How-Tos

How To Image From A Network Repository Using Logicube’s Forensic Falcon-NEO

Welcome to Logicube’s tutorial on the Falcon-NEO Forensic Imager. The Falcon-NEO allows you to image directly to or from a network repository using SMB or CIFS protocol, and to image from a network location using iSCSI. Two 10GbE ports provide extremely fast network imaging performance. In this episode, we’ll show you how to image from a network repository to a physical drive connected to the Falcon-NEO.

Before creating a network repository on the Falcon-NEO, make sure you have full permissions to the shared resource. We strongly suggest that you contact your network administrator to ensure proper permissions have been set up.

We’ve set up a directory on the C drive of a computer that is connected to the same network as the Falcon-NEO. By right-clicking on the directory, I can verify that I have full permissions to this share.

We’ll now create and mount the repository on the Falcon-NEO. Navigate to the ‘Manage Repositories’ icon from the left side menu of the Falcon-NEO interface. On the ‘Add/Remove’ tab, you’ll see a list of all available repositories, including all drives attached to the Falcon-NEO destination ports and any network repository. Tap the ‘Add Repository’ button at the bottom of the screen; tap ‘Name’ to set the name of the repository; click ‘OK’; then tap ‘Drive’ to select a network share to set as a repository. Then tap ‘Network Source’ to select the network source: either LAN1, LAN2, or ‘Any’.

Next, tap ‘Destination Settings’ to enter the network settings. You’ll need to enter the path of the share. This will include the IP address and share name. Make sure you use the forward slash, not the backward slash. Then enter the domain of the share, if the shared resource is in a domain. If not, use the work group name. Then enter the username that has full permissions to the shared resource, both read and write access. Then enter the password for the username. Click ‘OK’.

Next, tap ‘Role.’ The repository can be set as a source, or a destination, or both. Once the repository has been set up, it will appear under the repository list. In order for a repository to remain configured when the Falcon-NEO is turned off, the changes must be saved and loaded to a profile on the Falcon-NEO. Refer to the users’ manual on how to do this.

Once a repository has been added, you can proceed to use it as a source or destination for whatever imaging task you require. For this task, we’ll select the File To File mode; then we’ll select the source; we’ll select the repository we just set up.

Next, choose your settings. Here you can enter a case name and other information, including an evidence ID. Click ‘OK’ and set the output format. In this case, we’ll choose ‘Directory Tree.’ For filter settings, we’ll choose not to include any filters, and leave the default settings. Next, choose your hash method, and choose whether you want to verify or not. Next, select your destination: in this case a hard drive that is connected to the Falcon-NEO.

Once all your settings have been chosen, press ‘Start’ and the imaging task will begin. Upon completion of the imaging task, you can review the log file associated with the task by navigating to the ‘Logs’ icon from the left side menu bar. The log file includes all of the chosen settings, and the file information from the network repository that was captured for this task.

Thank you for your interest in the Falcon-NEO. We hope you have found this tutorial informative. To learn more about the Falcon-NEO visit our website at logicube.com, or contact our sales team at sales@logicube.com.

About scar

Scar de Courcier is an assistant editor at Forensic Focus.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,209 other followers

%d bloggers like this: