

• All Except Swap and Hibernate:Imagesalllesanddirectoriesexceptlesnamedhiberl.sys,

pagele.sys,Win386.swp,and386part.par.

• All Media Files: Imagesall.avi,.jpeg,.jpg,.wav,and.movles,aswellasallleswithexten-

sionsbeginningin“.mp”(.mpeg,.mp4,.mp3,etc.)andallleswithextensionsbeginningin“.m4”

(.m4a,.m4v,etc.).

• All Ofﬁce Files: Imagesall.txtand.pdfles,aswellasallleswithextensionsbeginningin“.doc”,

“.xls”,“.ppt”(.doc,.docx,.xlsx,.pptx,etc.).

• All Financial Files:Imagesall.ifx,.ofx,.qfx,.qif,and.taxles.

Youmayalsoaddyourowncustomizedlogicalimagemodestothisdrop-downlist.Todoso,seeSec-

tion11.5.

4.1.4 Clone and Image Source Disk

Thisactionsimultaneouslycreatesacloneofthesourcediskononedestinationdiskandcreatesanimage

onaseconddestinationdisk.Two destination disks are required for this action.

Whilecloningandimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcedisk

usingtheMD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”

panelonthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantly

reducesperformance.

Tosimultaneouslycreateacloneandaphysicalimageofthesourcedisk,followthesesteps:

a. SelectClone & Image Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktocloneandimagefromthe“Source”drop-downbox.

c. Selectthedestinationdiskfortheclonefromthe“CloneDestination”drop-downboxandthedestina-

tiondiskfortheimagefromthe“ImageDestination”drop-downbox.Destinationdisksdonothaveto

bethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

d. Selectthedestinationdiskpartitiononwhichtosavetheimagelefromthe“ImagePartition”drop-

downbox.

e. Selectwhichtypeofphysicalimageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.TheimagetypesavailableareE01orDD.(Youcanmodifywhichimagetypeappearsby

defaultinthedrop-downboxonthe“Congure”screen’s“System”tab.SeeSection5.1.)

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

Youcanviewtheresultsofthecloneandimageactionbyscrollingdowntothe“SystemLog”panelon

the“Home”screen.Findandclickonthelatestlinks,whichwillbedenotedbyalenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

4.1.5 Erase Destination Disk

TheDittoForensicFieldStationerasesthedestinationdiskusingyourpreferredEraseMode.TheErase

ModesavailableareClearPartitionTable,QuickErase,LBA/OffsetPattern,CustomErase,SecureErase

Normal,SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88Clear,andNIST800-88Purge.

Toeraseadisk,followthesesteps:

a. SelectEraseDestinationDiskfromthe“ActiontoPerform”drop-downbox.

b. SelecttheEraseModetousefromthe“EraseMode”drop-downbox.(Youcanmodifywhicherase

modeappearsbydefaultinthedrop-downboxonthe“Congure”screen’s“System”tab.SeeSec-

tion5.1.)

c. Selectthetargetdestinationdisk(s)fromthe“Target”drop-downbox.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

Youcanviewtheresultsoftheerasureactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.

Format After Erase

YoucanconguretheDittoForensicFieldStationtoautomaticallyformatadiskafteryoueraseit.Click

ontheConﬁgure tabtogotothe“Congure”screen.ThenclickontheErase tabmakesurethat

“FormatAfterErase”ischeckedforeachoftheerasemodesonwhichyou’dliketoenablethissetting.

Figure 7.The“Action”sectiononthe“Home”screen,showingthe

optionsavailableforthe“EraseDestinationDisk”action.

Figure 6. The“Action” section on the“Home” screen, showing

theoptionsavailableforthe“Clone&ImageSourceDisk”action.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

4.1.6 Hash Disk

TheDittoForensicFieldStationwillhashanysourceoradestinationdiskusingyourpreferredalgorithm.

HashvaluesaresavedintheSystemLog.Theavailablealgorithmsare“MD5”,“SHA-1”,or“MD5+SHA-1”.

Tohashadisk,followthesesteps:

a. SelectHash Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectyourpreferredhash algorithmfromthe“HashType”drop-downbox. (Youcanmodifywhich

hashalgorithmappearsbydefaultinthedrop-downboxonthe“Congure”screen’s“System”tab.

SeeSection5.1.)

c. Selectthetargetdiskfromthe“Target”drop-downbox.

d. Selectthepartitionyouwanttohashfromthe“Partition”drop-downbox.

e. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

Youcanviewtheresultsofthehashactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.

4.1.7 Snapshot Disk

TheDittoForensicFieldStationprovidesS.M.A.R.T.andhdparminformationforanysourceordestination

diskconnectedtoitself.Nocloneorimagerequestneedstobedone.

Tocreateasnapshotofadisk,followthesesteps:

a. SelectSnapshot Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectthetargetdiskfromthe“Target”drop-downbox.

c. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click

onthemessagetocontinue.

You can view the resultsof the snapshot action byscrolling down to the“System Log” panel onthe

“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/time-

stampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenu

bar.

Scrollto“eSATAExtendedDiskInfo”toseerecordeddata,includingS.M.A.R.T.andhdparminformation.

4.1.8 NetView Scan

NetViewisanetworktoolthatcanbeusedtodiscovermachinesonanetworkandevenprobethemfor

specicservicesthattheymayberunning.Thiscapabilitycanhelpaninvestigatorlocatephysicallyhidden

Figure 9. The“Action”sectiononthe“Home”screen,showingthe

optionsavailableforthe“SnapshotDisk”action.

Figure 8. The“Action” section on the“Home” screen, showing

theoptionsavailableforthe“HashDisk”action.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

computersorquicklydeterminewhetheramachineisactingasadatastoragedevice

thattheDittoForensicFieldStationcanimage.

SeeSection11.1formoreinformationabouttheNetViewScanfeature.

4.2 INVESTIGATION INFO

TheInvestigationInfopanelgroupsrelatedinformationthatmayalsobeusedincreating

customdirectoriesandlenames(seeSection5.8).The“Hide”button allowsyouto

minimizethepanel.

Click the Edit button to enter information about the Investigator, Case Number, Evi-

denceNumber,Description,Notes,Basedirectoryprex,andaBaselenameprexfor

anE01orDDimage.

Eacheld is lteredtoblocknon-printableASCII characters.Anycharacters at thele

systemlevelthatmaynotbesafeforadirectorynameorlenamewillbelteredout

andreplacedwithanunderscore.OnlyprintableASCIIcharactersarecurrentlyallowed

fordirectoryandlenames.Multipleunderscoreswillalsobereducedtoasingleunder-

scorepernamingitem.

TheDittoForensicFieldStationwillgenerateanerrormessageifyouenteranon-print-

able ASCII character or if your message exceeds the 58 character limit. Additionally,

whenthenaldirectoryorlenamethatusesanyoftheseeldsiscreated,anotherlevel

oflteringisapplied.

Usingapostrophes(‘)inthenameeldswillcauseanerrorwhentheleorfolder

nameiscreated.TheyshouldnotbeusedintheInvestigationInfoelds.

4.2.1 User Deﬁned Fields

Clickonthegreen plus sign icontoopenthe“AddUserDenedField”window(see

Figure12).Youmayaddasmanyuserdenedeldsasyouwish.Eachuserdened

eldmusthaveatitle,XMLtag,andvalue.

Thetitle identies the value in the DittoForensic FieldStation’s browser and LCD

interfaces,andtheXMLtagonlyappearsinthecongurationandlogles.

Toremoveauserdenedeld,clickonthegreen minus sign icon.

4.3 SYSTEM SETTINGS

DisplaysthecurrentcongurationsettingsoftheDittoForensicFieldStation.Theseset-

tingsareloadedasthedefaultsettingsfortheactionsyouperforminthe“Action”panel.

The“Hide”buttonallowsyoutominimizethepanel.ClicktheEdit buttontocustomize

thesesettings.SeeSection5.1fordetailsoneachoption.

4.4 CURRENT STATUS

Reportseitheras“Idle”ordisplaysinfoabouttheactionthattheDittoForensicFieldSta-

tioniscurrentlyperforming.

STOP!

Figure 11. The“InvestigationInfo”section.

Figure 13.The“SystemSettings”section.

Figure 14. The“Current Status” section, displaying a

thestatusofaPhysicalImageaction.

Figure 10.The“Action”sectiononthe“Home”screen,

showingtheoptions availablefor the“NetviewScan”

action.

Figure 12. The“AddUserDenedField”window.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

4.5 DISKS

DisplaysinformationabouttheattatcheddisksthatarecurrentlyconnectedtotheDitto

Forensic FieldStation.The“Hide” buttonallowsyoutominimizethepanel.To see the

availablespaceadiskhas,clickthegreen double arrow iconnextinthe“Used”column

header(seeFigure16).Thediskusagewillrefreshandgiveanupdatedamount.

The“TargetMode”buttonallowsyoutopresentthedisksattachedtotheDittoForensic

FieldStationasiSCSIdisksonanetwork.Thisisusefulifyouwishtousethirdpartydata

acquisitiontoolsagainstthediskswithoutcreatinganimage.The“SourceNetwork”and

“SourceDestination”buttonsareusedformountingiSCSIdevicesaswellasNFSand

SMBsharestotheDittoForensicFieldStation.Formoreinformation,seeSection11.

4.5.1 Previewing and Browsing Disks

Tobrowseordownloaddiskdata,ortoselectlesandfoldersforlogicalimaging,

clickonapartition’snumberunderthedisk’s“Partition”columnandthenselectPre-

view(seeFigure17).Thisopensupaleexplorerwindowwhereyoucannavigate

throughthelesandfoldersonthedisk.

Directory Toolbar and Right-Click Context Menu Items

ICON ACTION

CollapseFolderTree

Collapsestheentirefoldertreesothatonlythepreviewedpartition’s

folderisvisible.

Refresh

Refreshesthefoldercontentsinordertogiveupdatedinformation.

Up

Movesuptotheparentfolder.

Back

Movesbacktothepreviouslyviewedfolder.

Folders

Toggleswhetherfoldersaredisplayedinthecontentspanel.

SelectMode

Togglestheabilitytoselectindividuallesforlogicalimaging.

Figure 15. The“Disks”sectiononthe“Home”screen.

Figure 16. Clickingthegreendoublearrowicondisplays

andupdatesamountofspacecurrentlyusedandavail-

able.

Figure 17. Drop-downmenusforadisk(left)andadisk’s

partition(right).

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

Directory Toolbar and Right-Click Context Menu Items, continued...

ICON ACTION

DetailView/ListView

ToggleswhethertheSize,Type,DateCreated,DateModed,andDate

Accessedcolumnsarevisible.

SizeFormat

Changeswhetherlesizesinthe“Size”columnaremeasuredasbytes

orasmegabytes,gigabytes,etc.

View

Openstheselectedle.ImagesandPDFleswillopeninapreview

window.Otherleswillopenadialogboxtodownloadtheletoyour

computer.

Download

Opensadialogboxtodownloadtheselectedletoyourcomputer.

Hash

Opensaninfowindowwiththeselectedle’sname,MD5hash,and

lesizeinbytes.

HexView

OpenstheleintheDittoForensicFieldStation’sbuilt-inhexadecimal

viewer.

Logically Image Data

Tologicallyimagedatausingthe“Preview”window,clickontheSelect Mode buttonandthencheck

theboxnexttoeach le orfolderyouwantto logically image.Whenyouarenished,clickonthe

Stage buttoninthelowerrightcornerofthe“Preview”window.Youwillbetakenbacktothe“Home”

screen.Usethe“Action”controlpanelasdirectedinSection4.1.3.Whenyouclickon“SelectFiles&

Dirs”,youwillbeaskedtoconrmwhethertologicallyimagethelesandfoldersyouhaveselected,

ortoselectnewlesandfolders.

4.5.2 View Hexidecimal Data

Toviewadisk’shexidecimaldata,clickonthedisknameunderthe“Port”columnandthenselectHex-

View. Toviewadiskpartition’shexidecimaldata,clickonthepartition’snumberunderthedisk’s“Parti-

tion”columnandthenselectHexView (seeFigure17).

4.5.3 View Snapshot Data

Toviewadisk’ssnapshotinformation,clickonthedisknameunderthe“Port”columnandthenselect

Snapshot.

4.6 SYSTEM LOG

Shows the actions that the Ditto Forensic FieldStation has performed (see Figure 18).The“Hide” button

allowsyoutominimizethepanel.The“Comment”buttonallowsyoutowriteanotethatisappendedtothe

log.

IfthereisnoSDcardpresentintheSDcardslot,thispaneldisplaysthelogsthathavebeenstoredinvola-

tilememorysincetheDittoForensicFieldStation’slastpowercycle.TheselogsaredeletedwhentheDitto

ForensicFieldStationispowereddown.IfthereisanSDcardpresent,thispaneldisplaysallactionssavedon

theSDCard.

Toviewthelog detailsof aparticularaction,clickonthe linkunderthe“Message”column.whichwillbe

denotedbyalenamewithadate/timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickon

theLogs buttonfromthetopmenubar.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

5 CONFIGURE SCREEN

The“Congure”screenallowsyoutomodifythewaytheDittoForensicFieldStationfunctionstosuityourspe-

cicneeds.ClickontheConﬁgure tabtoaccessthe“Congure”screenfromthebrowserinterface.

5.1 SYSTEM

The“System”taballowsyoutoviewandcustomizethefollowingsettings.Thisinformationisalsodisplayed

inthe“SystemSettings”panelonthe“Home”screen.Whenyouarenished,clicktheCommit Changes

buttontosavethechanges.

• Default Format: Thisisthedefaultlesystemthatwillbeusedtoformatdestinationdiskswhenthey

areusedinactionsthattheDittoForensicFieldStationperforms.

• Physical Image Type: Setsthedefaultphysicalimagetypeforallactionsthatcreateaphysicalimage.

• Logical Image Type: Setsthedefaultlogicalimagetypeforthe“LogicalImageSourceDisk”action.

• Logical Image Mode:SetsthedefaultLogicalImageModeforthe“LogicalImageSourceDisk”action.

• Verify Single: Determineswhether individual destination disk arehashedand compared to the hash

valueofthesourcedisk’shashvalue.

Figure 18. The“Congure”screen,showingthe“System”tab.

Figure 18. The“SystemLogs”sectiononthe“Home”screen.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

• Verify Mirror: Determineswhethermirroreddestinationdisksarehashedandcomparedtothehash

valueofthesourcedisk’shashvalue(s).YoucanchoosetoverifyeSATA-AoreSATA-Bindividually,both

disks,ornone.

• Verify Clone & Image: Determineswhetherclonedandimageddisksarehashedandcomparedtothe

hashvalueofthesourcedisk’shashvalueduringa“Clone&ImageSourceDisk”action.Youcanchoose

toverifytheclone,theimage,both,ornone.

• Log Disk Info: DetermineswhetherS.M.A.R.T.andhdparmdiskinformationisloggedbeforerunningan

action,afterrunninganaction,both,ornotatall.CRUrecommendsthatyoulogdiskinformationbefore

andafteranaction.

• HTML Logging: Logsarealwayssavedin.XMLformat.ThisoptioncausestheDittoForensicFieldSta-

tiontosavelogsinHTMLformataswell.

• DiskView Logging: Logsanyactiontopreviewadiskoractionsperformedwhilepreviewingadisk(i.e.

startingornishingapreviewofadisk,startingornishingaHexViewaction).

• Hash Type: Setsthedefaulthashalgorithmthatwillbeusedfordiskvericationandthe“HashDisk”

action.TheavailablealgorithmsareMD5,SHA-1,orMD5+SHA-1.Notethathashingwhileusingboth

MD5+SHA-1signicantlyreducesperformance.

• Erase Mode: Setsthedefaulterasemodethatwillbeusedforallactionsthatrequireerasingdisks.

• Stealth Mode: Turns off allLEDs and LCDs ontheDitto Forensic FieldStation.The physical“Stealth

Mode”Switchservesthesamepurpose(seeSection1.2).IfStealthModeisenabledfromthebrowser

interface,thephysicalswitchcannotoverrideit.

• LCD/LED Brightness:SetstherelativebrightnessoftheLCDsandLEDsonthefaceoftheDittoForensic

FieldStationonascaleof1to255.

• Audible Buzzer: Thisisaplannedfeaturethatisnotcurrentlyimplemented.Theaudiblebuzzerwillalert

theusertovariousactionsthatoccurwhenusingtheDittoForensicFieldStation.

• Prompt Invest. Info: Opensa“CongureInvestigationInfo”windowaftertheuserhashitthe“Start”

buttoninthe“Action”sectiononthe“Home”screen.ThisallowstheusertocustomizetheInvestigator,

CaseNumber, Evidence Number,Description,Notes,BaseDirectory Name, and the BaseFileName

informationpriortoperformingtherequestedaction.

• LCD Prompt Case: Fiveoptions maybechosentomodifythecasenumberspeciedin the“Investi-

gationInfo”sectionofthe“Home”screen.Thecasenumberisincludedin thelogfortherequested

action.“Disabled”leaves the case numberas it is.“Inc/Dec”allowsyouto manually increment the

casenumberupordownusing the navigationbuttonsonthefaceoftheDitto ForensicFieldStation.

“AutoInc” automatically increments the case number, and “AutoInc/Pause” automatically increments

thecasenumber,butdisplaysaconrmationprompttheLCDscreenbeforebeginningtherequested

action.TheseoptionsrequireanumbertobepresentontheendoftheCaseNumberspeciedinthe

“InvestigationInfo”section.

• LCD Prompt Evidence: Fiveoptionsmaybechosentomodifytheevidencenumberspeciedinthe

“InvestigationInfo”sectionofthe“Home”screen.Theevidencenumberisincludedinthelogforthe

requested action.“Disabled”leaves the evidencenumber as itis.“Inc/Dec”allowsyoutomanually

incrementtheevidencenumberupordownusingthenavigationbuttonsonthefaceoftheDittoForensic

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

FieldStation.“AutoInc”automaticallyincrementstheevidencenumber,and“AutoInc/Pause”automati-

callyincrementstheevidencenumber,butdisplaysaconrmationprompttheLCDscreenbeforebegin-

ningtherequestedaction.TheseoptionsrequireanumbertobepresentontheendoftheEvidence

Numberspeciedinthe“InvestigationInfo”section.

• Quick Start: Enablesthe“QuickStart”screenontheLCDthatappearsafteryoubootorreboottheDitto

ForensicFieldStation.Thesettingsforthismodemaybemodiedinthe“QuickStart”tab.SeeSection

5.9.

5.2 NETWORK

The“Network”taballowsyoutoviewandcustomizethefollowingsettings.Ifyouareunsureorhaveques-

tionsaboutchangingyournetworksettings,contactyournetworkadministrator.Whenyouarenished,click

theCommit Changes buttontosavethechanges.

5.2.1 Host Name

AllowsyoutochangewhatnamefortheDittoForensicFieldStationwillbedisplayedonanetwork.Host

namesarenotcasesensitive,butmustbeginwithanyletter“A-Z”.TheycancontainthethelettersA-Z,

numbers0-9,underscore“_”,anddash“-”characters.Hostnamesmustalsobelimitedto64characters.

Figure 20. The“Network”tabonthe“Congure”screen,showingthe“Source”,“Destination”,and“Wi”

networksettings.The“WiNetwork”sectiononlyappearswhenaUSBwirelessnetworkadapterhasbeen

pluggedin.

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

5.2.2 Source Network

The“SourceNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsIPassign-

mentmethod.Youcanchooseeither“DHCP(AutoCong)”or“StaticIP(ManualSettings)”fromthetop

drop-downbox.

The“RemoteAccessibility”drop-downboxallowsyoutochoosewhetherornottheDittoForensicField-

StationrespondstoanynetworktrafcviathesourceEthernetport.

5.2.3 Destination Network

The“DestinationNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsnet-

workingmode.Youcanchooseeither“Server”,“Client(DHCP)”,or“Client(StaticIP)”fromthedrop-down

box.

Server

“Server”allowsyoutoconguretheDittoForensicFieldStationforuseasaserver.Thiscanbehelpful

ifyouareconnectinganiSCSIdevicetothedestinationEthernetport,forexample(seeSection11.3.2),

or you are connecting Ditto directly to your computer instead of through your ofcenetwork.The

defaultsettingsbelowwillworkformostenvironments.Thisisanadvancedoption,sodonotcus-

tomizethedefaultservercongurationbelowunlessdirectedtodosobyyournetworkadministrator.

IP Address: 10.10.10.1

Subnet Mask: 255.255.255.0

DHCP Server: Enabled

DHCP Start Address: 10.10.10.100

DHCP End Address: 10.10.10.199

DNS Server: Enabled

DNS Domain Name: ditto.local

NTP Server: Enabled

NAT Gateway: Disabled

DonotconnecttheDittoForensicFieldStationtoanothernetworkwhileitisconguredasaserver.

Doingsowillcausenetworkconictsandmaydisruptnetworktrafc.

Client (DHCP)

ThisoptionautomaticallyconguresthedestinationEthernetporttoconnecttotheattachednetwork.

Client (Static IP)

ThisoptionallowsyoutomanuallycongurethedestinationEthernetporttoconnecttotheattached

network.

5.2.4 Wiﬁ Network

The“WiNetwork”sectionallowsyoutocongureathirdpartyUSBwinetworkadapterthat’sbeen

pluggedintothe“SouceInputs”USBport.Italsodisplaysthatport’s MACAddress.Adapterswithan

AtheroschipsetandsomeadapterswithRealtekchipsetsarecompatible.

TheDitto Forensic FieldStation canhandlemultipleUSBdevicesthroughaUSBhubattachedtothe

USBportonthe“SourceInputs”sideoftheForensicFieldStation.

STOP!

NOTE

Protecting Your Digital Assets

Ditto Forensic FieldStation User Manual

“WiMode”allowsyoutodeterminewhethertheDittoForensicFieldStationconnectstoawinetwork

oractsasawihotspotitself.HotSpotModeishelpfulifyouareworkinginaseparatelocationfrom

theDittoForensicFieldStationthatisstillwithinrangeofawirelessnetwork,orifthereisnohardwired

networkavailableinthelocation.

Choose“Client Mode” to connectto an existing wi networkor“Hot SpotMode” tomaketheDitto

ForensicFieldStationintoawihotspot.

Client Mode

Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtoconnecttothespeciedwire-

lessnetworkautomatically.

Toselecttheclientmode’snetworkingmode,youcanchooseeither“Client(DHCP)”or“Client(Static

IP)fromthedrop-downboxunderneaththeMACAddress.“Client(DHCP)”automaticallycongures

theUSBwinetworkadaptertoconnecttoawinetwork.“Client(StaticIP)”allowsyoutomanually

conguretheconnection.

Hot Spot Mode

Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtobeginbroadcastingasahot

spotautomaticallywheneverawiadapterispluggedin.

Thedefaultsettingsbelowwillworkformostenvironments,withseveralexceptions.

InputyourownkeytoensurethatyourDittoForensicFieldStationremainssecure.

Youmay berequiredtoconformtoyourcountry’slawsand regulationsregardingwirelessradio fre-

quencyusage.Selectyourtwo-digitcountrycodefromthe“RegulatoryDomain”dropdownlist,and

theDittoForensicFieldStationwilllimitthefrequenciesitmaybroadcastontoonlythoseintheper-

mittedrange(s).

DonotconnecttheDittoForensicFieldStationtoawirednetworkwhileitisconguredasahotspot.

Doingsowillcausenetworkconictsandmaydisruptnetworktrafc.

SSID: {HostName}-wi

Regulatory Domain: Global

Band: G-2.4GHz

Channel: Auto

Broadcast: Checked

Security: WPA2Personal

Key: ditto123

Show Key: Unchecked

IP Address: 10.10.10.1

Subnet Mask: 255.255.255.0

DHCP Server: Enabled

DHCP Start Address: 10.10.20.100

DHCP End Address: 10.10.20.199

Moresettingsareavailableonthenextpage.

STOP!

Page is loading ...

WiebeTech Ditto Forensic FieldStation User manual

WiebeTech Ditto Forensic FieldStation User manual

WiebeTech Ditto Forensic FieldStation User manual

Related papers

Other documents