IMSolo-5 Forensics User’s Guide

Post on 19-Mar-2020

IMSolo-5 Forensics

User’s Guide

Intelligent Computer Solutions

8968 Fullbright Avenue Chatsworth, CA 91311

DOC-5000-100A Rev. 4.4

April 2017

Printed in the USA

Sales/Technical Support Phone: 1-818-998-5805

Fax: 1-818-998-3190

E-Mail: [email protected]

E-Mail: [email protected]

Home Page: http://www.ics-iq.com

Copyright © 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter® and associated software are copyrighted and registered in accordance with the laws and regulations of the State of California and the United States of America. IBM® and OS/2® are registered trademarks of the International Business Machines Corporation. DOS®, Windows®, Windows NT®, Windows 95/98/2000®, Windows ME®, Windows XP®, and Windows VISTA® are registered trademarks of the Microsoft Corporation. All other brand and product names are trademarks of their respective owners.

Contents

CHAPTER 1: INTRODUCTION
  Overview
  Features
    About this User Guide
    Typical Conventions Used
  Setup
    System Specifications
CHAPTER 2: QUICK START SETUP
CHAPTER 3: INSTALLATION
CHAPTER 4: OPERATION
  User Interface
  IMSolo-5 Forensics Advanced Interface Control Console
    Advanced Drive Detect Menu
      Drive Selection Panel
        Suspect 1-2 Drive Select
        Evidence 1-2 Drive Select
        Detect Drives
        Remove Drives
        Add Network Location
        Detect Remote Drives
      Drive Status Panels
        Active Suspect Drive Panel
        Active Evidence Drives Panel
        Other Detected Drives
      Operational Mode Select Menu
        Single Capture
        LinuxDD Capture
        LinuxDD and Single Capture
        LinuxDD Restore
        LinuxDD Hash
        E01 Capture
        E01 and Single Capture
        E01 Restore
        E01 Hash
        Format Drives
        WipeOut-DoD
        WipeOut – Fast
        WipeOut – Secure Erase
        Partial Wipe with ICS Signature
        Hash
      Event Log Window
      Navigation Bar
      Operational Status Information
        Station
        Speed
        Operational Mode
        Load Size
        Percent Completion
        Elapsed Time
        Estimated Time Left
      Operation Control Functions
        Start
        Abort
    Advanced Operation Settings Menu
      Single Capture Settings
        Read Back-Verify
        Hash Targets
        Hashing Methods
        Wipe Remainder
        Encrypt/Decrypt
      WipeOut Settings
        Mode
        Iterations
        Pattern (0-255)
        Write ICS Signature
        Read Back-Verify
      Format Drives Settings
      Linux DD Capture Settings
        Capture File Size
        Custom File Size (MB)
        File Name
      LinuxDD Hash Settings
      LinuxDD or E01 Restore Settings
      Hash Settings
        Sectors to Hash
      E01 Capture Settings
        Capture File Size
        Custom File Size (MB)
        Ex01
        File Name
    Settings Main Menu
      User Interface Culture
      Additional Operational Mode Settings
        Read Back-Verify
      Protected Area Support Enabled
      Bad Sector Handling
        Skip Block
        Skip Sector
        Abort drive
      Start View
        Operator Screen
        Advanced Screen
      Add/Remove Optional Features
    Advanced Drive Detection Settings Menu
      Drive Detection Mode
        Auto
        Fast Detection
        Sequential Detection
      Fast Detection Settings
        Wait Time After Powering Up Each Drive
        Wait Time Between Powering Up Each Drive and Starting Drive Detection
        Max Scanning/Detection Time allowed by Application (Sec)
        Auto Calibrate Detection of All Drives
        Calibration Starts From Drive
        Calibrate Detection of a Selected Drive
      Sequential Detection Settings
        Max Detect Time
        Max Detect Power Time
        Calibrate Current Threshold
      Drive Detection Warning
      Test Drive Detection
    Advanced Settings Menu
      Warn if Drive is not Inserted
      Use Master Password for Secure Erase
      Hash Advisory
      Confirm Drives
      Set Target Protected Area
      Forced Power off
        Power off selected drives
      Auto Run
      Verify Location of Suspect Drive
    More Settings Menu
      Slow Drive Filter Speed Threshold
        Speed Threshold
      Speed Optimization
        Transfer Buffer Size (in 64 kb)
      Fan Control
      Launch Drive Port Assignment
      Enable IMAccess
      SAS/SATA Controller Settings
      Disable Destination Writes
    Advanced Case Info Menu
    Advanced Mount Drive Menu
      Write-Protect the Drive
      Mount Volumes on the Drive
      Simulate Drive Signature When Mounting Volumes
      Apply
      Refresh
    Advanced HPA/DCO Menu
      Protected Area Type
      Protected Area Support
      New Capacity
      Current Capacity
      Native Capacity
      Set Capacity
      Reset Capacity
      Volatile
    Advanced LOG Menu
      Print Logs
      Copy Logs
      Open Log Folder
      Set Audit Trail Logo
    Advanced Tools Menu
      Disable Password
CHAPTER 5: OPERATIONAL PROCEDURES
  Prepare for Operation
  1. Prepare Suspect’s Drive
  2. Prepare the Evidence Drive(s)
  3. Connect the printer (optional).
  4. Configure the unit’s Settings.
  Capturing Drives using Single Capture Mode
  Capturing using LinuxDD Capture Mode
  Capturing using E01 Capture Mode
  Capturing from a PCIe M.2 Drive.
  Capturing from an Unopened PC or Notebook
  Capturing to a Local Shared Folder
  Capturing to a Shared Network Folder
  Encrypting Data During Data Capture
  Decrypting Data During Data Transfer
  Restoring from LinuxDD or E01 Segmented File Format
  Sanitizing Drives Using WipeOut DoD
  Sanitizing Drives Using WipeOut - User
  Sanitizing Drives Using WipeOut – Secure Erase
  Transferring Audit Trail and Log Information
  Running Multiple Operational Modes Simultaneously
  Previewing Write-Protected Drive Data
  Enabling Manual Write-Access to Evidence Drive Positions
  Verify Location of Suspect Drive Configuration
APPENDIX A: OPERATIONAL NOTES
  Image MASSter™ IMSolo-5 Internet/Network Connection Disclaimer
  USB-to-Ethernet Connection
  USB LinkMASSter Setup
  USB LinkMASSter Usage
  IMSolo-5 USB Restore Instructions
  IMSolo-5 System Drive Removal Instructions
  LinuxDD and E01 Capture exFAT Usage
  “Verify Location of Suspect Drive” Usage Notes
  DEFINITIONS
APPENDIX B: PRODUCT INFORMATION
  Limited Warranty
  What is Not Covered:
  Limitation of Liability
  Technical Support

Chapter 1: Introduction

Overview

Designed exclusively for Forensic applications, the ImageMASSter IMSolo-5 Forensics system is a versatile, light-weight, portable, high speed data acquisition device. The IMSolo-5 Product Line offers the same slim, low profile design as the IMSolo-5 Slim units with similar features and the same High Speed support for 6Gb/s SAS-2 and SATA-3 drives. Data from SAS/SATA Suspect drives can be seized at speeds exceeding 20GB per minute. The IMSolo-5 Enterprise offers two additional, unique 4-lane PCIe Expansion Ports, allowing it to acquire data from a PCIe M.2 storage device to another PCIe M.2 device at speeds exceeding 65 GB/min. Using the unit’s on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact replica of the Suspect’s data without modification, re-arrangement or corruption. The unit provides Native interface support for SAS, SATA, eSATA, USB 3.0, Firewire [1] and PCIe M.2 [2] SSD drives in addition to supporting P-ATA [3], including ATA compatible solid state and flash devices. It provides flexible Capture mode formats including “Segmented File” and “Mirror” image formats, and it is capable of capturing two Suspect drives simultaneously. The unit’s advanced touch screen user interface provides ease of use.

Figure 1: IMSolo-5 Forensics

[1] Available only on some models.

[2] Available only on some models. Requires the M.2 Adapter Module.

[3] Optional P-ATA Adapters required.

The New Image MASSter™ Solo 5 Enterprise Forensic unit is designed using today’s Advanced Acquisition technology, providing a fast, reliable and versatile forensic handheld Data Acquisition Tool. The unit’s Key Features include support for PCIe M.2 storage devices and the capability of imaging multiple "Suspect" drives to multiple "Evidence" drives simultaneously. The Suspect drive’s data can be captured in LinuxDD, E01 or EX01 Segmented File Format or as a “mirror” capture. The Image MASSter™ Solo 5 Enterprise supports SHA-1 and SHA-2 Accelerated Drive Hash methods as well as the standard MD5 Hash method. With built-in Hard Drive Encryption support, the target drive’s data can be secured utilizing the NIST approved AES-256 Encryption standard. The units are configured with a 1Gbit Ethernet port for Network Connectivity support, allowing the simultaneous acquisition and upload of the Suspect’s hard drive data directly to External Storage Media or to a Network Location in a forensically secure environment. Network Uploads using the unit’s native 1Gigabit Ethernet interface offer speeds exceeding 2GB/min. The Solo 5 Enterprise units are also designed with a slide out system drive for easy removal.

Features

High-end Processing Power: The Image MASSter™ IMSolo-5 Pro Forensic units are supplied with a powerful INTEL i7™ CPU to handle today’s most demanding Forensic Acquisition and Analysis tasks. The Image MASSter™ IMSolo-5 Basic Forensic units are supplied with a powerful INTEL i3™ CPU.

Advanced SATA-3 Technology: Implements support for 6Gb/s SAS-2 and SATA-3 drives using 6Gb/s SATA-3 SAS Controller technology. The unit is designed to acquire today’s High Performance drives and prepares the user with the hardware necessary to take advantage of tomorrow’s hard drive speed improvements. The unit’s advanced Duplication Technology provides the capability of performing multiple operations simultaneously. Capture and Wipe standard SAS/SATA drives with speeds up to 32 GB/min, and PCIe M.2 drives with speeds up to 70GB/min.

PCIe Expansion Port: Allows expanding the unit’s capabilities to support PCIe M.2 storage devices, using the PCIe M.2 Adapter Module, SCSI drives using the optional SCSI Interface Adapter, and allowing for future performance enhancement options.

PCIe M.2 Support: Two 4-lane PCIe Expansion Ports allow for data acquisition from one PCIe M.2 storage device to another at speeds up to 70 GB/min. The unit’s M.2 Adapter Module supports varying M.2 form factor lengths of 30, 42, 60, 80 and 110mm and is designed for easy and safe insertion and release of M.2 storage devices. The M.2 Adapter Module also supports U.2 SSD drives with optional 3rd Party Adapters.

Hard Drive Support: Offers native support for SAS, SATA, Firewire and USB 3.0 drives. Optional adapters are available to support M.2 SATA SSD*, IDE Drives*, Micro SATA*, e-SATA Drives*, 2.5”, 1.8” IDE Notebook Drives*, ZIF drives*, and Flash media*. The unit ships with expansion ready hardware to support the Optional PCIe expansion box which can be used to expand the unit’s capability to support additional drive interfaces such as SCSI and Fiber Channel.

*Available for purchase/Optional Adapters Required

Multiple "Suspect" and Evidence Drive interface Ports: Provides 2 Native SATA/SAS ports and 2 USB 3.0 ports dedicated for the Suspect Drive Positions. Both SATA/SAS and USB Suspect ports can be used simultaneously to capture 4 drives in one operation. Provides 2 Native SATA/SAS ports and 2 USB 3.0 ports dedicated for the Evidence Drive Positions. The unit is supplied with an IDE drive adapter for IDE drives. Optional drive adapters are available for 1.8", 2.5" ZIF, proprietary interface/Laptop drives, and Micro Media Cards including Compact Flash, Memory Sticks, SD, Micro SD, and MultiMedia cards. Mixed Drive Interface support allows seizing data between different drive interface types (i.e., use an IDE "Suspect" drive with a SATA "Evidence" drive). All "Suspect" Drive ports are permanently write-protected to prevent altering "Suspect" Drive Data. The Write-Protect properties of the Suspect ports cannot be disabled.

Multi-Session Capability: Capture multiple Source drives simultaneously or run multiple operations simultaneously. Multi-Session supports the high-speed duplication of up to 2 Source drives simultaneously. Copy and Sanitize drives at the same time.

Multiple Operational Modes:

o Single Capture: Creates “Mirror” image of the Suspect’s drive.

o LinuxDD Capture: Supports storing one or multiple Suspect drive images on a single “Evidence” drive using the standard Linux DD Segmented File Format.

o E01 Capture: Supports storing one or multiple Suspect drive images on a single “Evidence” drive using the EnCase® Forensics Segmented File Formats E01 and EX01.

o IQ Copy: Optional Non-Forensic Format used to capture only the allocated data of a Suspect’s drive, greatly reducing the time required to capture data. In addition, it can be used to duplicate drives for IT purposes such as backup, deploy and upgrade to larger capacity drives.

o WipeOut: Sanitize drives using Single Pass, DoD Standard, or Secure Erase. The unit has the ability to capture and wipe hidden HPA or DCO areas which may exist on hard drives.

* The IQCopy Option is purchased separately.

Multi-Op Mode: Allows LinuxDD and Single Capture operations to be performed in one operation using the same Suspect drive.

Multiple Hash Verification Methods: The Image MASSter™ IMSolo-5 Forensic G3 supports SHA-1 and SHA-2 Hash Acceleration and Software based MD5 Hashing.

External Storage: Images can be stored externally to a Shared Network folder, e-SATA drive, USB drive or an ICS DFSS External Storage Module.

Upload and Download Images to Network Storage Area: Image files can be uploaded and downloaded to a Network Storage Area allowing the user to take advantage of large storage platforms for the purpose of processing and archiving images. With the use of the Optional 10 Gigabit Ethernet connection, units can copy and upload at speeds exceeding 4GB/min.

Optional Expansion Box: The Image MASSter™ IMSolo-5 Forensic G3 is designed with built-in support to connect the optional Expansion Box module, providing the capability to capture data from additional devices which have interfaces not natively available on the Image MASSter IMSolo-5 Forensic G3 unit. The Expansion Option includes the following hardware:

o SCSI Ultra320 PCI-Express card for connecting SCSI mass storage devices. IMSolo-5 Forensic G3 can capture 2 SCSI Suspect drives simultaneously.

o PCI-Express to Express Card 34 Reader for connecting a broad range of Express Card compliant cards**.

* External Multi-Output Power Adapter (not supplied) is required to power the second SCSI drive when capturing 2 SCSI drives to 2 Evidence drives simultaneously. It is also recommended to use the External Multi-Output Power Adapter to power two or more external drives connected to the Expansion Box.

**Express Cards are not supplied with the Expansion Option.

“On the fly” Drive Image Encryption*: Utilizing the built-in AES 256 Encryption Technology, the Image MASSter™ IMSolo-5 Forensic G3 encrypts all digital data during the Cloning Process, with minimal speed degradation, for the purpose of safeguarding sensitive information. The Image MASSter™ IMSolo-5 Forensic G3 creates a secure key with a user-chosen pass phrase. An AES 256 encryption key is then generated by the unit and can be saved to any USB thumb drive. The encrypted drive can be decrypted on the fly utilizing the Image MASSter™ IMSolo-5 Forensic G3 or with any PC loaded with the free ICS Decryption utility and USB thumb drive containing the saved key.

* This process is NOT compatible with the DiskCypher product line

ICS Digital Forensic Storage Solutions (DFSS): The Image MASSter™ IMSolo-5 Forensic G3 supports the use of the Optional ICS DFSS Modules to provide additional Storage capacity.


About this User Guide

The IMSolo-5 Forensics User Guide will be updated as needed to reflect hardware and software modifications. Therefore, descriptions of features may be subject to change. The document makes use of hyperlinks to provide shortcut links.

Typical Conventions Used

Convention      Meaning

Highlighted     This is a hyperlink: shortcut link to a referred topic. Select it to jump to the topic. Use the MS Word Back tool to jump back to previous location.

Bold            Indicates a screen menu item or function such as a setting or control button.

Italic          Indicates the name of an IMSolo-5 Forensics feature, system, mode, or other important reference.

Note            Identifies additional important information regarding a topic or task.

Indicates a warning or caution


Setup

1. Carefully remove the IMSolo-5 Forensics unit from its shipping box.

2. Use the supplied parts list (Table 1) to complete an inventory check.

3. Follow the outlined steps in the Quick Start Setup Chapter.

Table 1: Quick-Reference Parts List

Part                                    Part Number    Quantity
IMSolo-5 Forensics Unit                                1
DC Power Adapter and AC Power Cord                     1
SAS/SATA Data/Power Cable                              4
SATA-to-PATA Adapter                                   1
PATA 2.5” 44-Pin Adapter                               1
PATA Data Cable                                        1
PATA Power Cable                                       1
Stylus                                                 1
USB Restore Media                                      1
IMSolo-5 Forensics User’s Guide                        1

System Specifications

Supply Voltage           100 - 240V / 50 - 60 Hz 400Watt Universal Auto switching input voltage
Power Consumption        9W
Operating Temperature    5 degrees - 55 degrees C
Relative Humidity        20% - 60% non-condensing
Net Weight               5.35 lbs
Overall Dimensions       10.5” x 4” x 7.6”


Chapter 2: Quick Start Setup


1. Place the IMSolo-5 Forensics on a level surface.

2. Attach the unit’s Power Adapter to the unit's DC Power-In port, located on the unit's back panel, and to an electrical outlet. The voltage may be either 110v or 220v. The Power Adapter will automatically switch to use either voltage.

3. Power ON the unit by pressing the unit’s Power ON button, located on top corner of the unit’s back panel. The IMSolo-5 Forensics Advanced Interface Control Console will be displayed.

Figure 2: Advanced Interface Control Console


4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit’s Suspect and Evidence connectors and to the SATA or SAS drives. For PATA drives use the supplied ICS SATA-to-PATA Adapter and connect the supplied PATA data cable’s “Unit Side” connector to the Adapter’s data connector and the “HDD Side” connector to the drive.

Figure 3: Drive Positions


5. Select the Mode of Operation from the Operations pull down menu.

Figure 4

6. Select the drives to be used for the selected operation from the Drive Selection Panel.

7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.

Hash values generated during the capture operation are generated for the data read from the Suspect’s drive, not for the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function.

8. Select START to begin the operation. Operational status information will be displayed during an operation.


9. After the operation completes, the drives will be powered OFF and the drives can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.

NOTE: Audit Trails are saved in both a standard text format and a PDF format using 128-bit password encryption protection, so the Audit Trail contents cannot be changed. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.

The unit can be powered OFF by pressing and releasing the unit’s Power button, located on the top corner of the unit’s back panel.


Chapter 3: Installation


Hardware Accessories

The following section provides a description of the Hardware Accessories that are available for the IMSolo-5 Forensics unit.

M.2 PCIe Adapter Module

The M.2 PCIe Adapter Module Option adds the option to connect two PCIe M.2 drives. The M.2 PCIe Adapter Module supports varying M.2 form factor lengths of 30, 42, 60, 80 and 110 mm and is designed for easy and safe insertion and release of M.2 PCIe Drives.

Figure 5


Hardware Description

This section describes the hardware of the IMSolo-5 Forensics unit.

Components and Functions

Top Panel (Fig. 8)

Display: LCD Touch Screen Color Display.

Front Panel (Fig. 8)

Suspect and Evidence SATA/SAS Hard Disk Drive Data/Power Connectors: Used to connect the Suspect and Evidence SATA/SAS drives directly to the Forensics unit for “Direct” data seizure operations.

Suspect 1 and Suspect 2 USB 3.0 Ports: Used to connect the Suspect USB drives.

Back Panel (Fig. 6)

Evidence 1 and 2 USB 3.0 Connectors: Used to connect the USB 2.0/3.0 Evidence device(s) directly to the Forensics unit for “Direct” data seizure operations.

eSATA Ports: Used to connect External Storage Device.

Power ON Button: Used to power the unit ON and OFF.

DC-IN Power Socket: Connect DC Power Adapter to this socket.

USB 3.0 Connectors: Provides 2 General Purpose USB v2.0/3.0 ports.

LAN Port: Provides a GBit Ethernet Network Interface.

L-out, L-in, MIC: Provides Audio Line input/output ports and Microphone port.

HDMI Port: Used to connect to an external monitor.

External Power Connector: Used to power an external drive.

Left Side Panel (Fig. 7)

Firewire Ports: Used to connect Firewire[4] drives directly to the Forensics unit for “Direct” data seizure operations.

[4] Available only on some models


Figure 6: Back View


Figure 7: Left View


Figure 8: Front View


Chapter 4: Operation


User Interface

The IMSolo-5 Forensics provides Windows based Graphical User Interface applications, which the user can use to set up and control the unit’s various functions. All of the unit’s menus and functions are controlled through the unit’s Touch Screen Display. Screen menu items can be selected by touch or with use of the included Touch Screen Stylus Pen. An On-Screen Keyboard is available for an easy method to enter text related information. Optionally, an external keyboard, mouse or display can be connected. The IMSolo-5 unit provides an Advanced Interface Control Console which will run at start up and can also be activated from Windows START/PROGRAMS menu or by selecting the IMSolo-5 application’s Desktop Shortcut ICON. The Advanced Interface screens are available to customize operations. Multiple instances of the IMSolo-5 application can be activated to allow multiple operations to be performed simultaneously. This chapter provides a detailed description of the available functions.


IMSolo-5 Forensics Advanced Interface Control Console

The IMSolo-5 Forensics Advanced Interface Control Console provides all the functions and controls necessary to set up, customize and perform the unit’s common and advanced Forensic operations. It can be used as an alternative to the Wizard Interface Control Console which provides limited functions for ease of use. Multiple instances of the Advanced Console can be activated, which allows more than one operation to be performed simultaneously. The functional descriptions of the unit’s Advanced Interface Control Console functions are discussed in the following section.

Figure 9: Advanced Interface Control Console. Callouts: Drive Selection Panel, Active Drive Status Panels, In-active Drive Panel, Operational Mode Select Menu, Operational Settings Tabs, Operation Status Information, Operation Controls, Event Log Window, Navigation Bar.


Advanced Drive Detect Menu

The IMSolo-5 Forensics Advanced Drive Detect Menu will provide a list of the detected drives and allows detected drives to be configured as active or inactive drives. The menu screen will also allow drives connected in Evidence positions to be configured as Suspect Drives. The menu is displayed by selecting the Detection Tab from the Advanced Interface Control Console. The descriptions of the available Advanced Drive Detect Menu functions are discussed in the following section.

Drive Selection Panel

The Drive Selection Panel provides the settings and functions used to detect drives connected to the unit’s dedicated Suspect and Evidence drive positions, including devices connected to the dedicated USB ports located on the back of the unit. The Drive Select Panel allows the operator to select the drive position(s) to scan during a drive detect operation.

Suspect 1-2 Drive Select

Select the Suspect Check Box to select the drive(s) in the “Suspect” position(s) for detection. The unit provides two dedicated Write-Protected “Suspect” SAS/SATA drive and USB positions. The drive’s positions are referenced by the drive’s physical location on the unit. The “Suspect 1” position is located on the left side of the unit, labeled “Suspect 1”. The “Suspect 2” position is located on the right side of the unit, labeled “Suspect 2”.

Evidence 1-2 Drive Select

Select the Evidence Check Box to select the drive(s) in the “Evidence” position(s) for detection. The unit provides two dedicated SAS/SATA drive positions and two USB “Evidence” drive positions. The drive’s positions are referenced by the drive’s physical location on the unit. The SAS/SATA “Evidence 1” position is located as the left drive slot on the front of the unit. The SAS/SATA “Evidence 2” position is located as the right drive slot on the front of the unit. The “Evidence 1 and 2 USB” positions are located on the unit’s back panel.

NOTE: The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or the operation passed, and RED if the drive is not detected or if the operation was not successful.


Detect Drives

Select the Detect Drives Button to turn ON and detect the selected drive(s).

NOTE: By default, all ports are Write-Protected. The drive’s Write-Protect property will automatically be disabled if the selected operational mode requires writing to the drive(s).

Remove Drives

Select Remove Drives to turn OFF and remove the selected drive(s).

Add Network Location

Allows a Suspect’s drive contents to be captured and stored in a Network or Locally Shared Folder. The Shared Folder location can be designated as the “Evidence” drive using the Add Network Location function. The Add Network Location function is available when running the LinuxDD or E01 Capture operations. The descriptions of the available settings are discussed in the following section.

Figure 10 (callout: Browse)

Browse

Select Browse to select the Shared Folder Location.

Detect Remote Drives

The Detect Remote Drives function allows capturing data from a drive installed in a Notebook or PC[5], using the unit’s Ethernet port.

[5] The Detect Remote Drives Option requires purchase


Drive Status Panels

The Active Drive Status Panels list the drives detected and their respective locations. The Panels will also indicate the drive’s “burst” transfer rate during operation. Detected drives are listed in their respective Drive Status Panels.

NOTE: Drives can be manually transferred between Drive Panels by selecting and “dragging” the listed drive using the Touch Screen or using an attached mouse. Suspect’s Drives cannot be moved to Evidence locations.

Active Suspect Drive Panel

The Suspect Drive Panel will list the detected and active Suspect drives for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Suspect Drive Panel. The drive listed in this panel is considered an “active” drive and will be used as the Suspect’s drive during the operation.

NOTE: Drive(s) in the Suspect position(s) cannot be configured as Destination drives.

Active Evidence Drives Panel

The Active Evidence Drives Panel will list the detected and active Evidence drive(s) for the active session. Drives listed in the Other Detected Drives Panel can be manually transferred to the Active Evidence Drives Panel. The drive listed in this panel is considered an “active” drive and will be used as the Evidence drive during the operation.

NOTE: Evidence drives can be configured as Suspect drives by transferring the drive from the Active Evidence Drive Panel to the Active Suspect Drive Panel.

Other Detected Drives

The Other Detected Drives Panel will list the “non-active” drives detected on all ports other than the dedicated Suspect and Evidence ports. Drives listed in the Suspect Drive or Evidence Drive Panels can be manually transferred to the Other Detected Drives Panel. The drive(s) listed in this panel are “non-active” drives, and will not be used during an operation.


Operational Mode Select Menu

The Operational Mode Select Menu provides a list of the available Operational Modes. The functional descriptions of the available Operational Modes are discussed in the following section.

o Single Capture
o LinuxDD Capture
o LinuxDD Restore
o LinuxDD Hash
o E01 Capture
o E01 Restore
o E01 Hash
o LinuxDD and Single Capture
o E01 and Single Capture
o Hash
o WipeOut
o Format Drives

Single Capture

The Single Capture operational mode will seize the entire contents of the Suspect’s drive to the Evidence drive. The operation will create an exact duplicate of all of the Suspect’s drive partitioned and un-partitioned areas as well as all used and unused sectors on the Suspect’s drive. The process of acquiring the data from the Suspect’s drive is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive. The data is copied to the corresponding sector on the Evidence drive. Only one seizure operation can be performed to the same Evidence drive. See Single Capture Settings for more details.

LinuxDD Capture

The LinuxDD Capture Mode will copy the entire contents of the Suspect’s drive to the Destination drives. The data will be written as individual segmented LinuxDD files and stored in an individual subdirectory on the Destination drive(s). The size of the individual LinuxDD files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The File Name information entered by the user will be used as the name of the subdirectory where the Suspect’s LinuxDD files will be stored. This File Name will also be used as the filename of all LinuxDD files associated with this seizure. The LinuxDD files will begin with the extension 000, and the extension is incremented by 1 for each additional file.

The Destination drive will be inspected prior to transferring data. The operation will verify if the first partition on the Evidence drive is based on the exFAT or NTFS File System and will have “EVIDENCE” as the volume label. A Destination drive that meets these criteria will be a valid Destination drive, a new subdirectory will be created, and the transfer will begin. A Destination drive that fails these criteria will cause the user to be prompted with a message asking whether or not to overwrite the current contents of the Destination drive in order to make it a valid LinuxDD Destination drive. The operation will abort unless the user agrees to overwrite the Destination drive.

Any number of “Loads” can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See LinuxDD Capture Settings for more details.

LinuxDD and Single Capture

Provides “Multi-Op Mode” support, allowing LinuxDD and Single Capture operations to be performed in one operation using the same Suspect drive.

o The drive connected to the last Evidence drive position will be configured using the Single Capture format. The remaining Evidence drive(s) will be configured with the LinuxDD Capture format.

LinuxDD Restore

This function allows restoring the captured LinuxDD formatted Case to its original file format. This function requires the LinuxDD drive, containing the LinuxDD Case files, to be connected to one of the unit’s Suspect positions and the “Destination” drive to be connected to the unit’s Evidence position.

LinuxDD Hash

This function will generate a Hash value for the selected LinuxDD Case. The LinuxDD drive can be connected to either the Suspect or Evidence position.
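A captured LinuxDD case can also be re-hashed on an examiner's workstation and compared with the value recorded at capture time. The following is an added example, not ICS code or part of the original guide: it assumes the segments are named `<File Name>.000`, `<File Name>.001`, ... inside the `<File Name>` subdirectory as described under LinuxDD Capture, and that the recorded hash covers the segment bytes concatenated in order. The function names and the `CASE-0001` sample are constructed.

```python
"""Re-verify a segmented LinuxDD case against the hash recorded at capture time."""
import hashlib
import re
import tempfile
from pathlib import Path

# Segment extensions start at 000 and count up by one, as the guide describes.
SEGMENT_EXT = re.compile(r"^\.(\d{3,})$")


def ordered_segments(case_dir, file_name):
    """Return the case's segments in numeric order; refuse a run with a gap."""
    found = {}
    for path in Path(case_dir).iterdir():
        match = SEGMENT_EXT.match(path.suffix)
        if match and path.is_file() and path.stem == file_name:
            found[int(match.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no {file_name}.NNN segments in {case_dir}")
    missing = sorted(set(range(max(found) + 1)) - set(found))
    if missing:
        # Silently skipping a lost middle segment would hash a different image.
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in sorted(found)]


def hash_case(case_dir, file_name, algorithms=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Stream all segments, in order, through each digest as one continuous image."""
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for segment in ordered_segments(case_dir, file_name):
        with open(segment, "rb") as fh:
            while block := fh.read(chunk):
                for digest in digests.values():
                    digest.update(block)
                total += len(block)
    return total, {name: d.hexdigest() for name, d in digests.items()}


def verify_case(case_dir, file_name, algorithm, expected_hex, expected_size=None):
    """True only if the digest (and, when given, the byte count) match the record.

    A missing *trailing* segment cannot be seen from the numbering alone, so pass
    the drive size from the capture log as expected_size when it is available.
    """
    total, result = hash_case(case_dir, file_name, (algorithm,))
    if expected_size is not None and total != expected_size:
        return False
    return result[algorithm] == expected_hex.strip().lower()


def build_constructed_case(root, file_name, image, segment_size):
    """Write a constructed sample case: image split into numbered segments."""
    case_dir = Path(root) / file_name
    case_dir.mkdir()
    for n, start in enumerate(range(0, len(image), segment_size)):
        segment = case_dir / f"{file_name}.{n:03d}"
        segment.write_bytes(image[start:start + segment_size])
    return case_dir


if __name__ == "__main__":
    # Constructed sample: a 10 KiB "drive" split into 4 KiB segments.
    image = bytes(range(256)) * 40
    with tempfile.TemporaryDirectory() as root:
        case = build_constructed_case(root, "CASE-0001", image, 4096)
        size, digests = hash_case(case, "CASE-0001")
        print(size, digests["sha256"])
```
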

E01 Capture

The E01 Capture Mode will capture the entire contents of the Suspect’s drive to the Destination drives using Guidance Software’s EnCase® Forensic format. The data will be written as individual segmented EnCase® formatted files and stored in an individual subdirectory on the Destination drive(s). The size of the individual E01 files can be set by selecting a value within the Capture File Size pull down menu. The default setting is 650MB (CD). The EnCase® format limits the File Size to 2GB. The File Name information entered by the user will be used as the name of the subdirectory where the Suspect’s files will be stored. This File Name will also be used as the filename of all files associated with this seizure. The E01 files will begin with the extension E01, and the extension is incremented by 1 for each additional file. The Compression Level can be set as “Disabled”, “Minimum” and “Maximum”.

The Destination drive will be inspected prior to transferring data. The operation will verify if the first partition on the Evidence drive is based on the exFAT or NTFS File System and will have “EVIDENCE” as the volume label. Otherwise, the operation will prompt the User that the Evidence drive will be overwritten.

Any number of “Loads” can be placed on the same Destination drive provided there is adequate space to save the transferred data on the Destination drive. See E01 Capture Settings for more details.


NOTE: The E01 Capture Mode will result in reduced transfer rates when compared with other Capture Modes.

E01 and Single Capture

Provides “Multi-Op Mode” support, allowing E01 and Single Capture operations to be performed in one operation using the same Suspect drive.

o The drive connected to the last Evidence drive position will be configured using the Single Capture format. The remaining Evidence drive(s) will be configured with the E01 Capture format.


E01 Restore

This function allows restoring the captured E01 formatted Case to its original file format. This function requires the E01 drive, containing the E01 Case files, to be connected to one of the unit’s Suspect positions and the “Destination” drive to be connected to the unit’s Evidence position.

E01 Hash[6]

This function will generate a Hash value for the selected E01 Case. The E01 drive can be connected to either the Suspect or Evidence position.

Format Drives

This function can be used to quickly format drives as exFAT or NTFS drives, if necessary.

[6] Pending development as of release of this document (11/09).


WipeOut-DoD

The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives. Using ordinary “DELETE” and “ERASE” commands, data on a hard drive remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique provides a solution to this problem using a series of null-coded overwrites that completely removes all data from the hard drive. The process is performed in three iterations and two individual passes that completely overwrite the drive connected to the internal drive position. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code “246” (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.
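The pass sequence above can be modelled on an ordinary image file to see what the eighth, Read-Verify pass should find. This is an added example, not ICS code or the unit's implementation: the function names are hypothetical, the sample file is constructed, and a file-level model does not reach HPA/DCO areas or remapped sectors the way the unit's drive-level operation does.

```python
"""Model the WipeOut DoD pass plan on an image file and read-verify the result."""
import os
import tempfile

# Seven write passes: three iterations of (0xFF, 0x00), then the 0xF6 pass.
WRITE_PASSES = [0xFF, 0x00] * 3 + [0xF6]


def overwrite(path, pattern, chunk=1 << 20):
    """Overwrite every byte of an existing file with one pattern byte, in place."""
    remaining = os.path.getsize(path)
    block = bytes([pattern]) * chunk
    with open(path, "r+b") as fh:
        while remaining:
            n = min(chunk, remaining)
            fh.write(block[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push this pass to storage before the next one


def read_verify(path, pattern=0xF6, chunk=1 << 20):
    """Eighth pass: return None if every byte equals pattern, else the first bad offset."""
    fill = bytes([pattern])
    offset = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            rest = block.lstrip(fill)  # whatever remains starts at the first mismatch
            if rest:
                return offset + len(block) - len(rest)
            offset += len(block)
    return None


def dod_wipe(path, chunk=1 << 20):
    """Run the seven write passes, then read-verify against the final pattern."""
    for pattern in WRITE_PASSES:
        overwrite(path, pattern, chunk)
    return read_verify(path, WRITE_PASSES[-1], chunk)


if __name__ == "__main__":
    # Constructed sample: 5000 random bytes standing in for a drive image.
    with tempfile.TemporaryDirectory() as root:
        image = os.path.join(root, "constructed.img")
        with open(image, "wb") as fh:
            fh.write(os.urandom(5000))
        print("first mismatch after wipe:", dod_wipe(image, chunk=1024))
```
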

WipeOut-Fast

The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined hex pattern to the drive connected in the Target drive position, for a number of user defined iterations. The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.

WipeOut-Secure Erase

The WipeOut-Secure Erase option uses the drive’s own built-in firmware “Secure Erase” function to erase data. The WipeOut-Secure Erase option offers two modes, Normal Erase and Enhanced Erase, which are automatically selected if the drive supports them. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.

NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.

Partial Wipe with ICS Signature

Performs a partial Wipe of the Evidence drive and writes an ICS signature.


Hash

The Hash operation provides a method of generating a hash value for either the entire area of a drive or for a selected number of sectors of a drive. No data is written to the selected drives during this operation. When hashing the entire drive the process is methodical and contiguous, beginning with the first sector on the drive and ending with the last sector of the drive. See Hash Settings for more details.

Event Log Window

The Event Log Window displays real time operational event log information.

Navigation Bar

The Navigation Bar menu provides the user with functions to select the various User Interfaces and IM support functions.

The following functions are provided by the Navigation Bar.

Advanced Screen

Provides access to the Advanced User Interface Screen functions. These functions include access to advanced settings and advanced operational modes.

Operator Screen

Provides access to the Operator User Interface Screen functions. Allows the Operator to start or abort common operations.

Keyboard

Provides access to an On-Screen-Keyboard. The On-Screen-Keyboard allows for an easy method to enter text related information. A keyboard and mouse can also be connected to the IMSolo-5 Forensics unit.

New Copy Session

Selecting this function results in starting a new session of the IMSolo-5 Forensics Wizard Interface Control Console. Multiple sessions allow more than one operation to be performed simultaneously.

Next Copy Session

Switches between the different active session views.

Explorer

Allows access to Windows Desktop while running session(s).


Exit

Terminates the active visible session. The function automatically releases all detected drives before exiting the session.

About

Selecting About displays information about the IMSolo-5 Forensics unit, such as the serial number and the software version in use.


Operational Status Information

The Control Console provides Operational Status Information, supplying the user with real time event log data.

The following Operation Status Information fields are available:

Station
Speed
Operational Mode
Load Size
Percent Completion
Elapsed Time
Estimated Time Left

Station

Displays the Computer Name of the IMSolo-5 Forensics unit.

Speed

The Speed field displays the average transfer rate in megabytes per minute.

Operational Mode

Displays the selected Operational Mode.

Load Size

The Load Size field displays the total data required to be transferred.

Percent Completion

Displays the percent of completion for the active operation.

Elapsed Time

Refers to the time elapsed during an operation. This field will also display the total elapsed time at the end of an operation.

Estimated Time Left

Refers to the time remaining to complete the operation.


Operation Control Functions

The Control Console provides the functions necessary to start or stop the selected operation. The following Control Functions are available:

Start
Abort

Start

Selecting Start will instruct the Control Console to turn ON the drives and begin the selected operation.

Abort

Selecting Abort will instruct the Control Console to turn OFF the drives and terminate the selected operation.


Advanced Operation Settings Menu

The IMSolo-5 Forensics Advanced Operation Settings Menu provides access to the Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Interface Control Console.

The Advanced Operation Settings Menu provides the Operator with a menu of Operational Mode Settings for the selected Operation. The Settings menu list is dynamic, and will change to reflect the selected Operational Mode. The descriptions of the available Operational Mode Settings are discussed in the following section.

Single Capture Settings
Hash Settings
LinuxDD Capture Settings
LinuxDD Hash Settings
LinuxDD Restore Settings
E01 Capture Settings
E01 Hash Settings
E01 Restore Settings
WipeOut Settings
Format Drives Settings

Single Capture Settings

The Single Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 11 (callouts: Read Back-Verify, Hash Targets, Hashing Methods, Encryption/Decryption, Wipe Remainder)


Read Back-Verify

Provides additional data integrity checks during data transfers. When Read Back-Verify is selected, the operation verifies each block of data during the transfer process: data written to the Evidence drive is read back and compared to the data read from the Suspect’s drive. Enabling this option reduces the transfer rate. When the option is disabled, the data transfer process relies on the drive's own Ultra DMA Mode error-detection mechanism, known as cyclical redundancy checking (CRC-16), to check for data integrity. In most cases the CRC-16 error checking algorithm is sufficient. CRC is an algorithm that calculates an order- and value-sensitive checksum used to detect errors in a stream of data. Both the Suspect’s drive and the Evidence drives calculate a CRC value for each Ultra DMA burst. After the Suspect’s data is sent, the Evidence drive calculates a CRC value and this is compared to the original Suspect’s CRC value. If a difference is reported, the unit may be required to select a slower transfer mode and retry the original request for data. The transfer rate is not affected when using the drive’s CRC-16 mechanism for checking data integrity.

Hash Targets

The Hash Targets function provides a method of generating Hash values for the Source drive’s data and for the data written to the Target drives, in the same operation. The data is read back and hashed from the target drive(s) after each transferred block. Since data is read back during the operation the average transfer rate will decrease and the total time of completion will increase when this function is enabled.

Hashing Methods

The Hashing Methods menu selection provides the user with a list of different Hash Algorithms to generate a Hash value for the Source drive’s data. Hashing is a process that calculates a "unique signature" value for the contents of an entire drive.

CRC32

Selecting CRC32 will result in the operation generating the CRC32 32-bit hash value for the data read from the source drive(s). Selecting the Hash Targets function will result in the operation generating the CRC32 Hash values for the data read from the Source drive and the data written to the Target drive.

MD5

Selecting MD5 will result in the operation generating the MD5 128-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the MD5 Hash values for the data read from the Source drive and the data written to the Target drive.


SHA-1

Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the SHA-1 Hash values for the data read from the Source drive and the data written to the Target drive.

NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.

SHA-2 (224,384,256,512)

Selecting SHA-2 (224,384,256,512) will result in the operation generating the SHA-2 (224,384,256,512)-bit hash value for the data read from the source drives. Selecting the Hash Targets function will result in the operation generating the Hash values for the data read from the Source drive and the data written to the Target drive.

NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for calculations and therefore effects on transfer rates are limited.

Wipe Remainder

The Wipe Remainder function instructs the capture operation to wipe (erase) remaining sectors after a capture operation is performed, if the Evidence drive is larger than the Suspect’s drive.


Encrypt/Decrypt

The Encrypt/Decrypt menu selection provides the user with the functions and settings necessary to configure an operation to Encrypt or Decrypt captured data.

Figure 12

AES Key Length (bits)

Provides the user with a list of two AES Key Sizes to choose from. The choices are 192 and 256 bits.

AES Mode

Provides the user with the list of AES Modes to choose from. The IMSolo-5 uses the ECB Mode.

Action - None

Instructs the operation to transfer data without Encrypting or Decrypting data.

Action - Encrypt

Instructs the operation to Encrypt data during the data transfer operation.

Action - Decrypt

Instructs the operation to Decrypt data during the data transfer operation.

Save Key

The Encryption Key used to Encrypt the Suspect drive’s data is generated and saved.


Load Key

Provides the function to allow the User to select and load the Encryption Key which can be used to Decrypt the Evidence drive’s Encrypted data.

NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.


WipeOut Settings

The WipeOut Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 13 (callouts: User, DoD, Secure Erase, Partial Wipe with ICS Signature, Iterations, Pattern (0-255), Read Back-Verify, Write ICS Signature)

Mode

The WipeOut Mode provides the Operator with two methods of sanitizing drives.

User

The Wipeout User option provides a quick non-DoD method of sanitizing a drive of all previously stored data. The process involves writing a user defined pattern to the drive connected in the Target drive position, for a number of user defined drive passes (iterations). The process is methodical and contiguous, beginning from the first byte of the first sector on the drive, and ending on the last byte of the last sector of the drive.

Iterations

Allows the Operator to define the number of WipeOut-User iterations or passes to perform. Selecting 0 instructs the operation to sanitize the drive in one pass.


Pattern (0-255)

Allows the Operator to define the WipeOut-User Pattern to be used to sanitize the Target drive(s). The available range is 0-255.

DoD

The Wipeout DoD function provides a method of sanitizing a drive that meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.

The operation is performed in three iterations followed by two individual passes, which together completely overwrite the destination drives. Each iteration makes two write-passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass writes ZEROs (Hex 0x00) over the entire drive surface. After the third iteration, a seventh pass writes the government designated code “246” (Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass that inspects the drive with a Read-Verify review.
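The DoD pass sequence described above, written out as an added example (not the unit's firmware or ICS code) against a file-like object, with the final Read-Verify pass reporting the first offset that did not take the pattern. The chunk size, the function names and the `StuckRegion` test device are assumptions of the example.

```python
import io

CHUNK = 64 * 1024  # I/O size used by this example (arbitrary choice)


def dod_schedule():
    """Write passes as the guide lists them: 3 x (0xFF, 0x00), then 0xF6."""
    passes = []
    for _ in range(3):
        passes += [0xFF, 0x00]
    passes.append(0xF6)  # decimal 246, the seventh pass
    return passes


def overwrite(dev, size, value):
    """Write `value` over bytes 0..size-1 of a seekable file-like device."""
    dev.seek(0)
    buf = bytes([value]) * CHUNK
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        dev.write(buf[:n])
        remaining -= n
    dev.flush()


def read_verify(dev, size, value):
    """Eighth pass: return the first offset not equal to `value`, else None."""
    dev.seek(0)
    offset = 0
    while offset < size:
        data = dev.read(min(CHUNK, size - offset))
        if not data:
            return offset  # short read: device is smaller than expected
        if data != bytes([value]) * len(data):
            return offset + next(i for i, b in enumerate(data) if b != value)
        offset += len(data)
    return None


def dod_wipe(dev, size):
    """Run all seven write passes, then verify against the last pattern."""
    schedule = dod_schedule()
    for value in schedule:
        overwrite(dev, size, value)
    return read_verify(dev, size, schedule[-1])


class StuckRegion(io.BytesIO):
    """Constructed test device: bytes in [lo, hi) silently ignore writes."""

    def __init__(self, data, lo, hi):
        super().__init__(data)
        self.lo, self.hi = lo, hi

    def write(self, b):
        keep = self.getvalue()[self.lo:self.hi]
        n = super().write(b)
        end = self.tell()
        super().seek(self.lo)
        super().write(keep)  # put the old contents back
        super().seek(end)
        return n


if __name__ == "__main__":
    size = 200_000
    print("clean device:", dod_wipe(io.BytesIO(b"\xaa" * size), size))
    print("stuck region:", dod_wipe(StuckRegion(b"\xaa" * size, 70_000, 70_010), size))
```

A return value of `None` means every addressable byte holds 0xF6; any other value is the offset where the wipe should be treated as failed.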

Secure Erase

The WipeOut-Secure Erase option uses the drive’s own built-in firmware “Secure Erase” function to erase data. The option offers two modes, Normal Erase and Enhanced Erase, which are automatically selected if the drive supports them. Normal Erase will erase drives using the 0x00 pattern. The Enhanced Erase mode will erase drives with a predetermined pattern and will clear Relocation List Sectors.

NOTE: Not all drives provide support for the Secure Erase command. Secure erase is recognized by NIST 800-88 as an effective and secure way to meet legal data sanitization requirements.

Partial Wipe with ICS Signature

Performs a partial Wipe of the Evidence drive and writes an ICS signature.

Write ICS Signature

Performs a Wipe of the Evidence drive and writes an ICS signature.

Read Back-Verify

See the Read Back-Verify description under Single Capture Settings.


Format Drives Settings

The Format Drives Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu. The exFAT setting instructs the Format Drive operation to use the exFAT File System to format drives.

Figure 14


LinuxDD Capture Settings

The LinuxDD Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 15 (callouts: Capture File Size, Custom File Size (MB), File Name, Read Back-Verify, Hash Targets, Hash Methods, Encryption/Decryption)

Capture File Size

The size of the individual LinuxDD files can be set by selecting predefined values within the Capture File Size menu. The options are 640MB, 1GB, 2GB, 4.7GB, Whole Drive, and Custom. The default setting is 640MB.

Custom File Size (MB)

The size of the individual LinuxDD files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.

File Name

The File Name entry will be used as the name for the LinuxDD subdirectory, where the individual LinuxDD files will be stored. This File Name will also be used as the name of all LinuxDD files associated with the selected operation.

NOTE: If the File Name field is left blank, the operation will use a default LinuxDD file name referenced as “CASE<DATE><TIME>.”


LinuxDD Hash Settings

The LinuxDD Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 16 (callouts: Hash Methods, File Name, Encryption/Decryption)


LinuxDD or E01 Restore Settings

The LinuxDD or E01 Restore Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figures 17 and 18 (callouts: Hash Methods, File Name, Read Back-Verify, Hash Targets, Encryption/Decryption)


Hash Settings

The Hash Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 19 (callouts: Sectors to Hash, Hash Methods, Encryption/Decryption)

Sectors to Hash

Allows the Operator to define the number of sectors to hash. The default value of 0 will instruct the Hash operation to hash the entire drive.


E01 Capture Settings

The E01 Capture Settings menu provides the Operator with a list of settings available for the selected operation. The menu is selected when the Operational Mode is selected from the Operational Mode Select Menu.

Figure 20 (callouts: Capture File Size, Custom File Size (MB), Hash Methods, File Name)

Capture File Size

The size of the individual E01 files can be set by selecting predefined values within the Capture File Size menu. The default setting is 650MB (CD).

Custom File Size (MB)

The size of the individual E01 files can be manually entered in Megabytes. The entry is active when the Custom value is selected in the Capture File Size menu.

Ex01

Instructs the operation to use the Ex01 format instead of the E01 format.

File Name

The File Name will be used as the name for the E01 Case subdirectory, where the individual E01 files will be stored. This File Name will also be used as the name of all E01 files associated with the selected operation.

NOTE: If the File Name field is left blank, the operation will use a default E01 file name referenced as “CASE<DATE><TIME>.”


Settings Main Menu

The IMSolo-5 Forensics Advanced Settings Main Menu provides access to the common Operational Mode settings. The menu is displayed by selecting the Main Tab from the Advanced Settings Menu. The descriptions of the available settings are discussed in the following section.

Figure 21 (callouts: Bad Sector Handling, Start View, Add/Remove Optional Features, Drive Handling Functions, User Interface Culture, Read Back-Verify, Protected Area Support Enabled)

User Interface Culture

The User Interface Culture menu provides the Operator with a list of available User Interface Languages.

Additional Operational Mode Settings

The Additional Operational Mode Settings menu provides the Operator with a list of additional settings available for the selected operation.

Read Back-Verify


Protected Area Support Enabled

When selected, this function instructs the selected Operation to determine if a Source drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a Source drive, the Operation will copy all of the drive’s data, including the data stored in the drive’s HPA or DCO area.

Bad Sector Handling

This setting allows the user to select from a list of three methods of handling bad sectors when they are encountered on the source drive.

Skip Block

When enabled, the bad sector handling process time is reduced by skipping the entire transferred block in which the bad sector was encountered. Each transferred block is composed of 1280 sectors. When the block is skipped, ‘0’s are written to the Evidence drive’s corresponding block. This process is significantly faster but would not capture any data that may exist in any of the good sectors of the block(s) containing bad sectors.

Skip Sector

The operation will log the location of the bad sector on the source drive and the bad sector will be skipped.

Abort drive

The operation will abort when encountering a bad sector on the source drive.
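The following added example (not code from the guide or from ICS) simulates the capture loop described under Read Back-Verify, Hash Targets and Bad Sector Handling, to show what each bad-sector policy leaves on the Evidence drive. The 512-byte sector size, the in-memory `SimDrive`, zero-filling of a skipped sector and all function names are assumptions of the example; the 1280-sector block size is taken from the guide.

```python
import hashlib

SECTOR = 512          # bytes per sector (assumption; the guide does not state it)
BLOCK_SECTORS = 1280  # sectors per transferred block, as stated in the guide


class BadSectorError(OSError):
    """Raised by the simulated drive when a read touches a bad sector."""


class SimDrive:
    """In-memory stand-in for a drive (constructed for this example)."""

    def __init__(self, data, bad_sectors=()):
        self.data = bytearray(data)
        self.bad = set(bad_sectors)
        self.sectors = len(self.data) // SECTOR

    def read(self, lba, count):
        if any(s in self.bad for s in range(lba, lba + count)):
            raise BadSectorError(f"unreadable sector in LBA {lba}..{lba + count - 1}")
        return bytes(self.data[lba * SECTOR:(lba + count) * SECTOR])

    def write(self, lba, payload):
        self.data[lba * SECTOR:lba * SECTOR + len(payload)] = payload


def read_block(src, lba, count, policy, skipped):
    """Read one block; on failure apply skip_block, skip_sector or abort."""
    try:
        return src.read(lba, count)
    except BadSectorError:
        if policy == "abort":
            raise
    if policy == "skip_block":
        skipped.append(("block", lba, count))
        return bytes(count * SECTOR)           # whole block becomes zeros
    out = bytearray()
    for s in range(lba, lba + count):          # skip_sector: retry one by one
        try:
            out += src.read(s, 1)
        except BadSectorError:
            skipped.append(("sector", s, 1))
            out += bytes(SECTOR)               # zero fill is an assumption
    return bytes(out)


def capture(src, dst, policy="skip_sector", algo="sha256", read_back_verify=True):
    """Copy src to dst block by block, hashing source data and read-back data."""
    if policy not in ("skip_sector", "skip_block", "abort"):
        raise ValueError(policy)
    src_hash, dst_hash = hashlib.new(algo), hashlib.new(algo)
    skipped = []
    for lba in range(0, src.sectors, BLOCK_SECTORS):
        count = min(BLOCK_SECTORS, src.sectors - lba)
        block = read_block(src, lba, count, policy, skipped)
        src_hash.update(block)
        dst.write(lba, block)
        back = dst.read(lba, count)            # read back what was written
        if read_back_verify and back != block:
            raise OSError(f"read-back mismatch in block at LBA {lba}")
        dst_hash.update(back)
    return {"source": src_hash.hexdigest(), "target": dst_hash.hexdigest(),
            "skipped": skipped}


def differing_sectors(a, b):
    """Count sectors whose stored bytes differ between two simulated drives."""
    return sum(a.data[i:i + SECTOR] != b.data[i:i + SECTOR]
               for i in range(0, len(a.data), SECTOR))


TOTAL_SECTORS = 2 * BLOCK_SECTORS + 100  # constructed size, last block is partial
BAD_LBA = 1300                           # constructed bad sector in the 2nd block


def make_source():
    data = bytes((i % 251) + 1 for i in range(TOTAL_SECTORS * SECTOR))
    return SimDrive(data, bad_sectors={BAD_LBA})


def make_target():
    return SimDrive(bytes(TOTAL_SECTORS * SECTOR))


if __name__ == "__main__":
    for policy in ("skip_sector", "skip_block"):
        src, dst = make_source(), make_target()
        result = capture(src, dst, policy)
        print(policy, result["source"] == result["target"],
              result["skipped"], "sectors lost:", differing_sectors(src, dst))
```

Source and target hashes match under both skip policies because the zero-filled data is what gets hashed, so the skipped-sector log, not the hash comparison, is the record of what was not captured.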

Start View

The Start View menu provides optional Start Up View options.

Operator Screen

Instructs the unit to Start Up using the Operator Interface Control Console. The Operator Interface provides all the functions and controls necessary to start or stop the operations pre-selected using the Wizard Interface or Advanced Interface. It provides the user with a graphical view of the Source and Target drive positions and the ability to change the active drive(s) for the selected operation.

Advanced Screen

Instructs the unit to Start Up using the Advanced Interface Control Console. The Advanced Interface provides all the functions and controls necessary to setup, customize and perform the unit’s common and advanced IT operations.


Add/Remove Optional Features

This function allows adding or removing Software Options.


Advanced Drive Detection Settings Menu

The IMSolo-5 Forensics Advanced Drive Detection Settings provides the Operator with User-Defined settings to customize the unit’s drive detect handling functions.

Figure 22 (callouts: Drive Detection Mode, Fast Detection, Sequential Detection, Drive Detection Warning, Test Drive Detection)

Drive Detection Mode

Allows the Operator to choose between the three available Drive Detect methods.

Auto

Automatically selects Drive Detection method based on the hardware detected. This mode will automatically select Fast Detection for the IMSolo-5 Forensics systems.


Fast Detection

Selects use of the Fast Detection method to detect drives. This method identifies the drive by the SAS/S-ATA controller’s physical address location used by polling the drive. It is the quickest method to detect drives.

Sequential Detection

Selects the Sequential Detection method to detect drives. This method identifies the drive by sensing the drive’s “current load”. The selected drives are detected in turn by powering Up the individual drive and then waiting for each individual drive to be detected before powering Up the next selected drive. This method is slower than the Fast Detection method to detect drives.

Fast Detection Settings

The Fast Detection Settings menu provides optional Fast Detection User-Defined settings.

Wait Time After Powering Up Each Drive

This is the time allocated before powering Up the next selected drive. The default value is 2 seconds.

Wait Time Between Powering Up Each Drive and Starting Drive Detection

This is the time allocated after powering Up each drive, and before checking the controller and O/S for detected drives. The default value is 20 seconds.

Max Scanning /Detection Time allowed by Application (Sec)

This is the time allocated for the O/S to detect “New Hardware” or discover each selected drive. The default value is 60 seconds.

NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.

Auto Calibrate Detection of All Drives

Used to restore the “map” which links the unit’s SAS/SATA controller’s physical addresses to the unit’s assigned drive positions, listed in the Drive Detection menu screen, for all connected drives. The Calibration starts with the drive specified in the Calibration Starts From Drive input box.

NOTE: Calibration would only be necessary if the unit can no longer detect drives.

Calibration Starts From Drive

The Auto Calibration starts with the drive number specified in the Calibration Starts From Drive input box. The drive number starts with 0 and follows the order of the drive positions listed in the Drive Detection menu screen.


Calibrate Detection of a Selected Drive

Used to restore the “map” which links the unit’s SAS/SATA controller’s physical addresses to the unit’s assigned drive positions, for individually selected drives.

NOTE: Calibration would only be necessary if the unit can no longer detect drives.

Sequential Detection Settings

The Sequential Detection Settings menu provides optional Sequential Detection User-Defined settings.

Max Detect Time

This is the time allocated for the O/S to detect “New Hardware” or discover each selected drive. The default value is 60 seconds.

NOTE: Some drives may take longer to be discovered by the O/S. This setting limits the wait time.

Max Detect Power Time

Maximum time allowed for the drive’s applied “current load” to be detected. After the set time, if the drive’s applied “current load” is not detected, the drive will be powered OFF.

Calibrate Current Threshold

The Calibrate Current Threshold function will measure the idle current used by the unit’s power control board. A current level measured that is greater than the Calibrated Current Threshold value will indicate that a device is connected.

NOTE: Verify that NO drive is connected while calibrating the current thresholds.

Drive Detection Warning

Warns the Operator when one of the selected drive positions could not detect a drive.

Test Drive Detection

Powers on each drive port to test for proper drive detection. Requires drives to be connected to each port.


Advanced Settings Menu

The IMSolo-5 Forensics Advanced Settings provides the Operator with User-Defined settings to enable or disable displayed prompts, activate the Auto Run function, and access some additional Drive Handling functions. The menu is displayed by selecting the Settings/Advanced Tab. The descriptions of the available settings are discussed in the following section.

Figure 23 (callouts: Drive Detection Prompts, Secure Erase Setting, Target Protected Area, Force Power Off, Auto Run, Verify Location of Suspect Drive)

Warn if Drive is not Inserted

When enabled, this function will prompt the User if a selected drive is not connected.


Use Master Password for Secure Erase

When enabled, this function instructs Secure Erase to use the drive’s Master Password to access the drive.

Hash Advisory

When enabled, this function will prompt the User if the Hash Method is not enabled.

Confirm Drives

When enabled, this function will prompt the User if the operation should proceed with the detected drives.

Set Target Protected Area

When enabled, this function instructs the operation to set the HPA or DCO Area of the Target drive if the Source drive is detected as having an HPA or DCO Area.

Forced Power off

Provides a function to manually power OFF all selected drives.

Power off selected drives

Manually powers OFF the selected drives. The function should only be used if the Remove Drives function does not power off the selected drives.

NOTE: Exit all applications which may be using the drives prior to manually powering OFF the drives.

Auto Run

Instructs the selected Operation to continuously run until the Operation is manually aborted. This function can be used to test drives or unit’s hardware.

Verify Location of Suspect Drive

Instructs the Operation to check if the drive connected in the Evidence position contains the pre-wiped ICS Signature. If the signature is not located, the operation will display a warning indicating “Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted.”


More Settings Menu

The IMSolo-5 Forensics More Settings provides the Operator with User-Defined settings to configure some of the unit’s hardware and software settings. The menu is displayed by selecting the Settings/More Tab. The descriptions of the available settings are discussed in the following section.

Figure 24 (callouts: Slow Drive Filter, Enable IMAccess, Speed Optimization, Fan Control, Launch Drive Port Assignment, SAS/SATA Controller Settings, Disable Destination Writes)

Slow Drive Filter

The Slow Drive Filter menu allows the operation to abort individual drives which would cause slow transfer rates. After aborting the individual drive, the operation would continue for the remaining drives, without reducing the transfer rate.

Speed Threshold

Minimum transfer rate accepted before the drive is aborted. The decision to abort a drive is based on the individual drive speed and not on the average speed of the process.


Speed Optimization

Used to obtain optimal transfer rates.

Transfer Buffer Size (in 64 kb)

The default setting of (10) instructs the operation to use a Transfer Buffer size of 640KB. In most cases a Transfer Buffer size of 640KB is optimal; however, with some drive combinations it might be useful to change the value in order to achieve faster transfer rates.

Fan Control

Controls Drive Bay Fan Speeds.

Launch Drive Port Assignment

Opens the Drive Port Assignment Screen, which provides an interface to change the default port assignments.

Enable IMAccess

Provides a function for proprietary 3rd Party applications to access USB drive volumes connected in the unit’s general purpose USB ports.

SAS/SATA Controller Settings

Provides a function to set the minimum and maximum negotiating transfer rate of the unit’s SAS/SATA Controller.

Disable Destination Writes

Allows the Operator to disable the writing of Log, Audit or other Drive information files to the Destination drive.


Advanced Case Info Menu

The IMSolo-5 Forensics Advanced Case Info Menu provides the user with a list of specific Case Information to enter for the Capture Operation. This Case Information will be stored for Audit Trail output. The menu is displayed by selecting the Case Info Tab from the Advanced Main Menu.

Figure 25


Advanced Mount Drive Menu

The IMSolo-5 Forensics Advanced Mount Drive Menu provides access to the functions and controls necessary to change the state of the detected device Write Protection and Mount Volume properties. By default, all ports including the Evidence Drive ports and unit’s USB ports are Write-Protected. In addition, the detected drive’s partitions or volumes are “hidden” from the unit’s O/S. The drive’s properties will automatically be configured for the common Operational Modes. The recommended state of each device will depend on the operation to be performed with the detected devices. The menu is displayed by selecting the Mount Drive Tab from the Advanced Interface Control Console. The descriptions of the available Mount Drive Settings are discussed in the following section.

Write-Protection Mount Volumes Simulate Drive Signature Apply Refresh

Figure 26


Write-Protect the Drive

When selected (checked), the detected drive will be Write-Protected. This setting should be disabled (unchecked) only when it is necessary to allow the unit’s O/S or a 3rd party application write access to the drive’s volume. The detected drive’s Write-Protect property can be changed by first selecting the detected drive and then using the Write-Protect function in the Mount Drive Menu.

NOTE: By default, all ports are Write-Protected. The Write-Protect property of drives detected in the Suspect positions cannot be disabled.

Mount Volumes on the Drive

When selected (checked), the detected drive’s volume will be accessible by the unit’s Operating System. This setting should be enabled only when it is necessary to allow the unit’s O/S or a 3rd party application preview access to the drive’s volume. The detected drive’s Mount Volume property can be changed by first selecting the detected drive and then using the Mount Volume function in the Mount Drive Menu.

Simulate Drive Signature When Mounting Volumes

When selected (checked), the O/S will be provided with a “simulated” Device Signature for the selected drive. The O/S requires each drive to have a different Device Signature, but after a duplication operation drives may have the same Device Signature. If identical Device Signatures are detected, the drive’s volume may not mount properly under the unit’s O/S. If the setting is not selected, the drive’s unaltered Device Signature is presented to the O/S or applications.

Apply

Applies the selected Drive Property settings.

Refresh

Selecting Refresh displays the drive properties of the currently selected drive.


Advanced HPA/DCO Menu

The IMSolo-5 Forensics Advanced HPA Menu provides the functions to view and modify the drive’s Host Protected Area (HPA) and Device Configuration Overlay (DCO) Capacity feature set. The menu is displayed by selecting the HPA Tab from the Advanced Interface Control Console.

The descriptions of the available HPA Menu Settings are discussed in the following section.

Protected Area Type, Protected Area Support, Set Capacity, Reset, New Capacity, Volatile

Figure 27

Protected Area Type

Allows the User to select use of either HPA or DCO Support functions.


Protected Area Support

When selected, this function instructs the selected Operation to determine if a Suspect’s drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a Suspect’s drive, the Operation will seize all of the drive’s data, including the data stored in the drive’s HPA or DCO area.

New Capacity

Value in sectors which will define the drive’s programmed HPA or DCO capacity.

Current Capacity

Displays drive’s current DCO or HPA programmed capacity in sectors.

Native Capacity

Displays drive’s Native capacity in sectors.

Set Capacity

Provides the function to program the Evidence drive’s capacity using the HPA or DCO User Defined values.

Reset Capacity

Provides the function to reset the Evidence drive’s capacity to its Native Capacity.

Volatile

Instructs the Set Capacity function to modify the drive’s capacity only when the drive is power cycled.
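The relationship between Current Capacity and Native Capacity described above, as an added example that is not part of the ICS manual or the IMSolo-5 software. It assumes the two values are read independently with the Linux hdparm -N command, and it checks whether an image's size covers the native capacity or only the visible area; the sample output and the 512-byte sector size are constructed assumptions.

```python
import re

# Assumption: capacities are read with the Linux tool `hdparm -N <device>`,
# which is not part of the IMSolo-5. It prints "max sectors = current/native".
# It reports the HPA only; a DCO can hide further sectors and is not covered.
_MAX_SECTORS = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)"
)

# CONSTRUCTED sample output for a drive configured with a Host Protected Area.
SAMPLE_HDPARM_OUTPUT = """
/dev/sdb:
 max sectors   = 78125000/78165360, HPA is enabled
"""


def parse_capacities(text):
    """Return (current_sectors, native_sectors) from `hdparm -N` output."""
    match = _MAX_SECTORS.search(text)
    if match is None:
        raise ValueError("no 'max sectors' line found")
    current, native = int(match.group(1)), int(match.group(2))
    if current > native:
        raise ValueError("current capacity exceeds native capacity")
    return current, native


def hidden_sectors(current, native):
    """Sectors above the Current Capacity, i.e. inside the protected area."""
    return native - current


def image_coverage(image_bytes, current, native, sector_size=512):
    """Classify a raw image by how much of the drive its size accounts for.

    "native"       the image spans the Native Capacity (protected area included)
    "visible-only" the image stops at the Current Capacity
    "partial"      the size is not a whole number of sectors
    "mismatch"     the size matches neither capacity
    When no protected area exists (current == native) the result is "native".
    """
    if image_bytes % sector_size:
        return "partial"
    sectors = image_bytes // sector_size
    if sectors == native:
        return "native"
    if sectors == current:
        return "visible-only"
    return "mismatch"


if __name__ == "__main__":
    cur, nat = parse_capacities(SAMPLE_HDPARM_OUTPUT)
    gap = hidden_sectors(cur, nat)
    print("current=%d native=%d hidden=%d sectors (%d bytes)"
          % (cur, nat, gap, gap * 512))
    # An image taken without Protected Area Support would stop at `cur`.
    print(image_coverage(cur * 512, cur, nat))
    print(image_coverage(nat * 512, cur, nat))
```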


Advanced LOG Menu

The IMSolo-5 Forensics LOG Menu provides the functions for viewing, transferring and printing Event Log and Audit information. The menu is displayed by selecting the LOG Tab from the Advanced Interface Control Console. Event Log and Audit files are automatically stored in the unit’s local file folder. Files are stored using a DATE_TIME.TXT naming convention. The Audit Trail file will be referenced as such. The descriptions of the available LOG functions are discussed in the following section.

Print Logs, Copy Logs, Open Log Folder, Set Audit Trail Logo

Figure 28


Print Logs

Provides the functions to print Event Log files and Audit Trail Log files to a connected printer.

Copy Logs

Provides the function to copy Event Log files and Audit Trail Log files to an external device.

Open Log Folder

Provides access to the folder used to store the Log files, for viewing.

Set Audit Trail Logo

Provides the function to add a Company Logo onto the generated PDF Audit Trail.


Advanced Tools Menu

The IMSolo-5 Forensics Advanced Tools Menu provides the functions to Disable an Evidence drive’s User Password.

Disable Password

Figure 29

Disable Password

Provides the function to Disable the drive’s User Password. It may be necessary to Disable the “ics” password which is set on the drive during Secure Erase if the operation is aborted prior to completion. If the User Password is not reset, the drive will block Read and Write commands.

NOTE: It is not necessary to disable the drive’s User Password if Secure Erase is used to erase the drive.


Chapter 5: Operational Procedures


Prepare for Operation

This section describes the recommended procedure to follow when preparing to perform an operation with drives connected directly to the unit. References to P-ATA drive setup in this section require the use of S-ATA-to-P-ATA adapters.

1. Prepare Suspect’s Drive

When using PATA drives, verify that the Suspect’s drive jumper block is properly configured. For P-ATA drives the jumper block should be set for “Single/Master” operation. For SAS or SATA drives, the drive’s default jumper block settings are recommended.

Connect the Suspect’s drive to the unit’s SUSPECT-1 SAS/SATA or USB position, located on the unit’s Left Panel (Fig. 8). Use of P-ATA drives requires use of the supplied S-ATA-to-P-ATA Adapters.

NOTE: The drive detected in this position will be listed in the Active Source Drive Panel.

If necessary, connect a second Suspect’s drive to the unit’s SUSPECT-2 SAS/SATA or USB position, located on the unit’s Right Panel (Fig. 9).

NOTE: A second instance of the Control Console will be required to capture data from two Suspect drives simultaneously. Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.

2. Prepare the Evidence Drive(s)

Connect the Evidence drive to the unit’s EVIDENCE-1 SAS/SATA position located on the unit’s Front Panel (Fig. 10) or to the EVIDENCE-1 USB position, located on the unit’s Back Panel. Use of P-ATA drives requires use of the supplied S-ATA-to-P-ATA Adapters.

NOTE: The drive detected in this position will be listed in the Active Destination Drive Panel.

If necessary, connect a second Evidence drive to the unit’s EVIDENCE-2 SAS/SATA data connector located on the unit’s Front Panel (Fig. 10).

The Evidence drive(s) should be sanitized prior to performing a Capture operation.

NOTE: To configure the Capture Operation to verify the location of the Suspect Drive, refer to the section titled “Verify Location of Suspect Drive Configuration”.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The Write-Protection feature of all Evidence drive ports will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).


3. Connect the printer (optional).

4. Configure the unit’s Settings.

Select the required operation from the Control Console’s Operation pull down menu located in the Advanced Interface Control Console.

Verify Settings of selected Operation. See Chapter 5 for Operational Mode recommended settings.

Verify unit’s Common Settings (See Table 2). The Common Settings are located in the Advanced Settings Screen.

Common Settings

Table 2

Menu Item                          Setting
Read Back-Verify                   Disable
Confirm Drives Before Operation    Enable
Auto Run                           Disable
Bad Sector Handling                Skip Sector
Transfer Buffer Size               10
Drive Detection Mode               Sequential Detection
Max Detect Drive Time              60
Max Detect Drive Power Time        0
Verify Location of Suspect Drive   Enable
Hash Advisory                      Enable
Protected Area Support             Enable
Start View                         Advanced Screen

5. Removing Drives

The Drive Select menu provides a power indicator for each drive position. The indicator will be GREY prior to drive detection, GREEN if the drive is detected or if the operation passed, and RED if the drive is not detected or if the operation was not successful. Drives are powered OFF after an operation completes. Drives can be physically removed after an operation completes and the drive is removed from its assigned Active Drive Status Panel.


Capturing Drives using Single Capture Mode

The following section describes the procedure to use the Single Capture mode for Capturing Suspect’s data from drive(s) that have been removed from their PC or Notebook.

1. The Advanced Interface Control Console will be displayed after the unit is powered ON.

2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

3. Select Single Capture from the Operation pull down menu, located in the Main Screen.

4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 3 for recommended settings.

5. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

6. Select CASE INFO from the Main Screen and enter the required information.

7. Select the drives to be used for the selected operation from the Drive Selection Panel.

8. Select the drives to be used for the selected Operation using the Drive Selection Panel.

9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.

NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.


10. If capturing from two Suspect’s drives, start a second instance of the IMSolo-5 Forensic Capture application and follow steps 2 through 9.

NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

Single Capture Recommended Settings

Table 3

Menu Item            Setting
Operational Modes    Single Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)


Capturing using LinuxDD Capture Mode

The following section describes the procedure to use the LinuxDD Capture mode for Capturing Suspect’s data from a drive that has been removed from its PC or Notebook.

1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

2. Select LinuxDD Capture from the Operation pull down menu, located in the Main Screen.

3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 4 for recommended settings.

4. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD directory and segmented files.

5. Set the LinuxDD file fragment size by selecting the size from the Capture File Size pull down menu.

6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

7. Select CASE INFO from the Main Screen and enter the required information.

8. Select the drives to be used for the selected Operation using the Drive Selection Panel.

9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.

NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.


10. If capturing from two Suspect’s drives, start a second instance of the IMSolo-5 Forensic Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2 through 9.

NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

LinuxDD Capture Recommended Settings

Table 4

Menu Item            Setting
Operational Modes    LinuxDD Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    4GB
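Because the capture hash covers the data read from the Suspect’s drive, a segmented LinuxDD capture can be re-checked later by hashing its segments in order and comparing the result with the recorded value. The following is an added example, not ICS code: the segment naming (File Name followed by a numeric suffix), the choice of SHA-256 for "SHA-2" and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption: segments are named "<File Name>.<number>", e.g. case42.1, case42.2.
_SEGMENT = re.compile(r"^(?P<base>.+)\.(?P<number>\d+)$")


def ordered_segments(directory, base):
    """Return segment paths sorted by numeric suffix; refuse gaps and duplicates."""
    found = {}
    for name in os.listdir(directory):
        match = _SEGMENT.match(name)
        if match is None or match.group("base") != base:
            continue
        number = int(match.group("number"))
        if number in found:
            raise ValueError("duplicate segment number %d" % number)
        found[number] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError("no segments named %s.<number>" % base)
    numbers = sorted(found)
    if numbers[0] not in (0, 1):
        raise ValueError("first segment is missing")
    if numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError("segment sequence has a gap")
    return [found[n] for n in numbers]


def hash_segments(paths, algorithm="sha256", chunk=1 << 20):
    """Hash the concatenation of the files in the given order."""
    digest = hashlib.new(algorithm)
    total = 0
    for path in paths:
        with open(path, "rb") as handle:
            while True:
                block = handle.read(chunk)
                if not block:
                    break
                digest.update(block)
                total += len(block)
    return digest.hexdigest(), total


def verify_capture(directory, base, recorded_hash, algorithm="sha256"):
    """Return (matches, computed_hash, total_bytes) for a segmented raw image."""
    computed, total = hash_segments(ordered_segments(directory, base), algorithm)
    return computed == recorded_hash.strip().lower(), computed, total


def demo():
    """Build a CONSTRUCTED 11-segment capture and run the checks on it."""
    data = bytes(range(256)) * 40                 # stand-in for the drive contents
    recorded = hashlib.sha256(data).hexdigest()   # stand-in for the logged hash
    with tempfile.TemporaryDirectory() as folder:
        for offset in range(0, len(data), 1000):
            name = "case42.%d" % (offset // 1000 + 1)
            with open(os.path.join(folder, name), "wb") as handle:
                handle.write(data[offset:offset + 1000])
        ok, _, total = verify_capture(folder, "case42", recorded)
        # Plain string sorting puts case42.10 before case42.2 and breaks the hash.
        naive = sorted(ordered_segments(folder, "case42"))
        naive_ok = hash_segments(naive)[0] == recorded
        # A missing segment must be reported, not silently hashed around.
        os.remove(os.path.join(folder, "case42.5"))
        try:
            verify_capture(folder, "case42", recorded)
            gap_detected = False
        except ValueError:
            gap_detected = True
    return ok, total, naive_ok, gap_detected


if __name__ == "__main__":
    print(demo())
```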


Capturing using E01 Capture Mode

The following section describes the procedure to use the E01 Capture mode for Capturing Suspect’s data from a drive that has been removed from its PC or Notebook.

1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

2. Select E01 Capture from the Operation pull down menu, located in the Main Screen.

3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 5 for recommended settings.

4. Select File Name and enter the name of the file which will be used by the operation for creating the E01 directory and segmented files.

5. Set the E01 file fragment size by selecting the size from the Capture File Size pull down menu.

6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

7. Select CASE INFO from the Main Screen and enter the required information.

8. Select the drives to be used for the selected operation from the Drive Selection Panel.

9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.

NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel.


10. If capturing from two Suspect’s drives, start a second instance of the IMSolo-5 Forensic Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2 through 10.

NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

E01 Capture Recommended Settings

Table 5

Menu Item            Setting
Operational Modes    E01 Capture
Hash Method          SHA-1
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    2GB
Compression          0


Capturing from a PCIe M.2 Drive

The following section describes the procedure to connect and use the M.2 Adapter Module to acquire data from a PCIe M.2 Drive.

1. Please refer to the embedded instructional video to install the M.2 Adapter Module and to connect the PCIe M.2 drive(s).

Power OFF the unit before connecting the M.2 Adapter Module and inserting or removing PCIe M.2 drives.

2. Connect the SAS/SATA Evidence drive to the unit’s EVIDENCE-1 SAS/SATA position located on the unit’s Front Panel.

NOTE: This step is optional if one of the connected PCIe M.2 drives will be used as the only connected Evidence drive.

3. If a SAS/SATA Evidence drive is connected, select the Evidence drive position from the Drive Selection Panel, otherwise do not select any Evidence drive positions.

NOTE: Do not select any Suspect position from the Drive Selection Panel.

4. Select the Mode of Operation from the Operation pull down menu.

5. Configure the Operational Mode using the dynamically displayed settings.

6. Verify that the recommended Common Settings are in use. See Table 2 for recommended settings.

7. Select Detect Drives from the Console’s main menu.

a. The detected PCIe M.2 drive(s) will be listed in the Other Detected Drives (In-active Drives) Panel. The SAS/SATA Evidence drive will be listed in the Destination Drives Panel list.

8. Identify the PCIe M.2 Suspect drive by the listed Serial Number. Using the touch screen display, select and move the PCIe M.2 Suspect drive from the Other Detected Drives (In-active Drive) Panel to the Suspect Drive Panel.

9. If connected, identify the PCIe M.2 Evidence drive by the listed Serial Number. Using the touch screen display, select and move the PCIe M.2 Evidence drive from the Other Detected Drives (In-active Drives) Panel to the Destination Drives Panel.

10. Select CASE INFO from the Main Screen and enter the required information.


11. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.

Hash values generated during the capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

12. After the operation completes, the PCIe M.2 drive(s) will remain powered ON and should not be removed until the unit is powered OFF. The SAS/SATA drive(s) will be powered OFF and the drive(s) can be safely removed. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.


Capturing from an Unopened PC or Notebook

The following section describes the procedure for Capturing Suspect’s data from an Unopened PC or Notebook.

1. Connect and configure the Evidence drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

2. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.

3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.

4. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

5. Select DETECT REMOTE DRIVES from the Drive Selection Panel.

NOTE: Do not select any Suspect position from the Drive Selection Panel.

6. Select the Evidence Drive(s) to be used for the selected operation from the Drive Selection Panel.

7. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions.

NOTE: Hash values generated during the capture operation are computed over the data read from the Suspect’s drive, not over the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function. As an alternative, the Evidence Drives can also be hashed after the capture operation using the Hash mode of operation.

8. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-5 unit’s Ethernet port and to the Notebook/PC Ethernet port. Alternately, connect the Gigabit USB-to-Ethernet Network Adapter to the Notebook/PC USB port and the Ethernet Cable connector end to the IMSolo-5 unit’s Ethernet port. See the instructions titled “USB-to-Ethernet Connection”, for additional details.

9. Configure the Suspect’s PC or Notebook BIOS to boot from its CD-ROM or DVD drive. Most BIOS have a section titled “Boot Order” to perform this function.

NOTE: Various PC or Notebook BIOS require different key combinations at boot up to change the default Boot Order. It is the user’s responsibility to correctly set up the Suspect’s PC or Notebook BIOS.

10. Insert the LinkMASSter Bootable CD and allow the Suspect’s PC or Notebook to boot from the LinkMASSter CD.

11. After “Initializing the Environment”, the LinkMASSter application will display a prompt indicating “Do you want to prepare a USB Flash?” Select “NO” to continue.

NOTE: To configure a USB device for LinkMASSter usage, see the instructions titled USB LinkMASSter Setup and Usage, for additional details.

12. The LinkMASSter Network Capture Agent Screen is displayed with the computer’s detected drive information.


13. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive, located in the Suspect’s computer, will be listed in the Source Drive panel list and the Evidence drive will be listed in the Destination Drives panel list.

14. Select START to begin the operation. Operational status information will be displayed during an operation.

15. After the operation completes, the Evidence drive will be powered OFF and can be safely removed. Remove the LinkMASSter CD from the Suspect’s computer prior to powering OFF the computer. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.

NOTE: Prior to saving logs to external media, disable the DETECT REMOTE DRIVES function from the Drive Selection Panel.


Capturing to a Local Shared Folder

The following section describes the procedure to use the LinuxDD or E01 Capture modes for capturing and storing Suspect’s data to a local Shared Folder. A local Shared Folder would be considered a location on an Evidence drive connected directly to the unit’s Evidence-1 or Evidence-2 port.

1. Connect the Evidence drive(s) as outlined in the “Quick Start” and “Prepare to Capture” sections of the Manual.

NOTE: The Evidence drive needs to be preformatted with NTFS or exFAT prior to starting the capture operation. The Evidence drive can be formatted on a PC or using the IMSolo-5. If using a PC Workstation to format the drive, use “EVIDENCE” as the Volume label and skip to step 5.

2. Select the Evidence drive(s) which needs to be formatted, from the Drive Selection Panel.

3. Select FORMAT from the Operation pull down menu, located in the Main Screen and choose either NTFS or exFAT.

4. Select Start from the Main Screen to format the Evidence drive.

5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.

6. Select the Evidence drive(s) from the Drive Selection Panel.

NOTE: Do not select any Suspect position from the Drive Selection Panel.

7. Select Detect Drives from the Console’s main menu.

8. Select the Mount Drive function Tab from the Advanced Interface Control Console.

9. Highlight and Select the detected Evidence drive from the Console’s Drive Status Panel.

10. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.

11. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.

12. Select APPLY.

NOTE: Repeat steps 9-12 for the second Evidence drive if applicable.

13. Select New Copy Session from the Navigation Bar to begin a new session of the IMSolo-5 Forensic Capture application.

14. Connect the Suspect drive(s) as outlined in the “Quick Start” and “Prepare to Capture” sections of the IMSolo-5 User’s Manual.

15. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.

16. Select the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.


17. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD or E01 directory and segmented files.

18. Set the file fragment size by selecting the size from the Capture File Size pull down menu.

19. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

20. Select the Suspect drive to be used for the selected Operation using the Drive Selection Panel.

NOTE: Do not select any Evidence position from the Drive Selection Panel.

21. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu screen is displayed.

22. Select Browse from the “Add Network Location” menu screen.

23. Select “D:\”. The Shared Drive Letter will be listed in the Evidence Drives Panel.

NOTE: Select “E:\” if “D:\” is in use by a previous session.

24. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Drive Letter will be listed in the Evidence Drives Panel.

25. Select CASE INFO from the Main Screen and enter the required information.


26. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.

NOTE: Repeat steps 13-26 to begin a second session.

Hash values generated during the capture operation are calculated from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

27. After the operation completes, the Suspect drive(s) will be powered-OFF and can be safely removed, but the Evidence drives will remain powered-ON until they are manually powered-OFF. Using the NEXT COPY SESSION function, select the initial Session which was used to mount the physical Evidence drive(s) and select REMOVE DRIVES to power-OFF and safely remove the Evidence drive(s).

NOTE: If more than one operation is running at the same time, do not select REMOVE DRIVES until both operations have completed.

Capturing to a Shared Network Folder

The following section describes the procedure to use the LinuxDD or E01 Capture modes for capturing and storing Suspect’s data to a Shared Network Folder.

1. Connect and configure the Suspect drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: Attach an Evidence drive if capturing to both a local Evidence drive and a Network Shared Folder.

2. Configure a Shared Network Folder on the Network PC.

3. Connect the appropriate Ethernet Cable to the IMSolo-5 unit and to the Network PC.

NOTE: An Ethernet Cross-Over cable would be required for direct connection.

4. Establish a Network Connection between the IMSolo-5 and the Destination Network PC using the IMSolo-5 O/S DESKTOP/CONTROL PANEL/NETWORK and INTERNET CONNECTIONS Tools.

NOTE: It is the responsibility of the User to properly configure the Network for proper connectivity and to properly configure the Shared Network Folder. The Shared Network Folder requires write access. If properly configured, the Shared Network Folder should be accessible from the IMSolo-5.

5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main Screen.

6. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen.

7. Select File Name and enter the name of the file which will be used by the operation for creating the LinuxDD or E01 directory and segmented files.

8. Set the file fragment size by selecting the size from the Capture File Size pull down menu.

9. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended settings.

10. Select the Suspect drive to be used for the selected Operation using the Drive Selection Panel.

NOTE: Do not select any Evidence position from the Drive Selection Panel unless an Evidence drive will also be used as a Destination drive.

11. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu screen is displayed.

12. Select Browse from the “Add Network Location” menu screen.

13. Select “My Network Places” to locate and select the Shared Network Folder. The Shared Network Folder will be listed in the Evidence Drives Panel.

14. Select Detect Drives from the IMSolo-5 Forensics Advanced Interface Control Console screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Network Folder will be listed in the Evidence Drives Panel.

15. Select CASE INFO from the Main Screen and enter the required information.

16. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.

Hash values generated during the capture operation are calculated from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.
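An independent check of a LinuxDD capture stored on the Shared Network Folder, as an added example (not ICS code): hash the segment files in order as one stream and compare the result with the source hash recorded at capture time. The segment naming (`<File Name>.001`, `.002`, ...), SHA-256 as the SHA-2 variant, and all function names are assumptions; E01 files and encrypted captures are containers whose bytes differ from the Suspect data, so the check applies to unencrypted LinuxDD segments only.

```python
"""Verify a segmented raw (LinuxDD-style) image against the capture-time hash."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: segments are named <File Name>.<number>, e.g. case01.001, case01.002.
SEGMENT_SUFFIX = re.compile(r"^\.(\d+)$")
CHUNK = 1 << 20  # read 1 MiB at a time so large segments are never loaded whole


def list_segments(case_dir, base_name):
    """Return [(number, path)] sorted by segment number, not by file name."""
    found = []
    for path in Path(case_dir).iterdir():
        match = SEGMENT_SUFFIX.match(path.suffix)
        if path.is_file() and path.stem == base_name and match:
            found.append((int(match.group(1)), path))
    return sorted(found)


def verify_image(case_dir, base_name, recorded_hex, fragment_size, algo="sha256"):
    """Hash all segments as one stream and compare with the recorded source hash."""
    segments = list_segments(case_dir, base_name)
    if not segments:
        return {"ok": False, "digest": None, "bytes": 0, "problems": ["no segments found"]}
    problems = []

    # A missing segment silently shortens the stream, so check the numbering first.
    numbers = [number for number, _ in segments]
    missing = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))
    if missing:
        problems.append(f"missing segment numbers: {missing}")

    # Every segment except the last must be exactly one fragment long.
    sizes = [path.stat().st_size for _, path in segments]
    for (_, path), size in zip(segments[:-1], sizes[:-1]):
        if size != fragment_size:
            problems.append(f"{path.name}: {size} bytes, expected {fragment_size}")
    if not 0 < sizes[-1] <= fragment_size:
        problems.append(f"{segments[-1][1].name}: unexpected size {sizes[-1]}")

    digest = hashlib.new(algo)
    total = 0
    for _, path in segments:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(CHUNK), b""):
                digest.update(chunk)
                total += len(chunk)
    computed = digest.hexdigest()
    if computed != recorded_hex.strip().lower():
        problems.append(f"hash mismatch: computed {computed}")
    return {"ok": not problems, "digest": computed, "bytes": total, "problems": problems}


def run_demo():
    """Build a constructed three-segment image; verify it intact, altered and incomplete."""
    source = bytes(range(256)) * 40                 # constructed stand-in for Suspect data
    recorded = hashlib.sha256(source).hexdigest()   # stands in for the audit-trail hash
    fragment = 4096                                 # stands in for Capture File Size
    with tempfile.TemporaryDirectory() as case_dir:
        for offset in range(0, len(source), fragment):
            name = f"case01.{offset // fragment + 1:03d}"
            Path(case_dir, name).write_bytes(source[offset:offset + fragment])
        intact = verify_image(case_dir, "case01", recorded, fragment)

        last = Path(case_dir, "case01.003")
        data = bytearray(last.read_bytes())
        data[0] ^= 0xFF                             # one altered byte, size unchanged
        last.write_bytes(data)
        altered = verify_image(case_dir, "case01", recorded, fragment)

        Path(case_dir, "case01.002").unlink()       # a segment lost in transfer
        incomplete = verify_image(case_dir, "case01", recorded, fragment)
    return intact, altered, incomplete


if __name__ == "__main__":
    for label, result in zip(("intact", "altered", "incomplete"), run_demo()):
        print(label, result["ok"], result["bytes"], result["problems"])
```

Sorting by the numeric suffix rather than by file name keeps the stream in capture order once the segment count passes the width of the suffix.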

Encrypting Data During Data Capture

The following section describes the procedure to Encrypt data seized from the Suspect’s drive.

1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

NOTE: E01 Capture Encryption Support was pending development at the time of this document’s (Rev 4.0) release. By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

2. Select the Capture Mode from the Operation pull down menu, located in the Main Screen.

NOTE: Sanitize (WipeOut) the Evidence drive(s) prior to Encrypting data. Do not use LinuxDD Evidence drives which contain previously captured cases which were not Encrypted.

3. Select On-Screen Keyboard from the Navigation Bar.

4. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.

5. Select the AES Key Length and AES Mode.

NOTE: For compatibility with the IMSolo-III Encryption and ICS Disk Cypher hardware, choose 192 as the AES Key Length and ECB as the AES Mode.

6. Select Encrypt.

7. Select Save Key. Select a name for the Encryption Key. which will be required

NOTE: In addition to unique password information, the saved Encryption Key will also contain the selected AES Key Length and AES Mode settings.

8. Select Exit Encryption Dialog.

9. Verify the Operational Mode Settings and Common Settings located in the Settings Screen. See Table 2 and 6 for recommended settings.

10. Select CASE INFO from the Main Screen and enter the required information.

11. If LinuxDD Capture is in use, select File Name and enter the name of the file which will be used by the operation for creating the Case directory and segmented files. Set the File Fragment Size by selecting the size from the Capture File Size pull down menu.

12. Select the drives to be used for the selected operation from the Drive Selection Panel.

13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Suspect drive should be listed in the Source Drive panel’s list, and the Evidence drive should be listed in the Destination Drives panel’s list.

NOTE: If necessary, select “non-active” drive(s) listed in the Other Detected Drives panel and move them to either the Source Drive or Destination Drives panels. The drive(s) listed in the Source Drive or Destination Drives panels are considered “active” drives and will be used during data transfer operations. If necessary, also transfer “active” drives from the Source Drive or Destination Drives panel to the Other Detected Drives panel. If capturing from two Suspect’s drives, start a second instance of the IMSolo-5 Forensic Capture application and follow steps 1 through 13.

NOTE: Refer to the section titled Running Multiple Operational Modes Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are calculated from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

Encryption Capture Recommended Settings

Table 6

| Menu Item | Setting |
|---|---|
| Operational Modes | Single Capture / LinuxDD Capture / E01 Capture [7] |
| Hash Method | SHA-2 |
| Hash Targets | Enable (Optional) |
| Read Back-Verify | Disable (Optional) |
| AES Key Length | 192 |
| AES Mode | ECB |
| Encrypt | Enable |

[7] E01 Capture Encryption Support was pending development at the time of this document’s release.
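What the ECB setting in the compatibility note and in Table 6 means for drive data, as an added illustration (not ICS code, and not a description of the unit's on-disk format): in ECB every 16-byte block is encrypted independently with the same key, so identical plaintext blocks such as zero-filled sectors produce identical ciphertext blocks. The minimal AES-192 routine, the constructed key, IV and buffer, and the CBC contrast are assumptions of this example; the page does not list which other AES Mode values the unit offers.

```python
"""AES-192 in ECB and CBC mode over a constructed drive-like buffer."""
import hashlib


def _xtime(a):
    """Multiply by 0x02 in GF(2^8) modulo the AES polynomial."""
    return (((a << 1) ^ 0x1B) & 0xFF) if a & 0x80 else (a << 1)


def _build_sbox():
    """Derive the AES S-box: field inverse, then the affine transform."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)  # multiply by the generator 0x03
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF  # rotate left one bit
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion; returns one 16-byte round key per AddRoundKey."""
    nk = len(key) // 4  # 6 words for a 192-bit key
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]
            temp[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nk + 7)]


def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; state index is 4 * column + row."""
    state = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for rnd in range(1, last + 1):
        state = [SBOX[b] for b in state]  # SubBytes
        state = [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != last:  # MixColumns is skipped in the final round
            mixed = []
            for c in range(4):
                col = state[4 * c:4 * c + 4]
                t = col[0] ^ col[1] ^ col[2] ^ col[3]
                mixed += [col[i] ^ t ^ _xtime(col[i] ^ col[(i + 1) % 4]) for i in range(4)]
            state = mixed
        state = [b ^ k for b, k in zip(state, round_keys[rnd])]  # AddRoundKey
    return bytes(state)


def ecb_encrypt(key, data):
    """ECB: every block is encrypted on its own with the same key."""
    rk = expand_key(key)
    return b"".join(encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))


def cbc_encrypt(key, iv, data):
    """CBC: each block is XORed with the previous ciphertext block first."""
    rk, prev, out = expand_key(key), iv, []
    for i in range(0, len(data), 16):
        prev = encrypt_block(rk, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Count 16-byte ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    return len(blocks) - len(set(blocks))


def demo():
    """Encrypt a constructed four-sector buffer in both modes and count repeats."""
    key, iv = bytes(range(24)), bytes(range(16))  # constructed key and IV
    # Constructed "drive": one sector of varied data, then three zero-filled sectors.
    varied = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    image = varied + bytes(3 * 512)
    return {"blocks": len(image) // 16,
            "ecb_repeated_blocks": repeated_blocks(ecb_encrypt(key, image)),
            "cbc_repeated_blocks": repeated_blocks(cbc_encrypt(key, iv, image))}


if __name__ == "__main__":
    print(demo())
```

The repeat count under ECB equals the number of duplicated plaintext blocks, which is why unused or wiped regions of a drive remain recognizable by position in an ECB-encrypted copy.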

Decrypting Data During Data Transfer

The following section describes the procedure to Decrypt data from an Encrypted Evidence drive.

1. Connect the Evidence drive with the Encrypted Case data to one of the unit’s Suspect positions.

2. Connect a blank Destination drive to one of the unit’s Evidence positions.

NOTE: By default, all ports including the dedicated Evidence drive ports are Write-Protected. The port’s Write-Protection will automatically be disabled if the selected operational mode requires writing to the Evidence drive(s).

3. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.

NOTE: The supported Operational modes for Decryption are Single Capture, LinuxDD Restore and E01 Restore [8]. The “Hash Only” modes would also be supported to generate hash values based on decrypted data.

4. Select On-Screen Keyboard from the Navigation Bar.

5. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.

6. Select Decrypt.

7. Select Load Key to select the saved Encryption Key which was used to Encrypt the Case data.

NOTE: Since the saved Encryption Key also contains the original AES Key Length and AES Mode settings, it is not necessary to manually enter these settings.

8. Select Exit Encrypt/Decrypt Dialog.

9. Verify the Operational Mode Settings and Common Settings located in the Settings Screen. See Table 2 and 8 for recommended settings.

10. Select CASE INFO from the Main Screen and enter the required information.

11. If LinuxDD Restore or E01 Restore is in use, select File Name and enter the name of the file which will be used by the operation for selecting the Case directory and segmented files.

12. Select the drives to be used for the selected operation from the Drive Selection Panel.

13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels.

[8] E01 Decryption Support was pending development at the time of this document’s (Rev 2.1) release.

Hash values generated during the capture operation are calculated from the data read from the Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is instructed to hash the Evidence drive by enabling the Hash Targets function.

Decryption Capture Recommended Settings

Table 7

| Menu Item | Setting |
|---|---|
| Operational Modes | Single Capture / LinuxDD Restore / E01 Restore [9] |
| Hash Method | SHA-2 |
| Hash Targets | Enable (Optional) |
| Read Back-Verify | Disable (Optional) |
| AES Key Length | N/A |
| AES Mode | N/A |
| Decrypt | Enable |

[9] E01 Decryption Support was pending development at the time of this document’s (Rev 2.1) release.

Restoring from LinuxDD or E01 Segmented File Format

The following section describes the procedure to use the LinuxDD or E01 Restore mode to restore the captured LinuxDD or E01 segmented file formatted case to its original drive format.

1. The Advanced Interface Control Console will be displayed after the unit is powered ON.

2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.

3. Select LinuxDD Restore or E01 Restore from the Operation pull down menu, located in the Main Screen.

4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 7 for recommended settings.

5. Select File Name and enter the name of the file which was used by the LinuxDD or E01 Capture operation for creating the segmented Case files.

6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.

7. Select the drives to be used for the selected Operation using the Drive Selection Panel.

8. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting the Operator to verify that the detected drives are listed in the appropriate Drive Status panels. The Source drive should be listed in the Source Drive panel’s list, and the Target drive should be listed in the Destination Drives panel’s list.

Restore Recommended Settings

Table 8

| Menu Item | Setting |
|---|---|
| Operational Modes | LinuxDD Restore / E01 Restore |
| Hash Method | Disable (Optional) |
| Hash Targets | Disable (Optional) |
| Read Back-Verify | Disable (Optional) |
| Capture File Size | Not Applicable |

Sanitizing Drives Using WipeOut DoD

Use the Wipe Out DoD mode to sanitize drives using the U.S. Department of Defense DoD 5220-22M specification.

1. The Advanced Interface Control Console will be displayed after the unit is powered ON.

2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.

3. Select WipeOut from the Operation pull down menu, located in the Main Screen.

4. Select DoD as the Operational Mode setting.

5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 9 for recommended settings.

6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.

7. Select the drives to be used for the selected operation from the Drive Selection Panel.

8. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.

WipeOut DoD SETTINGS

Table 9

| Menu Item | Recommended Setting |
|---|---|
| Copy Mode | WipeOut |
| ReadBack-Verify | Disable (Optional) |
| WipeOut Mode | DoD |

Sanitizing Drives Using WipeOut - User

The Wipe Out User operation can be used to sanitize drives in one pass rather than the 7 passes required by the DoD Wipe Out method.

1. The Advanced Interface Control Console will be displayed after the unit is powered ON.

2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.

3. Select WipeOut from the Operation pull down menu, located in the Main Screen.

4. Select User as the Operational Mode setting.

5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main Screen. See Table 10 for recommended settings.

6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.

7. Select the drives to be used for the selected operation from the Drive Selection Panel.

8. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.

WipeOut-User SETTINGS

Table 10

| Menu Item | Recommended Setting |
|---|---|
| Copy Mode | WipeOut |
| ReadBack-Verify | Disable (Optional) |
| WipeOut Mode | User |
| Iterations | 0 |
| Pattern | 0 |

Sanitizing Drives Using WipeOut – Secure Erase

The Wipe Out Secure Erase operation can be used to sanitize drives in one pass using the drive’s built-in Erase functions.

1. The Advanced Interface Control Console will be displayed after the unit is powered ON.

2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections of the manual.

3. Select WipeOut from the Operation pull down menu, located in the Main Screen.

4. Select Secure Erase as the Operational Mode setting.

5. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended settings.

6. Select the drives to be used for the selected operation from the Drive Selection Panel.

7. Select Start from the Main Screen to begin the operation. The Suspect drive should be listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed in the Destination Drives panel’s list.

NOTE: It may be necessary to Disable the “ics” password which is set on the drive during Secure Erase if the operation is aborted prior to completion. If the User Password is not reset, the drive will block Read and Write commands.

It is not necessary to disable the drive’s User Password if Secure Erase is used to erase the drive after an aborted operation.

WipeOut-Secure Erase SETTINGS

Table 11

| Menu Item | Recommended Setting |
|---|---|
| Copy Mode | WipeOut |
| WipeOut Mode | Secure Erase |

Transferring Audit Trail and Log Information

The following section describes the procedure to transfer Audit Trail and Log information from the unit’s internal storage to an External USB Storage Device.

1. Select the LOG Tab function, located in the Advanced Interface Control Console.

2. Select “Copy Logs to a Removable Device”. A message will be displayed prompting the User to insert a USB Storage Device.

3. Insert a USB Storage Device on one of the unit’s available USB general purpose ports, located on the back of the unit. Select OK to continue.

4. The USB Storage Device Volume will be mounted and the Device will be listed in the Other Detected Drives Panel. Disregard the Windows AutoPlay prompt and wait for the prompt indicating Select Files to Copy. Select the Event Log and Audit file(s) to copy.

NOTE: If the USB Device is not properly detected, remove the USB Device and repeat steps 3-7.

5. Select OPEN from the Select Files to Copy prompt, to continue.

6. Select the destination folder on the USB Device to store the selected file(s) and select OK to store the selected files.

7. The USB Storage Device can be removed after the Device is removed from the Other Detected Drives Panel.

NOTE: Audit Trails are saved in both a standard text format and a PDF format using 128-bit password encryption protection, so the Audit Trail contents cannot be changed. The Company Logo can be added to the Audit Trail PDF by selecting its location using the "SET AUDIT TRAIL LOGO" function, located in the LOG menu screen.

Running Multiple Operational Modes Simultaneously

The following section describes the general procedure to use the IMSolo-5 Forensic Application to run multiple operations simultaneously.

1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture” sections of the manual.

2. Select the required Operation from the Operation pull down menu, located in the Main Screen.

3. Select CASE INFO from the Main Screen and enter the required information.

4. Verify the Operational Mode Settings and Common Settings.

5. Select only the drives to be used for the selected operation from the Drive Selection Panel.

6. Select Start from the Main Screen to begin the operation using the current active instance of the IMSolo-5 Forensic Capture application.

7. Verify that the detected drives are in their respective Drive Status Panels. The drives listed in the Source Drive and Destination Drives Panels are considered “Active” drives and will be used by the current instance of the IMSolo-5 Forensic Capture application.

8. Select New Copy Session from the Navigation Bar to begin a new instance of the IMSolo-5 Forensic Capture application.

NOTE: The second instance of the IMSolo-5 Forensic Capture application can be started before or after beginning an operation using a prior instance of the application.

9. Repeat steps 1 to 7.

NOTE: The number of operations which can be performed in parallel is limited by the available ports and unit’s available resources.

Previewing Write-Protected Drive Data

The following section describes the procedure to securely view data from the drive(s) connected to the IMSolo-5 ports.

1. Connect and configure the drive as outlined in the “Prepare for Operation” section of the manual.

2. Select the drives to be used for the selected operation from the Drive Selection Panel.

3. Select Detect Drives from the Console’s main menu.

4. Select the Mount Drive function Tab from the Advanced Interface Control Console.

5. Highlight and Select the drive to be previewed from the Console’s Drive Status Panel.

6. Verify that the Write-Protect function is Enabled (checked) in the Mount Drive Screen Menu.

7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.

8. Select APPLY. This operation will allow preview access to the drive’s volume using the unit’s O/S or 3rd party application.

9. Select DESKTOP from the Navigation Bar to preview the drive’s volume.

10. To turn OFF the drive after previewing the drive’s volume, select the drive from the Drive Selection Panel and select REMOVE DRIVES.

Enabling Manual Write-Access to Evidence Drive Positions

The following section describes the procedure to allow write operations to be performed manually to drives connected in the Evidence drive positions.

1. Connect and configure the Evidence drive as outlined in the “Prepare for Operation” section of the manual.

2. Select the drives to be used for the selected operation from the Drive Selection Panel.

3. Select Detect Drives from the Console’s main menu.

4. Select the Mount Drive function Tab from the Advanced Interface Control Console.

5. Highlight and Select the drive to be accessed from the Console’s Drive Status Panel.

6. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.

7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.

8. Select APPLY. This operation will allow preview and write access to the Evidence drive’s volume using the unit’s O/S or 3rd party application.

9. Select DESKTOP from the Navigation Bar to access the drive’s volume.

10. To turn OFF the drive after accessing the drive’s volume, select the drive from the Drive Selection Panel and select REMOVE DRIVES.

Verify Location of Suspect Drive Configuration

The following section describes the procedure to configure an operation to verify the location of the Suspect Drive.

1. Enable the "Verify Location of suspect drive" setting, located in the Settings/Advanced menu.

2. Prior to use, Wipe the Evidence drive using the "Write ICS Signature" setting, which is displayed when the Wipe operation is selected.

NOTE: If the Suspect drive is connected in the Evidence position the operation will abort when the "Verify Location of suspect drive" setting is enabled. If the Evidence drive containing the “ICS Signature” is detected in the Suspect position, the operation will abort. In addition, if an Evidence drive which is not prepared using the Wipe process outlined above is detected in the Evidence position, the operation will abort. The User will be alerted with the following prompt:

"Warning: Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted."

Appendix A: Operational Notes

Image MASSter™ IMSolo-5 Internet/Network Connection Disclaimer

Intelligent Computer Solutions, Inc. (ICS) assumes no liability for the security of the customer’s computer/network systems. ICS assumes no liability for the security of the Image MASSter™ IMSolo-5 when it is connected to either the Internet or another Network. Utilizing the Image MASSter™ IMSolo-5 for data seizure from a network or uploading data to a network requires the unit to be connected to the network and this may cause a risk of the system being compromised. The user is responsible for taking the necessary steps to ensure the safety of both the Image MASSter™ IMSolo-5 and the network in use when the unit is utilized to either seize or upload data to/from a network.

The security of the Image MASSter IMSolo-5™ when connected to the Internet or a network relies on the user’s discretion; however, ICS recommends that the user, at a minimum, take the following steps:

1) The Image MASSter™ IMSolo-5 is set to have Internet Connection and Automatic Windows Updates disabled as default. Users will need to enable Internet Connection when seizing or uploading data from/to a network. It is highly recommended that the user install anti-virus and firewall Hardware Device protection prior to connecting the Image MASSter™ IMSolo-5 to either the Internet or a network. A lesser protection can be achieved with personal firewall software. Continuously running an updated version of anti-virus software with the Image MASSter™ IMSolo-5 may help prevent an intrusion into the unit or network. ICS recommends updating the anti-virus software program every time the Image MASSter™ IMSolo-5 is connected to the Internet or a network.

2) Users should always utilize a clean (scanned for viruses) USB Thumb Drive when updating the Image MASSter™ IMSolo-5 unit Software or Firmware.

3) Users should ONLY connect the Image MASSter™ IMSolo-5 to a network when either seizing or uploading data. It is imperative for users to REMOVE the Image MASSter™ IMSolo-5 connection when not actively performing these tasks.

These recommendations are provided to the user as a reference; however ICS cannot assure that the Image MASSter™ IMSolo-5 will not become compromised when connected to the Internet or a network. User assumes all responsibility for the data and security of the Network.

Customers understand and agree that the use of the Image MASSter™ IMSolo-5 implies acceptance to the terms and conditions specified in this disclaimer.

USB-to-Ethernet Connection

The IMSolo-5 LinkMASSter Option will also include a Gigabit USB-to-Ethernet Network Adapter (CSAR-0265-000A) to allow connecting to a Notebook or PC which does not have an Ethernet port, or if drivers are unavailable for the computer’s network interface. For improved performance, the Gigabit USB-to-Ethernet Network Adapter would also be recommended when connecting to a Notebook or PC which uses an Ethernet interface that offers less than a 1 Gigabit connection.

NOTE: When using the Gigabit USB-to-Ethernet Network Adapter, connect the Ethernet connector to the IMSolo-5 unit and connect the USB connector to the computer.

1. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-5 unit’s Ethernet port.

2. Connect the Crossover Ethernet Cable to the Gigabit USB-to-Ethernet Network Adapter.

3. Connect the ICS supplied USB 8” Cable to the Gigabit USB-to-Ethernet Network Adapter.

4. Connect the USB 8” Cable to the Notebook/PC USB port.

Figure 36 (image not reproduced). Labels: Connect to IMSolo-5; Connect to PC.

USB LinkMASSter Setup

The LinkMASSter-NET CD provides the function to configure a bootable USB Flash device for LinkMASSter usage. Use of a USB Flash device may be necessary if the computer does not have a CD or DVD drive.

1. Connect a spare USB Flash Drive [10] to your PC or Notebook.

2. Insert the LinkMASSter Bootable CD and allow the PC or Notebook to boot from the LinkMASSter CD.

3. After “Initializing the Environment”, the LinkMASSter application will display a prompt indicating “Do you want to prepare a USB Flash?” Select ‘Y’ to continue.

4. The USB Flash Drive will be detected and its information will be displayed. Verify that the correct device is listed and select ‘YES’ to the prompt indicating “Format this Disk?”

5. The USB Flash Disk will be formatted and the LinkMASSter image will be transferred from the CD to the USB Flash Disk. The USB Flash Disk has been prepared for LinkMASSter usage. Press a key to power-OFF the computer.

USB LinkMASSter Usage

1. Follow the LinkMASSter Quick Start Steps 1-9, previously outlined.

2. Connect the LinkMASSter USB Flash Drive to the Suspect’s PC or Notebook.

3. Configure the Suspect’s PC or Notebook BIOS to boot from the USB Flash Drive.

NOTE: Various PC or Notebook BIOS require different key combinations at boot up to change the default Boot Order. It is the user’s responsibility to correctly set up the Suspect’s PC or Notebook BIOS.

4. Allow the Suspect’s PC or Notebook to boot from the LinkMASSter USB Flash Drive.

5. Follow the LinkMASSter Quick Start Steps 13-16, previously outlined.

[10] The USB Flash Drive is not supplied with the LinkMASSter Option.

IMSolo-5 USB Restore Instructions

The following are instructions to restore the unit’s System Drive contents. The following hardware is required:

• ICS Supplied USB Restore Drive.

• USB Keyboard.

1. Insert the IMSolo-5 USB Restore drive to one of the available general purpose USB ports, located on the back of the unit, and connect a USB Keyboard.

2. Access the IMSolo-5 Boot Device Selection menu by pressing <F12> during Power ON when the POST Startup Screen is displayed.

3. Highlight and select the listed USB Device.

4. Type “Restore” after the unit boots from the USB Restore drive. Type ‘Y’ to start the Restore process. The Restore process will take approximately 7 minutes. When the message is displayed indicating “Success,” power off the unit and reboot.

NOTE: The request to type “Y” is Case Sensitive. The operation will wait until the proper key is entered.

5. After the unit reboots, Windows SETUP will run for approximately 7 minutes. Once Windows SETUP completes, check Device Manager by running devmgmt.msc from the Desktop START function. If Device Manager lists “Unknown Device” under the “Other Devices” Header, follow the Restore Addendum instructions listed below. Otherwise, complete the installation by installing the unit’s ImageMASSter application by running s4v4.12.xx.x Setup_x64 located in the root directory of the supplied USB Flash Drive.


IMSolo-5 System Drive Removal Instructions

The following are instructions to remove the IMSolo-5 unit’s System drive.

1. Remove the single Drive Bay Screw located on the bottom of the unit as shown in the diagram below.

2. Slide out the drive as shown in the diagram below.


LinuxDD and E01 Capture exFAT Usage

The exFAT File System provides enhanced drive data security for LinuxDD and E01 Evidence drives. The following are the benefits of using the exFAT File System:

• Provides improved data security when transferring data between the Suspect drive and Evidence drive during the LinuxDD Capture or E01 Capture operation. The data is isolated from the unit's O/S environment.

• Provides for a quicker format of drives and uses less overhead.

• The exFAT file system uses 64 bits to define file size.

• Support for volumes that are larger than 32 GB when compared with FAT32. The theoretical maximum volume size is 64 ZB.

• Support for files that are larger than 4 GB when compared with FAT32. The theoretical maximum file size is 64 ZB.

• Support for more than 1000 files in a single directory.

NOTE: To preview exFAT LinuxDD or exFAT E01 Evidence drives using WIN-XP Workstations or IMSolo-5 units configured with S/W versions prior to v4.2.54.0, it will be necessary to load the exFAT File System driver (WindowsXP-KB955704-x86-ENU), which can be downloaded using the ICS FTP Link IMSolo-5 Support Files. The exFAT File System is currently supported by Win-VISTA and Windows 7.


“Verify Location of Suspect Drive” Usage Notes

The following procedure is recommended to use the unit's "Verify Location of Suspect drive" function:

1. Enable the "Verify Location of Suspect drive" setting, located in the Settings/Advanced menu.

2. The function requires Evidence drives to be pre-wiped using the "Write ICS Signature" setting, which is displayed when the Wipe operation is selected.

a. Perform either a "full" Wipe using the "User" or "DoD" mode or a "quick" Wipe using the "Partial Wipe with ICS Signature" mode.

NOTE: If the “full” Wipe operation is aborted prior to completion, the drive would not be considered a valid Evidence drive.

If the Suspect drive is connected in the Evidence position the operation will abort when the "Verify Location of suspect drive" setting is enabled. If the Evidence drive containing the “ICS Signature” is detected in the Suspect position, the operation will abort. In addition, if an Evidence drive which is not prepared using the Wipe process outlined above is detected in the Evidence position, the operation will abort. The User will be alerted with the following prompt:

"Warning: Possible Suspect Drive Detected in the Evidence Position. Operation will be aborted."


DEFINITIONS

HASHING

Hashing is a process that calculates a "unique signature" value for the contents of an entire drive.

MD5 Hash

Message Digest Algorithm is a 128-bit cryptographic hash function.

SHA-1

Secure Hash Algorithm is a 160-bit cryptographic hash function. Designed by the NSA.

SHA-2

Variant of SHA-1 with increased output ranges. Secure Hash Algorithm-2 is a 256-bit cryptographic hash function.

CRC32

Cyclic Redundancy Check Algorithm based on a 32-bit size hash value.
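The four values defined above, computed in one pass over a drive image and used to compare a source against its copy. This is an added example, not ICS code or the unit's own implementation; the function names are hypothetical, SHA-256 stands in for the 256-bit SHA-2 value, and the sample "drive" data is constructed.

```python
import hashlib
import io
import zlib

CHUNK = 1024 * 1024  # read 1 MiB at a time; a drive image never fits in memory


def hash_image(stream, chunk_size=CHUNK):
    """Hash a binary stream once, feeding every algorithm from the same read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    crc, total = 0, 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for d in digests.values():
            d.update(block)
        crc = zlib.crc32(block, crc)  # running CRC carried across chunks
        total += len(block)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    result["bytes"] = total
    return result


def mismatches(source, copy):
    """Return the names of the values that differ between two results."""
    return [name for name in source if source[name] != copy[name]]


# Constructed sample data: a 4-sector "drive", an exact copy, and a copy
# with a single flipped bit in sector 1.
SECTOR = 512
SOURCE = b"".join(bytes([n]) * SECTOR for n in range(4))
GOOD_COPY = bytes(SOURCE)
BAD_COPY = bytearray(SOURCE)
BAD_COPY[1000] ^= 0x01
BAD_COPY = bytes(BAD_COPY)

if __name__ == "__main__":
    src = hash_image(io.BytesIO(SOURCE))
    for name, value in src.items():
        print(f"{name:7} {value}")
    print("good copy differs in:", mismatches(src, hash_image(io.BytesIO(GOOD_COPY))))
    print("bad copy differs in: ", mismatches(src, hash_image(io.BytesIO(BAD_COPY))))
```

To hash a real image file, pass a file opened in binary mode (`open(path, "rb")`) instead of the in-memory stream.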

Sanitize

Sanitize refers to the process of clearing a drive of all previously stored data. The WipeOut function can be used to sanitize a drive.

Host Protected Area (HPA)

HPA is defined as a reserved area for data storage outside the normal operating file system. This area is hidden from the operating system and file system and is normally used for specialized applications. Systems may wish to store configuration data or save memory to the hard disk drive device in a location that the operating systems cannot change. If an HPA area exists on a Suspect’s drive, the IMSolo-5 Forensics seizure operation will detect this area and capture all the contents of the drive’s sectors, including all the HPA hidden sectors, to the Evidence drive.


Device Configuration Overlay (DCO)

DCO allows systems to modify the apparent features provided by a hard disk drive device. DCO provides a set of commands that allows a utility or program to modify some of the modes, commands and feature sets supported by the hard disk drive. DCO can be used to hide and protect a portion of the drive’s area from the operating system and file system. If DCO is detected on a Suspect’s drive, the IMSolo-5 Forensics seizure operation will capture all the contents of the drive’s sectors, including all the DCO hidden sectors, to the Evidence drive.

Advanced Encryption Standard (AES)

AES is a 128-bit block cipher Encryption Standard, which supports a choice of three key sizes (128, 192 and 256-bits) according to the level of security required. AES has become the encryption algorithm of choice for applications requiring a high degree of data security.

AES Modes

AES Modes provide a method of implementing different AES properties. The AES modes provided by the IMSolo-5 Forensics unit are described as follows:

Electronic Code Book (ECB)

The message is divided into blocks and each block is encrypted separately.

Cipher Block Chaining (CBC)

Each block of plaintext is XORed with the previous ciphertext block before being encrypted.

Cipher FeedBack (CFB)

Makes a block cipher into a self-synchronizing stream cipher. A stream cipher is a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an XOR operation.

Output FeedBack (OFB)

Makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext.

Counter (CTR)

Counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter".

NOTE: For IMSolo-III Encryption/Decryption Compatibility and ICS DiskCypher usage, it is recommended to use the IMSolo-5 AES CBC Mode settings, and the AES 192 Key Length if DiskCypher-192 is in use or the AES 256 Key Length if DiskCypher-256 is in use.


Appendix B: Product Information

Limited Warranty

Intelligent Computer Solutions, Inc. warrants that our products are free from defects in materials and workmanship for a period of twelve (12) months from the date of purchase by the original buyer. If you discover physical defects or malfunction, Intelligent Computer Solutions, Inc. will, at our discretion, repair or replace the product. You must return the defective product to Intelligent Computer Solutions, Inc. within the warranty period accompanied by an RMA number that has been issued by Intelligent Computer Solutions, Inc.

All products purchased from Intelligent Computer Solutions, Inc. include a seven-day unconditional money-back guarantee.

Intelligent Computer Solutions, Inc.’s products are shipped in cardboard boxes that have been designed and tested to ensure that our products can endure standard commercial shipping methods and still arrive in working order. We advise you to save your box and original packing materials in case you need to return the product(s) for any reason. If product(s) are returned without proper protective packaging, the warranty may be void.

When you receive your product(s), please note the following:

- That the shipping box does not have dents or visible damage.
- What you have received conforms to the packing list.
- There is no apparent damage to the product(s) or accessories.

If any shipping damage is found:

- Please contact the shipper immediately to inspect.
- Please contact our Technical Support Department to report the damage.


What is Not Covered:

This limited warranty provided by Intelligent Computer Solutions, Inc. does not cover:

- Products which have been subjected to abuse, accident, alteration, modification, tampering, negligence, misuse, faulty installation, lack of reasonable care, or if repaired or serviced by anyone without prior authorization from Intelligent Computer Solutions, or if the model or serial number has been altered, tampered with, defaced or removed.

- Normal maintenance.

- Damage that occurs in shipment due to act of God and/or cosmetic damage.

- Accessories

Please note that External cables are covered by a 30-day warranty. This Agreement also does not include service (whether parts or labor) necessitated by any natural cause such as flood, tornado, earthquake or other acts of nature.

Limitation of Liability

The following limitations of ICS liability apply:

ICS is not liable for any incidental or consequential damages, including, but not limited to property damage, loss of time, loss resulting from use of an ICS product, or any other damages resulting from breakdown or failure of a serviced product or from delays in servicing or inability to render service on ICS product. ICS will make every effort to ensure proper operation of its product. It is, however, the Customer’s responsibility and obligation to verify that the output of ICS product meets the Customer’s quality requirement. Customer acknowledges that improper operation of ICS product and/or software, or hardware problems, can cause defective formatting or data loading to target drive. It is the customer, not ICS, who is responsible for verifying that the drive meets the Customer’s quality standards. ICS will make efforts to solve any problems identified by Customer.

Technical Support

For help in resolving a problem, contact ICS Technical Support at:

Phone: 1-818-998-5805 between 7 a.m. and 6 p.m. Pacific Time.

Please be prepared with the following information:

- serial number of the IMSolo-5 unit
- nature of the problem
- steps you have taken
- your phone and fax numbers
- error messages displayed on the screen