
IMSolo-IV Forensics

User's Guide

Intelligent Computer Solutions


9350 Eton Avenue
Chatsworth, CA 91311

Rev. 3.1

May 2010

Printed in the USA

Sales/Technical Support
Phone: 1-818-998-5805
Fax: 1-818-998-3190
E-Mail: sales@ics-iq.com
E-Mail: support@ics-iq.com
Home Page: http://www.ics-iq.com

Copyright 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter and associated
software are copyrighted and registered in accordance with the laws and regulations of the State of California and
the United States of America. IBM and OS/2 are registered trademarks of the International Business Machines
Corporation. DOS, Windows, Windows NT, Windows 95/98/2000, Windows ME, Windows XP, and
Windows VISTA are registered trademarks of the Microsoft Corporation. All other brand and product names are
trademarks of their respective owners.

Contents

CHAPTER 1: INTRODUCTION
  Overview
  Features
    About this User Guide
    Typical Conventions Used

CHAPTER 2: QUICK START SETUP

CHAPTER 3: INSTALLATION
  Setup
    System Specifications

CHAPTER 4: OPERATION
  User Interface
  IMSolo-IV Forensics Wizard Interface Control Console
    Wizard - Main Menu
      Operational Mode Selection
      Navigation Bar
    Wizard - Seize Drives Menu
      Single Capture
      LinuxDD Capture
    Wizard - WipeOut Drives Menu
      WipeOut-DoD
      WipeOut-Fast
    Wizard - Suspect Drive Select Menu
    Wizard - Evidence Drive Select Menu
    Wizard - Operator Main Menu
      Operational Status Information
        Station
        Speed
        Operational Mode
        Load Size
        Percent Completion
        Elapsed Time
        Estimated Time Left
      Operation Control Functions
        Start
        Abort
  IMSolo-IV Forensics Advanced Interface Control Console
    Advanced Drive Detect Menu
      Drive Selection Panel
        Suspect 1-2 Drive Select
        Evidence 1-2 Drive Select
        Detect Drives
        Remove Drives
        Add Network Location
        Detect Remote Drives
      Drive Status Panels
        Active Suspect Drive Panel
        Active Evidence Drives Panel
        Other Detected Drives
      Operational Mode Select Menu
        Single Capture
        LinuxDD Capture
        LinuxDD Restore
        LinuxDD Hash
        E01 Capture
        E01 Restore
        E01 Hash
        Format Drives
        WipeOut
        Hash
      Event Log Window
    Advanced Operation Settings Menu
      Single Capture Settings
        Read Back-Verify
        Hash Targets
        Hashing Methods
        Wipe Remainder
        Encrypt/Decrypt
      WipeOut Settings
        Mode
        Iterations
        Pattern (0-255)
        Read Back-Verify
      Format Drives Settings
      Linux DD Capture Settings
        Capture File Size
        Custom File Size (MB)
        File Name
      LinuxDD Hash Settings
      LinuxDD or E01 Restore Settings
      Hash Settings
        Sectors to Hash
      E01 Capture Settings
        Capture File Size
        Custom File Size (MB)
        File Name
    Advanced Settings Main Menu
      Automation Settings
        Start Operation after Detection
        Confirm Master and Target drives after Power up/Detection and Before starting Operation
        Auto Run
      Bad Sector Handling
        Log and skip
        Abort drive
      Start View
        Wizard Screen
        Operator Screen
        Advanced Screen
      Add/Remove Optional Features
      Apply Settings
    Advanced Drive Detection Settings Menu
      Drive Detection Mode
        Auto
        Fast Detection
        Sequential Detection
      Fast Detection Settings
        Wait Time After Powering Up Each Drive
        Wait Time Between Powering Up Each Drive and Starting Drive Detection
        Max Scanning/Detection Time allowed by Application (Sec)
        Auto Calibrate Detection of All Drives
        Calibration Starts From Drive
        Calibrate Detection of a Selected Drive
      Sequential Detection Settings
        Max Detect Time
        Max Detect Power Time
        Calibrate Current Threshold
    Diagnostics and Tools Settings Menu
      Slow Drive Filter Speed Threshold
        Speed Threshold
      Speed Optimization
        Transfer Buffer Size (in 64 kb)
        Speed Sampling rate
      Forced Power off
        Power off selected drives
      Diagnostic
        Instantaneous Drive Transfer Speed
    Advanced Case Info Menu
    Advanced Mount Drive Menu
      Write-Protect the Drive
      Mount Volumes on the Drive
      Simulate Drive Signature When Mounting Volumes
      Apply
      Refresh
    Advanced HPA/DCO Menu
      Protected Area Type
      Protected Area Support
      New Capacity
      Current Capacity
      Native Capacity
      Set Capacity
      Reset Capacity
      Volatile
    Advanced LOG Menu
      Print Logs
      Copy Logs
      Open Log Folder
      Set Audit Trail Logo
    Advanced Tools Menu
      Disable Password

CHAPTER 5: OPERATIONAL PROCEDURES
  Prepare for Operation
  Capturing Drives using Single Capture Mode
  Capturing using LinuxDD Capture Mode
  Capturing using E01 Capture Mode
  Capturing from an Unopened PC or Notebook
  Capturing to a Shared Folder
  Encrypting Data During Data Capture
  Decrypting Data During Data Transfer
  Restoring from LinuxDD or E01 Segmented File Format
  Sanitizing Drives Using WipeOut DoD
  Sanitizing Drives Using WipeOut - User
  Sanitizing Drives Using WipeOut Secure Erase
  Transferring Audit Trail and Log Information
  Running Multiple Operational Modes Simultaneously
  Previewing Write-Protected Drive Data
  Enabling Manual Write-Access to Evidence Drive Positions

APPENDIX A: OPERATIONAL NOTES
  Image MASSter Solo-IV Internet/Network Connection Disclaimer
  USB-to-Ethernet Connection
  USB LinkMASSter Setup
  USB LinkMASSter Usage
  IMSOLO-IV USB FLASH RESTORE INSTRUCTIONS
    Prepare the USB Flash Device
    Prepare the IMSolo-IV BIOS and Start Restore
  LinuxDD and E01 Capture exFAT Usage
  DEFINITIONS

APPENDIX B: PRODUCT INFORMATION
  Limited Warranty
  What is Not Covered:
  Limitation of Liability
  Technical Support

Chapter 1: Introduction


Overview
Designed exclusively for Forensic applications, the Image MASSter Solo-IV Forensics
system is a versatile, lightweight, portable, high-speed data acquisition device.
Suspect's data can be seized at speeds exceeding 6GB per minute. Using the unit's
on-the-fly hashing capabilities, the transferred data can be guaranteed to be an exact
replica of the Suspect's data without modification, re-arrangement or corruption. The
unit provides Native interface support for SAS, S-ATA and External USB drives in
addition to supporting P-ATA [1], including ATA compatible solid state and flash devices.
It provides flexible Capture mode formats, including Segmented File and Mirror image
formats, and is capable of capturing two Suspect drives simultaneously. The unit's
advanced touch screen user interface provides ease of use.

Figure 1: IMSolo-IV Forensics

[1] Optional P-ATA Adapters required.

Features
High Speed Operation:
Transfer rates can exceed 6GB/min.
Supports Multiple Sessions:
Simultaneously seize data from two Suspect drives. Hash or Wipe drives
while Seizing Data.
Multiple Media Support:
Provides Native support for SATA and SAS drives, including external USB
devices. Provides support for PATA and SCSI drives using optional adapters.
Multiple File Format Support:
Seize Data using a Mirror capture format or using a Segment file format.
Preview Suspect's Data:
View Suspect's Data in a write-protected environment.
Multiple Operational Modes:
Seize, Hash or Wipe Data.
Multiple Hash Modes:
Hash using SHA-1, SHA-2 (Hardware Accelerated), MD5, CRC32.
Write Protection:
Protect Suspect drives' data against accidental overwrites.
WipeOut:
Sanitize drives using the DoD standard.
Log Information:
Store and print detailed operational Event Log and Audit Trail information.
LCD Touch Screen Display:
Large, 8" Color LCD Touch Screen Display.

About this User Guide


The IMSolo-IV Forensics User Guide will be updated as needed to reflect hardware and
software modifications. Therefore, descriptions of features may be subject to change.
The document makes use of hyperlinks to provide shortcut links.

Typical Conventions Used


Convention     Meaning

Highlighted    This is a hyperlink: a shortcut link to a referred topic. Select it to jump
               to the topic. Use the MS Word Back tool to jump back to the previous location.

Bold           Indicates a screen menu item or function such as a setting or
               control button.

Italic         Indicates the name of an IMSolo-IV Forensics feature, system,
               mode, or other important reference.

Note           Identifies additional important information regarding a topic or task.

[icon]         Indicates a warning or caution.

Chapter 2: Quick Start Setup

1. Place the IMSolo-IV Forensics on a level surface.


2. Attach the unit's Power Adapter to the unit's DC Power-In port, located on the unit's
back panel, and to an electrical outlet. The voltage may be either 110v or 220v.
The Power Adapter will automatically switch to use either voltage.
3. Power ON the unit by pressing the unit's Power ON button, located on the top corner of
the unit's back panel. The IMSolo-IV Forensics Advanced Interface Control Console
will be displayed.

Figure 2: Advanced Interface Control Console

4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit's Suspect
and Evidence connectors (See Fig. 5 through Fig. 9) and to the SATA or SAS drives.
For PATA drives use the supplied ICS SATA-to-PATA Adapter and connect the
supplied PATA data cable's "Unit Side" connector to the Adapter's data connector
and the "HDD Side" connector to the drive.

Figure 3: Drive Positions (labels: Suspect 1 Port; Suspect 2 Port; Evidence 1 Port; Evidence 2 Port)

5. Select the Mode of Operation from the Operations pull down menu.

Figure 4 (label: Drive Selection Panel)

6. Select the drives to be used for the selected operation from the Drive Selection
Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using
the CASE INFO screen functions. It is recommended to enable the Hash Targets
function. Selecting Hash Targets will result in the Capture operation generating the
Hash value for the data read from the Suspect drive and the data written to the
Evidence drive. After all the data is written to the Evidence drive, the Capture
operation will generate the Hash value for the data read from the Evidence drive.

Hash values generated during the capture operation are generated for the data
read from the Suspect's drive, not from the data read from the Evidence (target)
drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the
Hash Targets function.
8. Select START to begin the operation. Operational status information will be
displayed during an operation.

9. After the operation completes, the drives will be powered OFF and the drives can be
safely removed. The simulated drive status LEDs will be set to GREEN if the
operation passes or RED if the operation fails. Log files will automatically be stored
internally and can be transferred to external media using the unit's USB ports,
located on the back of the unit.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using
128-bit password encryption protection, so the Audit Trail contents cannot
be changed. The Company Logo can be added to the Audit Trail PDF by
selecting its location using the "SET AUDIT TRAIL LOGO" function, located
in the LOG menu screen.
The unit can be powered OFF by pressing and releasing the unit's Power
button, located on the top corner of the unit's back panel.
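
The Hash Targets behavior described in step 7, as an added example that is not part of the original guide or of the ICS software: a Python sketch that hashes data as it is read from a stand-in Suspect image, then reads the Evidence copy back and compares the two. The file names, the 64 KiB read size and the `fault_at` fault-injection hook are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size per transfer; an assumption for this sketch


def hash_file(path, algorithms):
    """Read a file back from storage and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def capture(suspect, evidence, algorithms=("md5", "sha1", "sha256"),
            hash_targets=True, fault_at=None):
    """Mirror `suspect` to `evidence`, hashing each block as it is read.

    fault_at is a hypothetical test hook: the byte at that offset is
    silently corrupted on its way to the evidence file, standing in for
    a bad cable or a failing target drive.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    offset = 0
    with open(suspect, "rb") as src, open(evidence, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)  # on-the-fly hash of what was READ from the source
            out = bytearray(block)
            if fault_at is not None and offset <= fault_at < offset + len(block):
                out[fault_at - offset] ^= 0xFF  # injected write fault
            dst.write(out)
            offset += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the read-back comes after the write

    report = {
        "bytes": offset,
        "suspect": {name: h.hexdigest() for name, h in hashers.items()},
        "evidence": None,   # filled in only when the target is hashed
        "verified": None,   # None means "never checked", not "passed"
    }
    if hash_targets:
        # Second pass: hash the data as read back from the evidence copy.
        report["evidence"] = hash_file(evidence, algorithms)
        report["verified"] = report["evidence"] == report["suspect"]
    return report


def demo():
    """Run three captures of a constructed 1 MiB stand-in Suspect image."""
    data = bytes(range(256)) * 4096  # constructed sample data, not real evidence
    with tempfile.TemporaryDirectory() as workdir:
        suspect = os.path.join(workdir, "suspect.img")
        evidence = os.path.join(workdir, "evidence.img")
        with open(suspect, "wb") as f:
            f.write(data)
        clean = capture(suspect, evidence)
        unnoticed = capture(suspect, evidence, hash_targets=False, fault_at=700_000)
        caught = capture(suspect, evidence, fault_at=700_000)
    return data, clean, unnoticed, caught


if __name__ == "__main__":
    _, clean, unnoticed, caught = demo()
    runs = (("clean copy", clean),
            ("write fault, source hash only", unnoticed),
            ("write fault, Hash Targets on", caught))
    for label, report in runs:
        print(f"{label:32} sha256={report['suspect']['sha256'][:16]}... "
              f"verified={report['verified']}")
```

Only the third run flags the damaged copy: the second reports correct Suspect hashes even though the Evidence file differs by one byte, which is why the source-only hash says nothing about what was actually written.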

Chapter 3: Installation

Setup
1. Carefully remove the IMSolo-IV Forensics unit from its shipping box.
2. Use the supplied parts list (Table 1) to complete an inventory check.
3. Follow the outlined steps in the Quick Start Setup Chapter.

Part                                    Quantity
IMSolo-IV Forensics Unit                1
DC Power Adapter and AC Power Cord      1
SAS/SATA Data/Power Cable               4
SATA-to-PATA Adapter                    1
PATA 2.5" 44-Pin Adapter                1
PATA Data Cable                         1
PATA Power Cable                        1
Stylus                                  1
Restore DVD                             1
IMSolo-IV Forensics User's Guide        1

Table 1: Quick-Reference Parts List

System Specifications
Supply Voltage           100 - 240V / 50 - 60 Hz 400Watt Universal Auto switching input voltage
Power Consumption        9W
Operating Temperature    5 degrees - 55 degrees C
Relative Humidity        20% - 60% non-condensing
Net Weight               5.35 lbs
Overall Dimensions       10.5 x 4 x 7.6

Hardware Accessories
The following section provides a description of the Hardware Accessories that are
available for the IMSolo-IV Forensics unit.

Drive Bay with Fan Assembly


The "Drive Bay with Fan Assembly" is designed to provide a convenient location to
mount drives for use with the IMSolo-IV unit. Cooling fans are provided to keep the
drives operating at proper temperatures.

Figure 5


Hardware Description
This section describes the hardware of the IMSolo-IV Forensics unit.

Components and Functions

Top Panel (Fig. 6)
  Display: LCD Touch Screen Color Display.

Front Panel (Fig. 10)
  Evidence 1 and 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the
    Evidence SATA/SAS drive(s) directly to the Forensics unit for Direct data seizure operations.
  Evidence 1 and 2 USB Connectors: Used to connect the USB Evidence device(s) directly to the
    Forensics unit for Direct data seizure operations.

Back Panel (Fig. 7)
  eSATA Port: Used to connect External Storage Device.
  Mouse Port: Optional. Connect the mouse (not supplied) to the port.
  Keyboard Port: Optional. Connect the keyboard (not supplied) to this port.
  Power ON Button: Used to power the unit ON and OFF.
  DC-IN Power Socket: Connect DC Power Adapter to this socket.
  USB Connectors: Provides USB v2.0 ports used to connect external USB devices.
  LAN Ports: Provides 2GB Ethernet Network Interface.
  L-out, L-in, MIC: Provides Audio Line input/output ports and Microphone port.
  Expansion Port Panel: Provides access to the unit's Expansion Ports.

Left Side Panel (Fig. 8)
  Suspect 1 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's
    SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.
  Suspect 1 USB Connectors: Used to connect the Suspect's USB device directly to the
    Forensics unit for Direct data seizure operations.

Right Side Panel (Fig. 9)
  Suspect 2 SATA/SAS Hard Disk Drive Data/Power Connector: Used to connect the Suspect's
    SATA/SAS drive directly to the Forensics unit for Direct data seizure operations.
  Suspect 2 USB Connectors: Used to connect the Suspect's USB device directly to the
    Forensics unit for Direct data seizure operations.

Bottom Panel (Fig. 11)
  Hard Drive Bay Panel: Provides access to the unit's Host S-ATA Hard Drive.
  Expansion Card Slot Panel: Provides access to the unit's Expansion Card Slot.

Figure 6: Top View (label: Touch Screen Display)

Figure 7: Back View (labels: ON/OFF Power Button; DC Power-IN; Mouse and Keyboard Ports; Ethernet and USB 2.0 Ports; External Drive Power Port; Heat Exhaust Fan; Expansion Ports; Line-Out, Line-In, Mic)

Figure 8: Left View (labels: Suspect 1 SAS/SATA Port; Suspect 1 USB Port)

Figure 9: Right View (labels: Suspect 2 USB Port; Suspect 2 SAS/SATA Port)

Figure 10: Front View (labels: Evidence 1 SAS/SATA and USB Ports; Evidence 2 SAS/SATA and USB Ports)

Figure 11: Bottom View (labels: Expansion Card Bay; Hard Drive Bay)

Chapter 4: Operation


User Interface
The IMSolo-IV Forensics provides Windows-based Graphical User Interface
applications, which the user can use to set up and control the unit's various functions.
All of the unit's menus and functions are controlled through the unit's Touch Screen
Display. Screen menu items can be selected by touch or with use of the included
Touch Screen Stylus Pen. An On-Screen Keyboard is available for an easy method to
enter text related information. Optionally, an external keyboard, mouse or display [2] can
be connected. The IMSolo-IV unit provides a Wizard Interface and an Advanced
Interface. By default the unit's Advanced Interface will run at start up and can also be
activated from the Windows START/PROGRAMS menu or by selecting the IMSolo-IV
application's Desktop Shortcut ICON. The Advanced Interface screens are available to
customize operations. The Wizard Interface provides the user with simple navigational
menu screens to quickly set up and start operations. Multiple instances of the IMSolo-IV
application can be activated to allow multiple operations to be performed
simultaneously.
This chapter provides a detailed description of the available functions.

[2] USB Monitor Required

IMSolo-IV Forensics Wizard Interface Control Console
The IMSolo-IV Forensics Wizard Interface Control Console guides the Operator
through the process of selecting the mode of operation and the drives and drive
positions for the selected operation. The Wizard provides all the functions and controls
necessary to set up and perform the unit's most common Forensic data transfer
operations. The functional descriptions of the Wizard Interface items are discussed in
the following section. Multiple instances of the Wizard can be activated, which allows
more than one operation to be performed simultaneously.

Figure 12. MAIN MENU (callouts: Operational Mode Menu; Navigation Bar)

Wizard - Main Menu


The IMSolo-IV Forensics Wizard Main Menu screen can be activated by selecting the
Wizard Screen function from the Navigation Bar. It provides access to all of the unit's
main functions. The following Wizard functions are available from the Main Menu:

Operational Mode Selection
Navigation Bar

Operational Mode Selection


The Operational Mode Selection menu provides the user with Data Seizure or
WipeOut Operational Mode options.
Duplicate Drives
Selecting Duplicate Drives provides the User with the option to select from one of
the two common Data Seizure modes of operation.
Wipeout Drives
Selecting Wipeout Drives provides the User with the option to select from one of
the two common Wipeout modes of operation.

Navigation Bar
The Navigation Bar menu provides the user with functions to select the various User
Interfaces and IM support functions.

The following functions are provided by the Navigation Bar.

Advanced Screen

Provides access to the Advanced User Interface Screen functions. These functions
include access to advanced settings and advanced operational modes.

Operator Screen

Provides access to the Operator User Interface Screen functions. Allows the
Operator to start or abort common operations.

Wizard Screen

Provides access to the Wizard Main Screen. The Wizard provides the Operator with
a short series of multiple choice menu selections to assist the Operator to easily
and quickly set up and start an operation.

On-Screen Keyboard

Provides access to an On-Screen-Keyboard. The On-Screen-Keyboard allows for
an easy method to enter text related information. A keyboard and mouse can also
be connected to the IMSolo-IV Forensics unit.

New Copy Session

Selecting this function results in starting a new session of the IMSolo-IV Forensics
Wizard Interface Control Console. Multiple sessions allow more than one operation
to be performed simultaneously.

Next Copy Session

Switches between the different active session views.

Desktop

Allows access to the Windows Desktop while running session(s).

Exit

Terminates the active visible session. The function automatically releases all
detected drives before exiting the session.

About

Selecting About displays information about the IMSolo-IV Forensics unit, such as
serial number and software version in use.


Wizard - Seize Drives Menu


The IMSolo-IV Forensics Wizard Duplicate Drives Menu screen is displayed by
selecting the Duplicate Drives function from the Wizard Main Menu screen. It provides
access to the unit's Copy Mode functions. The following Copy Mode function options
are provided:

Single Capture
LinuxDD Capture

Figure 13

Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's
drive to the Evidence drive. The operation will create an exact duplicate of all of the
Suspect drive's partitioned and un-partitioned areas as well as all used and unused
sectors on the Suspect's drive. The process of acquiring the data from the Suspect's
drive is methodical and contiguous, beginning from the first byte of the first sector on the
drive, and ending on the last byte of the last sector of the drive. The data is copied to
the corresponding sector on the Evidence drive. Only one seizure operation can be
performed to the same Evidence drive.

LinuxDD Capture
The LinuxDD Capture method will copy the entire contents of the Suspect's drive to the
Evidence drive. The data will be written as individual segmented LinuxDD files and
stored in an individual subdirectory on the Evidence drive. The size of the individual
LinuxDD files can be set by selecting a value within the Fragment pull-down menu.
The default setting is 650MB (CD). The Case Name information entered by the user will
be used as the name of the subdirectory where the Suspect's LinuxDD files will be
stored. This Case Name will also be used as the filename of all LinuxDD files
associated with this seizure. The LinuxDD files will begin with the extension 001,
incremented by 1 for each additional file.
Any number of seizures can be performed to the same Evidence drive provided there is
adequate space to save the seized data on the Evidence drive.

Wizard - WipeOut Drives Menu


The IMSolo-IV Forensics Wizard WipeOut Drives Menu screen is displayed by
selecting the WipeOut Drives function from the Wizard Main Menu screen. It provides
access to the unit's WipeOut Mode functions. The following WipeOut Mode function
options are provided:

WipeOut-DoD
WipeOut-Fast

WipeOut-DoD
The WipeOut DoD Operational mode provides a method of sanitizing a drive that meets
the U.S. Department of Defense specification DOD 5220-22M for sanitizing drives.
Using ordinary DELETE and ERASE commands, data on a hard drive remains
accessible to a variety of intrusive procedures. The WipeOut DoD erasure technique
provides a solution to this problem using a series of null-coded overwrites that
completely remove all data from the hard drive. The process is performed in three
iterations of two individual passes each that completely overwrite the drive connected to
the internal drive position. Each iteration makes two write-passes over the entire drive.
The first pass writes ONEs (Hex 0xFF) over the entire drive surface. The second pass
writes ZEROes (Hex 0x00) over the entire drive surface. After the third iteration, a
seventh pass writes the government designated code 246 (Hex 0xF6) across the
entire drive surface, which is then followed by an eighth pass that inspects the drive with
a Read-Verify review.

WipeOut-Fast
The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing a
drive of all previously stored data. The process involves writing a user-defined hex
pattern to the drive connected in the Target drive position, for a user-defined number of
iterations. The process is methodical and contiguous, beginning from the first byte of
the first sector on the drive, and ending on the last byte of the last sector of the drive.

Wizard - Suspect Drive Select Menu


The IMSolo-IV Forensics Wizard Suspect Drive Select Menu screen is displayed after
selecting the Operational mode from the Wizard Seize Drives Menu. It provides the
user with a graphical view of the source drive positions and the ability to select the
source drive to be used for the selected operation using the unit's Touch Screen
display. The selected drive position's graphical color code will change from Grey to
Yellow, indicating that it has been activated for use. The Grey color code status
indicates that the drive position is inactive.

Figure 14 (callout: Suspect Drive Select Control Icons)

Wizard - Evidence Drive Select Menu


The IMSolo-IV Forensics Wizard Evidence Drive Select Menu screen is displayed
after selecting the Suspect Drive from the Wizard Evidence Drive Select Menu. It
provides the user with a graphical view of the Evidence drive positions and the ability to
select the Evidence drive(s) to be used for the selected operation using the unit's Touch
Screen display. The selected drive position's graphical color code will change from
Grey to Yellow, indicating that it has been activated for use. The Grey color code status
indicates that the drive position is inactive.

Figure 15 (callout: Evidence Drive Select Control Icons)

Wizard - Operator Main Menu


The IMSolo-IV Forensics Wizard Operator Menu screen is displayed after selecting the
Evidence Drive(s) from the Wizard Evidence Drive Select Menu. The Operator Menu
provides all the functions and controls necessary to start or stop the selected
operations. It provides the user with a graphical view of the Suspect and Evidence drive
positions and the ability to change the active drive(s) for the selected operation using
the unit's Touch Screen display. The following Wizard functions are available from the
Operation Menu.

Operation Status Information
Operation Controls
Navigation Bar

Figure 16 (callouts: Operational Status Information; Operation Controls; Drive Select Control Icons; Navigation Bar)

Operational Status Information


The Control Console provides Operational Status Information, supplying the user with
real-time event log data.
The following Operation Status Information fields are available:

Station
Speed
Operational Mode
Load Size
Percent Completion
Elapsed Time
Estimated Time Left

Station
Displays the Computer Name of the IMSolo-IV Forensics unit.
Speed
The Speed field displays the average transfer rate in megabytes per minute.
Operational Mode
Displays the selected Operational Mode.
Load Size
The Load Size field displays the total data required to be transferred.
Percent Completion
Displays the percent of completion for the active operation.
Elapsed Time
Refers to the time elapsed during an operation. This field will also display the
total elapsed time at the end of an operation.
Estimated Time Left
Refers to the time remaining to complete the operation.


Operation Control Functions


The Control Console provides the functions necessary to start or stop the selected
operation.
The following Control Functions are available:

Start
Abort

Start
Selecting Start will instruct the Control Console to turn ON the drives and begin
the selected operation.
Abort
Selecting Abort will instruct the Control Console to turn OFF the drives and
terminate the selected operation.


IMSolo-IV Forensics Advanced Interface Control Console
The IMSolo-IV Forensics Advanced Interface Control Console provides all the
functions and controls necessary to set up, customize and perform the unit's common
and advanced Forensic operations. It can be used as an alternative to the Wizard
Interface Control Console which provides limited functions for ease of use. Multiple
instances of the Advanced Console can be activated, which allows more than one
operation to be performed simultaneously. The functional descriptions of the unit's
Advanced Interface Control Console functions are discussed in the following section.

Drive Selection Panel
Drive Status Panels
Operational Mode Select Menu
Operation Status Information
Operation Controls
Navigation Bar

Figure 17 (callouts: Operational Settings Tabs; Active Drive Status Panels; Drive Selection Panel; Non-Active Drive Panel; Event Log Window; Operational Mode Select Menu; Navigation Bar; Operation Status Information)

Advanced Drive Detect Menu


The IMSolo-IV Forensics Advanced Drive Detect Menu provides a list of the
detected drives and allows detected drives to be configured as active or inactive drives.
The menu screen will also allow drives connected in Evidence positions to be
configured as Suspect Drives. The menu is displayed by selecting the Detection Tab
from the Advanced Interface Control Console. The descriptions of the available
Advanced Drive Detect Menu functions are discussed in the following section.

Drive Selection Panel


The Drive Selection Panel provides the settings and functions used to detect drives
connected to the unit's dedicated Suspect and Evidence drive positions, including
devices connected to the dedicated USB ports located on the back of the unit. The
Drive Select Panel allows the operator to select the drive position(s) to scan during a
drive detect operation.
Suspect 1-2 Drive Select
Select the Suspect Check Box to select the drive(s) in the Suspect position(s) for
detection. The unit provides two dedicated Write-Protected Suspect drive
positions. The drive positions are referenced by the drive's physical location on
the unit. The Suspect 1 position is located on the left side of the unit, labeled
Suspect 1. The Suspect 2 position is located on the right side of the unit, labeled
Suspect 2.
Evidence 1-2 Drive Select
Select the Evidence Check Box to select the drive(s) in the Evidence position(s) for
detection. The unit provides two dedicated Evidence drive positions. The drive
positions are referenced by the drive's physical location on the unit. The
Evidence 1 position is the left drive slot on the front of the unit. The
Evidence 2 position is the right drive slot on the front of the unit.

NOTE: The Drive Select menu provides a power indicator for each drive position.
The indicator will be GREY prior to drive detection, GREEN if the drive is
detected or the operation passed, and RED if the drive is not detected or if
the operation was not successful.


Detect Drives
Select the Detect Drives Button to turn ON and detect the selected drive(s).
NOTE: By default, all ports are Write-Protected. The drive's Write-Protect
property will automatically be disabled if the selected operational mode
requires writing to the drive(s).
Remove Drives
Select Remove Drives to turn OFF and remove the selected drive(s).
Add Network Location
Allows a Suspect's drive contents to be captured and stored in a Network or Locally
Shared Folder. The Shared Folder location can be designated as the Evidence
drive using the Add Network Location function. The Add Network Location function
is available when running the LinuxDD or E01 Capture operations. The descriptions
of the available settings are discussed in the following section.

Figure 18 (callout: Browse)

Browse

Select Browse to select the Shared Folder Location.

Detect Remote Drives

The Detect Remote Drives function allows capturing data from a drive installed in a
Notebook or PC [3], using the unit's Ethernet port.

[3] The Detect Remote Drives Option requires purchase

Drive Status Panels


The Active Drive Status Panels list the drives detected and their respective locations.
The Panels will also indicate the drive's burst transfer rate during operation. Detected
drives are listed in their respective Drive Status Panels.
NOTE: Drives can be manually transferred between Drive Panels by selecting and
dragging the listed drive using the Touch Screen or using an attached mouse.
Suspect drives cannot be moved to Evidence locations.
Active Suspect Drive Panel
The Suspect Drive Panel will list the detected and active Suspect drives for the
active session. Drives listed in the Other Detected Drives Panel can be manually
transferred to the Active Suspect Drive Panel. The drive listed in this panel is
considered an active drive and will be used as the Suspect's drive during the
operation.
NOTE: Drive(s) in the Suspect position(s) cannot be configured as Destination
drives.
Active Evidence Drives Panel
The Active Evidence Drives Panel will list the detected and active Evidence
drive(s) for the active session. Drives listed in the Other Detected Drives Panel
can be manually transferred to the Active Evidence Drives Panel. The drive listed
in this panel is considered an active drive and will be used as the Evidence drive
during the operation.
NOTE: Evidence drives can be configured as Suspect drives by transferring the
drive from the Active Evidence Drive Panel to the Active Suspect Drive
Panel.
Other Detected Drives
The Other Detected Drives Panel will list the non-active drives detected on all
ports other than the dedicated Suspect and Evidence ports. Drives listed in the
Suspect Drive or Evidence Drive Panels can be manually transferred to the Other
Detected Drives Panel. The drive(s) listed in this panel are non-active drives, and
will not be used during an operation.


Operational Mode Select Menu


The Operational Mode Select Menu provides a list of the available Operational Modes.
The functional descriptions of the available Operational Modes are discussed in the
following section.

Single Capture
LinuxDD Capture
LinuxDD Restore
LinuxDD Hash
E01 Capture
E01 Restore
E01 Hash
Hash
WipeOut
Format Drives

Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect's
drive to the Evidence drive. The operation will create an exact duplicate of all of the
Suspect drive's partitioned and un-partitioned areas as well as all used and unused
sectors on the Suspect's drive. The process of acquiring the data from the
Suspect's drive is methodical and contiguous, beginning from the first byte of the
first sector on the drive, and ending on the last byte of the last sector of the drive.
The data is copied to the corresponding sector on the Evidence drive. Only one
seizure operation can be performed to the same Evidence drive. See Single
Capture Settings for more details.
LinuxDD Capture
The LinuxDD Capture Mode will copy the entire contents of the Suspect's drive to
the Destination drives. The data will be written as individual segmented LinuxDD
files and stored in an individual subdirectory on the Destination drive(s). The size of
the individual LinuxDD files can be set by selecting a value within the Capture File
Size pull-down menu. The default setting is 650MB (CD). The File Name
information entered by the user will be used as the name of the subdirectory where
the Suspect's LinuxDD files will be stored. This File Name will also be used as the
filename of all LinuxDD files associated with this seizure. The LinuxDD files will
begin with the extension 000, incremented by 1 for each additional file.
The Destination drive will be inspected prior to transferring data. The operation will
verify that the first partition on the Evidence drive is based on the exFAT [4] File System
and has EVIDENCE as the volume label. A Destination drive that meets
these criteria is a valid Destination drive: a new subdirectory will be created
and the transfer will begin. A Destination drive that fails these criteria will cause the
user to be prompted with a message asking whether or not to overwrite the current
contents of the Destination drive in order to make it a valid LinuxDD Destination
drive. The operation will abort unless the user agrees to overwrite the Destination
drive.
Any number of Loads can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
LinuxDD Capture Settings for more details.

[4] The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.
LinuxDD Restore
This function allows restoring the captured LinuxDD formatted Case to its original file
format. This function requires the LinuxDD drive, containing the LinuxDD Case files,
to be connected to one of the unit's Suspect positions and the Destination drive to
be connected to the unit's Evidence position.
LinuxDD Hash
This function will generate a Hash value for the selected LinuxDD Case. The
LinuxDD drive can be connected to either the Suspect or Evidence position.
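The following Python sketch is an added example, not ICS software: it reassembles a segmented LinuxDD case in extension order, refuses to hash a run with a missing segment, and compares the result with a hash recorded at capture time. It assumes the case subdirectory and file naming described above and accepts either 000 or 001 as the first extension, since both appear in this guide; the function names and the sample case are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Segment files are named <case>.<NNN>. The guide gives both 000 and 001 as the
# first extension, so the start index is discovered rather than assumed.
SEGMENT_RE = re.compile(r"^(?P<case>.+)\.(?P<index>\d{3})$")


def find_segments(case_dir, case_name):
    """Return the case's segment paths in numeric order; reject gaps in the run."""
    found = []
    for path in Path(case_dir).iterdir():
        match = SEGMENT_RE.match(path.name)
        if path.is_file() and match and match.group("case") == case_name:
            found.append((int(match.group("index")), path))
    if not found:
        raise FileNotFoundError(f"no segments for case {case_name!r} in {case_dir}")
    found.sort()
    indexes = [index for index, _ in found]
    first = indexes[0]
    if first not in (0, 1):
        raise ValueError(f"first segment is .{first:03d}; earlier segments are missing")
    if indexes != list(range(first, first + len(indexes))):
        raise ValueError(f"segment numbering has a gap: {indexes}")
    return [path for _, path in found]


def hash_segments(paths, algorithm="sha256", chunk_size=1 << 20):
    """Hash the segments as one continuous stream, as if they were the whole drive."""
    digest = hashlib.new(algorithm)
    total = 0
    for path in paths:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
                total += len(chunk)
    return digest.hexdigest(), total


def verify_case(evidence_root, case_name, expected_hex, algorithm="sha256"):
    """Compare the reassembled image's hash with the value recorded at capture time."""
    case_dir = Path(evidence_root) / case_name  # subdirectory named after the case
    actual, size = hash_segments(find_segments(case_dir, case_name), algorithm)
    matches = hmac.compare_digest(actual, expected_hex.strip().lower())
    return {"match": matches, "hash": actual, "bytes": size}


def build_constructed_case(evidence_root, case_name, image, fragment_size, first_index=0):
    """Write a constructed image as fragments, mimicking the layout for the demo."""
    case_dir = Path(evidence_root) / case_name
    case_dir.mkdir(parents=True)
    for n, start in enumerate(range(0, len(image), fragment_size)):
        name = f"{case_name}.{first_index + n:03d}"
        (case_dir / name).write_bytes(image[start:start + fragment_size])
    return case_dir


if __name__ == "__main__":
    image = bytes(range(256)) * 40  # constructed 10,240-byte stand-in for a drive
    with tempfile.TemporaryDirectory() as root:
        build_constructed_case(root, "CASE42", image, fragment_size=4096)
        print(verify_case(root, "CASE42", hashlib.sha256(image).hexdigest()))
```

A missing middle segment is the failure worth catching first: hashing only the files that happen to be present produces a valid-looking digest for the wrong data.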

E01 Capture
The E01 Capture Mode will capture the entire contents of the Suspect's drive to the
Destination drives using Guidance Software's EnCase Forensic format. The data
will be written as individual segmented EnCase formatted files and stored in an
individual subdirectory on the Destination drive(s). The size of the individual E01
files can be set by selecting a value within the Capture File Size pull-down menu.
The default setting is 650MB (CD). The EnCase format limits the File Size to 2GB.
The File Name information entered by the user will be used as the name of the
subdirectory where the Suspect's files will be stored. This File Name will also be
used as the filename of all files associated with this seizure. The E01 files will begin
with the extension E01, incremented by 1 for each additional file. The
Compression Level can be set between 0 and 9, with 0 defined as No
Compression, and 9 defined as Highest Compression.
The Destination drive will be inspected prior to transferring data. The operation will
verify that the first partition on the Evidence drive is based on the exFAT [5] File System
and has EVIDENCE as the volume label. Otherwise, the operation will
prompt the User that the Evidence drive will be overwritten.
Any number of Loads can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
E01 Capture Settings for more details.
NOTE: The E01 Capture Mode will result in reduced transfer rates when compared
with other Capture Modes.

[5] The exFAT File System was introduced with version 4.2.54.0. Prior versions used NTFS.

E01 Restore
This function allows restoring the captured E01 formatted Case to its original file
format. This function requires the E01 drive, containing the E01 Case files, to be
connected to one of the unit's Suspect positions and the Destination drive to be
connected to the unit's Evidence position.
E01 Hash [6]
This function will generate a Hash value for the selected E01 Case. The E01 drive
can be connected to either the Suspect or Evidence position.
Format Drives
This function can be used to quickly format drives and to prepare drives as exFAT
LinuxDD or exFAT E01 Evidence drives. It may be necessary to manually transfer
LinuxDD or E01 Evidence files from an NTFS based Evidence drive to an exFAT
based Evidence drive.

[6] Pending development as of release of this document (11/09).

WipeOut
The WipeOut-User Mode of operation provides a quick non-DoD method of
sanitizing a drive of all previously stored data. The process involves writing a
user-defined hex pattern to the destination drive for a user-defined number of iterations.
The process is methodical and contiguous, beginning from the first byte of the first
sector on the drive, and ending on the last byte of the last sector of the drive.
The WipeOut-DoD Mode of operation provides a method of sanitizing a drive that
meets the U.S. Department of Defense specification DOD 5220-22M for sanitizing
drives.
Using ordinary DELETE and ERASE commands, data on a hard drive remains
accessible to a variety of intrusive procedures. The WipeOut DoD erasure
technique provides a solution to this problem using a series of null-coded overwrites
that completely remove all data from the hard drive.
The process is performed in three iterations of two individual passes each that
completely overwrite the destination drives. Each iteration makes two write-passes
over the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive
surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface.
After the third iteration, a seventh pass writes the government designated code 246
(Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass
that inspects the drive with a Read-Verify review. See Wipeout Settings for more
details.
The WipeOut-Secure Erase option uses the drive's own built-in firmware Secure
Erase function to erase data. The WipeOut-Secure Erase option offers two modes,
Normal Erase and Enhanced Erase, which are automatically selected if the drive
supports them. Normal Erase will erase drives using the 0x00 pattern. The
Enhanced Erase mode will erase drives with a predetermined pattern and will clear
Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command. Secure
erase is recognized by NIST 800-88 as an effective and secure way to
meet legal data sanitization requirements.
Hash
The Hash operation provides a method of generating a hash value for either the
entire area of a drive or for a selected number of sectors of a drive. No data is
written to the selected drives during this operation. When hashing the entire drive
the process is methodical and contiguous, beginning with the first sector on the drive
and ending with the last sector of the drive. See Hash Settings for more details.

Event Log Window


The Event Log Window displays real time operational event log information.

Advanced Operation Settings Menu


The IMSolo-IV Forensics Advanced Operation Settings Menu provides access to the
Operational Mode settings. The menu is displayed by selecting the Main Tab from the
Advanced Interface Control Console. The Advanced Operation Settings Menu
provides the Operator with a menu of Operational Mode Settings for the selected
Operation. The Settings menu list is dynamic, and will change to reflect the selected
Operational Mode. The descriptions of the available Operational Mode Settings are
discussed in the following section.

Single Capture Settings
Hash Settings
LinuxDD Capture Settings
LinuxDD Hash Settings
LinuxDD Restore Settings
E01 Capture Settings
E01 Hash Settings
E01 Restore Settings
WipeOut Settings
Format Drives Settings

Single Capture Settings


The Single Capture Settings menu provides the Operator with a list of settings available
for the selected operation. The menu is selected when the Operational Mode is selected
from the Operational Mode Select Menu.

Read Back-Verify
Hash Targets
Hashing Methods
Encryption/Decryption
Wipe Remainder

Figure 19


Read Back-Verify
Provides additional data integrity checks during data transfers. When Read Back-Verify
is selected the operation will verify each block of data transferred during the
data transfer process. Data written to the Evidence drive is read back and
compared to the data read from the Suspect's drive. Enabling this option
reduces the transfer rate.
Disabling this option causes the data transfer
process to make use of the drive's own Ultra DMA Mode error-detection handling
mechanism, known as cyclical redundancy checking (CRC-16), to check for Data
Integrity. In most cases the CRC-16 error checking algorithm is sufficient. CRC is
an algorithm that calculates an order and value sensitive checksum used to detect
errors in a stream of data. Both the Suspect's drive and the Evidence drives
calculate a CRC value for each Ultra DMA burst. After the Suspect's data is sent,
the Evidence drive calculates a CRC value and this is compared to the original
Suspect's CRC value. If a difference is reported, the unit may be required to select
a slower transfer mode and re-try the original request for data. The transfer rate will
not be affected when using the drive's CRC-16 mechanism for checking data
integrity.
Hash Targets
The Hash Targets function provides a method of generating Hash values for the
Source drive's data and for the data written to the Target drives, in the same
operation. The data is read back and hashed from the target drive(s) after each
transferred block. Since data is read back during the operation the average transfer
rate will decrease and the total time of completion will increase when this function is
enabled.
Hashing Methods
The Hashing Methods menu selection provides the user with a list of different Hash
Algorithms to generate a Hash value for the Source drive's data. Hashing is a
process that calculates a "unique signature" value for the contents of an entire drive.
CRC32
Selecting CRC32 will result in the operation generating the CRC32
32-bit hash value for the data read from the source drive(s). Selecting the Hash
Targets function will result in the operation generating the CRC32 Hash values for
the data read from the Source drive and the data written to the Target drive.
MD5
Selecting MD5 will result in the operation generating the MD5 128-bit hash value
for the data read from the source drives. Selecting the Hash Targets function will
result in the operation generating the MD5 Hash values for the data read from the
Source drive and the data written to the Target drive.

SHA-1
Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash
value for the data read from the source drives. Selecting the Hash Targets
function will result in the operation generating the SHA-1 Hash values for the data
read from the Source drive and the data written to the Target drive.
NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and
therefore effects on transfer rates are limited.
SHA-2 (224,384,256,512)
Selecting SHA-2 (224,384,256,512) will result in the operation generating the
SHA-2 (224,384,256,512)-bit hash value for the data read from the source drives.
Selecting the Hash Targets function will result in the operation generating the
Hash values for the data read from the Source drive and the data written to the
Target drive.
NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for
calculations and therefore effects on transfer rates are limited.
Wipe Remainder
The Wipe Remainder function instructs the capture operation to wipe (erase)
remaining sectors after a capture operation is performed, if the Evidence drive is
larger than the Suspect's drive.
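An added Python example, not the IMSolo-IV's own code, showing how Read Back-Verify, Hash Targets, the hashing method choice and Wipe Remainder interact in one block-by-block copy. The block size, the zero fill used for the remainder and all names are assumptions; the drives are in-memory stand-ins, one of them a constructed faulty target.

```python
import hashlib
import io
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR  # transfer block size; an assumption, the guide does not give one


class Crc32:
    """hashlib-style wrapper so CRC32 can be selected like MD5, SHA-1 or SHA-2."""
    def __init__(self):
        self.value = 0
    def update(self, data):
        self.value = zlib.crc32(data, self.value)
    def hexdigest(self):
        return f"{self.value:08x}"


def new_hasher(method):
    return Crc32() if method == "crc32" else hashlib.new(method)


class ReadBackMismatch(Exception):
    """Raised when data read back from the target differs from what was sent."""


def capture(source, target, source_size, target_size, method="sha256",
            read_back_verify=True, hash_targets=True, wipe_remainder=True):
    """Copy source to target block by block, with the integrity options as flags."""
    if target_size < source_size:
        raise ValueError("Evidence drive is smaller than the Suspect drive")
    source_hash = new_hasher(method)
    target_hash = new_hasher(method) if hash_targets else None
    offset = 0
    while offset < source_size:
        length = min(BLOCK, source_size - offset)
        source.seek(offset)
        block = source.read(length)
        if len(block) != length:
            raise IOError(f"short read from source at offset {offset}")
        source_hash.update(block)
        target.seek(offset)
        target.write(block)
        if read_back_verify or hash_targets:
            target.seek(offset)
            echoed = target.read(length)  # what the target actually stored
            if read_back_verify and echoed != block:
                raise ReadBackMismatch(f"block at offset {offset} differs on target")
            if target_hash is not None:
                target_hash.update(echoed)
        offset += length
    wiped = 0
    if wipe_remainder:
        # Zero fill is an assumption; the guide only says the remainder is wiped.
        target.seek(offset)
        while offset < target_size:
            length = min(BLOCK, target_size - offset)
            target.write(bytes(length))
            offset += length
            wiped += length
    return {
        "source_hash": source_hash.hexdigest(),
        "target_hash": target_hash.hexdigest() if target_hash else None,
        "copied": source_size,
        "wiped": wiped,
    }


class FlakyTarget(io.BytesIO):
    """Constructed faulty drive: flips one bit in any write that covers bad_offset."""
    def __init__(self, initial, bad_offset):
        super().__init__(initial)
        self.bad_offset = bad_offset
    def write(self, data):
        start = self.tell()
        if start <= self.bad_offset < start + len(data):
            damaged = bytearray(data)
            damaged[self.bad_offset - start] ^= 0x01
            data = bytes(damaged)
        return super().write(data)


if __name__ == "__main__":
    suspect = bytes(range(251)) * 400              # constructed 100,400-byte "drive"
    stale = b"\xaa" * (len(suspect) + 8 * SECTOR)  # larger, previously used target
    print(capture(io.BytesIO(suspect), io.BytesIO(stale), len(suspect), len(stale)))
```

With Read Back-Verify off and Hash Targets on, a bad write does not stop the copy; it only shows up afterwards as a source hash that differs from the target hash.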


Encrypt/Decrypt
The Encrypt/Decrypt menu selection provides the user with the functions and
settings necessary to configure an operation to Encrypt or Decrypt captured data.

AES Key Length (bits)
Provides the user with the list of three AES Key Sizes to choose from. The
choices are 128, 192, and 256 bits.
AES Mode
Provides the user with the list of AES Modes to choose from. The choices are
ECB, CBC, CFB, OFB, and CTR.
Action - None
Instructs the operation to transfer data without Encrypting or Decrypting data.
Action - Encrypt
Instructs the operation to Encrypt data during the data transfer operation.
Action - Decrypt
Instructs the operation to Decrypt data during the data transfer operation.
Save Key
The Encryption Key used to Encrypt the Suspect drive's data is generated and
saved.
Load Key
Provides the function to allow the User to select and load the Encryption Key which
can be used to Decrypt the Evidence drive's Encrypted data.
NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher
hardware, choose 192 as the AES Key Length and ECB as the AES
Mode.

WipeOut Settings
The WipeOut Settings menu provides the Operator with a list of settings available for
the selected operation. The menu is selected when the Operational Mode is selected
from the Operational Mode Select Menu.

User
DoD
Secure Erase
Iterations
Pattern (0-255)
Read Back-Verify

Figure 20

Mode
The WipeOut Mode provides the Operator with two methods of sanitizing drives.
User
The Wipeout User option provides a quick non-DoD method of sanitizing a
drive of all previously stored data. The process involves writing a user
defined pattern to the drive connected in the Target drive position, for a
number of user defined drive passes (iterations). The process is methodical
and contiguous, beginning from the first byte of the first sector on the drive,
and ending on the last byte of the last sector of the drive.
Iterations
Allows the Operator to define the number of WipeOut-User iterations or
passes to perform. Selecting 0 instructs the operation to sanitize the drive in
one pass.
Pattern (0-255)
Allows the Operator to define the WipeOut-User Pattern to be used to sanitize
the Target drive(s). The available range is 0-255.

DoD
The Wipeout DoD function provides a method of sanitizing a drive that meets
the U.S. Department of Defense specification DOD 5220-22M for sanitizing
drives.
The operation is performed in three iterations of two individual passes each, which
completely overwrite the destination drives. Each iteration makes two write
passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the
entire drive surface. The second pass writes ZEROes (Hex 0x00) over the
entire drive surface. After the third iteration, a seventh pass writes the
government designated code 246 (Hex 0xF6) across the entire drive
surface, which is then followed by an eighth pass that inspects the drive with
a Read-Verify review.
Secure Erase
The WipeOut-Secure Erase option uses the drive's own built-in firmware
Secure Erase function to erase data. The WipeOut-Secure Erase option
offers two modes, which are automatically selected if the drive supports
them: Normal Erase and Enhanced Erase. Normal Erase will erase drives
using the 0x00 pattern. The Enhanced Erase mode will erase drives with a
predetermined pattern and will clear Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command.
Secure erase is recognized by NIST 800-88 as an effective and
secure way to meet legal data sanitization requirements.

Read Back-Verify
Use Link for previous description.
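
The WipeOut-DoD pass order and its closing Read-Verify, as an added Python example (not ICS code). It runs against any seekable binary file object; the function names, the 512-byte sector size and the 16-sector in-memory image are assumptions made for the illustration.

```python
import io

SECTOR = 512  # assumed sector size, used only to report mismatches

# Pass schedule as the manual describes it: three iterations of
# (0xFF, 0x00), then a seventh pass of 0xF6. The eighth pass is the verify.
DOD_PASSES = [0xFF, 0x00] * 3 + [0xF6]


def overwrite_pass(target, size, pattern, chunk=64 * 1024):
    """Write one pattern byte over bytes [0, size) of a seekable binary file."""
    block = bytes([pattern]) * chunk
    target.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        if target.write(block[:n]) != n:
            raise IOError(f"short write with {remaining} bytes left")
        remaining -= n
    target.flush()


def read_verify(target, size, pattern, chunk=64 * 1024):
    """Return the sector numbers whose contents are not entirely `pattern`."""
    bad_sectors = []
    target.seek(0)
    offset = 0
    while offset < size:
        data = target.read(min(chunk, size - offset))
        if not data:
            raise IOError(f"target ended at byte {offset}, expected {size}")
        if data.count(pattern) != len(data):
            # Narrow the mismatch down to individual sectors for the log.
            for i in range(0, len(data), SECTOR):
                sector = data[i:i + SECTOR]
                if sector.count(pattern) != len(sector):
                    bad_sectors.append((offset + i) // SECTOR)
        offset += len(data)
    return bad_sectors


def dod_wipe(target, size):
    """Run the seven write passes, then the read-verify; return bad sectors."""
    for pattern in DOD_PASSES:
        overwrite_pass(target, size, pattern)
    return read_verify(target, size, DOD_PASSES[-1])


def demo():
    """Constructed 16-sector image standing in for a Target drive."""
    size = 16 * SECTOR
    image = io.BytesIO(b"old case data!!!" * (size // 16))
    clean = dod_wipe(image, size)
    # Simulate a sector that did not retain the final pattern (constructed).
    image.seek(5 * SECTOR)
    image.write(b"\x00" * SECTOR)
    return clean, read_verify(image, size, 0xF6)


if __name__ == "__main__":
    print(demo())
```

An empty list from the verify pass is the pass condition; any sector number it returns is a location where the final 0xF6 pattern did not read back.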


Format Drives Settings


The Format Drives Settings menu provides the Operator with a list of settings
available for the selected operation. The menu is selected when the Operational Mode
is selected from the Operational Mode Select Menu. The exFAT setting instructs the
Format Drive operation to use the exFAT File System to format drives.


Linux DD Capture Settings


The LinuxDD Capture Settings menu provides the Operator with a list of settings
available for the selected operation. The menu is selected when the Operational Mode
is selected from the Operational Mode Select Menu.

Figure 21 (menu items shown: Capture File Size, Custom File Size (MB), File Name, Read Back-Verify, Hash Targets, Hash Methods, Encryption/Decryption)

Capture File Size


The size of the individual LinuxDD files can be set by selecting predefined values
within the Capture File Size menu. The options are 640MB, 1GB, 2GB, 4.7GB,
Whole Drive, and Custom. The default setting is 640MB.
Custom File Size (MB)
The size of the individual LinuxDD files can be manually entered in Megabytes. The
entry is active when the Custom value is selected in the Capture File Size menu.
File Name
The File Name entry will be used as the name for the LinuxDD subdirectory, where
the individual LinuxDD files will be stored. This File Name will also be used as the
name of all LinuxDD files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default LinuxDD
file name referenced as CASE<DATE><TIME>.
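
Because a LinuxDD capture is split into files of the selected Capture File Size, the acquisition hash only reproduces when every segment is read back in order as one stream. The Python below is an added example (not ICS code) of that check. The manual does not state how segments are named, so the numeric suffixes .001, .002, ... are an assumption, as are the function names and the constructed CASE_DEMO data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed naming: <File Name>.001, <File Name>.002, ... (not stated in the manual).
SUFFIX_RE = re.compile(r"\.(\d{3,})$")


def ordered_segments(case_dir, file_name):
    """Return this image's segment paths in numeric order, rejecting gaps."""
    found = {}
    for path in Path(case_dir).iterdir():
        match = SUFFIX_RE.search(path.name)
        if match and path.name[:match.start()] == file_name:
            found[int(match.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no segments named {file_name}.NNN in {case_dir}")
    indices = sorted(found)
    missing = sorted(set(range(indices[0], indices[-1] + 1)) - set(indices))
    if missing:
        raise ValueError(f"missing segment number(s): {missing}")
    return [found[i] for i in indices]


def check_segment_sizes(paths):
    """All segments but the last share one size; the last is no larger."""
    sizes = [p.stat().st_size for p in paths]
    return len(set(sizes[:-1])) <= 1 and (len(sizes) == 1 or sizes[-1] <= sizes[0])


def hash_segments(paths, algorithm="sha256", chunk=1 << 20):
    """Hash the segments as one continuous stream; return (hex digest, bytes)."""
    digest = hashlib.new(algorithm)
    total = 0
    for path in paths:
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(chunk), b""):
                digest.update(block)
                total += len(block)
    return digest.hexdigest(), total


def verify_image(case_dir, file_name, expected_hex, algorithm="sha256"):
    """Compare the reassembled image's hash with the recorded source hash."""
    paths = ordered_segments(case_dir, file_name)
    actual, total = hash_segments(paths, algorithm)
    return {
        "segments": len(paths),
        "bytes": total,
        "sizes_consistent": check_segment_sizes(paths),
        "match": actual == expected_hex.strip().lower(),
    }


def demo():
    """Constructed case: a 2,500-byte 'drive' captured as 1,000-byte segments."""
    source = bytes(range(250)) * 10
    expected = hashlib.sha256(source).hexdigest()
    with tempfile.TemporaryDirectory() as case_dir:
        for n, start in enumerate(range(0, len(source), 1000), 1):
            Path(case_dir, f"CASE_DEMO.{n:03d}").write_bytes(source[start:start + 1000])
        good = verify_image(case_dir, "CASE_DEMO", expected)
        # Remove the middle segment to show the gap being caught before hashing.
        Path(case_dir, "CASE_DEMO.002").unlink()
        try:
            verify_image(case_dir, "CASE_DEMO", expected)
            gap = None
        except ValueError as err:
            gap = str(err)
    return good, gap


if __name__ == "__main__":
    print(demo())
```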


LinuxDD Hash Settings


The LinuxDD Hash Settings menu provides the Operator with a list of settings
available for the selected operation. The menu is selected when the Operational Mode
is selected from the Operational Mode Select Menu.

Figure 22 (menu items shown: Hash Methods, File Name, Encryption/Decryption)


LinuxDD or E01 Restore Settings


The LinuxDD or E01 Restore Settings menu provides the Operator with a list of
settings available for the selected operation. The menu is selected when the
Operational Mode is selected from the Operational Mode Select Menu.

Figure 23 (menu items shown: Hash Methods, File Name, Read Back-Verify, Hash Targets, Encryption/Decryption)


Hash Settings
The Hash Settings menu provides the Operator with a list of settings available for the
selected operation. The menu is selected when the Operational Mode is selected from the
Operational Mode Select Menu.

Figure 24 (menu items shown: Sectors to Hash, Hash Methods, Encryption/Decryption)

Sectors to Hash
Allows the Operator to define the number of sectors to hash. The default value of 0
will instruct the Hash operation to hash the entire drive.
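
A bounded sector count matters when the Evidence drive is larger than the Suspect's drive: a whole-drive hash of the Evidence drive then covers extra sectors and cannot equal the source hash, while a hash limited to the source's sector count can. The Python below is an added example (not ICS code) of that comparison; the function names, the 512-byte sector size and the constructed in-memory drives are assumptions.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumed; use the drive's reported logical sector size


def hash_sectors(drive, sectors=0, algorithm="sha256", chunk_sectors=128):
    """Hash the first `sectors` sectors of a seekable binary file object.

    sectors=0 hashes to the end, mirroring the default the manual describes.
    Returns (hex digest, sectors hashed).
    """
    digest = hashlib.new(algorithm)
    drive.seek(0)
    done = 0
    while sectors == 0 or done < sectors:
        want = chunk_sectors if sectors == 0 else min(chunk_sectors, sectors - done)
        data = drive.read(want * SECTOR_SIZE)
        if not data:
            if sectors:
                raise ValueError(f"drive ended after {done} sectors, wanted {sectors}")
            break
        if len(data) % SECTOR_SIZE:
            raise ValueError("read ended on a partial sector")
        digest.update(data)
        done += len(data) // SECTOR_SIZE
    return digest.hexdigest(), done


def compare_to_source(source, evidence):
    """Hash the evidence drive both ways and compare each with the source."""
    src_digest, src_sectors = hash_sectors(source)
    whole_digest, ev_sectors = hash_sectors(evidence)
    bounded_digest, _ = hash_sectors(evidence, src_sectors)
    return {
        "source_sectors": src_sectors,
        "evidence_sectors": ev_sectors,
        "whole_drive_match": whole_digest == src_digest,
        "bounded_match": bounded_digest == src_digest,
    }


def demo():
    """Constructed drives: 100-sector source, 160-sector evidence drive."""
    payload = bytes(i % 251 for i in range(100 * SECTOR_SIZE))
    source = io.BytesIO(payload)
    # Evidence = exact copy followed by 60 wiped sectors (0x00 is an assumed pattern).
    evidence = io.BytesIO(payload + b"\x00" * (60 * SECTOR_SIZE))
    return compare_to_source(source, evidence)


if __name__ == "__main__":
    print(demo())
```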


E01 Capture Settings


The E01 Capture Settings menu provides the Operator with a list of settings available
for the selected operation. The menu is selected when the Operational Mode is
selected from the Operational Mode Select Menu.

Figure 25 (menu items shown: Capture File Size, Custom File Size (MB), Hash Methods, File Name)

Capture File Size


The size of the individual E01 files can be set by selecting predefined values within
the Capture File Size menu. The default setting is 650MB (CD).
Custom File Size (MB)
The size of the individual E01 files can be manually entered in Megabytes. The entry is
active when the Custom value is selected in the Capture File Size menu.
File Name
The File Name will be used as the name for the E01 Case subdirectory, where the
individual E01 files will be stored. This File Name will also be used as the name of
all E01 files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default E01 file
name referenced as CASE<DATE><TIME>.


Advanced Settings Main Menu


The IMSolo-IV Forensics Advanced Settings Main Menu provides access to the
common Operational Mode settings. The menu is displayed by selecting the Main Tab
from the Advanced Settings Menu. The descriptions of the available settings are
discussed in the following section.

Figure 26 (menu items shown: Automation Settings, Bad Sector Handling, Start View, Add/Remove Optional Features)

Automation Settings
The Automation Settings menu provides the Operator with a list of settings common to
each of the available Operational Modes.

Start Operation after Detection
Instructs the Operation to automatically power ON and detect the selected drives
when selecting START. When disabled, the selected drives would need to be
manually detected prior to selecting START, using the DETECT DRIVES function.
Confirm Master and Target drives after Power up/Detection and Before starting
Operation
Instructs the Operation to prompt the Operator and confirm if the detected Source
and Target drives are the correct drives to use before starting the selected
Operation. When the setting is disabled, the Operation will use the selected drives
without prompting.
Auto Run
Instructs the selected Operation to continuously run until the Operation is manually
aborted. This function can be used to test drives or the unit's hardware.

Bad Sector Handling


This setting allows the user to select from a list of two methods of handling bad sectors
when they are encountered on the source drive.
Log and skip
The operation will log the location of the bad sector on the source drive and the bad
sector will be skipped.
Abort drive
The operation will abort when encountering a bad sector on the source drive.

Start View
The Start View menu provides optional Start Up View options.
Wizard Screen
Instructs the RI unit to Start Up using the Wizard Interface Control Console. The
Wizard Interface provides the user with simple navigational menu screens to quickly
setup and start operations.


Operator Screen
Instructs the RI unit to Start Up using the Operator Interface Control Console. The
Operator Interface provides all the functions and controls necessary to start or stop
the operations pre-selected using the Wizard Interface or Advanced Interface. It
provides the user with a graphical view of the Source and Target drive positions and
the ability to change the active drive(s) for the selected operation using the unit's
Touch Screen display.
Advanced Screen
Instructs the RI unit to Start Up using the Advanced Interface Control Console. The
Advanced Interface provides all the functions and controls necessary to setup,
customize and perform the unit's common and advanced IT operations.

Add/Remove Optional Features


This function allows adding or removing Software Options.

Apply Settings
Used to apply the settings selected.


Advanced Drive Detection Settings Menu


The IMSolo-IV Forensics Advanced Drive Detection Settings provides the Operator
with User-Defined settings to customize the unit's drive detect handling functions.

Figure 27 (menu items shown: Drive Detection Mode, Fast Detection, Sequential Detection)

Drive Detection Mode


Allows the Operator to choose between the three available Drive Detect methods.
Auto
Automatically selects Drive Detection method based on the hardware detected. This
mode will automatically select Fast Detection for the IMSolo-IV Forensics systems.
Fast Detection
Selects use of the Fast Detection method to detect drives. This method identifies
the drive by the SAS/S-ATA controller's physical address location used by polling
the drive. It is the quickest method to detect drives.

Sequential Detection
Selects the Sequential Detection method to detect drives. This method identifies the
drive by sensing the drive's current load. The selected drives are detected in turn
by powering Up the individual drive and then waiting for each individual drive to be
detected before powering Up the next selected drive. This method is slower than
the Fast Detection method to detect drives.

Fast Detection Settings


The Fast Detection Settings menu provides optional Fast Detection User-Defined
settings.
Wait Time After Powering Up Each Drive
This is the time allocated before powering Up the next selected drive. The default
value is 2 seconds.
Wait Time Between Powering Up Each Drive and Starting Drive Detection
This is the time allocated after powering Up each drive, and before checking the
controller and O/S for detected drives. The default value is 20 seconds.
Max Scanning /Detection Time allowed by Application (Sec)
This is the time allocated for the O/S to detect New Hardware or discover each
selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting
limits the wait time.
Auto Calibrate Detection of All Drives
Used to restore the map which links the unit's SAS/SATA controller's physical
addresses to the unit's assigned drive positions, listed in the Drive Detection menu
screen, for all connected drives. The Calibration starts with the drive specified in the
Calibration Starts From Drive input box.
NOTE: Calibration would only be necessary if the unit can no longer detect
drives.
Calibration Starts From Drive
The Auto Calibration starts with the drive number specified in the Calibration Starts
From Drive input box. The drive number starts with 0 and follows the order of the
drive positions listed in the Drive Detection menu screen.


Calibrate Detection of a Selected Drive


Used to restore the map which links the unit's SAS/SATA controller's physical
addresses to the unit's assigned drive positions, for individually selected drives.
NOTE: Calibration would only be necessary if the unit can no longer detect
drives.

Sequential Detection Settings


The Sequential Detection Settings menu provides optional Sequential Detection
User-Defined settings.
Max Detect Time
This is the time allocated for the O/S to detect New Hardware or discover each
selected drive. The default value is 60 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting
limits the wait time.
Max Detect Power Time
Maximum time allowed for the drive's applied current load to be detected. After the
set time, if the drive's applied current load is not detected, the drive will be powered
OFF.
Calibrate Current Threshold
The Calibrate Current Threshold function will measure the idle current used by the
unit's power control board. A current level measured that is greater than the
Calibrated Current Threshold value will indicate that a device is connected.
NOTE: Verify that NO drive is connected, while calibrating the current
thresholds.


Diagnostics and Tools Settings Menu


The IMSolo-IV Forensics Advanced Diagnostic and Tools Settings provides access
to the Operational Mode settings. The menu is displayed by selecting the Operation
Settings Tab from the Advanced Interface Control Console. The Operational Mode
Settings Menu provides the Operator with a menu of Operational Mode Settings for the
selected Operation. The Settings menu list is dynamic, and will change to reflect the
selected Operational Mode. The descriptions of the available Operational Mode
Settings are discussed in the following section.

Figure 28 (menu items shown: Slow Drive Filter, Speed Optimization, Diagnostics, Forced Power Off)

Slow Drive Filter Speed Threshold


The Slow Drive Filter menu allows the operation to abort individual drives which would
cause slow transfer rates. After aborting the individual drive, the operation would
continue for the remaining drives, without reducing the transfer rate.
Speed Threshold
Minimum transfer rate accepted before the drive is aborted. The decision to abort a
drive is based on the individual drive speed and not on the average speed of the
process.


Speed Optimization
Used to obtain optimal transfer rates.
Transfer Buffer Size (in 64 kb)
The default setting of (10) instructs the operation to use a Transfer Buffer size of
640KB. In most cases a Transfer Buffer size of 640KB is optimal; however, with
some drive combinations it might be useful to change the value in order to achieve
faster transfer rates.
Speed Sampling rate
The value sets the rate with which the speed of each drive is sampled. The sampled
value is used by the Slow Down Filter and is displayed in the Detected Drives
panel. A low sampling rate would slow down the average transfer rate of operation.
The default value is 100.

Forced Power off


Provides a function to manually power OFF all selected drives.
Power off selected drives
Manually powers OFF the selected drives. The function should only be used if the
Remove Drives function does not power off the selected drives.
NOTE: Exit all applications which may be using the drives prior to manually
powering OFF the drives.

Diagnostic
Provides a Diagnostic function to isolate drives which can result in slow transfer rates.
Instantaneous Drive Transfer Speed
Instructs the operation to display the drive's speed at the moment of sampling.


Advanced Case Info Menu


The IMSolo-IV Forensics Advanced Case Info Menu provides the user with a list of
specific Case Information to enter for the Capture Operation. This Case Information will
be stored for Audit Trail output. The menu is displayed by selecting the Case Info Tab
from the Advanced Main Menu.

Figure 29


Advanced Mount Drive Menu


The IMSolo-IV Forensics Advanced Mount Drive Menu provides access to the
functions and controls necessary to change the state of the detected device Write
Protection and Mount Volume properties. By default, all ports including the Evidence
Drive ports and the unit's USB ports are Write-Protected. In addition, the detected drive's
partitions or volumes are hidden from the unit's O/S. The drive's properties will
automatically be configured for the common Operational Modes. The recommended
state of each device will depend on the operation to be performed with the detected
devices. The menu is displayed by selecting the Mount Drive Tab from the Advanced
Interface Control Console. The descriptions of the available Mount Drive Settings are
discussed in the following section.

Figure 30 (menu items shown: Write-Protection, Mount Volumes, Simulate Drive Signature, Apply, Refresh)


Write-Protect the Drive


When selected (checked), the detected drive will be Write-Protected. This setting
should be enabled only when it is necessary to allow the unit's O/S or 3rd party
application write access to the drive's volume. The detected drive's Write-Protect
property can be changed by first selecting the detected drive then using the Mount Drive
Menu, Write-Protect function.
NOTE: By default, all ports are Write-Protected. The Write-Protect property of drives
detected in the Suspect positions cannot be disabled.

Mount Volumes on the Drive


When selected (checked), the detected drive's volume will be accessible by the unit's
Operating System. This setting should be enabled only when it is necessary to allow
the unit's O/S or 3rd party application preview access to the drive's volume. The
detected drive's Mount Volume property can be changed by first selecting the detected
drive then using the Mount Drive Menu, Mount Volume function.

Simulate Drive Signature When Mounting Volumes


When selected (checked), the O/S will be provided with a simulated Device Signature
for the selected drive. The O/S requires each drive to have a different Device
Signature. After the duplication operation, drives may have the same Device Signature.
The drive's volume may not mount properly when attempting to mount the drive's
volume under the unit's O/S if the same Drive Signatures are detected. If the setting is
not selected, the Drive's unaltered Device Signature is presented to the O/S or applications.

Apply
Applies the selected Drive Property settings.

Refresh
Selecting Refresh displays the drive properties of the currently selected drive.


Advanced HPA/DCO Menu


The IMSolo-IV Forensics Advanced HPA Menu provides the functions to view and
modify the drive's Host Protected Area (HPA) and Device Configuration Overlay (DCO)
Capacity feature set. The menu is displayed by selecting the HPA Tab from the
Advanced Interface Control Console. The descriptions of the available HPA Menu
Settings are discussed in the following section.

Figure 31 (menu items shown: Protected Area Type, Protected Area Support, Set Capacity, Reset, New Capacity, Volatile)

Protected Area Type


Allows the User to select use of either HPA or DCO Support functions.


Protected Area Support


When selected, this function instructs the selected Operation to determine if a Suspect's
drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a
Suspect's drive, the Operation will seize all of the drive's data including the data stored in
the drive's HPA or DCO area.

New Capacity
Value in sectors which will define the drive's programmed HPA or DCO capacity.

Current Capacity
Displays the drive's current DCO or HPA programmed capacity in sectors.

Native Capacity
Displays the drive's Native capacity in sectors.

Set Capacity
Provides the function to program the Evidence drive's capacity using the HPA or DCO
User Defined values.

Reset Capacity
Provides the function to reset the Evidence drive's capacity to its Native Capacity.

Volatile
Instructs the Set Capacity function to modify the drive's capacity only when the drive is
power cycled.


Advanced LOG Menu


The IMSolo-IV Forensics LOG Menu provides the functions for viewing, transferring and
printing Event Log and Audit information. The menu is displayed by selecting the LOG
Tab from the Advanced Interface Control Console. Event Log and Audit files are
automatically stored in the unit's local file folder. Files are stored using a
DATE_TIME.TXT naming convention. The Audit Trail file will be referenced as such.
The descriptions of the available LOG functions are discussed in the following section.

Figure 32 (menu items shown: Print Logs, Copy Logs, Open Log Folder, Set Audit Trail Logo)


Print Logs
Provides the functions to print Event Log files and Audit Trail Log files to a connected
printer.

Copy Logs
Provides the function to copy Event Log files and Audit Trail Log files to an external
device.

Open Log Folder


Provides access to the folder used to store the Log files, for viewing.

Set Audit Trail Logo


Provides the function to add a Company Logo onto the generated PDF Audit Trail.


Chapter 5 Operational Procedures

Advanced Tools Menu


The IMSolo-IV Forensics Advanced Tools Menu provides the functions to Disable an
Evidence drive's User Password.

Disable Password
Provides the function to Disable the drive's User Password. It may be necessary to
Disable the ics password which is set on the drive during Secure Erase if the operation
is aborted prior to completion. If the User Password is not reset, the drive will block
Read and Write commands.
NOTE: It is not necessary to disable the drive's User Password if Secure Erase is used
to erase the drive.


Chapter 5:
Operational Procedures


Prepare for Operation


This section describes the recommended procedure to follow when preparing to perform
an operation with drives connected directly to the unit. References to P-ATA drive
setup in this section require use of S-ATA-to-P-ATA adapters.
1. Prepare Suspect's Drive
When using P-ATA drives, verify that the Suspect's drive jumper block is properly
configured. For P-ATA drives the jumper block should be set for Single/Master
operation. For SAS or SATA drives, the drive's default jumper block settings are
recommended.

Connect the Suspect's drive to the unit's SUSPECT-1 SAS/SATA or USB data
connector located on the unit's Left Panel (Fig. 8). Use of P-ATA drives requires
use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Source
Drive Panel.

If necessary, connect a second Suspect's drive to the unit's SUSPECT-2
SAS/SATA or USB data connector located on the unit's Right Panel (Fig. 9).
NOTE: A second instance of the Control Console will be required to capture
data from two Suspect drives simultaneously. Refer to the section titled
Running Multiple Operational Modes Simultaneously in Chapter 5 for
additional information.

2. Prepare the Evidence Drive(s)

Connect the Evidence drive to the unit's EVIDENCE-1 SAS/SATA or USB data
connector located on the unit's Front Panel (Fig. 10). Use of P-ATA drives
requires use of the supplied S-ATA-to-P-ATA Adapters.
NOTE: The drive detected in this position will be listed in the Active Destination
Drive Panel.

If necessary, connect a second Evidence drive to the unit's EVIDENCE-2
SAS/SATA or USB data connector located on the unit's Front Panel (Fig. 10).

The Evidence drive(s) should be sanitized prior to performing a Capture
operation.

NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The Write-Protection feature of all Evidence drive ports will
automatically be disabled if the selected operational mode requires writing to
the Evidence drive(s).

3. Connect the printer (optional).


4. Configure the unit's Settings.
Select the required operation from the Control Console's Operation pull down
menu located in the Advanced Interface Control Console.
Verify Settings of selected Operation. See Chapter 5 for Operational Mode
recommended settings.
Verify the unit's Common Settings (See Table 2). The Common Settings are located
in the Advanced Settings Screen.
Table 2: Common Settings

Menu Item                                    Setting
Start Operation After Detection              Enable
Confirm Master and Target Drives             Enable
Auto Run                                     Disable
Bad Sector Handling                          Log and Skip
Start View                                   Advanced Screen
Drive Detection Mode                         Fast Detection
Wait Time After Powering Up Each Drive       2
Wait Time Between Powering Up Drives         20
Maximum Scanning/Detection Time              60
Max Detect Drive Time                        60
Max Detect Drive Power Time                  0
Transfer Buffer Size                         10
Speed Sampling Rate                          100
Diagnostics                                  Enable Power Board

5. Removing Drives

The Drive Select menu provides a power indicator for each drive position. The
indicator will be GREY prior to drive detection, GREEN if the drive is detected or
if the operation passed, and RED if the drive is not detected or if the operation
was not successful. Drives are powered OFF after an operation completes.
Drives can be physically removed after an operation completes and the drive is
removed from its assigned Active Drive Status Panel.

6. Follow the Operational Procedure instructions in this chapter for the required
operation.


Capturing Drives using Single Capture Mode


The following section describes the procedure to use the Single Capture
mode for Capturing Suspect's data from drive(s) that have been removed
from their PC or Notebook.
1. The Advanced Interface Control Console will be displayed after the unit is
powered ON.
2. Connect and configure the drives as outlined in the Quick Start and Prepare to
Capture sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
3. Select Single Capture from the Operation pull down menu, located in the Main
Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 3 for recommended settings.
5. Verify the Common Settings located in the Settings Screen. See Table 2 for
recommended settings.
6. Select CASE INFO from the Main Screen and enter the required information.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Suspect drive should be listed in the
Source Drive panel's list, and the Evidence drive should be listed in the
Destination Drives panel's list.
NOTE: If necessary, select non-active drive(s) listed in the Other Detected
Drives panel and move them to either the Source Drive or Destination
Drives panels. The drive(s) listed in the Source Drive or Destination
Drives panels are considered active drives and will be used during data
transfer operations. If necessary, also transfer active drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel.


10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application and follow steps 2 through 9.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are calculated for the data
read from the Suspect's drive, not for the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
Table 3: Single Capture Recommended Settings

Menu Item             Setting
Operational Modes     Single Capture
Hash Method           SHA-2
Hash Targets          Enable (Optional)
Read Back-Verify      Disable (Optional)


Capturing using LinuxDD Capture Mode


The following section describes the procedure to use the LinuxDD Capture
mode for Capturing Suspect's data from a drive that has been removed from
its PC or Notebook.
1. Connect and configure the drives as outlined in the Quick Start and Prepare to
Capture sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select LinuxDD Capture from the Operation pull down menu, located in the
Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 4 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the
operation for creating the LinuxDD directory and segmented files.
5. Set the LinuxDD file fragment size by selecting the size from the Capture File
Size pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for
recommended settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Suspect drive should be listed in the
Source Drive panel's list, and the Evidence drive should be listed in the
Destination Drives panel's list.
NOTE: If necessary, select non-active drive(s) listed in the Other Detected
Drives panel and move them to either the Source Drive or Destination
Drives panels. The drive(s) listed in the Source Drive or Destination
Drives panels are considered active drives and will be used during data
transfer operations. If necessary, also transfer active drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel.


10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application by selecting New Copy Session from the
Navigation Bar and follow steps 2 through 9.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are calculated for the data
read from the Suspect's drive, not for the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
Table 4: LinuxDD Capture Recommended Settings

Menu Item             Setting
Operational Modes     LinuxDD Capture
Hash Method           SHA-2
Hash Targets          Enable (Optional)
Read Back-Verify      Disable (Optional)
Capture File Size     4GB


Capturing using E01 Capture Mode


The following section describes the procedure to use the E01 Capture
mode for Capturing Suspect's data from a drive that has been removed from
its PC or Notebook.
1. Connect and configure the drives as outlined in the Quick Start and Prepare to
Capture sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select E01 Capture from the Operation pull down menu, located in the Main
Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 5 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the
operation for creating the E01 directory and segmented files.
5. Set the E01 file fragment size by selecting the size from the Capture File Size
pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for
recommended settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected operation from the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Suspect drive should be listed in the
Source Drive panel's list, and the Evidence drive should be listed in the
Destination Drives panel's list.
NOTE: If necessary, select non-active drive(s) listed in the Other Detected
Drives panel and move them to either the Source Drive or Destination
Drives panels. The drive(s) listed in the Source Drive or Destination
Drives panels are considered active drives and will be used during data
transfer operations. If necessary, also transfer active drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel.

10. If capturing from two Suspect drives, start a second instance of the IMSolo-IV
Forensic Capture application by selecting New Copy Session from the
Navigation Bar and follow steps 2 through 10.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are generated for the data
read from the Suspect's drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.

E01 Capture Recommended Settings
Table 5
Menu Item            Setting
Operational Modes    E01 Capture
Hash Method          SHA-1
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    2GB
Compression          0

Capturing from an Unopened PC or Notebook


The following section describes the procedure for Capturing Suspect's data
from an Unopened PC or Notebook.
1. Connect and configure the Evidence drives as outlined in the Quick Start and
Prepare to Capture sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select the Operational Mode from the Operation pull down menu, located in the
Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen.
4. Verify the Common Settings located in the Settings Screen. See Table 2 for
recommended settings.
5. Select DETECT REMOTE DRIVES from the Drive Selection Panel.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
6. Select the Evidence Drive(s) to be used for the selected operation from the Drive
Selection Panel.
7. Verify all remaining applicable settings and optionally enter Case Information
using the CASE INFO screen functions.
NOTE: Hash values generated during the capture operation are generated for
the data read from the Suspect's drive, not from the data read from the
Evidence (target) drive, unless the unit is instructed to hash the
Evidence drive(s) by enabling the Hash Targets function. As an
alternative, the Evidence Drives can also be hashed after the capture
operation using the Hash mode of operation.
8. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-IV unit's
Ethernet port and to the Notebook/PC Ethernet port. Alternately, connect the
Gigabit USB-to-Ethernet Network Adapter to the Notebook/PC USB port and the
Ethernet Cable connector end to the IMSolo-IV unit's Ethernet port. See the
instructions titled USB-to-Ethernet Connection for additional details.
9. Configure the Suspect's PC or Notebook BIOS to boot from its CD-ROM or DVD
drive. Most BIOS have a section titled Boot Order to perform this function.
NOTE: Various PC or Notebook BIOS require different key combinations at boot
up to change the default Boot Order. It is the user's responsibility to
correctly set up the Suspect's PC or Notebook BIOS.
10. Insert the LinkMASSter Bootable CD and allow the Suspect's PC or Notebook to
boot from the LinkMASSter CD.
11. After Initializing the Environment, the LinkMASSter application will display a
prompt indicating "Do you want to prepare a USB Flash?" Select NO to
continue.
NOTE: To configure a USB device for LinkMASSter usage, see the instructions
titled USB LinkMASSter Setup and Usage for additional details.
12. The LinkMASSter Network Capture Agent Screen is displayed with the computer's
detected drive information.
13. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control
Console screen. The Suspect drive, located in the Suspect's computer, will be
listed in the Source Drive panel list and the Evidence drive will be listed in the
Destination Drives panel list.
14. Select START to begin the operation. Operational status information will be
displayed during an operation.
15. After the operation completes, the Evidence drive will be powered OFF and can
be safely removed. Remove the LinkMASSter CD from the Suspect's computer
prior to powering OFF the computer. The simulated drive status LEDs will be set
to GREEN if the operation passes or RED if the operation fails. Log files will
automatically be stored internally and can be transferred to external media using
the unit's USB ports, located on the back of the unit.
NOTE: Prior to saving logs to external media, disable the DETECT REMOTE
DRIVES function from the Drive Selection Panel.

Capturing to a Shared Folder


The following section describes the procedure to use the LinuxDD or E01
Capture modes for capturing and storing Suspect's data to a Shared
Network Folder.
1. Connect and configure the Suspect drives as outlined in the Quick Start and
Prepare to Capture sections of the manual.
NOTE: Attach an Evidence drive if capturing to both a local Evidence drive and
a Network Shared Folder.
2. Configure a Shared Network Folder on the Network PC.
3. Connect the appropriate Ethernet Cable to the IMSolo-IV unit and to the Network
PC.
NOTE: An Ethernet Cross-Over cable would be required for direct connection.
4. Establish a Network Connection between the IMSolo-IV and the Destination
Network PC using the IMSolo-IV O/S DESKTOP/CONTROL PANEL/NETWORK
and INTERNET CONNECTIONS Tools.
NOTE: It is the responsibility of the User to properly configure the Network for
proper connectivity and to properly configure the Shared Network Folder.
The Shared Network Folder requires write access. If properly
configured, the Shared Network Folder should be accessible from the
IMSolo-IV.
5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in
the Main Screen.
6. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen.
7. Select File Name and enter the name of the file which will be used by the
operation for creating the LinuxDD or E01 directory and segmented files.
8. Set the file fragment size by selecting the size from the Capture File Size pull
down menu.
9. Verify the Common Settings located in the Settings Screen. See Table 2 for
recommended settings.
10. Select the Suspect drive to be used for the selected Operation using the Drive
Selection Panel.
NOTE: Do not select any Evidence position from the Drive Selection Panel
unless an Evidence drive will also be used as a Destination drive.

11. Select Add Network Location from the Drive Selection Panel. The Add Network
Location menu screen is displayed.
12. Select Browse from the Add Network Location menu screen.
13. Select My Network Places to locate and select the Shared Network Folder. The
Shared Network Folder will be listed in the Evidence Drives Panel.
14. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control
Console screen. The Suspect drive will be listed in the Source Drive Panel list
and the Shared Network Folder will be listed in the Evidence Drives Panel.
15. Select CASE INFO from the Main Screen and enter the required information.
16. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels.

Hash values generated during the capture operation are generated for the data
read from the Suspect's drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.
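Because the capture hash covers only the data read from the Suspect drive, the segments written to the Evidence drive or Shared Network Folder can be checked independently afterwards. The following is an added example, not ICS code: it assumes LinuxDD segments are raw, contiguous slices of the source named <name>.001, <name>.002, ... (a hypothetical naming scheme), and it does not apply to E01 files, which need an E01-aware tool.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1024 * 1024  # bytes read per call while streaming a segment


def ordered_segments(case_dir, base_name):
    """Return segment paths in numeric order; raise if the sequence has a gap.

    Assumes names of the form <base_name>.001, <base_name>.002, ...
    (hypothetical; adjust the pattern to what the capture actually wrote).
    """
    pattern = re.compile(re.escape(base_name) + r"\.(\d{3,})")
    found = {}
    for entry in os.listdir(case_dir):
        m = pattern.fullmatch(entry)
        if m:
            found[int(m.group(1))] = os.path.join(case_dir, entry)
    if not found:
        raise FileNotFoundError(f"no segments for {base_name!r} in {case_dir}")
    indexes = sorted(found)
    if indexes != list(range(1, len(indexes) + 1)):
        missing = sorted(set(range(1, indexes[-1] + 1)) - set(indexes))
        raise ValueError(f"segment sequence has gaps: missing {missing}")
    return [found[i] for i in indexes]


def hash_segments(paths, algorithm="sha256"):
    """Hash the segments as one continuous stream, as if reading the drive."""
    digest = hashlib.new(algorithm)
    total = 0
    for path in paths:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    break
                digest.update(block)
                total += len(block)
    return digest.hexdigest(), total


def verify_capture(case_dir, base_name, logged_source_hash, algorithm="sha256"):
    """Compare the hash of the stored segments with the hash in the capture log."""
    paths = ordered_segments(case_dir, base_name)
    computed, size = hash_segments(paths, algorithm)
    return {
        "segments": len(paths),
        "bytes": size,
        "computed": computed,
        "match": computed == logged_source_hash.strip().lower(),
    }


def build_constructed_case(case_dir, base_name, data, fragment_size):
    """Write constructed sample data as fixed-size segments (demo input only)."""
    for n, start in enumerate(range(0, len(data), fragment_size), start=1):
        with open(os.path.join(case_dir, f"{base_name}.{n:03d}"), "wb") as fh:
            fh.write(data[start:start + fragment_size])


def demo():
    # Constructed 1 MiB stand-in for the Suspect drive contents.
    source = bytes(range(256)) * 4096
    # Stands in for the source hash recorded in the audit trail.
    logged = hashlib.sha256(source).hexdigest()
    with tempfile.TemporaryDirectory() as case_dir:
        build_constructed_case(case_dir, "case01", source, 300_000)
        intact = verify_capture(case_dir, "case01", logged)

        # Flip one byte in segment 2: the stored copy no longer matches the log.
        seg2 = os.path.join(case_dir, "case01.002")
        with open(seg2, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        altered = verify_capture(case_dir, "case01", logged)

        # Remove segment 3: a missing file is reported before any hashing.
        os.remove(os.path.join(case_dir, "case01.003"))
        try:
            verify_capture(case_dir, "case01", logged)
            gap = None
        except ValueError as exc:
            gap = str(exc)
    return intact, altered, gap


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Pass the algorithm that matches the Hash Method used for the capture (for example "sha1" or "sha256") so the computed value is comparable with the logged one.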

Encrypting Data During Data Capture


The following section describes the procedure to Encrypt data seized from
the Suspect's drive.
1. Connect and configure the drives as outlined in the Quick Start and Prepare to
Capture sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select the Capture Mode from the Operation pull down menu, located in the
Main Screen.
NOTE: Sanitize (WipeOut) the Evidence drive(s) prior to Encrypting data. Do
not use LinuxDD or E01 [7] Evidence drives which contain previously
captured cases which were not Encrypted.
3. Select On-Screen Keyboard from the Navigation Bar.
4. Select Encrypt/Decrypt from the Operation's dynamically displayed settings
menu.
5. Select the AES Key Length and AES Mode.
NOTE: For compatibility with the IMSolo-III Encryption and ICS Disk Cypher
hardware, choose 192 as the AES Key Length and ECB as the AES
Mode.
6. Select Encrypt.
7. Select Save Key. Select a name for the Encryption Key. which will be required
NOTE: In addition to unique password information, the saved Encryption Key
will also contain the selected AES Key Length and AES Mode settings.
8. Select Exit Encryption Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the
Settings Screen. See Table 2 and 6 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Capture or E01 Capture is in use, select File Name and enter the
name of the file which will be used by the operation for creating the Case
directory and segmented files. Set the File Fragment Size by selecting the size
from the Capture File Size pull down menu.
12. Select the drives to be used for the selected operation from the Drive Selection
Panel.

[7] E01 Capture Encryption Support was pending development at time of this document's (Rev 2.1) release.

13. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Suspect drive should be listed in the
Source Drive panel's list, and the Evidence drive should be listed in the
Destination Drives panel's list.
NOTE: If necessary, select non-active drive(s) listed in the Other Detected
Drives panel and move them to either the Source Drive or Destination
Drives panels. The drive(s) listed in the Source Drive or Destination
Drives panels are considered active drives and will be used during data
transfer operations. If necessary, also transfer active drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel. If capturing from two Suspect drives, start a second instance of
the IMSolo-IV Forensic Capture application and follow steps 1 through
13.
NOTE: Refer to the section titled Running Multiple Operational Modes
Simultaneously in Chapter 5 for additional information.

Hash values generated during the capture operation are generated for the data
read from the Suspect's drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.

Encryption Capture Recommended Settings
Table 6
Menu Item            Setting
Operational Modes    Single Capture / LinuxDD Capture / E01 Capture [8]
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       192
AES Mode             ECB
Encrypt              Enable

[8] E01 Capture Encryption Support was pending development at time of this document's release.

Decrypting Data During Data Transfer


The following section describes the procedure to Decrypt data from an
Encrypted Evidence drive.
1. Connect the Evidence drive with the Encrypted Case data to one of the unit's
Suspect positions.
2. Connect a blank Destination drive to one of the unit's Evidence positions.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The ports' Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
3. Select the Operational Mode from the Operation pull down menu, located in the
Main Screen.
NOTE: The supported Operational modes for Decryption are Single Capture,
LinuxDD Restore and E01 Restore [9]. The Hash Only modes would
also be supported to generate hash values based on decrypted data.
4. Select On-Screen Keyboard from the Navigation Bar.
5. Select Encrypt/Decrypt from the Operation's dynamically displayed settings
menu.
6. Select Decrypt.
7. Select Load Key to select the saved Encryption Key which was used to Encrypt
the Case data.
NOTE: Since the saved Encryption Key also contains the original AES Key
Length and AES Mode settings, it is not necessary to manually enter
these settings.
8. Select Exit Encrypt/Decrypt Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the
Settings Screen. See Table 2 and 8 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Restore or E01 Restore is in use, select File Name and enter the
name of the file which will be used by the operation for selecting the Case
directory and segmented files.
12. Select the drives to be used for the selected operation from the Drive Selection
Panel.
13. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels.
[9] E01 Decryption Support was pending development at time of this document's (Rev 2.1) release.

Hash values generated during the capture operation are generated for the data
read from the Suspect's drive, not from the data read from the Evidence (target)
drive, unless the operation is instructed to hash the Evidence drive by enabling
the Hash Targets function.

Decryption Capture Recommended Settings
Table 7
Menu Item            Setting
Operational Modes    Single Capture / LinuxDD Restore / E01 Restore [10]
Hash Method          SHA-2
Hash Targets         Enable (Optional)
Read Back-Verify     Disable (Optional)
AES Key Length       N/A
AES Mode             N/A
Decrypt              Enable

[10] E01 Decryption Support was pending development at time of this document's (Rev 2.1) release.

Restoring from LinuxDD or E01 Segmented File Format

The following section describes the procedure to use the LinuxDD or E01
Restore mode to restore the captured Linux-DD or E01 segmented file
formatted case to its original drive format.
1. The Advanced Interface Control Console will be displayed after the unit is
powered ON.
2. Connect and configure the drives as outlined in the Quick Start and Prepare to
Copy sections of the manual.
3. Select LinuxDD Restore or E01 Restore from the Operation pull down menu,
located in the Main Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 7 for recommended settings.
5. Select File Name and enter the name of the file which was used by the LinuxDD
or E01 Capture operation for creating the segmented Case files.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for
recommended settings.
7. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. A prompt will be
displayed requesting the Operator to verify that the detected drives are listed in
the appropriate Drive Status panels. The Source drive should be listed in the
Source Drive panel's list, and the Target drive should be listed in the Destination
Drives panel's list.

Restore Recommended Settings
Table 8
Menu Item            Setting
Operational Modes    LinuxDD Restore / E01 Restore
Hash Method          Disable (Optional)
Hash Targets         Disable (Optional)
Read Back-Verify     Disable (Optional)
Capture File Size    Not Applicable

Sanitizing Drives Using WipeOut DoD


Use the Wipe Out DoD mode to sanitize drives using the U.S. Department
of Defense DoD 5220-22M specification.
1. The Advanced Interface Control Console will be displayed after the unit is
powered ON.
2. Connect and configure the drives as outlined in the Quick Start and Prepare to
Copy sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main
Screen.
4. Select DoD as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 9 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for
recommended settings.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive
should be listed in the Suspect Drive panel's list, and the Evidence drive(s)
should be listed in the Destination Drives panel's list.

WipeOut DoD SETTINGS
Table 9
Menu Item          Recommended Setting
Copy Mode          WipeOut
ReadBack-Verify    Disable (Optional)
WipeOut Mode       DoD

Sanitizing Drives Using WipeOut - User


The Wipe Out User operation can be used to sanitize drives in one pass
rather than 7 passes which is required using the DoD Wipe Out method.
1. The Advanced Interface Control Console will be displayed after the unit is
powered ON.
2. Connect and configure the drives as outlined in the Quick Start and Prepare to
Copy sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main
Screen.
4. Select User as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the
Operations Main Screen. See Table 10 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for
recommended settings.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive
should be listed in the Suspect Drive panel's list, and the Evidence drive(s)
should be listed in the Destination Drives panel's list.

WipeOut-User SETTINGS
Table 10
Menu Item          Recommended Setting
Copy Mode          WipeOut
ReadBack-Verify    Disable (Optional)
WipeOut Mode       User
Iterations         0
Pattern            0

Sanitizing Drives Using WipeOut Secure Erase


The Wipe Out Secure Erase operation can be used to sanitize drives in one
pass using the drive's built-in Erase functions.
1. The Advanced Interface Control Console will be displayed after the unit is
powered ON.
2. Connect and configure the drives as outlined in the Quick Start and Prepare to
Copy sections of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main
Screen.
4. Select Secure Erase as the Operational Mode setting.
5. Verify the Common Settings located in the Settings Screen. See Table 3 for
recommended settings.
6. Select the drives to be used for the selected operation from the Drive Selection
Panel.
7. Select Start from the Main Screen to begin the operation. The Suspect drive
should be listed in the Suspect Drive panel's list, and the Evidence drive(s)
should be listed in the Destination Drives panel's list.
NOTE: It may be necessary to Disable the ics password which is set on the drive
during Secure Erase if the operation is aborted prior to completion. If the
User Password is not reset, the drive will block Read and Write commands.
It is not necessary to disable the drive's User Password if Secure Erase is
used to erase the drive after an aborted operation.

WipeOut-Secure Erase SETTINGS
Table 11
Menu Item       Recommended Setting
Copy Mode       WipeOut
WipeOut Mode    Secure Erase

Transferring Audit Trail and Log Information


The following section describes the procedure to transfer Audit Trail and
Log information from the unit's internal storage to an External USB Storage
Device.
1. Select the LOG Tab function, located in the Advanced Interface Control
Console.
2. Select Copy Logs to a Removable Device. A message will be displayed
prompting the User to insert a USB Storage Device.
3. Insert a USB Storage Device on one of the unit's available USB general purpose
ports, located on the back of the unit. Select OK to continue.
4. The USB Storage Device Volume will be mounted and the Device will be listed in
the Other Detected Drives Panel. Disregard the Windows AutoPlay prompt and
wait for the prompt indicating "Select Files to Copy". Select the Event Log and
Audit file(s) to copy.
NOTE: If the USB Device is not properly detected, remove the USB Device and
repeat steps 3-7.
5. Select OPEN from the Select Files to Copy prompt, to continue.
6. Select the destination folder on the USB Device to store the selected file(s) and
select OK to store the selected files.
7. The USB Storage Device can be removed after the Device is removed from the
Other Detected Drives Panel.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using
128-bit password encryption protection, so the Audit Trail contents cannot
be changed. The Company Logo can be added to the Audit Trail PDF by
selecting its location using the "SET AUDIT TRAIL LOGO" function, located
in the LOG menu screen.

Running Multiple Operational Modes Simultaneously

The following section describes the general procedure to use the IMSolo-IV
Forensic Application to run multiple operations simultaneously.
1. Connect and configure the drives as outlined in the Quick Start and Prepare to
Capture sections of the manual.
2. Select the required Operation from the Operation pull down menu, located in the
Main Screen.
3. Select CASE INFO from the Main Screen and enter the required information.
4. Verify the Operational Mode Settings and Common Settings.
5. Select only the drives to be used for the selected operation from the Drive
Selection Panel.
6. Select Start from the Main Screen to begin the operation using the current active
instance of the IMSolo-IV Forensic Capture application.
7. Verify that the detected drives are in their respective Drive Status Panels. The
drives listed in the Source Drive and Destination Drives Panels are considered
Active drives and will be used by the current instance of the IMSolo-IV Forensic
Capture application.
8. Select New Copy Session from the Navigation Bar to begin a new instance of
the IMSolo-IV Forensic Capture application.
NOTE: The second instance of the IMSolo-IV Forensic Capture application can
be started before or after beginning an operation using a prior instance
of the application.
9. Repeat steps 1 to 7.
NOTE: The number of operations which can be performed in parallel is limited by
the available ports and the unit's available resources.

Previewing Write-Protected Drive Data


The following section describes the procedure to securely view data from
the drive(s) connected to the IMSolo-IV ports.
1. Connect and configure the drive as outlined in the Prepare for Operation
section of the manual.
2. Select the drives to be used for the selected operation from the Drive Selection
Panel.
3. Select Detect Drives from the Console's main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control
Console.
5. Highlight and Select the drive to be previewed from the Console's Drive Status
Panel.
6. Verify that the Write-Protect function is Enabled (checked) in the Mount Drive
Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview access to the drive's volume
using the unit's O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to preview the drive's volume.
10. To turn OFF the drive after previewing the drive's volume, select the drive from
the Drive Selection Panel and select REMOVE DRIVES.

Enabling Manual Write-Access to Evidence Drive Positions

The following section describes the procedure to allow write operations to
be performed manually to drives connected in the Evidence drive positions.
1. Connect and configure the Evidence drive as outlined in the Prepare for
Operation section of the manual.
2. Select the drives to be used for the selected operation from the Drive Selection
Panel.
3. Select Detect Drives from the Console's main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control
Console.
5. Highlight and Select the drive to be accessed from the Console's Drive Status
Panel.
6. Select (check) the Write-Protect setting in the Mount Drive Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview and write access to the
Evidence drive's volume using the unit's O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to access the drive's volume.
10. To turn OFF the drive after accessing the drive's volume, select the drive from
the Drive Selection Panel and select REMOVE DRIVES.

Appendix A:
Operational Notes

Image MASSter Solo-IV Internet/Network Connection Disclaimer

Intelligent Computer Solutions, Inc. (ICS) assumes no liability for the security of the
customer's computer/network systems. ICS assumes no liability for the security of the
Image MASSter Solo-4 when it is connected to either the Internet or another Network.
Utilizing the Image MASSter Solo-4 for data seizure from a network or uploading data
to a network requires the unit to be connected to the network, and this may cause a risk
of the system being compromised. The user is responsible for taking the necessary
steps to ensure the safety of both the Image MASSter Solo-4 and the network in use
when the unit is utilized to either seize or upload data to/from a network.
The security of the Image MASSter Solo-4 when connected to the Internet or a
network relies on the user's discretion; however, ICS recommends that the user
take, at a minimum, the following steps:
1) The Image MASSter Solo-4 is set to have Internet Connection and Automatic
Windows Updates disabled as default. Users will need to enable Internet
Connection when seizing or uploading data from/to a network. It is highly
recommended that the user install anti-virus and firewall Hardware Device
protection prior to connecting the Image MASSter Solo-4 to either the Internet
or a network. A lesser protection can be achieved with personal firewall
software. Continuously running an updated version of anti-virus software with
the Image MASSter Solo-4 may help prevent an intrusion into the unit or
network. ICS recommends updating the anti-virus software program every time
the Image MASSter Solo-4 is connected to the Internet or a network.
2) Users should always utilize a clean (scanned for viruses) USB Thumb Drive
when updating the Image MASSter Solo-4 unit Software or Firmware.
3) Users should ONLY connect the Image MASSter Solo-4 to a network when
either seizing or uploading data. It is imperative for users to REMOVE the Image
MASSter Solo-4 connection when not actively performing these tasks.
These recommendations are provided to the user as a reference; however ICS cannot
assure that the Image MASSter Solo-4 will not become compromised when
connected to the Internet or a network. User assumes all responsibility for the data and
security of the Network.
Customers understand and agree that the use of the Image MASSter Solo-4 implies
acceptance to the terms and conditions specified in this disclaimer.

USB-to-Ethernet Connection
The IMSolo-IV LinkMASSter Option will also include a Gigabit USB-to-Ethernet
Network Adapter (CSAR-0265-000A) to allow connecting to a Notebook or PC
which does not have an Ethernet port, or if drivers are unavailable for the
computer's network interface. For improved performance, the Gigabit
USB-to-Ethernet Network Adapter would also be recommended when connecting to a
Notebook or PC which uses an Ethernet interface that offers less than a
1 Gigabit connection.
NOTE: When using the Gigabit USB-to-Ethernet Network Adapter, connect the
Ethernet connector to the IMSolo-IV unit and connect the USB connector
to the computer.
1. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-IV unit's
Ethernet port.
2. Connect the Crossover Ethernet Cable to the Gigabit USB-to-Ethernet
Network Adapter.
3. Connect the ICS supplied USB 8 Cable to the Gigabit USB-to-Ethernet
Network Adapter.
4. Connect the USB 8 Cable to the Notebook/PC USB port.

[Figure: Gigabit USB-to-Ethernet Network Adapter, with ends labelled "Connect to IMSolo-IV" and "Connect to PC"]

USB LinkMASSter Setup


The LinkMASSter-NET CD provides the function to configure a bootable USB Flash
device for LinkMASSter usage. Use of a USB Flash device may be necessary if the
computer does not have a CD or DVD drive.

1. Connect a spare USB Flash Drive [11] to your PC or Notebook.
2. Insert the LinkMASSter Bootable CD and allow the PC or Notebook to boot from the
LinkMASSter CD.
3. After Initializing the Environment, the LinkMASSter application will display a prompt
indicating "Do you want to prepare a USB Flash?" Select Y to continue.
4. The USB Flash Drive will be detected and its information will be displayed. Verify
that the correct device is listed and select YES to the prompt indicating "Format this
Disk?"
5. The USB Flash Disk will be formatted and the LinkMASSter image will be transferred
from the CD to the USB Flash Disk. The USB Flash Disk has been prepared for
LinkMASSter usage. Press a key to power-OFF the computer.

USB LinkMASSter Usage


1. Follow the LinkMASSter Quick Start Steps 1-9, previously outlined.
2. Connect the LinkMASSter USB Flash Drive to the Suspect's PC or Notebook.
3. Configure the Suspect's PC or Notebook BIOS to boot from the USB Flash Drive.
NOTE: Various PC or Notebook BIOS require different key combinations at boot up
to change the default Boot Order. It is the user's responsibility to correctly
set up the Suspect's PC or Notebook BIOS.
4. Allow the Suspect's PC or Notebook to boot from the LinkMASSter USB Flash Drive.
5. Follow the LinkMASSter Quick Start Steps 13-16, previously outlined.

[11] The USB Flash Drive is not supplied with the LinkMASSter Option.

IMSOLO-IV USB FLASH RESTORE INSTRUCTIONS

Prepare the USB Flash Device
The following are instructions to prepare a USB Flash Device for the
IMSolo-IV Restore Operation.
NOTE: The instructions involve formatting the USB Flash Device to configure the
device as a bootable device.
The following hardware is required:
PC with DVD Drive.
USB Flash Device (2GB or greater - Not Supplied).
IMSolo-IV Restore Tools DVD (Supplied).

1. Configure the PC's BIOS to boot from the PC's DVD Drive.
2. Insert the IMSolo-IV Restore Tools DVD into a PC's DVD Drive.
3. Insert a blank USB Flash Device (2GB minimum) into the PC's USB port.
4. Boot the PC from the IMSolo-IV Restore Tools DVD. A progress bar will be
displayed indicating "Loading ICS Recovery", followed by the IMSolo-IV Splash
screen and USB Preparation screen. The Select Disk screen will then be
displayed listing the detected USB Flash Device.
NOTE: The IMSolo-IV Restore Tools DVD is designed to protect the PC's local
drive from any overwrite operations.
5. Select YES from the Select Disk screen to select the USB Device for formatting.
The Confirm screen will be displayed with a message indicating "All the data on
the selected disk will be erased."
6. Select YES from the Confirm screen to begin formatting the USB Flash Device.
7. After approximately 5 minutes, a message will be displayed indicating The USB
Disk has been prepared to recover SOLO4. Press any key to continue.
8. The PC will automatically power OFF. The USB Flash Device is now ready to be
used for the IMSolo-IV Restore process. To continue, follow the instructions below
titled Prepare the IMSolo-IV BIOS and Start Restore.

Prepare the IMSolo-IV BIOS and Start Restore


The following are instructions to prepare the IMSolo-IV BIOS SETUP to allow the
IMSolo-IV to boot from the USB Flash Device to begin the IMSolo-IV Restore
process.

1. Insert the IMSolo-IV Restore USB Flash Device into one of the available
general purpose USB ports, located on the back of the unit.
2. Access the IMSolo-IV BIOS SETUP by pressing <DEL> during Power ON.
3. Select Integrated Peripherals from the BIOS SETUP Main Screen.
4. Select USB Device Setting.
5. Set the USB MASS Storage Device setting to HDD Mode.
6. Select Advanced BIOS Features from the BIOS SETUP Main Screen.
7. Select Hard Disk Priority.
8. Highlight USB Device and press <PgUp> until the USB Device is the first
device.
9. Press <F10> to Save and Exit. The unit will reboot.
10. The Restore process will automatically start after the IMSolo-IV boots from
the IMSolo-IV Restore USB Flash Device. The Restore process will take
approximately 5 minutes. A message will be displayed indicating "Success".
When the message is displayed, remove the USB Flash Device and press any key
to reboot the unit.
11. Verify that the current IMSolo-IV Forensic Software version is in use, by
selecting ABOUT from the IMSolo-IV application's main screen.
NOTE: It may be necessary to upgrade the IMSolo-IV Forensic Software
with the current Software version after the Restore Process
completes.


LinuxDD and E01 Capture exFAT Usage


The exFAT File System provides enhanced drive data security for LinuxDD and E01
Evidence drives. The following are the benefits of using the exFAT File System:
- Provides improved data security when transferring data between the Suspect
drive and Evidence drive during the LinuxDD Capture or E01 Capture operation.
The data is isolated from the unit's O/S environment.
- Provides for a quicker format of drives and uses less overhead.
- The exFAT file system uses 64 bits to define file size.
- Support for volumes that are larger than 32 GB when compared with FAT32. The
theoretical maximum volume size is 64 ZB.
- Support for files that are larger than 4 GB when compared with FAT32. The
theoretical maximum file size is 64 ZB.
- Support for more than 1000 files in a single directory.

NOTE: Previously formatted NTFS LinuxDD or E01 Evidence drives cannot be used
with the current version, which requires exFAT LinuxDD or E01 Evidence drives.
To preview exFAT LinuxDD or exFAT E01 Evidence drives using WIN-XP Workstations
or IMSolo-IV units configured with S/W versions prior to v4.2.54.0, it will be necessary to
load the exFAT File System driver (WindowsXP-KB955704-x86-ENU), which can be
downloaded using the ICS FTP Link IMSolo-IV Support Files. The exFAT File System
is currently supported by Win-VISTA and Windows 7.


DEFINITIONS
HASHING
Hashing is a process that calculates a "unique signature" value for the contents of an
entire drive.
MD5 Hash
Message Digest Algorithm is a 128-bit cryptographic hash function.
SHA-1
Secure Hash Algorithm is a 160-bit cryptographic hash function. Designed by the NSA.
SHA-2
Secure Hash Algorithm-2 is a 256-bit cryptographic hash function. Variant of SHA-1
with increased output ranges.

CRC32
Cyclic Redundancy Check Algorithm based on a 32-bit size hash value.
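
The hash definitions above, applied the way a forensic copy is checked, as an added example (not ICS software or the IMSolo-IV's own code): one pass over an image yields all four values, and a copy is accepted only if every value matches. The function names and the sample data are constructed for this illustration; the last function shows a property that makes CRC32 an error check rather than tamper evidence.

```python
import hashlib
import io
import zlib

CHUNK = 1 << 20  # read 1 MiB at a time so a whole drive never sits in memory

def fingerprint(stream, chunk_size=CHUNK):
    """One pass over a drive image; returns MD5, SHA-1, SHA-256 and CRC32."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc, total = 0, 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in (md5, sha1, sha256):
            h.update(block)
        crc = zlib.crc32(block, crc)  # running CRC carried across chunks
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "crc32": format(crc, "08x")}

def differing_values(source, evidence):
    """Names of the values that do not match between source and copy."""
    a, b = fingerprint(source), fingerprint(evidence)
    return sorted(name for name in a if a[name] != b[name])

def xor_bytes(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def crc32_xor_relation_holds(a, b, c):
    """For equal-length inputs, CRC32(a^b^c) == CRC32(a)^CRC32(b)^CRC32(c)."""
    combined = zlib.crc32(xor_bytes(xor_bytes(a, b), c))
    return combined == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)

# Constructed sample data: a 3 MiB "Suspect drive" and a copy with one bit flipped.
SUSPECT = bytes(range(256)) * (3 * 4096)
BAD_COPY = bytearray(SUSPECT)
BAD_COPY[1_500_000] ^= 0x01
BAD_COPY = bytes(BAD_COPY)

if __name__ == "__main__":
    print(fingerprint(io.BytesIO(SUSPECT)))
    print("exact copy:", differing_values(io.BytesIO(SUSPECT), io.BytesIO(SUSPECT)))
    print("bad copy:  ", differing_values(io.BytesIO(SUSPECT), io.BytesIO(BAD_COPY)))
    print("CRC32 XOR relation:", crc32_xor_relation_holds(b"sector-A", b"sector-B", b"sector-C"))
```

Because CRC32 values combine predictably under XOR, a matching CRC32 shows only that no accidental corruption occurred; the cryptographic hashes are the values to record for evidence integrity.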

Sanitize
Sanitize refers to the process of clearing a drive of all previously stored data. The
WipeOut function can be used to sanitize a drive.

Host Protected Area (HPA)
HPA is defined as a reserved area for data storage outside the normal operating file
system. This area is hidden from the operating system and file system and is normally
used for specialized applications. Systems may wish to store configuration data or save
memory to the hard disk drive device in a location that the operating systems cannot
change. If an HPA area exists on a Suspect's drive, the IMSolo-IV Forensics seizure
operation will detect this area and capture all the contents of the drive's sectors,
including all the HPA hidden sectors, to the Evidence drive.

Device Configuration Overlay (DCO)
DCO allows systems to modify the apparent features provided by a hard disk drive
device. DCO provides a set of commands that allows a utility or program to modify
some of the modes, commands and feature sets supported by the hard disk drive. DCO
can be used to hide and protect a portion of the drive's area from the operating system
and file system. If DCO is detected on a Suspect's drive, the IMSolo-IV Forensics
seizure operation will capture all the contents of the drive's sectors, including all the
DCO hidden sectors, to the Evidence drive.
Advanced Encryption Standard (AES)
AES is a 128-bit block cipher Encryption Standard, which supports a choice of three key
sizes (128, 192 and 256-bits) according to the level of security required. AES has
become the encryption algorithm of choice for applications requiring a high degree of
data security.
AES Modes
AES Modes provide a method of implementing different AES properties. The AES
modes provided by the IMSolo-IV Forensics unit are described as follows:

Electronic Code Book (ECB)
The message is divided into blocks and each block is encrypted separately.

Cipher Block Chaining (CBC)
Each block of plaintext is XORed with the previous ciphertext block before being
encrypted.

Cipher FeedBack (CFB)
Makes a block cipher into a self-synchronizing stream cipher. A stream cipher is
a symmetric key cipher where plaintext bits are combined with a pseudorandom
cipher bit stream (keystream), typically by an XOR operation.

Output FeedBack (OFB)
Makes a block cipher into a synchronous stream cipher: it generates keystream
blocks, which are then XORed with the plaintext blocks to get the ciphertext.

Counter (CTR)
Counter mode turns a block cipher into a stream cipher. It generates the next
keystream block by encrypting successive values of a "counter".

NOTE: For IMSolo-III Encryption/Decryption Compatibility and ICS DiskCypher usage,
it is recommended to use the IMSolo-IV AES 192 Key Length and AES CBC
Mode settings.
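
The five mode definitions above, written out as an added example (not ICS code or the unit's implementation) so the chaining in each mode can be compared side by side. Python's standard library has no AES, so E below is a stand-in 128-bit block cipher, which is an assumption of this example; all function names and the sample key, IV and sector are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; AES also uses a 128-bit block
KEY, IV, SECTOR = b"constructed key!", bytes(range(16)), bytes(512)  # constructed sample

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):  # stand-in block cipher (4-round Feistel over HMAC-SHA256), NOT AES
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def split(data):
    if len(data) % BLOCK:
        raise ValueError("whole blocks only: this example does no padding")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):  # each block is encrypted separately
    return b"".join(E(key, p) for p in split(pt))

def cbc(key, iv, pt):  # plaintext XORed with previous ciphertext, then encrypted
    out = [iv]
    for p in split(pt):
        out.append(E(key, xor(p, out[-1])))
    return b"".join(out[1:])

def cfb(key, iv, pt):  # previous ciphertext is encrypted to make the keystream
    out = [iv]
    for p in split(pt):
        out.append(xor(p, E(key, out[-1])))
    return b"".join(out[1:])

def ofb(key, iv, pt):  # keystream E(iv), E(E(iv)), ... never depends on the data
    out, ks = [], iv
    for p in split(pt):
        ks = E(key, ks)
        out.append(xor(p, ks))
    return b"".join(out)

def ctr(key, nonce, pt):  # keystream block n = E(nonce || n)
    return b"".join(xor(p, E(key, nonce + n.to_bytes(8, "big")))
                    for n, p in enumerate(split(pt)))

def repeats(ct):  # number of ciphertext blocks that duplicate an earlier block
    return len(split(ct)) - len(set(split(ct)))
```

On the all-zero sector, `repeats(ecb(KEY, SECTOR))` returns 31 because ECB maps identical plaintext blocks to identical ciphertext blocks, while the same call on the `cbc` or `ctr` output returns 0.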


Appendix B:
Product Information
Limited Warranty
Intelligent Computer Solutions, Inc. warrants that our products are free from defects in materials and
workmanship for a period of twelve (12) months from the date of purchase by the original buyer. If you
discover physical defects or malfunction, Intelligent Computer Solutions, Inc. will, at our discretion, repair
or replace the product. You must return the defective product to Intelligent Computer Solutions, Inc. within
the warranty period accompanied by an RMA number that has been issued by Intelligent Computer
Solutions, Inc.

All products purchased from Intelligent Computer Solutions, Inc. include a seven-day unconditional
money-back guarantee.
Intelligent Computer Solutions, Inc.'s products are shipped in cardboard boxes that have been designed
and tested to ensure that our products can endure standard commercial shipping methods and still arrive
in working order. We advise you to save your box and original packing materials in case you need to
return the product(s) for any reason. If product(s) are returned without proper protective packaging, the
warranty may be void.
When you receive your product(s), please note the following:
- That the shipping box does not have dents or visible damage.
- What you have received conforms to the packing list.
- There is no apparent damage to the product(s) or accessories.
If any shipping damage is found:
- Please contact the shipper immediately to inspect.
- Please contact our Technical Support Department to report the damage.


What is Not Covered:


This limited warranty provided by Intelligent Computer Solutions, Inc. does not cover:
- Products which have been subjected to abuse, accident, alteration, modification, tampering,
negligence, misuse, faulty installation, lack of reasonable care, or if repaired or serviced by
anyone without prior authorization from Intelligent Computer Solutions, or if the model or serial
number has been altered, tampered with, defaced or removed.
- Normal maintenance.
- Damage that occurs in shipment due to act of God and/or cosmetic damage.
- Accessories
Please note that External cables are covered by a 30-day warranty.
This Agreement also does not include service (whether parts or labor) necessitated by any natural cause
such as flood, tornado, earthquake or other acts of nature.

Limitation of Liability
The following limitations of ICS liability apply:
ICS is not liable for any incidental or consequential damages, including, but not limited to
property damage, loss of time, loss resulting from use of an ICS product, or any other damages
resulting from breakdown or failure of a serviced product or from delays in servicing or inability
to render service on ICS product. ICS will make every effort to ensure proper operation of its
product. It is, however, the Customer's responsibility and obligation to verify that the output of
ICS product meets the Customer's quality requirement. Customer acknowledges that improper
operation of ICS product and/or software, or hardware problems, can cause defective formatting
or data loading to target drive. It is the customer, not ICS, who is responsible for verifying that
the drive meets the Customer's quality standards. ICS will make efforts to solve any problems
identified by Customer.

Technical Support
For help in resolving a problem, contact ICS Technical Support at:
Phone: 1-818-998-5805 between 7 a.m. and 6 p.m. Pacific Time.
Please be prepared with the following information:
- serial number of the IMSolo-IV unit
- nature of the problem
- steps you have taken
- your phone and fax numbers
- error messages displayed on the screen
