Introducing the CRU WiebeTech™ Ditto Forensic FieldStation
© Copyright 2013 CRU Acquisitions Group LLC
August 28, 2013

The New Standard for Digital Data Exploitation and Forensic Acquisition
• Browser-based remote operation & preview
• Network source & destination
• Dual drive destination
• Battery operation
• Customize activity logs
• All aluminum construction
• No fan noise

Hardware Overview
• LCD
• Navigation pad
• LEDs

Hardware Overview – Source Side
• SATA/eSATA
• PATA
• USB 2.0
• GbE
• PCIe Expansion Module
• Mini-fit drive power

Hardware Overview – Destination Side
• Dual SATA/eSATA
• GbE
• Mini-fit drive power
• Stealth switch – blackout mode for low visibility operations

Hardware Overview – Top Side
• Power in – barrel or SATA 15-pin
• Power switch
• SD card
• Hook

System Overview

Image Destination Options
• GbE
• SATA Drive – single or mirrored
• SD card
• eSATA Mass Storage

Supported Drive File System (Destination)
• EXT2, EXT3, EXT4, XFS
• NTFS (Sept 2013)
• HFS+
• FAT32

Supported Drive File System (Source)
• EXT2, EXT3, EXT4, XFS
• NTFS
• HFS+
• FAT32, exFAT

System Overview

Gigabit Ethernet Ports
• Source side – client only, DHCP or Static IP, iSCSI initiator
• Destination side – server or client, DHCP or Static IP, iSCSI initiator
• Network file system types – NFS, SAMBA/CIFS
• Network firewall with NAT and port forward capabilities: Connect Laptop to Destination GbE and access Source GbE attached Network for triage, access to network shares, access to Internet, etc.

HPA/DCO Options
• Indicate only (front panel LED and Activity Log)
• Temporarily bypass HPA
• Permanently unhide HPA
• Permanently unhide HPA/DCO

System Overview

Expansion Modules
• PCIe-based to speed development of newer interfaces
• USB3 – Now Shipping
• SAS – October 2013
• FireWire – November 2013
• Media Cards – November 2013
• SCSI – December 2013
• ThunderBolt – TBD (issues with chip availability for this application)

Action Functions
• Clone – to one or two “mirrored” destination drives
• Image DD – to one or two “mirrored” destination drives, Network
• Image E01 – to one or two “mirrored” destination drives, Network
• Verify – enable to automatically hash destination drive after acquisition
• Clone and Image in one pass (DD or E01)
• Hash – MD5, SHA1, MD5+SHA1 (during acquisition or standalone)
• Erase – 8 standard presets plus user configurable pattern / # passes
• Snapshot (capture) HDPARM and SMART Data to log

Web Based Menu Overview

LOG-IN
• HTTP and HTTPS
• User name and password

HOME
• Action – specify, control and monitor activity
• Disk View – suspect drive “preview” (PreView, HexView, HDPARM, SMART)
• Settings – summary listing of configuration
• System Log – time sequenced listing of all activity
• Network Mounts (iSCSI, NFS, SAMBA/CIFS)
• Target Mode

Web Based Menu Overview

CONFIGURE
• System – Investigator name, case number, other static defaults
• Network – Source and Destination IP, Gateway, DNS Information
• Clone – hash, HPA/DCO, fill, sector control
• Image – DD/E01, hash, file name, seg size, HPA/DCO, sector control
• Erase – presets, HPA/DCO, custom pattern/passes
• Hash – type, sector control

ADMIN
• Create and Manage User Accounts
• Enable Features Accessible by each User (permissions)
• Enable Features Accessible by the Front Panel

Web Based Menu Overview

LOGS
• Action Logs – one per each Action
• Purge All Logs / Delete Individual Logs
• XML format, optional enable HTML format
• Log data on SD Card (no SD card, no Log saved after power cycle)

UTILITIES
• Firmware Update – via HTTP, HTTPS, FTP, USB 2.0, Upload from Host
• Import/Export Configuration
• Reboot
• System Verify
• Date & Time
• Factory Reset – option to purge all logs

Benchmarks
Source drive: Seagate Momentus XT (ST750LX003), 2.5”
Destination drives: Seagate Barracuda ES.2 (ST3100034NS), 3.5”
Destination format: EXT4
E01 Compression: None
Results shown in: MB/s (GB/m)

Action | 1 Drive | 1 Drive MD5 | 1 Drive SHA1 | 2 Drives | 2 Drives MD5 | 2 Drives SHA1
Clone | 105 (6.3) | 94 (5.6) | 83 (5.0) | 104 (6.2) | 93 (5.6) | 82 (4.9)
Verify | --- | 90 (5.4) | 82 (4.9) | --- | --- | ---
Image DD | 89 (5.4) | 74 (4.5) | 73 (4.4) | 88 (5.3) | 74 (4.5) | 73 (4.4)
Verify | --- | 85 (5.1) | 81 (4.9) | --- | --- | ---
Image E01 | 75 (4.4) | 63 (3.8) | 63 (3.8) | 74 (4.4) | 63 (3.8) | 63 (3.8)
Verify | --- | 64 (3.8) | 64 (3.8) | --- | --- | ---
Clone and Image DD | --- | --- | --- | 75 (4.5) | 64 (3.8) | 64 (3.8)
Erase Destination | 109 (6.5) | --- | --- | --- | --- | ---

Benchmarks
Source drive: Seagate Momentus XT (ST750LX003), 2.5”
Destination drives: Seagate Barracuda ES.2 (ST3100034NS), 3.5”
Destination format: EXT4
E01 Compression: Empty Block
Results shown in: MB/s (GB/m)

Action | 25% Utilization | 50% Utilization | 75% Utilization | No Compression
E01 / No Hash | 99 (5.9) | 89 (5.3) | 80 (4.8) | 72 (4.3)
Verify | --- | --- | --- | ---
E01 / MD5 | 83 (5.0) | 75 (4.5) | 68 (4.1) | 63 (3.8)
Verify | 63 (3.8) | 61 (3.7) | 62 (3.7) | 61 (3.7)
E01 / SHA1 | 77 (4.6) | 72 (4.3) | 67 (4.0) | 61 (3.7)
Verify | 63 (3.8) | 59 (3.6) | 61 (3.7) | 60 (3.6)

Ditto Basic Setup and Operation
• Suspect drive, one or two destination drives, laptop (optional)
• Customized Activity Reports (XML Parser)
• Optional battery operation (low-power image to SD Card)

Remote and Wireless Operation
• Local network or VPN
• Remote maintenance and firmware upgrade
• Video link
• Target Mode

Network Operation

Lab Workflow
Push images to network storage

Field Workflow
Capture multiple Suspect drives in parallel

Firmware Updates – September/October 2013
• Logical Imaging (L01, TAR, ZIP) – Manually select files and folders
• NetView™ (NMAP) – map network, select resources Logical Imaging
• Verify Dual Drive Actions (none, eSATA-A, eSATA-B, Both)
• Enable Logging of PreView file names
• Configurable File/Folder Naming Convention
• High performance NTFS Support for Destination Drives
• DittoBoot (x86)

Firmware Updates – November/December 2013
• SmartImage™ – Select files L01 (LightGrep, File Ext, File Signatures)
• Destination GbE Target Mode (NFS, SMB)
• DiskView Interface for Partition, Format and HPA/DCO Manipulation
• New Actions: Restore Image and Validate File Signature/Extensions
• Drive Wiping – Two destination drive support, Erase Verify
• Client WiFi Access – Via USB 2.0 Adapter
• Notifications – Buzzer, Email/SMS
• Queued Actions – Create list of actions to be performed
• “Commit Changes” Verification

Firmware Updates – Q1 2014
• StringGrab™ – Search source data for given strings (Data Carving)
• HashGrab™ – Search source data for user supplied hashes (File Carving)
• SDK – Linux VM, plug-in architecture to allow user to operate own tools
• Management Console – Monitor multiple Ditto devices on network
• Multiple Destinations for Images (Drives, Networks)
• Destination Drives – “Dynamic Span” support (fill and spill)
• Add PGP Sign to XML/HTML Log Files
• WiFi Hotspot – Via USB 2.0 Adapter

New Firmware Features

NetGrab™ – PCAP file acquisition
• Ditto becomes transparent man-in-the-middle (bridge mode)
• IP Address and Port filtering
• Select type of network traffic to acquire
• Based on LIBPCAP
• Fill and Spill offers long-term data collection and retrieval

ImageGrab™ – Real-time search criteria for Logical Imaging

Questions?
Thank You for your participation today.

Contact Information
James Wiebe – 316-393-5477 – [email protected]
Randy Barber – 360-816-1804 – [email protected]
Aaron Tyger – 360-816-1759 – [email protected]
Sales: 360-816-1800 / 1-800-260-9800 – [email protected]