WiebeTech Ditto Forensic FieldStation User manual

Protecting Your Digital Assets
TM
Ditto Forensic FieldStation
User Manual
Features
• Sourceinputs(write-blocked)–eSATA(SATA),PATA,USB2.0,PCIex1expansionport,
andgigabitnetwork(NFS,iSCSI,SMB)
• Destinationoutputs–DualeSATA(SATA)portstostoreacquireddataononeortwo
disks,SDcard,orgigabitnetwork(iSCSI,NFS,SMB)
• Data acquisition modes – physical image DD, physical image E01 with empty block
compression,logicalimageL01,clone,andsimultaneousclone&image.
• Hashtypes-MD5,SHA-1,MD5+SHA-1
• Remoteusage–Performoperationsusingthewebbrowserinterfacefromanyremote
networkedlocationintheworld
• SystemcongurationmanagementviafrontpanelLCDorwebbrowserinterface
• Userprolescanbepasswordprotectedandassignedspecicpermissionlevels
• Data log captures a complete history of data acquisitions and can be managed and
printedfromwebbrowserorextractedtoauser-specicdocument
• StealthModeavailableforusewithnightvisiongoggles(notincluded)
TABLE OF CONTENTS
1Pre-InstallationSteps 2
2Setup 3
3BrowserInterface 3
3.1AccessingtheBrowserInterface 3
3.2IconsUsedintheBrowserInterface 5
3.3UserAccounts 6
4HomeScreen 6
4.1Action 6
4.1.1CloneSourceDisk 7
4.1.2PhysicalImageSourceDisk 7
4.1.3LogicalImageSourceDisk 8
4.1.4CloneandImageSourceDisk 10
4.1.5EraseDestinationDisk 11
4.1.6HashDisk 12
4.1.7SnapshotDisk 12
4.1.8NetViewScan 12
4.2InvestigationInfo 13
4.3SystemSettings 13
4.4CurrentStatus 13
4.5Disks 14
4.6SystemLog 15
5CongureScreen 16
6AdminScreen 27
6.1UserAccounts 27
6.2PermissionLevels 27
6.3AddingaNewUser 28
6.4EditinganExistingUser 28
6.5DeletingaUser 28
7LogsScreen 28
8UtilitiesScreen 29
9UsingtheFrontPanelInterfaceinStandaloneMode 31
10StealthMode 35
11AdvancedFeaturesandFunctions 36
11.1NetviewScan 36
11.2TargetMode:RemotelyAccessDisksAttachedtothe
DittoForensicFieldStationwithThirdPartySoftware
38
11.3UsingiSCSIDevices 39
11.4UsingNFSandSMB(Samba)Shares 42
11.5AddingaNewLogicalImageMode 42
12UpgradingFirmware 43
13TechnicalSpecications 45
1 PRE-INSTALLATION STEPS
1.1 PACKAGE CONTENTS
Thefollowing list containstheitems that are included in the
completecongurationforthisdevice.PleasecontactCRUif
anyitemsaremissingordamaged:
DittoForensicFieldStationUnit 1
UnitizedSAS-to-eSATA+Mini-Fitpowercable 3
IDEcable 1
12Vpowersupply 1
Powercord 1
Legacypower-to-Mini-Fitcable 1
Ethernetcable(RJ45) 1
2.5”IDE-to-3.5”IDEandMini-Fitcable 1
Poweradapter,legacy-to-SATA 1
Velcrocablewrap 6
eSATAcable 2
SDcard(pre-installed) 1
QuickStartGuide 1
1.2 IDENTIFYING PARTS
TakeamomenttofamiliarizeyourselfwiththepartsoftheDitto
Forensic FieldStation.Thiswillhelpyoutobetter understand
thefollowinginstructions.
TOP OF UNIT
PowerAvailableLEDs
LCDMenu
SourceLEDs
DestinationLEDs
NavigationButtonsforLCDMenu
2 SETUP
Plugthe“suspect”disksordevicesintotheSource Inputssideof
theDittoForensicFieldStation.Allsourceinputsarewrite-blocked
topreventalteration.ThesourceinputsincludeaUSB2.0connec-
tionforUSBdevices,anRJ45gigabitEthernetconnection,anIDE/
PATAdiskconnection,andaneSATAconnectionforSATAdisksor
aneSATAdevice.Theexpansionmoduleconnectionisusedwith
theSAS,USB3.0,andotherDittoForensicFieldStationexpansion
modules.
UsetheDestination OutputssideoftheDittoForensicFieldSta-
tion to store acquired data.The destination output connections
includetwoeSATAconnectionsforSATAdisksoreSATAdevices
andanRJ45gigabitEthernetconnection.
TherearoftheDittoForensicFieldStationhasanSDcardslotand
two powering options: a 12V input for the power supply, and a
SATApowerconnection.Therearalsohasahookforhangingthe
unitinsidethecomputercaseorworkstation.
CRU recommends that you switchthe power off to
theDittowhenyouaddorremoveadevicefromitin
ordertoavoiddiskdamageanddatacorruption.
3 BROWSER INTERFACE
The Ditto Forensic FieldStation can be congured and operated
either from the Front Panel (see Section 9) or through a web
browser.
3.1 ACCESSING THE BROWSER INTERFACE
3.1.1 Accessing Via A Network
a. Plug an Ethernet cable into the Ethernet port on the
“SourceInputs”sideoftheDittoForensicFieldStation.
b. Connect the other end of the Ethernet cable to your
network.Thisusuallymeanspluggingitintoarouteror
hub.Inanofceenvironment,youmayhaveanetwork
jackbuiltintoyourofcewall.
c. Connect the power cable to the rear of the Ditto
Forensic FieldStation and to the providedAC adapter
ortoSATApower.
d. Turn on the Ditto Forensic FieldStations power using
theswitchontherearpanel.(0=off,1=on)
SOURCE INPUTS (all inputs are write-blocked)
• RJ45 Gigabit Ethernet Connection
• 4-pin Mini-Fit Power Connection (DC Power Output)
• IDE/PATA Connection
• USB 2.0 Type A Connection
• Expansion Module Connection
• eSATA Connection
DESTINATION OUTPUTS
• eSATA Connections
• RJ45 Gigabit Ethernet Connection
• Stealth Mode Switch
• 4-pin Mini-Fit Power Connections (DC Power Output)
REAR OF THE UNIT
• Hanging Hook
• Power Switch (0 = off, 1 = on)
• SD Card Slot
• SATA Power Connection
• Power Input for AC Supply
e. Type the Ditto Forensic FieldStations source IP address into your web browser. If you know the
address,godowntothelaststepofthissection.Ifyoudonotknowtheaddress,continuetothenext
step.
f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”
menu.ThenpressEnter.
Settings
View/Edit>
g. PresstheUporDownnavigationbuttonsuntilyoureachthe“SourceIPAddress”screen.
h. TypetheIPaddressshownintoyourwebbrowser.
SourceIPAddress:
10.xxx.xxx.xxx
TheDittoForensicFieldStationis conguredbydefaulttouseDHCPfor IPassignment.Ifyouneed
tochangetoastaticIPaddress,checkwithyournetworkadministratorandseeSection3.3.2ofthis
manual.
i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare
bothadmin”).
CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividual
usersasbestdatamanagementpractices.
Youarenowreadytousethebrowserinterfacetoconguresettingsandpreview,image,orcloneattached
disks.
3.1.2 Accessing Via Direct Connection to Your Computer
a. PluganEthernetcableintotheEthernetportonthe“DestinationOutputs”sideoftheDittoForensic
FieldStation.
b. ConnecttheotherendoftheEthernetcabletoyourcomputer’sEthernetport.
ThedestinationEthernetportcanbeconguredtoactasaserver.AttachingaDittoForensicFieldSta-
tionactingasaservertoanexistingnetworkthroughthedestinationEthernetportwillcausenetwork
conicts.Thereforeitis importantto attachtheDittoForensicFieldStationdirectlytoyourcomputer
instead.TochangethissettingsothattheDittoForensicFieldStationnolongeractsasaserver,see
Section5.2.3.
c. ConnectthepowercabletotherearoftheDittoForensicFieldStationandtotheprovidedACadapter
ortoSATApower.
d. TurnontheDittoForensicFieldStationspowerusingtheswitchontherearpanel.(0=off,1=on)
e. Type the DittoForensic FieldStationsdestinationIP address into yourwebbrowser.Thedefault IP
addressforthedestinationEthernetportis10.10.10.1.Ifyouhavechangedtheaddressanddonot
rememberit,continuetothenextstep.Otherwise,godowntothelaststepofthissection.
f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”
menu.ThenpressEnter.
Settings
View/Edit>
g. PresstheUporDownnavigationbuttonsuntilyoureachthe“Dest.IPAddress”screen.
h. TypetheIPaddressshownintoyourwebbrowser.
Dest.IPAddress:
10.xxx.xxx.xxx
i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare
bothadmin”).
CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividual
usersasbestdatamanagementpractices.
Youarenowreadytousethebrowserinterfacetoconguresettingsandpreview,image,orcloneattached
disks.
3.2 ICONS USED IN THE BROWSER INTERFACE
Thebrowserinterfaceusesseveraliconsthatmaybeclickedontoperformcertainactions.
ICON ACTION
Information
Opensawindowwithabriefdescriptionofthesettingtheinformationiconappearsnext
to.
Refresh
Refreshestheeldthattheiconappearsnexttoinordertogiveupdatedinformation.
Reset
LoadsthedefaultsforthesettingthattheRefreshiconappearsnextto.
Add
Addsauserdenedeldtoalistofitems.
Remove
Removesauserdenedeldfromalistofitems.
3.3 USER ACCOUNTS
TheDittoForensicFieldStationemploysauseraccountsystemtocontrolaccesstoitsfeatures.The“Login”
screenpresentsyouwiththeabilitytologinthroughhttp,oryoucanclicktheSecure Login (HTTPS) linkto
loginsecurely.Acceptthecerticateand/orcontinuetothewebsite,evenifyourbrowsertellsyouitdoes
notrecognizeit.
ThedefaultusernameandpasswordfortheAdministratoraccountarebothadmin.CRUrecommendsthat
youchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanage-
mentpractices.
ClickontheLog Out buttonatthetoprightofthebrowserinterfacetologout.
4 HOME SCREEN
The“Home”screeniswhereyouwillperformmostofyouroperationswiththeDittoForensicFieldStation,andis
thedefaultscreentoloaduponloggingintothebrowserinterface.ClickontheHome tabtoaccessthe“Home”
sceenfromanyotherareaofthebrowserinterface.
4.1 ACTION
The“Action”panelletsyoustart,abort,anddocumentthefollowingactions.The“Start”buttonbeginsthe
action.The“Abort”buttonstopstheactioninprogress.ClicktheComment buttontowriteanotethatwill
beappendedtothelog.ClicktheConfigure buttontomodifythedefaultsettingsforeachaction,whichcan
alsobemodiedonthe“Congure”screen(SeeSection5).
Figure 1. The“Home”screen.
4.1.1 Clone Source Disk
TheDittoForensicFieldStationmakesanexactduplicateofthesourcediskandcanclonetoasingleor
mirroreddestinationdisk.
Whilecloningthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingthe
MD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panel
onthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantlyreduces
performance.
Toclone,followthesesteps:
a. Usingthebrowserinterface,selectClone Source DiskfromtheActiontoPerform”drop-downbox.
b. Selectthesourcedisktoclonefromthe“Source”drop-downbox.
c. Selectthedestinationdiskfromthe“Destination”drop-downbox.Toclonetotwodestinationdisksat
thesametime,selecttheMirror option.Destinationdisksdonothavetobethesamephysicalmedia
asthesourcedisk,buteachmustbelargerthanthesourcedisk.
FortheMirrorfeaturetobeshown,twodestinationdisksmustbeattached.
d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowso
thatitisnotcontinuallyupdated.
Youcanviewtheresultsofthecloneactionbyscrollingdowntothe“SystemLog”panelonthe“Home”
screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:
“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs button fromthetopmenubar.
4.1.2 Physical Image Source Disk
TheDittoForensicFieldStationcreatesanE01orDDimageofthesourcediskononeortwodestination
disks.
Whileimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingthe
MD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panel
onthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantlyreduces
performance.
Forthefastestperformance,werecommendutilizinganNTFSlesystemforWindows,HFS+forMac,or
XFSforLinuxmachines.Tocreateaphysicalimage,followthestepsonthenextpage:
Figure 2. TheAction”sectiononthe“Home”screen,showingthe
optionsavailableforthe“CloneSourceDisk”action.
Figure 3.TheAction”sectiononthe“Home”screen,showingthe
optionsavailableforthe“PhysicalImageSourceDisk”action.
a. Usingthebrowserinterface,selectPhysical Image Source Disk fromthe“ActiontoPerform”drop-
downbox.
b. Selectthesourcedisktoimagefromthe“Source”drop-downbox.
c. Selectwhichpartition(s)toimagefromthe“Partition”drop-downbox.ChooseAlltoimagetheentire
sourcedisk.
d. Select the destination disk for the image from the“Destination” drop-down box.To image to two
destinationdisksatthesametime,selectthe Mirror option.Destinationsdonothavetobethesame
physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.
FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.Aquickwaytoaccomplish
thisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Disk
fromtheActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-
tion4.1.5).YoumustalsogototheErase tabonthe“Congure”Screenandmakesurethat“Format
After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the
“Mirror”optionwillnotappear.
e. Selectwhichtypeofphysicalimageyouwouldliketocreatefromthe“PhysicalImageType”drop-
downbox.The image typesavailableareE01orDD.Youcanmodifywhichimagetypeappearsby
defaultinthedrop-downboxonthe“Home”screens“SystemSettings”section(seeSection4.3),or
onthe“Congure”screens“System”tab(seeSection5.1).
f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowso
thatitisnotcontinuallyupdated.
Youcanviewtheresultsoftheimageactionbyscrollingdowntothe“SystemLog”panelonthe“Home”
screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:
“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.
4.1.3 Logical Image Source Disk
Logicalimagingallowsaninvestigatortoquicklyscanthecontentsofaharddiskandimageonlytheles
andfoldersrelevanttotheinvestigationintoanL01,ZIP,TAR,orLISTleformat.Datacanbeimagedto
oneortwodestinationdisks.Tocreatealogicalimage,followthesesteps:
a. SelectLogical Image Source Diskfromthe“ActiontoPerform”drop-downbox.
b. Selectthesourcedisktoimagefromthe“Source”drop-downbox,thenchoosewhichpartition(s)to
imagefromthe“Partition”drop-downboxunderneaththe“Source”drop-downbox.IfyouselectAll”,
partitionswillbeimagedsequentially.
Figure 4. The “Action” section on the “Home” screen, showing the options available for the “Logical Image Source Disk” action.
c. Selectthedestinationdiskforthelogicalimagefromthe“Destination”drop-downbox,thenchoose
thedestinationdiskpartitionfromthe“Partition”drop-downboxunderneath.Toimagetotwodestina-
tiondisksatthesametime,selecttheMirror option.Destinationdisksdonothavetobethesame
physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.
FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.Aquickwaytoaccomplish
thisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Disk
fromtheActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-
tion4.1.5).YoumustalsogototheErase tabonthe“Congure”Screenandmakesurethat“Format
After Erase” is unchecked (see Section 5.6), because if a destination disk has a partition on it, the
“Mirror”optionwillnotappear.
d. Selectwhichtypeoflogicalimageyouwouldliketocreatefromthe“LogicalImageType”drop-down
box.TheformatoptionsavailableareL01,TAR,ZIP,orLIST.(Youcanmodifywhichlogicalimagetype
appearsbydefaultinthedrop-downboxonthe“Congure”screens“System”tab.SeeSection5.1.)
“LogicalImageSourceDisk”actionscreateareportofdirectoriesandleschosenfromthesourcedisk
aswellastheirlesizesandanyerrormessagesencountered.Thisreportcanbeviewedfromwithin
thebrowserinterfaceandcanbeexportedasanExcelspreadsheet.SeeSection7.1.4.
e. SelecttheLogicalImageModefromthe“LogicalImageMode”drop-downbox.Seethelistoflogical
imagemodesattheendofthissubsectionforinformationonwhateachmodedoes.
f. Ifyouchose anyotherLogicalImageMode,click the Start button at the top ofActionsection.A
“Completed”messageboxwillpopupwhentheactionhasnished.Clickonthemessagetocon-
tinue.
Ifyouchose“ManualSelect”,followthesesteps:
i. ClickonSelect Files & Dirs.Adialogboxwillopen.
ii. Usethenavigationtreetoselectthelesandfoldersyouwishtoimage(SeeFigure5).
iii. ClicktheStart button atthebottomofthedialogbox.A“Completed”messageboxwillpopup
whentheactionhasnished.Clickonthemessagetocontinue.
You can view the resultsof the logical image action by scrolling down tothe“SystemLog”panelon
the“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/
timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop
menubar.
Figure 5. The file navigation tree.
Logical Image Modes
BeginningwiththeSeptember19,2015rmwareupdate,theLogicalImageactioncanautomatically
searchforlesthattthefollowingLogicalImageModes.Theactionwillsearchforspecicleexten-
sionsspeciedbytheLogicalImageMode.Seethenextpageforinformationonspecicletypes.
Logical Image Modes, continued...
• Manual Select: Enablesthe“SelectFiles&Dirs”buttonsothatyoucanmanuallyselectwhich
lestologicallyimage.
• All Files and Dirs: Imagesalllesanddirectories.
• All Except Windows: ImagesalllesanddirectoriesexceptfortheWindowsdirectory.
• All Except Windows and Programs: ImagesalllesanddirectoriesexceptfortheWindows,
ProgramFiles,ProgramFiles(x86),andProgramDatadirectories.
• All Users - Windows: ImagestheWindows“Users”directory.
• All Temporary - Windows: ImagestheWindows/TempandTempdirectories.
• All Except Swap and Hibernate:Imagesalllesanddirectoriesexceptlesnamedhiberl.sys,
pagele.sys,Win386.swp,and386part.par.
• All Media Files: Imagesall.avi,.jpeg,.jpg,.wav,and.movles,aswellasallleswithexten-
sionsbeginningin.mp”(.mpeg,.mp4,.mp3,etc.)andallleswithextensionsbeginningin.m4”
(.m4a,.m4v,etc.).
• All Office Files: Imagesall.txtand.pdfles,aswellasallleswithextensionsbeginningin.doc”,
.xls”,.ppt”(.doc,.docx,.xlsx,.pptx,etc.).
• All Financial Files:Imagesall.ifx,.ofx,.qfx,.qif,and.taxles.
Youmayalsoaddyourowncustomizedlogicalimagemodestothisdrop-downlist.Todoso,seeSec-
tion11.5.
4.1.4 Clone and Image Source Disk
Thisactionsimultaneouslycreatesacloneofthesourcediskononedestinationdiskandcreatesanimage
onaseconddestinationdisk.Two destination disks are required for this action.
Whilecloningandimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcedisk
usingtheMD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”
panelonthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1signicantly
reducesperformance.
Tosimultaneouslycreateacloneandaphysicalimageofthesourcedisk,followthesesteps:
a. SelectClone & Image Source Diskfromthe“ActiontoPerform”drop-downbox.
b. Selectthesourcedisktocloneandimagefromthe“Source”drop-downbox.
c. Selectthedestinationdiskfortheclonefromthe“CloneDestination”drop-downboxandthedestina-
tiondiskfortheimagefromthe“ImageDestination”drop-downbox.Destinationdisksdonothaveto
bethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.
d. Selectthedestinationdiskpartitiononwhichtosavetheimagelefromthe“ImagePartition”drop-
downbox.
e. Selectwhichtypeofphysicalimageyouwouldliketocreatefromthe“PhysicalImageType”drop-
downbox.TheimagetypesavailableareE01orDD.(Youcanmodifywhichimagetypeappearsby
defaultinthedrop-downboxonthe“Congure”screens“System”tab.SeeSection5.1.)
f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
Youcanviewtheresultsofthecloneandimageactionbyscrollingdowntothe“SystemLog”panelon
the“Home”screen.Findandclickonthelatestlinks,whichwillbedenotedbyalenamewithadate/
timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop
menubar.
4.1.5 Erase Destination Disk
TheDittoForensicFieldStationerasesthedestinationdiskusingyourpreferredEraseMode.TheErase
ModesavailableareClearPartitionTable,QuickErase,LBA/OffsetPattern,CustomErase,SecureErase
Normal,SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88Clear,andNIST800-88Purge.
Toeraseadisk,followthesesteps:
a. SelectEraseDestinationDiskfromtheActiontoPerform”drop-downbox.
b. SelecttheEraseModetousefromthe“EraseMode”drop-downbox.(Youcanmodifywhicherase
modeappearsbydefaultinthedrop-downboxonthe“Congure”screens“System”tab.SeeSec-
tion5.1.)
c. Selectthetargetdestinationdisk(s)fromthe“Target”drop-downbox.
d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
Youcanviewtheresultsoftheerasureactionbyscrollingdowntothe“SystemLog”panelonthe“Home”
screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:
“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.
Format After Erase
YoucanconguretheDittoForensicFieldStationtoautomaticallyformatadiskafteryoueraseit.Click
ontheConfigure tabtogotothe“Congure”screen.ThenclickontheErase tabmakesurethat
“FormatAfterErase”ischeckedforeachoftheerasemodesonwhichyou’dliketoenablethissetting.
Figure 7.TheAction”sectiononthe“Home”screen,showingthe
optionsavailableforthe“EraseDestinationDisk”action.
Figure 6. TheAction” section on the“Home” screen, showing
theoptionsavailableforthe“Clone&ImageSourceDisk”action.
4.1.6 Hash Disk
TheDittoForensicFieldStationwillhashanysourceoradestinationdiskusingyourpreferredalgorithm.
HashvaluesaresavedintheSystemLog.Theavailablealgorithmsare“MD5”,“SHA-1”,or“MD5+SHA-1”.
Tohashadisk,followthesesteps:
a. SelectHash Disk fromtheActiontoPerform”drop-downbox.
b. Selectyourpreferredhash algorithmfromthe“HashType”drop-downbox. (Youcanmodifywhich
hashalgorithmappearsbydefaultinthedrop-downboxonthe“Congure”screens“System”tab.
SeeSection5.1.)
c. Selectthetargetdiskfromthe“Target”drop-downbox.
d. Selectthepartitionyouwanttohashfromthe“Partition”drop-downbox.
e. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
Youcanviewtheresultsofthehashactionbyscrollingdowntothe“SystemLog”panelonthe“Home”
screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/timestampformat:
“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.
4.1.7 Snapshot Disk
TheDittoForensicFieldStationprovidesS.M.A.R.T.andhdparminformationforanysourceordestination
diskconnectedtoitself.Nocloneorimagerequestneedstobedone.
Tocreateasnapshotofadisk,followthesesteps:
a. SelectSnapshot Disk fromtheActiontoPerform”drop-downbox.
b. Selectthetargetdiskfromthe“Target”drop-downbox.
c. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasnished.Click
onthemessagetocontinue.
You can view the resultsof the snapshot action byscrolling down to the“System Log” panel onthe
“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyalenamewithadate/time-
stampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenu
bar.
ScrolltoeSATAExtendedDiskInfo”toseerecordeddata,includingS.M.A.R.T.andhdparminformation.
4.1.8 NetView Scan
NetViewisanetworktoolthatcanbeusedtodiscovermachinesonanetworkandevenprobethemfor
specicservicesthattheymayberunning.Thiscapabilitycanhelpaninvestigatorlocatephysicallyhidden
Figure 9. TheAction”sectiononthe“Home”screen,showingthe
optionsavailableforthe“SnapshotDisk”action.
Figure 8. TheAction” section on the“Home” screen, showing
theoptionsavailableforthe“HashDisk”action.
13
Protecting Your Digital Assets
TM
Ditto Forensic FieldStation User Manual
computersorquicklydeterminewhetheramachineisactingasadatastoragedevice
thattheDittoForensicFieldStationcanimage.
SeeSection11.1formoreinformationabouttheNetViewScanfeature.
4.2 INVESTIGATION INFO
TheInvestigationInfopanelgroupsrelatedinformationthatmayalsobeusedincreating
customdirectoriesandlenames(seeSection5.8).The“Hide”button allowsyouto
minimizethepanel.
Click the Edit button to enter information about the Investigator, Case Number, Evi-
denceNumber,Description,Notes,Basedirectoryprex,andaBaselenameprexfor
anE01orDDimage.
Eacheld is lteredtoblocknon-printableASCII characters.Anycharacters at thele
systemlevelthatmaynotbesafeforadirectorynameorlenamewillbelteredout
andreplacedwithanunderscore.OnlyprintableASCIIcharactersarecurrentlyallowed
fordirectoryandlenames.Multipleunderscoreswillalsobereducedtoasingleunder-
scorepernamingitem.
TheDittoForensicFieldStationwillgenerateanerrormessageifyouenteranon-print-
able ASCII character or if your message exceeds the 58 character limit. Additionally,
whenthenaldirectoryorlenamethatusesanyoftheseeldsiscreated,anotherlevel
oflteringisapplied.
Usingapostrophes(‘)inthenameeldswillcauseanerrorwhentheleorfolder
nameiscreated.TheyshouldnotbeusedintheInvestigationInfoelds.
4.2.1 User Defined Fields
Clickonthegreen plus sign icontoopentheAddUserDenedField”window(see
Figure12).Youmayaddasmanyuserdenedeldsasyouwish.Eachuserdened
eldmusthaveatitle,XMLtag,andvalue.
Thetitle identies the value in the DittoForensic FieldStations browser and LCD
interfaces,andtheXMLtagonlyappearsinthecongurationandlogles.
Toremoveauserdenedeld,clickonthegreen minus sign icon.
4.3 SYSTEM SETTINGS
DisplaysthecurrentcongurationsettingsoftheDittoForensicFieldStation.Theseset-
tingsareloadedasthedefaultsettingsfortheactionsyouperformintheAction”panel.
The“Hide”buttonallowsyoutominimizethepanel.ClicktheEdit buttontocustomize
thesesettings.SeeSection5.1fordetailsoneachoption.
4.4 CURRENT STATUS
Reportseitheras“Idle”ordisplaysinfoabouttheactionthattheDittoForensicFieldSta-
tioniscurrentlyperforming.
STOP!
Figure 11. The“InvestigationInfo”section.
Figure 13.The“SystemSettings”section.
Figure 14. The“Current Status” section, displaying a
thestatusofaPhysicalImageaction.
Figure 10.TheAction”sectiononthe“Home”screen,
showingtheoptions availablefor the“NetviewScan”
action.
Figure 12. TheAddUserDenedField”window.
4.5 DISKS
DisplaysinformationabouttheattatcheddisksthatarecurrentlyconnectedtotheDitto
Forensic FieldStation.The“Hide” buttonallowsyoutominimizethepanel.To see the
availablespaceadiskhas,clickthegreen double arrow iconnextinthe“Used”column
header(seeFigure16).Thediskusagewillrefreshandgiveanupdatedamount.
The“TargetMode”buttonallowsyoutopresentthedisksattachedtotheDittoForensic
FieldStationasiSCSIdisksonanetwork.Thisisusefulifyouwishtousethirdpartydata
acquisitiontoolsagainstthediskswithoutcreatinganimage.The“SourceNetwork”and
“SourceDestination”buttonsareusedformountingiSCSIdevicesaswellasNFSand
SMBsharestotheDittoForensicFieldStation.Formoreinformation,seeSection11.
4.5.1 Previewing and Browsing Disks
Tobrowseordownloaddiskdata,ortoselectlesandfoldersforlogicalimaging,
clickonapartitionsnumberunderthedisk’s“Partition”columnandthenselectPre-
view(seeFigure17).Thisopensupaleexplorerwindowwhereyoucannavigate
throughthelesandfoldersonthedisk.
Directory Toolbar and Right-Click Context Menu Items
• Collapse Folder Tree: Collapses the entire folder tree so that only the previewed partition’s
folder is visible.
• Refresh: Refreshes the folder contents in order to give updated information.
• Up: Moves up to the parent folder.
• Back: Moves back to the previously viewed folder.
• Folders: Toggles whether folders are displayed in the contents panel.
• Select Mode: Toggles the ability to select individual files for logical imaging.
Figure 15. The “Disks” section on the “Home” screen.
Figure 16. Clicking the green double arrow icon displays and updates the amount of space currently used and available.
Figure 17. Drop-down menus for a disk (left) and a disk’s partition (right).
DetailView/ListView
ToggleswhethertheSize,Type,DateCreated,DateModed,andDate
Accessedcolumnsarevisible.
SizeFormat
Changeswhetherlesizesinthe“Size”columnaremeasuredasbytes
orasmegabytes,gigabytes,etc.
View
Openstheselectedle.ImagesandPDFleswillopeninapreview
window.Otherleswillopenadialogboxtodownloadtheletoyour
computer.
Download
Opensadialogboxtodownloadtheselectedletoyourcomputer.
Hash
Opensaninfowindowwiththeselectedle’sname,MD5hash,and
lesizeinbytes.
HexView
OpenstheleintheDittoForensicFieldStationsbuilt-inhexadecimal
viewer.
Logically Image Data
Tologicallyimagedatausingthe“Preview”window,clickontheSelect Mode buttonandthencheck
theboxnexttoeach le orfolderyouwantto logically image.Whenyouarenished,clickonthe
Stage buttoninthelowerrightcornerofthe“Preview”window.Youwillbetakenbacktothe“Home”
screen.Usethe“Action”controlpanelasdirectedinSection4.1.3.Whenyouclickon“SelectFiles&
Dirs”,youwillbeaskedtoconrmwhethertologicallyimagethelesandfoldersyouhaveselected,
ortoselectnewlesandfolders.
4.5.2 View Hexadecimal Data
To view a disk’s hexadecimal data, click on the disk name under the “Port” column and then select
HexView. To view a disk partition’s hexadecimal data, click on the partition’s number under the disk’s
“Partition” column and then select HexView (see Figure 17).
4.5.3 View Snapshot Data
Toviewadisk’ssnapshotinformation,clickonthedisknameunderthe“Port”columnandthenselect
Snapshot.
4.6 SYSTEM LOG
Shows the actions that the Ditto Forensic FieldStation has performed (see Figure 18).The“Hide” button
allowsyoutominimizethepanel.The“Comment”buttonallowsyoutowriteanotethatisappendedtothe
log.
IfthereisnoSDcardpresentintheSDcardslot,thispaneldisplaysthelogsthathavebeenstoredinvola-
tilememorysincetheDittoForensicFieldStation’slastpowercycle.TheselogsaredeletedwhentheDitto
ForensicFieldStationispowereddown.IfthereisanSDcardpresent,thispaneldisplaysallactionssavedon
theSDCard.
Toviewthelog detailsof aparticularaction,clickonthe linkunderthe“Message”column.whichwillbe
denotedbyalenamewithadate/timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickon
theLogs buttonfromthetopmenubar.
5 CONFIGURE SCREEN
The“Congure”screenallowsyoutomodifythewaytheDittoForensicFieldStationfunctionstosuityourspe-
cicneeds.ClickontheConfigure tabtoaccessthe“Congure”screenfromthebrowserinterface.
5.1 SYSTEM
The“System”taballowsyoutoviewandcustomizethefollowingsettings.Thisinformationisalsodisplayed
inthe“SystemSettings”panelonthe“Home”screen.Whenyouarenished,clicktheCommit Changes
buttontosavethechanges.
• Default Format: This is the default file system that will be used to format destination disks when they
are used in actions that the Ditto Forensic FieldStation performs.
• Physical Image Type: Sets the default physical image type for all actions that create a physical image.
• Logical Image Type: Sets the default logical image type for the “Logical Image Source Disk” action.
• Logical Image Mode: Sets the default Logical Image Mode for the “Logical Image Source Disk” action.
• Verify Single: Determines whether individual destination disks are hashed and compared to the
source disk’s hash value.
Figure 18. The“Congure”screen,showingthe“System”tab.
Figure 18. The“SystemLogs”sectiononthe“Home”screen.
• Verify Mirror: Determines whether mirrored destination disks are hashed and compared to the
source disk’s hash value(s). You can choose to verify eSATA-A or eSATA-B individually, both
disks, or none.
• Verify Clone & Image: Determines whether cloned and imaged disks are hashed and compared to the
source disk’s hash value during a “Clone & Image Source Disk” action. You can choose
to verify the clone, the image, both, or none.
• Log Disk Info: Determines whether S.M.A.R.T. and hdparm disk information is logged before running an
action, after running an action, both, or not at all. CRU recommends that you log disk information before
and after an action.
• HTML Logging: Logs are always saved in .XML format. This option causes the Ditto Forensic FieldStation
to save logs in HTML format as well.
• DiskView Logging: Logs any action to preview a disk or actions performed while previewing a disk (i.e.
starting or finishing a preview of a disk, starting or finishing a HexView action).
• Hash Type: Sets the default hash algorithm that will be used for disk verification and the “Hash Disk”
action. The available algorithms are MD5, SHA-1, or MD5+SHA-1. Note that hashing while using both
MD5+SHA-1 significantly reduces performance.
• Erase Mode: Sets the default erase mode that will be used for all actions that require erasing disks.
• Stealth Mode: Turns off all LEDs and LCDs on the Ditto Forensic FieldStation. The physical “Stealth
Mode” switch serves the same purpose (see Section 1.2). If Stealth Mode is enabled from the browser
interface, the physical switch cannot override it.
• LCD/LED Brightness: Sets the relative brightness of the LCDs and LEDs on the face of the Ditto Forensic
FieldStation on a scale of 1 to 255.
• Audible Buzzer: This is a planned feature that is not currently implemented. The audible buzzer will alert
the user to various actions that occur when using the Ditto Forensic FieldStation.
• Prompt Invest. Info: Opens a “Configure Investigation Info” window after the user has hit the “Start”
button in the “Action” section on the “Home” screen. This allows the user to customize the Investigator,
Case Number, Evidence Number, Description, Notes, Base Directory Name, and the Base File Name
information prior to performing the requested action.
• LCD Prompt Case: Five options may be chosen to modify the case number specified in the
“Investigation Info” section of the “Home” screen. The case number is included in the log for the requested
action. “Disabled” leaves the case number as it is. “Inc/Dec” allows you to manually increment the
case number up or down using the navigation buttons on the face of the Ditto Forensic FieldStation.
“AutoInc” automatically increments the case number, and “AutoInc/Pause” automatically increments
the case number, but displays a confirmation prompt on the LCD screen before beginning the requested
action. These options require a number to be present on the end of the Case Number specified in the
“Investigation Info” section.
• LCD Prompt Evidence: Five options may be chosen to modify the evidence number specified in the
“Investigation Info” section of the “Home” screen. The evidence number is included in the log for the
requested action. “Disabled” leaves the evidence number as it is. “Inc/Dec” allows you to manually
increment the evidence number up or down using the navigation buttons on the face of the Ditto Forensic
FieldStation. “AutoInc” automatically increments the evidence number, and “AutoInc/Pause” automatically
increments the evidence number, but displays a confirmation prompt on the LCD screen before beginning
the requested action. These options require a number to be present on the end of the Evidence
Number specified in the “Investigation Info” section.
• Quick Start: Enables the “Quick Start” screen on the LCD that appears after you boot or reboot the Ditto
Forensic FieldStation. The settings for this mode may be modified in the “Quick Start” tab. See Section
5.9.
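The Verify and Hash Type settings above compare destination hashes with the source disk’s hash. The following Python code is an added example, not part of the manual or the device’s software: it re-checks a DD image on an analysis workstation in a single read pass using MD5, SHA-1 or both, and compares the result with recorded values. The function names and the sample image are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Mirrors the three "Hash Type" choices listed in the manual.
HASH_TYPES = {
    "MD5": ("md5",),
    "SHA-1": ("sha1",),
    "MD5+SHA-1": ("md5", "sha1"),
}

def hash_image(path, hash_type="MD5+SHA-1", chunk_size=1024 * 1024):
    """Read the image once and feed every chunk to each selected digest."""
    digests = {name: hashlib.new(name) for name in HASH_TYPES[hash_type]}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}

def verify_image(path, recorded, hash_type="MD5+SHA-1"):
    """Compare computed digests with recorded hex values, per algorithm."""
    results = {}
    for name, value in hash_image(path, hash_type).items():
        expected = recorded.get(name, "").strip().lower()
        results[name] = hmac.compare_digest(value, expected)
    return results

def demo():
    """Constructed sample: a 3 MiB stand-in for a DD image, then a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.dd")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 12288)  # 3 MiB of patterned data
        recorded = hash_image(image)             # stands in for the logged hashes
        intact = verify_image(image, recorded)
        with open(image, "r+b") as fh:           # alter a single byte
            fh.seek(2_000_000)
            fh.write(b"\xff")
        altered = verify_image(image, recorded)
    return intact, altered

if __name__ == "__main__":
    print(demo())
```

Recorded values pasted from a log may be upper case or carry stray whitespace, which `verify_image` normalizes before comparing.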
5.2 NETWORK
The“Network”taballowsyoutoviewandcustomizethefollowingsettings.Ifyouareunsureorhaveques-
tionsaboutchangingyournetworksettings,contactyournetworkadministrator.Whenyouarenished,click
theCommit Changes buttontosavethechanges.
5.2.1 Host Name
AllowsyoutochangewhatnamefortheDittoForensicFieldStationwillbedisplayedonanetwork.Host
namesarenotcasesensitive,butmustbeginwithanyletter“A-Z”.TheycancontainthethelettersA-Z,
numbers0-9,underscore“_”,anddash“-”characters.Hostnamesmustalsobelimitedto64characters.
Figure 20. The “Network” tab on the “Configure” screen, showing the “Source”, “Destination”, and “Wifi”
network settings. The “Wifi Network” section only appears when a USB wireless network adapter has been
plugged in.
5.2.2 Source Network
The“SourceNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsIPassign-
mentmethod.Youcanchooseeither“DHCP(AutoCong)”or“StaticIP(ManualSettings)”fromthetop
drop-downbox.
The“RemoteAccessibility”drop-downboxallowsyoutochoosewhetherornottheDittoForensicField-
StationrespondstoanynetworktrafcviathesourceEthernetport.
5.2.3 Destination Network
The“DestinationNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsnet-
workingmode.Youcanchooseeither“Server”,“Client(DHCP)”,or“Client(StaticIP)”fromthedrop-down
box.
Server
“Server”allowsyoutoconguretheDittoForensicFieldStationforuseasaserver.Thiscanbehelpful
ifyouareconnectinganiSCSIdevicetothedestinationEthernetport,forexample(seeSection11.3.2),
or you are connecting Ditto directly to your computer instead of through your ofcenetwork.The
defaultsettingsbelowwillworkformostenvironments.Thisisanadvancedoption,sodonotcus-
tomizethedefaultservercongurationbelowunlessdirectedtodosobyyournetworkadministrator.
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.10.100
DHCP End Address: 10.10.10.199
DNS Server: Enabled
DNS Domain Name: ditto.local
NTP Server: Enabled
NAT Gateway: Disabled
DonotconnecttheDittoForensicFieldStationtoanothernetworkwhileitisconguredasaserver.
Doingsowillcausenetworkconictsandmaydisruptnetworktrafc.
Client (DHCP)
ThisoptionautomaticallyconguresthedestinationEthernetporttoconnecttotheattachednetwork.
Client (Static IP)
ThisoptionallowsyoutomanuallycongurethedestinationEthernetporttoconnecttotheattached
network.
5.2.4 Wifi Network
The“WiNetwork”sectionallowsyoutocongureathirdpartyUSBwinetworkadapterthat’sbeen
pluggedintothe“SouceInputs”USBport.Italsodisplaysthatport’s MACAddress.Adapterswithan
AtheroschipsetandsomeadapterswithRealtekchipsetsarecompatible.
TheDitto Forensic FieldStation canhandlemultipleUSBdevicesthroughaUSBhubattachedtothe
USBportonthe“SourceInputs”sideoftheForensicFieldStation.
“WiMode”allowsyoutodeterminewhethertheDittoForensicFieldStationconnectstoawinetwork
oractsasawihotspotitself.HotSpotModeishelpfulifyouareworkinginaseparatelocationfrom
theDittoForensicFieldStationthatisstillwithinrangeofawirelessnetwork,orifthereisnohardwired
networkavailableinthelocation.
Choose“Client Mode” to connectto an existing wi networkor“Hot SpotMode” tomaketheDitto
ForensicFieldStationintoawihotspot.
Client Mode
Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtoconnecttothespeciedwire-
lessnetworkautomatically.
Toselecttheclientmode’snetworkingmode,youcanchooseeither“Client(DHCP)”or“Client(Static
IP)fromthedrop-downboxunderneaththeMACAddress.“Client(DHCP)”automaticallycongures
theUSBwinetworkadaptertoconnecttoawinetwork.“Client(StaticIP)”allowsyoutomanually
conguretheconnection.
Hot Spot Mode
Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtobeginbroadcastingasahot
spotautomaticallywheneverawiadapterispluggedin.
Thedefaultsettingsbelowwillworkformostenvironments,withseveralexceptions.
InputyourownkeytoensurethatyourDittoForensicFieldStationremainssecure.
Youmay berequiredtoconformtoyourcountry’slawsand regulationsregardingwirelessradio fre-
quencyusage.Selectyourtwo-digitcountrycodefromthe“RegulatoryDomain”dropdownlist,and
theDittoForensicFieldStationwilllimitthefrequenciesitmaybroadcastontoonlythoseintheper-
mittedrange(s).
DonotconnecttheDittoForensicFieldStationtoawirednetworkwhileitisconguredasahotspot.
Doingsowillcausenetworkconictsandmaydisruptnetworktrafc.
SSID: {HostName}-wifi
Regulatory Domain: Global
Band: G-2.4GHz
Channel: Auto
Broadcast: Checked
Security: WPA2 Personal
Key: ditto123
Show Key: Unchecked
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.20.100
DHCP End Address: 10.10.20.199
Moresettingsareavailableonthenextpage.