Forensics 101

How To: Multitask With Logicube’s Forensic Falcon NEO

Welcome to Logicube’s tutorial on the Forensic Falcon NEO. In this session we’ll show you how to multitask.

For this tutorial I have connected the Falcon NEO to a network, and from a PC on the same network I’ve logged into the unit using a web browser so that I can operate remotely. I’ve already started an imaging task, and we can easily add more tasks and start them simultaneously, streamlining the evidence collection process.

The Falcon NEO supports a total of up to five tasks of each operation type. To set a second, third or even fourth imaging task, click on the upper right icon ‘Add New Task’. A tab will pop up. Click on that tab and you’ll see that all of the icons for settings and mode and source and destination will appear in the centre of the screen.

We’ll click on ‘Mode’, and for this task I’m going to choose ‘Drive To Drive’, which is a bit-for-bit copy of the source drive. I’ll click on ‘Source’, we’re going to choose the PCIE drive in S1. Click ‘OK’. Our settings: we’ll maintain the 100% clone.

Case information: you can add case information here, and all of this information will then appear on the log file for this particular task. We’ll keep the defaults for HPA and DCO, which means that they are unlocked and available to clone. For error handling, we’ll choose ‘Skip’, and for error granularity we’ll choose ‘One Sector’, and for reverse read, we’ll choose ‘No’.

For your hash verification in this case, with this clone, I will choose none, and have no verify. Click ‘OK’. ‘OK’ again. And then select your destination drive. In this case I’ll select D1. All drives that are connected to the Falcon NEO destination side will appear in this list.

Once you have all of your settings completed, just press ‘Start’. A confirmation prompt will appear; click ‘Yes’, and now we have a second imaging task running. I can add a third task, again the tab will pop up, click on that, select your mode – in this case we’ll use our default, Drive To File. For our source drive I’m going to choose S1, click ‘OK’. For settings we’ll use the default settings, so E01, hash method SHA-1, click ‘OK’, choose the destination: in this case I’m going to choose D1. Click ‘OK’ and just press ‘Start’.

And again, a progress bar will appear. We have three imaging tasks running. And in the upper left-hand corner at the top of the screen, you’ll see icons for each of the tasks that are running on the Falcon NEO. And these will fill in with green areas as the tasks proceed.

We can now add a Wipe / Format task if we wanted to. So again, [from] the icons in the middle of the screen, choose a destination. In this case we’re going to choose D4. Click ‘OK’. For settings we’re going to choose Secure Erase, because I know that this drive does support secure erase. If it did not, we could choose to use a wipe pattern – it could be a seven-pass wipe, or a custom wipe with a custom number of passes.

We want to have this drive formatted, so we’re going to click on ‘Settings’. Click ‘On’. And then choose the file system – in this case we’re going to choose NTFS, but you can choose EXT4, EXFAT or FAT32. You could also choose to have the destination drive encrypted; in this case we’re clicking ‘Off’. Click ‘OK’. ‘OK’ again. You could also add case information if you wanted to.

We’ll click ‘Start’, and now you’ll see ‘W’ has been added to this upper area here, showing that there is a wipe task.

You can add a second wipe task if you wanted by clicking on ‘Add’; we could also add a hash verify task if we wanted to. The mode in this case is either drive hash or case verify; we’ll choose case verify. Click ‘OK’.

We’ll choose the case, which would be on D3. Click ‘OK’. You’ll see that there is a case here – E01 Capture – we’re going to select that, click ‘OK’. Your settings will be to verify the primary hash. You could add case information if you wanted to. We’ll click ‘Start’, click ‘Yes’, and now we have a hash task running.

Again, all of the information appears up here, just see all of the tasks that are running. If you go back to imaging you can toggle between each of the tasks to see the full progress of that particular task, for example in image 1 we’re about 64% done. It is showing the number of bytes being processed. In this case you’ll see even though this is a 1 TB drive, it is showing 2 TB being processed because we’ve chosen ‘Verify’. The speed for this particular task is running at 48.5; that’ll increase as the drive continues to be processed. The elapsed time will be shown as well as the remaining time for this particular task to be finished.

We hope you found this tutorial of interest. To learn more about the Falcon NEO please visit our website at logicube.com, or contact our sales team at sales@logicube.com.
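The settings walked through above (skip on read error at one-sector granularity, SHA-1 hashing, and a verify pass that doubles the bytes processed) can be illustrated with a generic imaging loop. This is an added example, not part of the Logicube tutorial and not the Falcon NEO's own implementation. The 512-byte sector size, the zero-filling of skipped sectors, and the names `FlakySource` and `image_with_verify` are assumptions made for the sketch.

```python
import hashlib
import io

SECTOR = 512  # assumption: 512-byte sectors for the "One Sector" granularity


class FlakySource:
    """Constructed stand-in for a source drive with some unreadable sectors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    def read_sector(self, index):
        if index in self.bad:
            raise OSError(f"read error at sector {index}")
        return self.data[index * SECTOR:(index + 1) * SECTOR]


def image_with_verify(source, total_sectors, dest):
    """Copy sector by sector, skip unreadable sectors, then re-read dest to verify."""
    acquire = hashlib.sha1()
    skipped, processed = [], 0
    for i in range(total_sectors):
        try:
            block = source.read_sector(i)
        except OSError:
            # Assumption: a skipped sector is zero-filled so later offsets stay aligned.
            block = b"\x00" * SECTOR
            skipped.append(i)
        dest.write(block)
        acquire.update(block)
        processed += len(block)

    # Verify pass: read the destination back and hash it again.
    # This second read is why the processed byte count is twice the drive size.
    dest.seek(0)
    verify = hashlib.sha1()
    while chunk := dest.read(64 * SECTOR):
        verify.update(chunk)
        processed += len(chunk)

    return {
        "sha1": acquire.hexdigest(),
        "verified": acquire.hexdigest() == verify.hexdigest(),
        "skipped": skipped,  # belongs in the task log next to the hash
        "bytes_processed": processed,
    }


if __name__ == "__main__":
    sample = bytes(range(256)) * 8  # constructed 4-sector "drive"
    print(image_with_verify(FlakySource(sample, bad_sectors=[2]), 4, io.BytesIO()))
```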

About scar

Scar de Courcier is an assistant editor at Forensic Focus.
