Introducing the CRU WiebeTech Ditto™ Forensic FieldStation
© Copyright 2013 CRU Acquisitions Group LLC
August 28, 2013
The New Standard for Digital Data Exploitation
and Forensic Acquisition
• Browser-based remote operation & preview
• Network source & destination
• Dual drive destination
• Battery operation
• Customize activity logs
• All aluminum construction
• No fan noise
Hardware Overview
• LCD
• Navigation pad
• LEDs
Hardware Overview – Source Side
• SATA/eSATA
• PATA
• USB 2.0
• GbE
• PCIe Expansion Module
• Mini-fit drive power
Hardware Overview - Destination Side
• Dual SATA/eSATA
• GbE
• Mini-fit drive power
• Stealth switch – blackout mode for low visibility operations
Hardware Overview – Top Side
• Power in – barrel or SATA 15-pin
• Power switch
• SD card
• Hook
System Overview
Image Destination Options
• GbE
• SATA Drive – single or mirrored
• SD card
• eSATA Mass Storage
Supported Drive File System (Destination)
• EXT2, EXT3, EXT4, XFS
• NTFS (Sept 2013)
• HFS+
• FAT32
Supported Drive File System (Source)
• EXT2, EXT3, EXT4, XFS
• NTFS
• HFS+
• FAT32, exFAT
System Overview
Gigabit Ethernet Ports
• Source side – client only, DHCP or Static IP, iSCSI initiator
• Destination side – server or client, DHCP or Static IP, iSCSI initiator
• Network file system types – NFS, SAMBA/CIFS
• Network firewall with NAT and port forward capabilities: connect a laptop to the Destination GbE and reach the network attached to the Source GbE for triage, network shares, Internet access, etc.
HPA/DCO Options
• Indicate only (front panel LED and Activity Log)
• Temporarily bypass HPA
• Permanently unhide HPA
• Permanently unhide HPA/DCO
System Overview
Expansion Modules
• PCIe-based to speed development of newer interfaces
• USB3 – Now Shipping
• SAS – October 2013
• FireWire – November 2013
• Media Cards – November 2013
• SCSI – December 2013
• ThunderBolt – TBD (issues with chip availability for this application)
Action Functions
Clone – to one or two “mirrored” destination drives
Image DD – to one or two “mirrored” destination drives, Network
Image E01 – to one or two “mirrored” destination drives, Network
Verify – enable to automatically hash destination drive after acquisition
Clone and Image in one pass (DD or E01)
Hash – MD5, SHA1, MD5+SHA1 (during acquisition or standalone)
Erase – 8 standard presets plus user configurable pattern / # passes
Snapshot (capture) HDPARM and SMART Data to log
Web Based Menu Overview
LOG-IN
• HTTP and HTTPS
• User name and password
HOME
• Action – specify, control and monitor activity
• Disk View – suspect drive “preview” (PreView, HexView, HDPARM, SMART)
• Settings – summary listing of configuration
• System Log – time sequenced listing of all activity
• Network Mounts (iSCSI, NFS, SAMBA/CIFS)
• Target Mode
Web Based Menu Overview
CONFIGURE
• System – Investigator name, case number, other static defaults
• Network – Source and Destination IP, Gateway, DNS Information
• Clone – hash, HPA/DCO, fill, sector control
• Image – DD/E01, hash, file name, seg size, HPA/DCO, sector control
• Erase – presets, HPA/DCO, custom pattern/passes
• Hash – type, sector control
ADMIN
• Create and Manage User Accounts
• Enable Features Accessible by each User (permissions)
• Enable Features Accessible by the Front Panel
Web Based Menu Overview
LOGS
• Action Logs – one per each Action
• Purge All Logs / Delete Individual Logs
• XML format, optional enable HTML format
• Log data on SD Card (no SD card, no Log saved after power cycle)
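The acquire, hash and Verify cycle from the Action Functions slide and the XML action log from the LOGS slide, as an added Python illustration (not Ditto firmware or CRU code): a source is streamed once to two mirrored destinations while MD5 and SHA1 are computed on the same bytes, each destination is re-hashed for Verify, and the result is written to an XML record. The element names, the investigator name and the case number are placeholders assumed for this example.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

BLOCK = 512  # sector-sized reads, as a forensic imager would issue

def acquire(source, destinations, block=BLOCK):
    # One pass over the source: each block is written to every destination
    # (mirroring) while MD5 and SHA1 are updated on the same bytes.
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    while chunk := source.read(block):
        for dest in destinations:
            dest.write(chunk)
        md5.update(chunk)
        sha1.update(chunk)
        total += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}

def verify(destination, expected, block=BLOCK):
    # Verify step: re-hash the destination and compare with the acquisition digests.
    destination.seek(0)
    actual = acquire(destination, [], block)
    return actual["md5"] == expected["md5"] and actual["sha1"] == expected["sha1"]

def action_log(action, investigator, case_number, result, verified):
    # XML action record; element names are assumptions, not Ditto's log schema.
    root = ET.Element("action", name=action)
    ET.SubElement(root, "investigator").text = investigator
    ET.SubElement(root, "case").text = case_number
    ET.SubElement(root, "bytes").text = str(result["bytes"])
    ET.SubElement(root, "md5").text = result["md5"]
    ET.SubElement(root, "sha1").text = result["sha1"]
    for i, ok in enumerate(verified):
        ET.SubElement(root, "verify", destination=chr(ord("A") + i),
                      status="pass" if ok else "FAIL")
    return ET.tostring(root, encoding="unicode")

def run_demo(data=bytes(range(256)) * 16):
    # Constructed in-memory "suspect drive", two mirrored destinations, then one
    # byte flipped on destination B so that Verify reports the mismatch.
    source, dests = io.BytesIO(data), [io.BytesIO(), io.BytesIO()]
    result = acquire(source, dests)
    dests[1].seek(0)
    dests[1].write(b"\xff" if data[:1] != b"\xff" else b"\x00")
    verified = [verify(d, result) for d in dests]
    log = action_log("Clone and Image DD", "J. Doe", "CASE-0001", result, verified)
    return result, verified, log
```

Running `run_demo()` returns the acquisition digests, a per-destination Verify result of `[True, False]`, and the XML record flagging destination B.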
UTILITIES
• Firmware Update – via HTTP, HTTPS, FTP, USB 2.0, Upload from Host
• Import/Export Configuration
• Reboot
• System Verify
• Date & Time
• Factory Reset – option to purge all logs
Benchmarks
Source drive: Seagate Momentus XT (ST750LX003), 2.5”
Destination drives: Seagate Barracuda ES.2 (ST3100034NS), 3.5”
Destination format: EXT4
E01 Compression: None
Results shown in: MB/s (GB/m)
Action             | 1 Drive   | 1 Drive MD5 | 1 Drive SHA1 | 2 Drives  | 2 Drives MD5 | 2 Drives SHA1
Clone              | 105 (6.3) | 94 (5.6)    | 83 (5.0)     | 104 (6.2) | 93 (5.6)     | 82 (4.9)
  Verify           | ---       | 90 (5.4)    | 82 (4.9)     | ---       | ---          | ---
Image DD           | 89 (5.4)  | 74 (4.5)    | 73 (4.4)     | 88 (5.3)  | 74 (4.5)     | 73 (4.4)
  Verify           | ---       | 85 (5.1)    | 81 (4.9)     | ---       | ---          | ---
Image E01          | 75 (4.4)  | 63 (3.8)    | 63 (3.8)     | 74 (4.4)  | 63 (3.8)     | 63 (3.8)
  Verify           | ---       | 64 (3.8)    | 64 (3.8)     | ---       | ---          | ---
Clone and Image DD | ---       | ---         | ---          | 75 (4.5)  | 64 (3.8)     | 64 (3.8)
Erase Destination  | 109 (6.5) | ---         | ---          | ---       | ---          | ---
Benchmarks
Source drive: Seagate Momentus XT (ST750LX003), 2.5”
Destination drives: Seagate Barracuda ES.2 (ST3100034NS), 3.5”
Destination format: EXT4
E01 Compression: Empty Block
Results shown in: MB/s (GB/m)
Action        | 25% Utilization | 50% Utilization | 75% Utilization | No Compression
E01 / No Hash | 99 (5.9)        | 89 (5.3)        | 80 (4.8)        | 72 (4.3)
  Verify      | ---             | ---             | ---             | ---
E01 / MD5     | 83 (5.0)        | 75 (4.5)        | 68 (4.1)        | 63 (3.8)
  Verify      | 63 (3.8)        | 61 (3.7)        | 62 (3.7)        | 61 (3.7)
E01 / SHA1    | 77 (4.6)        | 72 (4.3)        | 67 (4.0)        | 61 (3.7)
  Verify      | 63 (3.8)        | 59 (3.6)        | 61 (3.7)        | 60 (3.6)
Ditto Basic Setup and Operation
• Suspect drive, one or two destination drives, laptop (optional)
• Customized Activity Reports (XML Parser)
• Optional battery operation (low-power image to SD Card)
Remote and Wireless Operation
• Local network or VPN
• Remote maintenance and firmware upgrade
• Video link
• Target Mode
Network Operation
Lab Workflow – Push images to network storage
Field Workflow – Capture multiple suspect drives in parallel
Firmware Updates – September/October 2013
• Logical Imaging (L01, TAR, ZIP) – Manually select files and folders
• NetView™ (NMAP) – map network, select resources Logical Imaging
• Verify Dual Drive Actions (none, eSATA-A, eSATA-B, Both)
• Enable Logging of PreView file names
• Configurable File/Folder Naming Convention
• High performance NTFS Support for Destination Drives
• DittoBoot (x86)
Firmware Updates – November/December 2013
• SmartImage™ - Select files L01 (LightGrep, File Ext, File Signatures)
• Destination GbE Target Mode (NFS, SMB)
• DiskView Interface for Partition, Format and HPA/DCO Manipulation
• New Actions: Restore Image and Validate File Signature/Extensions
• Drive Wiping – Two destination drive support, Erase Verify
• Client WiFi Access – Via USB 2.0 Adapter
• Notifications – Buzzer, Email/SMS
• Queued Actions – Create list of actions to be performed
• “Commit Changes” Verification
Firmware Updates – Q1 2014
• StringGrab™ – Search source data for given strings (Data Carving)
• HashGrab™ – Search source data for user supplied hashes (File Carving)
• SDK – Linux VM, plug-in architecture to allow user to operate own tools
• Management Console - Monitor multiple Ditto devices on network
• Multiple Destinations for Images (Drives, Networks)
• Destination Drives – “Dynamic Span” support (fill and spill)
• Add PGP Sign to XML/HTML Log Files
• WiFi Hotspot - Via USB 2.0 Adapter
New Firmware Features
NetGrab™ - PCAP file acquisition
• Ditto becomes transparent man-in-the-middle (bridge mode)
• IP Address and Port filtering
• Select type of network traffic to acquire
• Based on LIBPCAP
• Fill and Spill offers long-term data collection and retrieval
ImageGrab™ - Real-time search criteria for Logical Imaging
Questions?
Thank You for your participation today.
Contact Information
James Wiebe – 316-393-5477 – [email protected]
Randy Barber – 360-816-1804 – [email protected]
Aaron Tyger – 360-816-1759 – [email protected]
Sales: 360-816-1800 / 1-800-260-9800 - [email protected]