Image MASSter Solo-IV Forensics Users Guide
Intelligent Computer Solutions
Rev. 3.1
May 2010
Sales/Technical Support
Phone: 1-818-998-5805
Fax: 1-818-998-3190
E-Mail: sales@ics-iq.com
E-Mail: support@ics-iq.com
Home Page: http://www.ics-iq.com
Copyright 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter and associated
software are copyrighted and registered in accordance with the laws and regulations of the State of
California and the United States of America. IBM and OS/2 are registered trademarks of the International
Business Machines Corporation. Windows VISTA are registered trademarks of the Microsoft Corporation. All
other brand and product names are trademarks of their respective owners.
Contents
CHAPTER 1: INTRODUCTION ........................................... 8
Overview .............................................................................................9
Features ............................................................................................10
About this User Guide............................................................................................................................. 11
Typical Conventions Used ...................................................................................................................... 11
Single Capture................................................................................................................... 31
LinuxDD Capture.............................................................................................................. 32
Wizard - WipeOut Drives Menu .............................................................................................................. 33
WipeOut-DoD................................................................................................................... 33
WipeOut -Fast................................................................................................................... 33
Wizard - Suspect Drive Select Menu...................................................................................................... 34
Wizard - Evidence Drive Select Menu .................................................................................................... 35
Wizard - Operator Main Menu ................................................................................................................ 36
Custom File Size (MB) ................................................................................................. 59
File Name...................................................................................................................... 59
Advanced Settings Main Menu ............................................................................................................... 60
Automation Settings.......................................................................................................... 60
Start Operation after Detection ..................................................................................... 61
Confirm Master and Target drives after Power up/Detection and Before starting
Operation....................................................................................................................... 61
Auto Run....................................................................................................................... 61
Bad Sector Handling ......................................................................................................... 61
Log and skip.................................................................................................................. 61
Abort drive .................................................................................................................... 61
Start View ......................................................................................................................... 61
Wizard Screen............................................................................................................... 61
Operator Screen ............................................................................................................ 62
Advanced Screen .......................................................................................................... 62
Add/Remove Optional Features........................................................................................ 62
Apply Settings................................................................................................................... 62
Advanced Drive Detection Settings Menu .............................................................................................. 63
Refresh .............................................................................................................................. 70
Advanced HPA/DCO Menu .................................................................................................................... 71
Print Logs.......................................................................................................................... 74
Copy Logs......................................................................................................................... 74
Open Log Folder ............................................................................................................... 74
Set Audit Trail Logo ......................................................................................................... 74
Advanced Tools Menu ............................................................................................................................ 75
Chapter 1: Introduction
Overview
Designed exclusively for forensic applications, the Image MASSter Solo-IV Forensics
system is a versatile, lightweight, portable, high speed data acquisition device.
A Suspect's data can be seized at speeds exceeding 6GB per minute. Using the unit's
on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact
replica of the Suspect's data without modification, re-arrangement or corruption. The
unit provides native interface support for SAS, S-ATA and external USB drives, in
addition to supporting P-ATA, including ATA compatible solid state and flash devices.
It provides flexible Capture mode formats, including Segmented File and Mirror image
formats, and is capable of capturing two Suspect drives simultaneously. The unit's
advanced touch screen user interface provides ease of use.
Figure 1: IMSolo-IV Forensics
Features
High Speed Operation:
Transfer rates can exceed 6GB/min.
Supports Multiple Sessions:
Simultaneously seize data from two Suspect drives. Hash or Wipe drives
while seizing data.
Multiple Media Support:
Provides native support for SATA and SAS drives, including external USB
devices. Provides support for PATA and SCSI drives using optional adapters.
Multiple File Format Support:
Seize data using a Mirror capture format or a Segmented File format.
Preview Suspect's Data:
View the Suspect's data in a write-protected environment.
Multiple Operational Modes:
Seize, Hash or Wipe data.
Multiple Hash Modes:
Hash using SHA-1, SHA-2 (Hardware Accelerated), MD5 or CRC32.
Write Protection:
Protect the Suspect drive's data against accidental overwrites.
WipeOut:
Sanitize drives using the DoD standard.
Log Information:
Store and print detailed operational Event Log and Audit Trail information.
Typical Conventions Used (table): Highlighted, Bold, Italic, Note
4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit's Suspect
and Evidence connectors (see Fig. 5 through Fig. 9) and to the SATA or SAS drives.
For PATA drives, use the supplied ICS SATA-to-PATA Adapter and connect the
supplied PATA data cable's Unit Side connector to the Adapter's data connector
and its HDD Side connector to the drive.
Figure 3: Drive Positions (Suspect 1 Port, Suspect 2 Port, Evidence 1 Port, Evidence 2 Port)
5. Select the Mode of Operation from the Operations pull down menu.
Figure 4: Drive Selection Panel
6. Select the drives to be used for the selected operation from the Drive Selection
Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using
the CASE INFO screen functions. It is recommended to enable the Hash Targets
function. Selecting Hash Targets will result in the Capture operation generating the
Hash value for the data read from the Suspect drive and the data written to the
Evidence drive. After all the data is written to the Evidence drive, the Capture
operation will generate the Hash value for the data read from the Evidence drive.
Otherwise, the Hash values generated during the capture operation are generated
for the data read from the Suspect's drive only, not for the data read from the
Evidence (target) drive; the unit hashes the Evidence drive(s) only when instructed
to by enabling the Hash Targets function.
8. Select START to begin the operation.
displayed during an operation.
9. After the operation completes, the drives will be powered OFF and the drives can be
safely removed. The simulated drive status LEDs will be set to GREEN if the
operation passes or RED if the operation fails. Log files will automatically be stored
internally and can be transferred to external media using the unit's USB ports,
located on the back of the unit.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using
128-bit password encryption protection, so the Audit Trail contents cannot
be changed. The Company Logo can be added to the Audit Trail PDF by
selecting its location using the "SET AUDIT TRAIL LOGO" function, located
in the LOG menu screen.
The unit can be powered OFF by pressing and releasing the unit's Power
button, located on the top corner of the unit's back panel.
Chapter 3: Installation
Setup
1. Carefully remove the IMSolo-IV Forensics unit from its shipping box.
2. Use the supplied parts list (Table 1) to complete an inventory check.
3. Follow the outlined steps in the Quick Start Setup Chapter.
Table 1: Quick-Reference Parts List (part numbers are not present in this copy)
Part                                   Quantity
IMSolo-IV Forensics Unit               1
DC Power Adapter and AC Power Cord     1
SAS/SATA Data/Power Cable              4
SATA-to-PATA Adapter                   1
PATA 2.5 44-Pin Adapter                1
PATA Data Cable                        1
PATA Power Cable                       1
Stylus                                 1
Restore DVD                            1
IMSolo-IV Forensics Users Guide        1
System Specifications (table; values are not present in this copy): Supply Voltage,
Power Consumption, Operating Temperature, Relative Humidity, Net Weight, Overall Dimensions
Hardware Accessories
The following section provides a description of the Hardware Accessories that are
available for the IMSolo-IV Forensics unit.
Figure 5: Hardware Accessories
Hardware Description
This section describes the hardware of the IMSolo-IV Forensics unit.
Components and Functions
Top Panel (Fig. 6): Touch Screen Display
Front Panel (Fig. 10): Evidence 1 and 2 SATA/SAS Hard Disk Drive Data/Power Connectors
Left Side Panel (Fig. 8): Suspect 1 SATA/SAS Hard Disk Drive Data/Power Connector; Suspect 1 USB Connectors
Right Side Panel (Fig. 9): Suspect 2 SATA/SAS Hard Disk Drive Data/Power Connector; Suspect 2 USB Connectors
Bottom Panel (Fig. 11): Hard Drive Bay Panel; Expansion Card Slot Panel
Figure 6: Top View (Touch Screen Display)
Figure 7: Back View (ON/OFF Power Button, DC Power-IN, Mouse and Keyboard Ports, Ethernet and USB 2.0 Ports, External Drive Power Port, Heat Exhaust Fan, Expansion Ports)
Figure 8: Left View (Suspect 1 SAS/SATA Port, Suspect 1 USB Port)
Figure 9: Right View (Suspect 2 USB Port, Suspect 2 SAS/SATA Port)
Figure 10: Front View (Evidence 1 SAS/SATA Port and USB Ports, Evidence 2 SAS/SATA Port and USB Ports)
Figure 11: Bottom View (Expansion Card Bay, Hard Drive Bay)
Chapter 4: Operation
User Interface
The IMSolo-IV Forensics provides Windows based Graphical User Interface
applications, which the user can use to set up and control the unit's various functions.
All of the unit's menus and functions are controlled through the unit's Touch Screen
Display. Screen menu items can be selected by touch or with the included Touch
Screen Stylus Pen. An On-Screen Keyboard is available as an easy method to
enter text related information. Optionally, an external keyboard, mouse or display can
be connected. The IMSolo-IV unit provides a Wizard Interface and an Advanced
Interface. By default the unit's Advanced Interface will run at start up; it can also be
activated from the Windows START/PROGRAMS menu or by selecting the IMSolo-IV
application's Desktop Shortcut ICON. The Advanced Interface screens are available to
customize operations. The Wizard Interface provides the user with simple navigational
menu screens to quickly set up and start operations. Multiple instances of the IMSolo-IV
application can be activated to allow multiple operations to be performed
simultaneously.
This chapter provides a detailed description of the available functions.
Figure 12: Main Menu (Operational Mode Menu, Navigation Bar)
Navigation Bar
The Navigation Bar menu provides the user with functions to select the various User
Interfaces and IM support functions.
Advanced Screen
Provides access to the Advanced User Interface Screen functions. These functions
include access to advanced settings and advanced operational modes.
Operator Screen
Provides access to the Operator User Interface Screen functions. Allows the
Operator to start or abort common operations.
29
Wizard Screen
Provides access to the Wizard Main Screen. The Wizard provides the Operator with
a short series of multiple choice menu selections to assist the Operator to easily
and quickly set up and start an operation.
On-Screen Keyboard
Selecting this function results in starting a new session of the IMSolo-IV Forensics
Wizard Interface Control Console. Multiple sessions allow more than one operation
to be performed simultaneously.
Desktop
Exit
Terminates the active visible session. The function automatically releases all
detected drives before exiting the session.
About
Selecting About, displays information about the IMSolo-IV Forensics unit, such as
serial number and software version in use.
Figure 13: Wizard Capture menu (Single Capture, LinuxDD Capture)
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's
drive to the Evidence drive. The operation will create an exact duplicate of all of the
Suspect drive's partitioned and un-partitioned areas as well as all used and unused
sectors on the Suspect's drive. The process of acquiring the data from the Suspect's
drive is methodical and contiguous, beginning from the first byte of the first sector on the
drive, and ending on the last byte of the last sector of the drive. The data is copied to
the corresponding sector on the Evidence drive. Only one seizure operation can be
performed to the same Evidence drive.
LinuxDD Capture
The LinuxDD Capture method will copy the entire contents of the Suspect's drive to the
Evidence drive. The data will be written as individual segmented LinuxDD files and
stored in an individual subdirectory on the Evidence drive. The size of the individual
LinuxDD files can be set by selecting a value within the Fragment pull down menu.
The default setting is 650MB (CD). The Case Name information entered by the user will
be used as the name of the subdirectory where the Suspect's LinuxDD files will be
stored. This Case Name will also be used as the filename of all LinuxDD files
associated with this seizure. The Linux DD files will begin with the extension 001,
incremented by 1 for each additional file.
Any number of seizures can be performed to the same Evidence drive provided there is
adequate space to save the seized data on the Evidence drive.
Wizard - WipeOut Drives Menu options: WipeOut-DoD, WipeOut-Fast
WipeOut-DoD
The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets
the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.
Using ordinary DELETE and ERASE commands, data on a hard drive remains
accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique
provides a solution to this problem using a series of null-coded overwrites that
completely removes all data from the hard drive. The process is performed in three
iterations and two individual passes that completely overwrite the drive connected to
the internal drive position. Each iteration makes two write-passes over the entire drive.
The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass
writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a
seventh pass writes the government designated code 246 (Hex 0xF6) across the
entire drive surface, which is then followed by an eighth pass that inspects the drive with
a Read-Verify review.
WipeOut -Fast
The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a
drive of all previously stored data. The process involves writing a user-defined hex
pattern to the drive connected in the Target drive position, for a number of user-defined
iterations. The process is methodical and contiguous, beginning from the first byte of
the first sector on the drive, and ending on the last byte of the last sector of the drive.
Figure 14: Wizard Suspect Drive Select Menu (Suspect Drive Select Control Icons)
Figure 15: Wizard Evidence Drive Select Menu (Evidence Drive Select Control Icons)
Figure 16: Wizard Operator Main Menu (Operation Controls, Drive Select Control Icons, Navigation Bar)
Operation Status Information fields: Station, Speed, Operational Mode, Load Size,
Percent Completion, Elapsed Time, Estimated Time Left
Station
Displays the Computer Name of the IMSolo-IV Forensics unit.
Speed
The Speed field displays the average transfer rate in megabytes per minute.
Operational Mode
Displays the selected Operational Mode.
Load Size
The Load Size field displays the total data required to be transferred.
Percent Completion
Displays the percent of completion for the active operation.
Elapsed Time
Refers to the time elapsed during an operation. This field will also display the
total elapsed time at the end of an operation.
Estimated Time Left
Refers to the time remaining to complete the operation.
Operation Controls
Start
Selecting Start will instruct the Control Console to turn ON the drives and begin
the selected operation.
Abort
Selecting Abort will instruct the Control Console to turn OFF the drives and
terminate the selected operation.
Figure 17: Advanced Screen (Operational Settings Tabs, Active Drive Status Panels, Drive Selection Panel, Non-Active Drive Panel, Event Log Window, Operational Mode Select Menu, Navigation Bar, Operation Status Information)
NOTE: The Drive Select menu provides a power indicator for each drive position.
The indicator will be GREY prior to drive detection, GREEN if the drive is
detected or the operation passed, and RED if the drive is not detected or if
the operation was not successful.
Detect Drives
Select the Detect Drives button to turn ON and detect the selected drive(s).
NOTE: By default, all ports are Write-Protected. The drive's Write-Protect
property will automatically be disabled if the selected operational mode
requires writing to the drive(s).
Remove Drives
Select Remove Drives to turn OFF and remove the selected drive(s).
Add Network Location
Allows a Suspect drive's contents to be captured and stored in a Network or Locally
Shared Folder. The Shared Folder location can be designated as the Evidence
drive using the Add Network Location function. The Add Network Location function
is available when running the LinuxDD or E01 Capture operations. The descriptions
of the available settings are discussed in the following section.
Figure 18: Add Network Location (Browse)
Operational Mode Select Menu options: Single Capture, LinuxDD Capture, LinuxDD Restore,
LinuxDD Hash, E01 Capture, E01 Restore, E01 Hash, Hash, WipeOut, Format Drives
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's
drive to the Evidence drive. The operation will create an exact duplicate of all of the
Suspect drive's partitioned and un-partitioned areas as well as all used and unused
sectors on the Suspect's drive. The process of acquiring the data from the
Suspect's drive is methodical and contiguous, beginning from the first byte of the
first sector on the drive, and ending on the last byte of the last sector of the drive.
The data is copied to the corresponding sector on the Evidence drive. Only one
seizure operation can be performed to the same Evidence drive. See Single
Capture Settings for more details.
LinuxDD Capture
The LinuxDD Capture Mode will copy the entire contents of the Suspect's drive to
the Destination drives. The data will be written as individual segmented LinuxDD
files and stored in an individual subdirectory on the Destination drive(s). The size of
the individual LinuxDD files can be set by selecting a value within the Capture File
Size pull down menu. The default setting is 650MB (CD). The File Name
information entered by the user will be used as the name of the subdirectory where
the Suspect's LinuxDD files will be stored. This File Name will also be used as the
filename of all LinuxDD files associated with this seizure. The Linux DD files will
begin with the extension 000, incremented by 1 for each additional file.
The Destination drive will be inspected prior to transferring data. The operation will
verify that the first partition on the Evidence drive is based on the exFAT File System
and has EVIDENCE as the volume label. A Destination drive that meets these
criteria is a valid Destination drive; a new subdirectory will be created and the
transfer will begin. A Destination drive that fails these criteria will cause the
user to be prompted with a message asking whether or not to overwrite the current
contents of the Destination drive in order to make it a valid LinuxDD Destination
drive. The operation will abort unless the user agrees to overwrite the Destination
drive.
Any number of Loads can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
LinuxDD Capture Settings for more details.
NOTE: The exFAT File System was introduced with version 4.2.54.0. Prior versions
used NTFS.
LinuxDD Restore
This function allows restoring the captured LinuxDD formatted Case to its original file
format. This function requires the LinuxDD drive, containing the LinuxDD Case files,
to be connected to one of the units Suspect positions and the Destination drive to
be connected to the units Evidence position.
LinuxDD Hash
This function will generate a Hash value for the selected LinuxDD Case. The
LinuxDD drive can be connected to either the Suspect or Evidence position.
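The segmented LinuxDD layout described under LinuxDD Capture, the Destination drive check, LinuxDD Restore and LinuxDD Hash, as one added Python example that is not ICS code and not the unit's firmware. It writes segment files FileName.000, FileName.001, ... into a per-case subdirectory, reassembles them in numeric extension order (a plain directory listing sorts lexically, which breaks past 999 segments) and hashes the reassembled image so the case hash can be compared with the hash taken at capture time. The temporary directory standing in for the Evidence volume, the segment size, SHA-256 as the hash, and all function names are assumptions; the exFAT/EVIDENCE check is reduced to a comparison on values the caller supplies, because reading a real partition's file system type is outside the example.

```python
"""Added example (not ICS code): LinuxDD-style segmented seizure, Destination drive
check, restore and case hash, run over ordinary files in a temporary directory."""
import hashlib
import os
import shutil
import tempfile

EVIDENCE_LABEL = "EVIDENCE"


def evidence_volume_is_valid(fs_type, volume_label):
    """The guide's acceptance test for a LinuxDD Destination drive: first partition is
    exFAT and carries the volume label EVIDENCE (label compared case-sensitively)."""
    return fs_type.lower() == "exfat" and volume_label == EVIDENCE_LABEL


def has_space_for(evidence_root, load_size):
    """Any number of Loads may share one Evidence drive provided the space is there."""
    return shutil.disk_usage(evidence_root).free >= load_size


def linuxdd_capture(suspect_image, evidence_root, file_name, segment_size, first_extension=0):
    """Write suspect_image as segmented dd files <evidence_root>/<file_name>/<file_name>.NNN.

    Returns (segment paths in order, SHA-256 of the data read from the Suspect drive).
    first_extension is 0 for the Advanced interface's .000 numbering, 1 for the Wizard's .001.
    A second seizure under the same File Name is refused rather than silently merged.
    """
    if segment_size <= 0:
        raise ValueError("segment size must be positive")
    if not has_space_for(evidence_root, len(suspect_image)):
        raise IOError("not enough space on the Evidence drive")
    case_dir = os.path.join(evidence_root, file_name)
    os.makedirs(case_dir, exist_ok=False)  # one new subdirectory per seizure
    digest = hashlib.sha256()
    paths = []
    for index, offset in enumerate(range(0, len(suspect_image), segment_size)):
        chunk = suspect_image[offset:offset + segment_size]
        digest.update(chunk)
        path = os.path.join(case_dir, "%s.%03d" % (file_name, first_extension + index))
        with open(path, "wb") as segment:
            segment.write(chunk)
        paths.append(path)
    return paths, digest.hexdigest()


def linuxdd_segments(case_dir, file_name):
    """List a case's segment files in numeric extension order."""
    prefix = file_name + "."
    names = [n for n in os.listdir(case_dir)
             if n.startswith(prefix) and n[len(prefix):].isdigit()]
    return [os.path.join(case_dir, n) for n in sorted(names, key=lambda n: int(n[len(prefix):]))]


def linuxdd_hash(case_dir, file_name):
    """LinuxDD Hash: SHA-256 over the segments read back in order, i.e. over the reassembled image."""
    digest = hashlib.sha256()
    for path in linuxdd_segments(case_dir, file_name):
        with open(path, "rb") as segment:
            for block in iter(lambda: segment.read(1 << 16), b""):
                digest.update(block)
    return digest.hexdigest()


def linuxdd_restore(case_dir, file_name):
    """LinuxDD Restore: concatenate the segments back into one image (returned as bytes here)."""
    parts = []
    for path in linuxdd_segments(case_dir, file_name):
        with open(path, "rb") as segment:
            parts.append(segment.read())
    return b"".join(parts)


def demo(suspect_image=bytes(range(256)) * 40, segment_size=4096, file_name="CASE001"):
    """Run one constructed seizure (10,240-byte 'drive' by default) in a temporary
    directory standing in for the Evidence volume, then hash and restore it."""
    with tempfile.TemporaryDirectory() as evidence_root:
        paths, capture_hash = linuxdd_capture(suspect_image, evidence_root, file_name, segment_size)
        case_dir = os.path.join(evidence_root, file_name)
        return {
            "segments": [os.path.basename(p) for p in paths],
            "capture_hash": capture_hash,
            "case_hash": linuxdd_hash(case_dir, file_name),
            "restored_ok": linuxdd_restore(case_dir, file_name) == suspect_image,
        }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the segment names (CASE001.000 through CASE001.002 for the constructed 10,240-byte image split at 4096 bytes), the capture-time hash, the LinuxDD Hash taken from the segments, and whether the restored image matched; in a real seizure the two hashes are what the Audit Trail would record.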
E01 Capture
The E01 Capture Mode will capture the entire contents of the Suspect's drive to the
Destination drives using Guidance Software's EnCase Forensic format. The data
will be written as individual segmented EnCase formatted files and stored in an
individual subdirectory on the Destination drive(s). The size of the individual E01
files can be set by selecting a value within the Capture File Size pull down menu.
The default setting is 650MB (CD). The EnCase format limits the File Size to 2GB.
The File Name information entered by the user will be used as the name of the
subdirectory where the Suspect's files will be stored. This File Name will also be
used as the filename of all files associated with this seizure. The E01 files will begin
with the extension E01, incremented by 1 for each additional file. The
Compression Level can be set between 0 and 9, with 0 defined as No
Compression and 9 defined as Highest Compression.
The Destination drive will be inspected prior to transferring data. The operation will
verify that the first partition on the Evidence drive is based on the exFAT File System
and has EVIDENCE as the volume label. Otherwise, the operation will
prompt the User that the Evidence drive will be overwritten.
Any number of Loads can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
E01 Capture Settings for more details.
NOTE: The E01 Capture Mode will result in reduced transfer rates when compared
with other Capture Modes.
E01 Restore
This function allows restoring the captured E01 formatted Case to its original file
format. This function requires the E01 drive, containing the E01 Case files, to be
connected to one of the units Suspect positions and the Destination drive to be
connected to the units Evidence position.
E01 Hash
This function will generate a Hash value for the selected E01 Case. The E01 drive
can be connected to either the Suspect or Evidence position.
Format Drives
This function can be used to quickly format drives and to prepare drives as exFAT
LinuxDD or exFAT E01 Evidence drives. It may be necessary to manually transfer
LinuxDD or E01 Evidence files from an NTFS based Evidence drive to an exFAT
based Evidence drive.
WipeOut
The WipeOut-User Mode of operation provides a quick non-DoD method of
sanitizing a drive of all previously stored data. The process involves writing a user-
defined hex pattern to the destination drive for a number of user-defined iterations.
The process is methodical and contiguous, beginning from the first byte of the first
sector on the drive, and ending on the last byte of the last sector of the drive.
The WipeOut-DoD Mode of operation provides a method of sanitizing a drive that
meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing
drives.
Using ordinary DELETE and ERASE commands, data on a hard drive remains
accessible to a variety of intrusive procedures. The WipeOut DoD erasure
technique provides a solution to this problem using a series of null-coded overwrites
that completely removes all data from the hard drive.
The process is performed in three iterations and two individual passes that
completely overwrite the destination drives. Each iteration makes two write-passes
over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive
surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface.
After the third iteration, a seventh pass writes the government designated code 246
(Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass
that inspects the drive with a Read-Verify review. See Wipeout Settings for more
details.
The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure
Erase function to erase data. The WipeOut-Secure Erase option offers two modes,
Normal Erase and Enhanced Erase, which are automatically selected if the drive
supports them. Normal Erase will erase drives using the 0x00 pattern. The
Enhanced Erase mode will erase drives with a predetermined pattern and will clear
Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command. Secure
Erase is recognized by NIST 800-88 as an effective and secure way to
meet legal data sanitization requirements.
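The WipeOut-User and WipeOut-DoD pass sequences described above (and again under WipeOut Settings), as an added Python example that is not ICS code and not the unit's firmware. It runs each pass over a bytearray standing in for the Target drive, sector by sector from the first to the last, and returns a pass log, so the three (0xFF, 0x00) iterations, the seventh 0xF6 pass and the eighth Read-Verify pass can be checked rather than taken on trust. The 512-byte sector size, the log format and the function names are assumptions; Secure Erase is a command executed by the drive's firmware and is not modelled.

```python
"""Added example (not ICS code): WipeOut-User and WipeOut-DoD pass sequences over an
in-memory 'drive'. Sector size and log format are assumptions for the example."""

SECTOR = 512  # assumed sector size; any drive length that is not a multiple is handled


def _overwrite(drive, value):
    """One write pass: fill every sector with `value`, contiguously first sector to last."""
    fill = bytes([value]) * SECTOR
    for offset in range(0, len(drive), SECTOR):
        drive[offset:offset + SECTOR] = fill[:len(drive) - offset]  # final sector may be short


def _read_verify(drive, value):
    """Read-Verify pass: byte offsets of sectors that do not hold `value` everywhere."""
    bad = []
    for offset in range(0, len(drive), SECTOR):
        if any(b != value for b in drive[offset:offset + SECTOR]):
            bad.append(offset)
    return bad


def wipeout_user(drive, pattern, iterations=0):
    """WipeOut-User (the Wizard's WipeOut-Fast): write one user-defined byte pattern
    (0-255) for the requested number of passes; 0 iterations means a single pass,
    as the Iterations setting states. Returns the list of passes performed."""
    if not 0 <= pattern <= 255:
        raise ValueError("pattern must be in the range 0-255")
    log = []
    for _ in range(max(1, iterations)):
        _overwrite(drive, pattern)
        log.append(("write", pattern))
    return log


def wipeout_dod(drive):
    """WipeOut-DoD as the guide describes it: three iterations of (0xFF, 0x00), a
    seventh pass of 0xF6 (code 246), then an eighth Read-Verify pass.
    Returns the eight-entry pass log; raises if any sector fails the verify."""
    log = []
    for _ in range(3):
        _overwrite(drive, 0xFF)
        log.append(("write", 0xFF))
        _overwrite(drive, 0x00)
        log.append(("write", 0x00))
    _overwrite(drive, 0xF6)
    log.append(("write", 0xF6))
    bad = _read_verify(drive, 0xF6)
    log.append(("verify", 0xF6, len(bad)))
    if bad:
        raise IOError("read-verify failed at sector offsets %r" % bad[:8])
    return log


if __name__ == "__main__":
    target = bytearray(b"case data " * 300)  # constructed 3,000-byte drive, not sector aligned
    for entry in wipeout_dod(target):
        print(entry)
```

The verify pass reports the count of failing sectors in the log entry and raises on the first failure, which is the behaviour an operator needs from a sanitization tool: a wipe that cannot be verified is reported as failed, not as done.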
Hash
The Hash operation provides a method of generating a hash value for either the
entire area of a drive or for a selected number of sectors of a drive. No data is
written to the selected drives during this operation. When hashing the entire drive
the process is methodical and contiguous, beginning with the first sector on the drive
and ending with the last sector of the drive. See Hash Settings for more details.
Figure 19: Capture settings (Read Back-Verify, Hash Targets, Hashing Methods, Encryption/Decryption, Wipe Remainder)
Read Back-Verify
Provides additional data integrity checks during data transfers. When Read Back-Verify
is selected the operation will verify each block of data transferred during the
data transfer process. Data written to the Evidence drive is read back and
compared to the data read from the Suspect's drive. Enabling this option reduces
the transfer rate.
Disabling this option will result in the data transfer process making use of the
drive's own Ultra DMA Mode error-detection mechanism, the cyclic redundancy
check (CRC-16), to check for data integrity. In most cases the CRC-16 error
checking algorithm is sufficient. CRC is an algorithm that calculates an order- and
value-sensitive checksum used to detect errors in a stream of data. Both the
Suspect's drive and the Evidence drives calculate a CRC value for each Ultra DMA
burst. After the Suspect's data is sent, the Evidence drive calculates a CRC value
and this is compared to the original Suspect's CRC value. If a difference is reported,
the unit may be required to select a slower transfer mode and re-try the original
request for data. The transfer rate will not be affected when using the drive's CRC-16
mechanism for checking data integrity.
Hash Targets
The Hash Targets function provides a method of generating Hash values for the
Source drive's data and for the data written to the Target drives, in the same
operation. The data is read back and hashed from the target drive(s) after each
transferred block. Since data is read back during the operation, the average transfer
rate will decrease and the total time of completion will increase when this function is
enabled.
Hashing Methods
The Hashing Methods menu selection provides the user with a list of different Hash
Algorithms to generate a Hash value for the Source drive's data. Hashing is a
process that calculates a "unique signature" value for the contents of an entire drive.
CRC32
Selecting CRC32 will result in the operation generating the CRC32
32-bit hash value for the data read from the source drive(s). Selecting the Hash
Targets function will result in the operation generating the CRC32 Hash values for
the data read from the Source drive and the data written to the Target drive.
MD5
Selecting MD5 will result in the operation generating the MD5 128-bit hash value
for the data read from the source drives. Selecting the Hash Targets function will
result in the operation generating the MD5 Hash values for the data read from the
Source drive and the data written to the Target drive.
SHA-1
Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash
value for the data read from the source drives. Selecting the Hash Targets
function will result in the operation generating the SHA-1 Hash values for the data
read from the Source drive and the data written to the Target drive.
NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and
therefore the effect on transfer rates is limited.
SHA-2 (224, 256, 384, 512)
Selecting SHA-2 (224, 256, 384 or 512) will result in the operation generating the
SHA-2 hash value of the selected length (224, 256, 384 or 512 bits) for the data
read from the source drives. Selecting the Hash Targets function will result in the
operation generating the Hash values for the data read from the Source drive and
the data written to the Target drive.
NOTE: The SHA-2 (256) Hash function uses Hardware Acceleration for
calculations and therefore the effect on transfer rates is limited.
Wipe Remainder
The Wipe Remainder function instructs the capture operation to wipe (erase) the
remaining sectors after a capture operation is performed, if the Evidence drive is
larger than the Suspect's drive.
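The settings just described (Read Back-Verify, Hash Targets, the Hashing Methods list and Wipe Remainder), applied to a Single Capture, as an added Python example that is not ICS code and not the unit's firmware. It copies a constructed Suspect buffer block by block onto a larger, previously used Evidence buffer and treats each setting as a switch, so the reader can see exactly which bytes each hash covers: the Suspect hash is taken from what was read, the Hash Targets hash from what was read back after each write, and a final hash from the whole Evidence area after the copy, as step 7 of the Quick Start describes. It goes slightly beyond the page in that CRC32 is wrapped to look like the hashlib algorithms so all menu entries share one code path. The 4096-byte block size, the buffers, the function names and the result dictionary are assumptions.

```python
"""Added example (not ICS code): a block-wise Single Capture with Read Back-Verify,
Hash Targets, a selectable Hashing Method and Wipe Remainder, on in-memory buffers."""
import hashlib
import zlib

BLOCK_SIZE = 4096  # assumed transfer block; the guide does not state the unit's block size


class _Crc32:
    """hashlib-style wrapper around zlib.crc32 so CRC32 can be selected like MD5/SHA."""

    def __init__(self):
        self._crc = 0

    def update(self, data):
        self._crc = zlib.crc32(data, self._crc)

    def hexdigest(self):
        return "%08x" % (self._crc & 0xFFFFFFFF)


# The Hashing Methods menu: CRC32 (32-bit), MD5 (128-bit), SHA-1 (160-bit), SHA-2 family.
HASHING_METHODS = {
    "CRC32": _Crc32,
    "MD5": hashlib.md5,
    "SHA-1": hashlib.sha1,
    "SHA-2(224)": hashlib.sha224,
    "SHA-2(256)": hashlib.sha256,
    "SHA-2(384)": hashlib.sha384,
    "SHA-2(512)": hashlib.sha512,
}


def new_hasher(method):
    """Return a fresh hash object for a menu name, rejecting names the menu does not offer."""
    if method not in HASHING_METHODS:
        raise ValueError("unknown hashing method: %r" % method)
    return HASHING_METHODS[method]()


def single_capture(suspect, evidence, method="SHA-2(256)", read_back_verify=False,
                   hash_targets=False, wipe_remainder=False):
    """Copy `suspect` (bytes) sector-for-sector onto `evidence` (bytearray).

    read_back_verify: re-read each block after writing and compare it byte for byte.
    hash_targets:     hash the data read back from the Evidence drive block by block,
                      then hash the whole Evidence area again once the copy is complete.
    wipe_remainder:   zero the Evidence sectors beyond the Suspect drive's size.
    Returns a dict of digests; "match" is True only when all three digests agree.
    """
    if len(evidence) < len(suspect):
        raise ValueError("Evidence drive is smaller than the Suspect drive")
    source_hash = new_hasher(method)
    target_hash = new_hasher(method) if hash_targets else None
    for offset in range(0, len(suspect), BLOCK_SIZE):
        block = suspect[offset:offset + BLOCK_SIZE]
        source_hash.update(block)                      # data read from the Suspect drive
        evidence[offset:offset + len(block)] = block   # written to the corresponding sectors
        if read_back_verify or hash_targets:
            read_back = bytes(evidence[offset:offset + len(block)])
            if read_back_verify and read_back != block:
                raise IOError("read back mismatch at byte offset %d" % offset)
            if hash_targets:
                target_hash.update(read_back)          # data read back from the Evidence drive
    if wipe_remainder:
        evidence[len(suspect):] = bytes(len(evidence) - len(suspect))
    result = {"method": method, "load_size": len(suspect),
              "suspect_hash": source_hash.hexdigest()}
    if hash_targets:
        final = new_hasher(method)                     # post-capture hash of the Evidence drive
        final.update(bytes(evidence[:len(suspect)]))
        result["evidence_hash"] = target_hash.hexdigest()
        result["evidence_verify_hash"] = final.hexdigest()
        result["match"] = (result["suspect_hash"] == result["evidence_hash"]
                           == result["evidence_verify_hash"])
    return result


if __name__ == "__main__":
    suspect_drive = bytes(range(256)) * 40          # constructed 10,240-byte Suspect drive
    evidence_drive = bytearray(b"\xAA" * 16384)     # constructed, larger, previously used Evidence drive
    print(single_capture(suspect_drive, evidence_drive, "MD5",
                         read_back_verify=True, hash_targets=True, wipe_remainder=True))
```

With Hash Targets off the result carries only the Suspect hash, which is the situation step 7 of the Quick Start warns about: nothing then attests to what actually landed on the Evidence drive. With Wipe Remainder off, the 0xAA bytes beyond the copied area survive on the Evidence drive, which is why the setting matters when an Evidence drive is reused.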
Encrypt/Decrypt
The Encrypt/Decrypt menu selection provides the user with the functions and
settings necessary to configure an operation to Encrypt or Decrypt captured data.
The
AES Mode
Provides the user with the list of AES Modes to choose from. The choices are
ECB, CBC, CFB, 0FB, and CTR.
Action - None
Instructs the operation to transfer data without Encrypting or Decrypting data.
Action - Encrypt
Instructs the operation to Encrypt data during the data transfer operation.
Action - Decrypt
Instructs the operation to Decrypt data during the data transfer operation.
Save Key
The Encryption Key used to Encrypt the Suspect drive's data is generated and
saved.
Load Key
Provides the function to allow the User to select and load the Encryption Key
which is used to Decrypt the Evidence drive's Encrypted data.
NOTE:
WipeOut Settings
The WipeOut Settings menu provides the Operator with a list of settings available for
the selected operation. The menu is selected when the Operational Mode is selected
from the Operational Mode Select Menu.
Figure 20: WipeOut Settings menu, showing Mode (User, DoD, Secure Erase),
Iterations, Pattern (0-255) and Read Back-Verify.
Mode
The WipeOut Mode provides the Operator with two methods of sanitizing drives.
User
The WipeOut User option provides a quick, non-DoD method of sanitizing a
drive of all previously stored data. The process writes a user-defined
pattern to the drive connected in the Target drive position for a
user-defined number of drive passes (iterations). The process is methodical
and contiguous, beginning at the first byte of the first sector on the drive
and ending at the last byte of the last sector of the drive.
Iterations
Allows the Operator to define the number of WipeOut-User iterations or
passes to perform. Selecting 0 instructs the operation to sanitize the drive in
one pass.
Pattern (0-255)
Allows the Operator to define the WipeOut-User Pattern to be used to sanitize
the Target drive(s). The available range is 0-255.
DoD
The WipeOut DoD function provides a method of sanitizing a drive that meets
the U.S. Department of Defense specification DoD 5220.22-M for sanitizing
drives.
The operation is performed as three iterations of two passes each, and every
pass completely overwrites the destination drive. In each iteration the first
pass writes ONEs (Hex 0xFF) over the entire drive surface and the second pass
writes ZEROes (Hex 0x00) over the entire drive surface. After the third
iteration, a seventh pass writes the government designated code 246 (Hex 0xF6)
across the entire drive surface, which is then followed by an eighth pass that
inspects the drive with a Read-Verify review.
Secure Erase
The WipeOut-Secure Erase option uses the drive's own built-in firmware
Secure Erase function to erase data. It offers two modes, Normal Erase and
Enhanced Erase, which are selected automatically if the drive supports them.
Normal Erase erases the drive using the 0x00 pattern. Enhanced Erase erases
the drive with a predetermined pattern and also clears the Relocation List
Sectors.
NOTE:
Not all drives provide support for the Secure Erase command.
Secure Erase is recognized by NIST 800-88 as an effective and
secure way to meet legal data sanitization requirements.
Read Back-Verify
See the earlier description of Read Back-Verify.
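The two software sanitization modes above, WipeOut-User (pattern, iterations, with 0 meaning a single pass) and WipeOut-DoD (three iterations of 0xFF/0x00, a seventh 0xF6 pass, an eighth read-verify pass), modelled as an added example against an in-memory drive. This is illustration code, not ICS's firmware; the DriveModel class and the 512-byte sector size are assumptions, and Secure Erase is not modelled because the guide hands that job to the drive's own firmware.

```python
SECTOR = 512  # assumed sector size for this model


class DriveModel:
    """In-memory stand-in for a drive in the Target position (constructed for
    this example). `passes` records the pattern of every write pass so the
    sequence actually executed can be audited afterwards."""

    def __init__(self, sectors: int, fill: int = 0xA5):
        self.data = bytearray([fill]) * (sectors * SECTOR)  # "previously stored data"
        self.passes: list[int] = []

    def write_pass(self, pattern: int) -> None:
        # Methodical and contiguous: first byte of the first sector to the
        # last byte of the last sector, in one pass.
        self.data[:] = bytes([pattern]) * len(self.data)
        self.passes.append(pattern)

    def read_back_verify(self, pattern: int) -> list[int]:
        """Read-Verify review: return the indexes of sectors that do not hold
        the expected pattern (an empty list means the wipe verified clean)."""
        expected = bytes([pattern]) * SECTOR
        return [i for i in range(len(self.data) // SECTOR)
                if self.data[i * SECTOR:(i + 1) * SECTOR] != expected]


def wipeout_user(drive: DriveModel, pattern: int, iterations: int) -> list[int]:
    """WipeOut-User: write `pattern` (0-255) for `iterations` passes; the guide
    defines 0 iterations as sanitizing the drive in one pass.  Returns the
    sectors that failed read-back verification."""
    if not 0 <= pattern <= 255:
        raise ValueError("Pattern must be in the range 0-255")
    for _ in range(max(iterations, 1)):
        drive.write_pass(pattern)
    return drive.read_back_verify(pattern)


# Three iterations of ONEs then ZEROes, followed by the seventh pass of 0xF6.
DOD_PASSES = [0xFF, 0x00] * 3 + [0xF6]


def wipeout_dod(drive: DriveModel) -> list[int]:
    """WipeOut-DoD as described in the guide: seven write passes, then an
    eighth Read-Verify pass checking for the final 0xF6 pattern."""
    for pattern in DOD_PASSES:
        drive.write_pass(pattern)
    return drive.read_back_verify(0xF6)
```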
NOTE: If the File Name field is left blank, the operation will use a default LinuxDD
file name referenced as CASE<DATE><TIME>.
Figure 22: settings menu showing Hash Methods, File Name and
Encryption/Decryption.
Figure 23: settings menu showing Hash Methods, File Name, Read Back-Verify,
Hash Targets and Encryption/Decryption.
Hash Settings
The Hash Settings menu provides the Operator with a list of settings available for the
selected operation. The menu is selected when the Operational Mode is selected from the
Operational Mode Select Menu.
Figure 24: Hash Settings menu showing Sectors to Hash, Hash Methods and
Encryption/Decryption.
Sectors to Hash
Allows the Operator to define the number of sectors to hash. The default value of 0
will instruct the Hash operation to hash the entire drive.
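The capture-time hashing described under Hash Methods, Hash Targets, Wipe Remainder and Sectors to Hash, modelled as an added example that is not ICS's code: a sector-by-sector copy that hashes what is read from the Suspect image, optionally hashes what the Evidence buffer holds after each write, zeroes any remainder and supports a read-back verification. The 512-byte sector size and the function names are assumptions.

```python
import hashlib

SECTOR = 512  # assumed sector size for this model


def capture(source: bytes, target: bytearray, *, algo: str = "sha256",
            hash_targets: bool = False, wipe_remainder: bool = False,
            sectors_to_hash: int = 0) -> dict:
    """Sector-by-sector capture of a Suspect image into an Evidence buffer.

    `algo` is any hashlib name ("md5", "sha1", "sha256", "sha512", ...),
    mirroring the Hash Methods menu.  Returns the hash of the data read from
    the source, the hash of the data written to the target (only when
    hash_targets is set, as with the Hash Targets setting) and whether the
    two agree.
    """
    if len(target) < len(source):
        raise ValueError("Evidence drive is smaller than the Suspect drive")
    # Sectors to Hash: 0 means hash the entire drive.
    limit = len(source) if sectors_to_hash == 0 else sectors_to_hash * SECTOR
    src_hash = hashlib.new(algo)
    tgt_hash = hashlib.new(algo) if hash_targets else None
    for off in range(0, len(source), SECTOR):
        sector = source[off:off + SECTOR]
        if off < limit:
            src_hash.update(sector)             # hash what was read from the source
        target[off:off + len(sector)] = sector  # write it to the Evidence drive
        if tgt_hash is not None and off < limit:
            # Hash Targets: hash what the Evidence drive holds after the write.
            tgt_hash.update(bytes(target[off:off + len(sector)]))
    if wipe_remainder and len(target) > len(source):
        # Wipe Remainder: zero the Evidence sectors beyond the Suspect drive's end.
        target[len(source):] = bytes(len(target) - len(source))
    result = {"source": src_hash.hexdigest(), "target": None, "match": None}
    if tgt_hash is not None:
        result["target"] = tgt_hash.hexdigest()
        result["match"] = result["source"] == result["target"]
    return result


def read_back_verify(source: bytes, target: bytearray) -> list[int]:
    """Read Back-Verify: compare every written sector against the source and
    return the indexes of sectors that differ (empty list means a clean copy)."""
    bad = []
    for idx, off in enumerate(range(0, len(source), SECTOR)):
        chunk = source[off:off + SECTOR]
        if bytes(target[off:off + len(chunk)]) != chunk:
            bad.append(idx)
    return bad
```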
Figure 26: settings menu showing Automation Settings, Bad Sector Handling,
Start View and Add/Remove Optional Features.
Automation Settings
The Automation Settings menu provides the Operator with a list of settings common to
each of the available Operational Modes.
Start Operation after Detection
Instructs the Operation to automatically power ON and detect the selected drives
when selecting START. When disabled, the selected drives would need to be
manually detected prior to selecting START, using the DETECT DRIVES function.
Confirm Master and Target drives after Power up/Detection and Before starting
Operation
Instructs the Operation to prompt the Operator and confirm if the detected Source
and Target drives are the correct drives to use before starting the selected
Operation. When the setting is disabled, the Operation will use the selected drives
without prompting.
Auto Run
Instructs the selected Operation to run continuously until the Operation is
manually aborted. This function can be used to test drives or the unit's hardware.
Start View
The Start View menu provides optional Start Up View options.
Wizard Screen
Instructs the RI unit to Start Up using the Wizard Interface Control Console. The
Wizard Interface provides the user with simple navigational menu screens to quickly
setup and start operations.
Operator Screen
Instructs the RI unit to Start Up using the Operator Interface Control Console. The
Operator Interface provides all the functions and controls necessary to start or stop
the operations pre-selected using the Wizard Interface or Advanced Interface. It
provides the user with a graphical view of the Source and Target drive positions and
the ability to change the active drive(s) for the selected operation using the unit's
Touch Screen display.
Advanced Screen
Instructs the RI unit to Start Up using the Advanced Interface Control Console. The
Advanced Interface provides all the functions and controls necessary to set up,
customize and perform the unit's common and advanced IT operations.
Apply Settings
Used to apply the settings selected.
Sequential Detection
Selects the Sequential Detection method to detect drives. This method identifies a
drive by sensing the drive's current load. The selected drives are detected in turn:
each drive is powered Up and the operation waits for it to be detected before
powering Up the next selected drive. This method is slower than the Fast Detection
method.
Speed Optimization
Used to obtain optimal transfer rates.
Transfer Buffer Size (in units of 64 KB)
The default setting of 10 instructs the operation to use a Transfer Buffer size of
640 KB. In most cases a Transfer Buffer size of 640 KB is optimal; however, with
some drive combinations it might be useful to change the value in order to achieve
faster transfer rates.
Speed Sampling rate
The value sets the rate with which the speed of each drive is sampled. The sampled
value is used by the Slow Down Filter and is displayed in the Detected Drives
panel. A low sampling rate would slow down the average transfer rate of operation.
The default value is 100.
Diagnostic
Provides a Diagnostic function to isolate drives which can result in slow transfer rates.
Instantaneous Drive Transfer Speed
Instructs the operation to display each drive's speed at the moment of sampling.
Figure 30: Drive Properties menu showing Write-Protection, Mount Volumes,
Simulate Drive Signature, Apply and Refresh.
Apply
Applies the selected Drive Property settings.
Refresh
Selecting Refresh, displays the drive properties of the currently selected drive.
New Capacity
Value in sectors that defines the drive's programmed HPA or DCO capacity.
Current Capacity
Displays the drive's current DCO or HPA programmed capacity in sectors.
Native Capacity
Displays the drive's Native capacity in sectors.
Set Capacity
Provides the function to program the Evidence drive's capacity using the HPA or DCO
User Defined values.
Reset Capacity
Provides the function to reset the Evidence drive's capacity to its Native Capacity.
Volatile
Instructs the Set Capacity function to modify the drive's capacity only when the drive
is power cycled.
Figure 32: menu showing Print Logs, Copy Logs, Open Log Folder and Set Audit
Trail Logo.
Print Logs
Provides the functions to print Event Log files and Audit Trail Log files to a connected
printer.
Copy Logs
Provides the function to copy Event Log files and Audit Trail Log files to an external
device.
Disable Password
Disable Password
Provides the function to Disable the drive's User Password. It may be necessary to
Disable the ICS password, which is set on the drive during Secure Erase, if the
operation is aborted prior to completion. If the User Password is not reset, the drive
will block Read and Write commands.
NOTE: It is not necessary to disable the drive's User Password if Secure Erase runs
to completion.
Chapter 5:
Operational Procedures
Connect the Suspect drive to the unit's SUSPECT-1 SAS/SATA or USB data
connector located on the unit's Left Panel (Fig. 8). Use of P-ATA drives requires
use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Source
Drive Panel.
Connect the Evidence drive to the unit's EVIDENCE-1 SAS/SATA or USB data
connector located on the unit's Front Panel (Fig. 10). Use of P-ATA drives
requires use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Destination
Drive Panel.
NOTE: By default, all ports, including the dedicated Evidence drive ports, are
Write-Protected. The Write-Protection feature of all Evidence drive ports will
automatically be disabled if the selected operational mode requires writing to
the Evidence drive(s).
Setting column (the matching Menu Item column is not present on this page):
Enable; Enable; Disable; Log and Skip; Advanced Screen; Fast Detection; 2; 20; 60;
60; 0; 10; 100; Enable Power Board
5. Removing Drives
The Drive Select menu provides a power indicator for each drive position. The
indicator will be GREY prior to drive detection, GREEN if the drive is detected or
if the operation passed, and RED if the drive is not detected or if the operation
was not successful. Drives are powered OFF after an operation completes.
Drives can be physically removed after an operation completes and the drive is
removed from its assigned Active Drive Status Panel.
6. Follow the Operational Procedure instructions, in this chapter for the required
operation.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application and follow steps 2 through 9.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
Single Capture Recommended Settings
Table 3
Menu Item            Setting
Operational Modes    Single Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application by selecting New Copy Session from the
Navigation Bar and follow steps 2 through 9.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
LinuxDD Capture Recommended Settings
Table 4
Menu Item            Setting
Operational Modes    LinuxDD Capture
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    4GB
10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application by selecting New Copy Session from the
Navigation Bar and follow steps 2 through 10.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
E01 Capture Recommended Settings
Table 5
Menu Item            Setting
Operational Modes    E01 Capture
Hash Method          SHA-1
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    2GB
Compression          0
11. After Initializing the Environment, the LinkMASSter application will display a
prompt indicating Do you want to prepare a USB Flash? Select NO to
continue.
NOTE: To configure a USB device for LinkMASSter usage, see the instructions
titled USB LinkMASSter Setup and Usage for additional details.
12. The LinkMASSter Network Capture Agent Screen is displayed with the
computer's detected drive information.
13. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control
Console screen. The Suspect drive, located in the Suspect's computer, will be
listed in the Source Drive panel list and the Evidence drive will be listed in the
Destination Drives panel list.
14. Select START to begin the operation. Operational status information will be
displayed during the operation.
15. After the operation completes, the Evidence drive will be powered OFF and can
be safely removed. Remove the LinkMASSter CD from the Suspect's computer
prior to powering OFF the computer. The simulated drive status LEDs will be set
to GREEN if the operation passes or RED if the operation fails. Log files will
automatically be stored internally and can be transferred to external media using
the unit's USB ports, located on the back of the unit.
NOTE: Prior to saving logs to external media, disable the DETECT REMOTE
DRIVES function from the Drive Selection Panel.
11. Select Add Network Location from the Drive Selection Panel. The Add Network
Location menu screen is displayed.
12. Select Browse from the Add Network Location menu screen.
13. Select My Network Places to locate and select the Shared Network Folder. The
Shared Network Folder will be listed in the Evidence Drives Panel.
14. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control
Console screen. The Suspect drive will be listed in the Source Drive Panel list
and the Shared Network Folder will be listed in the Evidence Drives Panel.
15. Select CASE INFO from the Main Screen and enter the required information.
16. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
E01 Capture Encryption Support was pending development at the time of this document's (Rev 2.1) release.
13. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Suspect drive should be listed in the
Source Drive panel list, and the Evidence drive should be listed in the
Destination Drives panel list.
NOTE: If necessary, select non-active drive(s) listed in the Other Detected
Drives panel and move them to either the Source Drive or Destination
Drives panels. The drive(s) listed in the Source Drive or Destination
Drives panels are considered active drives and will be used during data
transfer operations. If necessary, also transfer active drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel. If capturing from two Suspect drives, start a second instance of
the IMSolo-IV Forensic Capture application and follow steps 1 through
13.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
Encryption Capture Recommended Settings
Table 6
Menu Item            Setting
Operational Modes    Single Capture / LinuxDD Capture / E01 Capture (8)
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       192
AES Mode             ECB
Encrypt              Enable
(8) E01 Capture Encryption Support was pending development at the time of this document's release.
E01 Decryption Support was pending development at the time of this document's (Rev 2.1) release.
Hash values generated during the capture operation are computed from the data
read from the Suspect drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
Decryption Capture Recommended Settings
Table 7
Menu Item            Setting
Operational Modes    Single Capture / LinuxDD Restore / E01 Restore (10)
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       N/A
AES Mode             N/A
Decrypt              Enable
(10) E01 Decryption Support was pending development at the time of this document's (Rev 2.1) release.
Setting column (the matching Menu Item column is not present on this page):
LinuxDD Restore/E01 Restore; Disable (Optional); Disable (Optional);
Disable (Optional); Not Applicable
Menu Item            Recommended Setting
Copy Mode            WipeOut
ReadBack-Verify      Disable (Optional)
WipeOut Mode         DoD
WipeOut-User SETTINGS
Table 10
Menu Item            Recommended Setting
Copy Mode            WipeOut
ReadBack-Verify      Disable (Optional)
WipeOut Mode         User
Iterations           0
Pattern              0
Menu Item            Recommended Setting
Copy Mode            WipeOut
WipeOut Mode         Secure Erase
Appendix A
Appendix A:
Operational Notes
USB-to-Ethernet Connection
The IMSolo-IV LinkMASSter Option also includes a Gigabit USB-to-Ethernet
Network Adapter (CSAR-0265-000A) to allow connecting to a Notebook or PC
which does not have an Ethernet port, or for which drivers are unavailable for the
computer's network interface. For improved performance, the Gigabit USB-to-
Ethernet Network Adapter is also recommended when connecting to a
Notebook or PC whose Ethernet interface offers less than a
1 Gigabit connection.
NOTE: When using the Gigabit USB-to-Ethernet Network Adapter, connect the
Ethernet connector to the IMSolo-IV unit and connect the USB connector
to the computer.
1. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-IV unit's
Ethernet port.
2. Connect the Crossover Ethernet Cable to the Gigabit USB-to-Ethernet
Network Adapter.
3. Connect the ICS supplied USB 8 Cable to the Gigabit USB-to-Ethernet
Network Adapter.
4. Connect the USB 8 Cable to the Notebook/PC USB port.
Figure: adapter cabling, with the Ethernet end labelled Connect to IMSolo-IV and
the USB end labelled Connect to PC.
(11) The USB Flash Drive is not supplied with the LinkMASSter Option.
1. Configure the PC's BIOS to boot from the PC's DVD Drive.
2. Insert the IMSolo-IV Restore Tools DVD into the PC's DVD Drive.
3. Insert a blank USB Flash Device (2GB minimum) into the PC's USB port.
4. Boot the PC from the IMSolo-IV Restore Tools DVD. A progress bar will be
displayed indicating Loading ICS Recovery, followed by the IMSolo-IV Splash
screen and USB Preparation screen. The Select Disk screen will then be
displayed listing the detected USB Flash Device.
NOTE: The IMSolo-IV Restore Tools DVD is designed to protect the PC's local
drive from any overwrite operations.
5. Select YES from the Select Disk screen to select the USB Device for formatting.
The Confirm screen will be displayed with a message indicating All the data on
the selected disk will be erased.
6. Select YES from the Confirm screen to begin formatting the USB Flash Device.
7.
8. The PC will automatically power OFF. The USB Flash Device is now ready to be
used for the IMSolo-IV Restore process. To continue, follow the instructions below
titled Prepare the IMSolo-IV BIOS and Start Restore.
1. Insert the IMSolo-IV Restore USB Flash Device into one of the available
general purpose USB ports, located on the back of the unit.
2. Access the IMSolo-IV BIOS SETUP by pressing <DEL> during Power ON.
3.
4.
5.
6. Select Advanced BIOS Features from the BIOS SETUP Main Screen.
7.
8. Highlight USB Device and press <PgUp> until the USB Device is the first
device.
9.
10. The Restore process will automatically start after the IMSolo-IV boots from
the IMSolo-IV Restore USB Flash Device. The Restore process will take
approximately 5 minutes. A message will be displayed indicating
Success. When the message is displayed, remove the USB Flash Device
and press any key to reboot the unit.
11. Verify that the current IMSolo-IV Forensic Software version is in use by
selecting ABOUT from the IMSolo-IV application's main screen.
NOTE: It may be necessary to upgrade the IMSolo-IV Forensic Software
with the current Software version after the Restore Process
completes.
Provides improved data security when transferring data between the Suspect
drive and Evidence drive during the LinuxDD Capture or E01 Capture operation.
The data is isolated from the unit's O/S environment.
Support for volumes that are larger than 32 GB when compared with FAT32. The
theoretical maximum volume size is 64 ZB.
Support for files that are larger than 4 GB when compared with FAT32. The
theoretical maximum file size is 64 ZB.
NOTE: Previously formatted NTFS LinuxDD or E01 Evidence drives cannot be
used with the current version, which requires exFAT LinuxDD or E01 Evidence
drives.
To preview exFAT LinuxDD or exFAT E01 Evidence drives using WIN-XP Workstations
or IMSolo-IV units configured with S/W versions prior to v4.2.54.0, it will be necessary to
load the exFAT File System driver (WindowsXP-KB955704-x86-ENU), which can be
downloaded using the ICS FTP Link IMSolo-IV Support Files. The exFAT File System
is currently supported by Win-VISTA and Windows 7.
DEFINITIONS
HASHING
Hashing is a process that calculates a "unique signature" value for the contents of an
entire drive.
MD5 Hash
Message Digest Algorithm 5 is a 128-bit cryptographic hash function.
SHA-1
Secure Hash Algorithm 1 is a 160-bit cryptographic hash function, designed by the NSA.
SHA-2
A variant of SHA-1 with increased output sizes; the SHA-2 (256) option is a 256-bit
cryptographic hash function.
CRC32
Cyclic Redundancy Check algorithm producing a 32-bit check value.
Sanitize
Sanitize refers to the process of clearing a drive of all previously stored data. The
WipeOut function can be used to sanitize a drive.
Device Configuration Overlay (DCO)
DCO allows systems to modify the apparent features provided by a hard disk drive
device. DCO provides a set of commands that allows a utility or program to modify
some of the modes, commands and feature sets supported by the hard disk drive. DCO
can be used to hide and protect a portion of the drive's area from the operating system
and file system. If a DCO is detected on a Suspect drive, the IMSolo-IV Forensics
seizure operation will capture all the contents of the drive's sectors, including all the
DCO hidden sectors, to the Evidence drive.
Advanced Encryption Standard (AES)
AES is a 128-bit block cipher Encryption Standard, which supports a choice of three key
sizes (128, 192 and 256-bits) according to the level of security required. AES has
become the encryption algorithm of choice for applications requiring a high degree of
data security.
AES Modes
AES Modes provide a method of implementing different AES properties. The AES
modes provided by the IMSolo-IV Forensics unit are described as follows:
Counter (CTR)
Counter mode turns a block cipher into a stream cipher. It generates the next
keystream block by encrypting successive values of a "counter".
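An added example (not ICS's code) of the CTR construction defined above and of the AES key lengths and modes offered under Encrypt/Decrypt in Chapter 4. It assumes a stand-in keyed block function because Python's standard library has no AES, and it shows the property that separates CTR from ECB: ECB maps identical sectors to identical ciphertext blocks, while CTR does not.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes: AES is a 128-bit block cipher
KEY_BITS = (128, 192, 256)  # the three AES key sizes the guide lists


def new_key(bits: int = 192) -> bytes:
    """Generate a random key of one of the permitted AES key lengths."""
    if bits not in KEY_BITS:
        raise ValueError(f"AES key length must be one of {KEY_BITS}")
    return os.urandom(bits // 8)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: to stay inside the
    standard library, HMAC-SHA256 truncated to 16 bytes plays the block
    cipher; it is one-way, so only CTR, which never inverts the cipher, is
    round-tripped here).  Real use needs an actual AES primitive."""
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    (e.g. runs of empty sectors) give equal ciphertext blocks."""
    if len(data) % BLOCK:
        raise ValueError("ECB needs whole blocks")
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E_k(nonce || counter i); output = data XOR
    keystream.  Encryption and decryption are the same operation, and the
    last block may be short because only the keystream is block-sized."""
    if len(nonce) != BLOCK // 2:
        raise ValueError("nonce must be 8 bytes, leaving 8 bytes of counter")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(BLOCK // 2, "big")
        keystream = block_encrypt(key, counter_block)
        chunk = data[i:i + BLOCK]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def identical_block_pairs(ciphertext: bytes) -> int:
    """Count ciphertext blocks equal to the first block: a quick check for
    the pattern leak that ECB produces and CTR avoids."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(1 for b in blocks[1:] if b == blocks[0])
```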
NOTE:
Appendix B:
Product Information
Limited Warranty
Intelligent Computer Solutions, Inc. warrants that our products are free from defects in materials and
workmanship for a period of twelve (12) months from the date of purchase by the original buyer. If you
discover physical defects or malfunction, Intelligent Computer Solutions, Inc. will, at our discretion, repair
or replace the product. You must return the defective product to Intelligent Computer Solutions, Inc. within
the warranty period accompanied by an RMA number that has been issued by Intelligent Computer
Solutions, Inc.
All products purchased from Intelligent Computer Solutions, Inc. include a seven-day unconditional
money-back guarantee.
Intelligent Computer Solutions, Inc.'s products are shipped in cardboard boxes that have been designed
and tested to ensure that our products can endure standard commercial shipping methods and still arrive
in working order. We advise you to save your box and original packing materials in case you need to
return the product(s) for any reason. If product(s) are returned without proper protective packaging, the
warranty may be void.
When you received your product(s), please note the following:
-That the shipping box does not have dents or visible damage.
-What you have received conforms to the packing list.
-There is no apparent damage to the product(s) or accessories.
If any shipping damage is found:
-Please contact the shipper immediately to inspect.
-Please contact our Technical Support Department to report the damage.
110
Appendix B
Limitation of Liability
The following limitations of ICS liability apply:
ICS is not liable for any incidental or consequential damages, including, but not limited to
property damage, loss of time, loss resulting from use of an ICS product, or any other damages
resulting from breakdown or failure of a serviced product or from delays in servicing or inability
to render service on ICS product. ICS will make every effort to ensure proper operation of its
product. It is, however, the Customer's responsibility and obligation to verify that the output of
ICS product meets the Customer's quality requirement. Customer acknowledges that improper
operation of ICS product and/or software, or hardware problems, can cause defective formatting
or data loading to target drive. It is the customer, not ICS, who is responsible for verifying that
the drive meets the Customer's quality standards. ICS will make efforts to solve any problems
identified by Customer.
Technical Support
For help in resolving a problem, contact ICS Technical Support at:
Phone: 1-818-998-5805 between 7 a.m. and 6 p.m. Pacific Time.
Please be prepared with the following information: