Protecting Your Digital AssetsTM
CRU® WiebeTech® Ditto® DX Forensic FieldStation User Manual
Features
• Create local, remote, or networked disk clones and images
• Configure and manage Ditto DX via a VPN, network, or on the unit itself
• Time saving logical imaging twice as fast as the original Ditto Forensic FieldStation
• Natively supports write-blocked SATA, eSATA, PATA, and USB 3.0/2.0
• Write to dual destinations simultaneously - Any combination of eSATA, USB 3.0, or Gigabit Ethernet
• Output images to portable RAID enclosures, NAS units, and other network destinations
• Data acquisition modes – Clone, DD, E01, L01, and simultaneous clone & image
• Hash types – MD5, SHA-1, MD5+SHA-1, SHA-256, MD5+SHA-256
• Securely sanitize drives with preset erase modes or a user configurable pattern
• Stealth Mode available for use with night vision goggles (not included)
Ditto DX Forensic FieldStation User Manual
TABLE OF CONTENTS
1 General Information
1.1 Package Contents
1.2 Identifying Parts
1.3 Lightbar Status
1.4 Thermal Management
2 Setup
3 Browser Interface
3.1 Accessing the Browser Interface
3.2 Icons Used in the Browser Interface
3.3 User Accounts
4 Home Screen
4.1 Action
4.1.1 Clone Source Disk
4.1.2 Physical Image Source Disk
4.1.3 Logical Image Source Disk
4.1.4 Clone and Image Source Disk
4.1.5 Restore Physical Image
4.1.6 Erase Destination Disk
4.1.7 Hash Disk
4.1.8 Snapshot Disk
4.1.9 NetView Scan
4.2 Investigation Info
4.3 System Settings
4.4 Current Status
4.5 Disks
4.5.1 Previewing and Browsing Disks
4.5.2 View Hexadecimal Data
4.5.3 View Snapshot Data
4.6 System Log
5 Configure Screen
5.1 System
5.2 Network
5.3 Clone
5.4 Physical Image
5.5 Logical Image
5.6 Restore
5.7 Erase
5.8 Hash
5.9 Naming
5.10 Quick Start
6 Admin Screen
6.1 User Accounts
6.2 Permissions
6.3 Adding a New User
6.4 Editing an Existing User
6.5 Deleting a User
7 Logs Screen
8 Utilities Screen
9 Using the Front Panel Interface in Standalone Mode
10 Stealth Mode
11 Advanced Features and Functions
11.1 Netview Scan
11.2 Target Mode: Remotely Access Disks Attached to the Ditto DX Forensic FieldStation with Third Party Software
11.3 Using iSCSI Devices
11.4 Using NFS and SMB (Samba) Shares
11.5 Adding a New Auto Select Logical Image Profile
12 Upgrading Firmware
13 Technical Specifications
1 GENERAL INFORMATION
1.1 PACKAGE CONTENTS
The following list contains the items that are included in the complete configuration for this device. Please contact CRU if any items are missing or damaged:
ITEM                                            QUANTITY
Ditto DX Forensic FieldStation Unit             1
Unitized SAS-to-eSATA + Mini-Fit power cable    3
IDE cable                                       1
12V power supply                                1
Power cord                                      1
Legacy power-to-Mini-Fit cable                  1
Ethernet cable (RJ45)                           1
Power adapter, legacy-to-SATA                   1
Velcro cable wrap                               6
eSATA cable                                     2
8GB SD card (pre-installed)                     1
1.2 IDENTIFYING PARTS
Take a moment to familiarize yourself with the parts of the Ditto DX Forensic FieldStation. This will help you to better understand the following instructions.
[Figure: views of the unit labeled SOURCE INPUTS (all inputs are write-blocked), DESTINATION OUTPUTS, CONTROL INTERFACE, and TOP OF UNIT.]
1.3 LIGHTBAR STATUS
COLOR     STATE      DESCRIPTION
Teal      Solid      Idle
Magenta   Solid      An action is in progress
Green     Solid      An action has successfully completed
Red       Solid      An error has been detected or the running action has been aborted by the user
Amber     Solid      The processor is close to reaching its recommended thermal limit. CRU suggests that you use the Ditto DX external fan (sold separately).
Amber     Blinking   The currently running action has been suspended by the Ditto DX Forensic FieldStation’s thermal management and will automatically resume from where it left off when temperatures have sufficiently lowered.
1.4 THERMAL MANAGEMENT
The Ditto DX Forensic FieldStation is a passively cooled system that pulls heat out of the processor and other electronics into the aluminum housing where it dissipates. The heat generated by the Ditto DX Forensic FieldStation is an intended design feature that eliminates the need of a noisy internal cooling fan and drastically reduces the amount of particulates that are pulled through the system.
The passively cooled system includes automatic thermal monitoring and protection. If the Ditto DX Forensic FieldStation detects that the internal temperature is reaching a specific threshold, the Lightbar will change to amber and a message will be presented on the front panel LCD suggesting that an external fan may be required. If the temperature continues to increase and reaches the secondary threshold, the Ditto DX Forensic FieldStation will suspend any currently running action and the Lightbar will begin blinking amber. Once the internal temperature lowers, the action will resume automatically from where it left off.
If you are operating the Ditto DX Forensic FieldStation in an environment warmer than 95°F / 35°C, CRU recommends the use of an external fan (very little air movement is required). CRU offers such a fan specifically designed for use with Ditto DX (Part Number: 30000-0100-0001). The Ditto DX fan is powered from one of the USB 2 ports on the control interface and operates very quietly.
2 SETUP
The Control Interface side of the Ditto DX Forensic FieldStation has a power switch and 12V input for the included power supply, an SD card slot, two USB 2.0 ports for use with a keyboard or wifi adapter, an RJ45 gigabit Ethernet port to allow network access to the Ditto DX’s browser interface (see Section 3), and a stealth switch that will turn off all external lights and enable night vision mode (see Section 10).
Plug the “suspect” disks or devices into the Source Inputs side of the Ditto DX Forensic FieldStation. All source inputs are write-blocked to prevent alteration. The source inputs include a USB 3.0 port for USB devices, an RJ45 gigabit Ethernet port, an IDE/PATA disk port, an eSATA port for SATA disks or an eSATA device, and a PCIe x4 port which can be used with the Ditto DX PCIe Adapter Bundle, and the SAS and FireWire expansion modules, all sold separately.
Use the Destination Outputs side of the Ditto DX Forensic FieldStation to store acquired data. The destination output connections include two USB 3.0 ports for USB devices, an RJ45 gigabit Ethernet port, two eSATA ports for SATA disks or eSATA devices, and a PCIe x4 port which can also be used with the above mentioned PCIe adapter bundle and expansion modules.
NOTE: CRU recommends that you switch the power off to the Ditto DX when you add or remove a device from it in order to avoid disk damage and data corruption.
3 BROWSER INTERFACE
The Ditto DX Forensic FieldStation can be configured and operated either from the Front Panel (see Section 9) or through a web browser.
3.1 ACCESSING THE BROWSER INTERFACE
3.1.1 Accessing Via Network
a. Plug an Ethernet cable into the Ethernet port on the “Control Interface” side of the Ditto DX Forensic FieldStation.
b. Connect the other end of the Ethernet cable to your network. This usually means plugging it into a router or hub. In an office environment, you may have a network jack built into your office wall.
c. Connect the power cable to the rear of the Ditto DX Forensic FieldStation and to the provided AC adapter.
d. Turn on the Ditto DX Forensic FieldStation’s power using the switch on the rear panel. (0 = off, 1 = on)
e. If you have previously configured the Ditto DX and you know the IP address it uses, go down to the last step of this section. If you have not configured the Ditto DX, use one of the two following ways to configure it.
Configure Ditto to Use DHCP
DHCP is the protocol used by most network environments today. Unless your network administrator directs otherwise, you should probably follow these steps.
   a. Press the Down navigation button on the Ditto DX Forensic FieldStation until you reach the “Settings” menu (see Figure 1). Then press the Right navigation button to view the Settings.
   b. Press Up or Down until you reach the “Ctl Network Settings” screen shown in Figure 2 and press Right.
   c. Press Up or Down until you reach the “Ctl Network” screen shown in Figure 3.
   d. If the text on the second line says “Disabled”, press the Right button to edit the setting. Press Up once and then Right to commit the change. If the text says “Enabled”, continue to the next step.
   e. Press Up or Down until you reach the “Ctl Network Mode” screen shown in Figure 4.
   f. If the text on the second line says anything other than “Client (DHCP)”, press Right to edit the setting. Press Up until the second line says “Client (DHCP)” and then press Right to commit the change. If the text already says “Client (DHCP)”, continue on to the next step.
   g. Press Up or Down until you reach the “Ctl IP Address” screen shown in Figure 5.
   h. Continue to Step G below to log in to the browser interface.
Figure 1. A depiction of the “Settings” menu on the Ditto DX Forensic FieldStation.
   Settings
   View/Edit >
Figure 2. A depiction of the “Ctl Network Settings” screen on the Ditto DX Forensic FieldStation.
   Ctl Network Settings
   View/Edit >
Figure 3. A depiction of the “Ctl Network” screen on the Ditto DX Forensic FieldStation.
   Ctl Network:
   Disabled
   Edit >
Figure 4. A depiction of the “Ctl Network Mode” screen on the Ditto DX Forensic FieldStation.
   Ctl Network Mode:
   Client (Static IP)
   Edit >
Figure 5. A depiction of the “Ctl IP Address” screen on the Ditto DX Forensic FieldStation.
   Ctl IP Address:
   10.10.0.1
   Edit >
Configure Ditto to Use a Static IP Address
If your network administrator directs you to use a static IP address, follow these steps.
   a. Press the Down navigation button on the Ditto DX Forensic FieldStation until you reach the “Settings” menu (see Figure 1). Then press the Right navigation button to view the Settings.
   b. Press Up or Down until you reach the “Ctl Network Settings” screen shown in Figure 2 and press Right.
   c. Press Up or Down until you reach the “Ctl Network” screen shown in Figure 3.
   d. If the text on the second line says “Disabled”, press the Right button to edit the setting. Press Up once and then Right to commit the change. If the text says “Enabled”, continue to the next step.
   e. Press Up or Down until you reach the “Ctl Network Mode” screen shown in Figure 4.
   f. If the text on the second line says anything other than “Client (Static IP)”, press Right to edit the setting. Press Up until the second line says “Client (Static IP)” and then press Right to commit the change. If the text already says “Client (Static IP)”, continue on to the next step.
   g. Press Up or Down until you reach the “Ctl IP Address” screen shown in Figure 5.
   h. Press Right to edit the IP address. You can use a keyboard that you’ve attached to the USB 2.0 ports on the “Control Interface” side of the Ditto DX to enter the static IP address your network administrator gave you.
      If you do not have a keyboard, press Right and Left to scroll the cursor right and left, and press Up or Down to increase or decrease the number highlighted by the cursor.
      When you have finished, press Right to commit the changes.
f. Type the IP address shown into your web browser.
g. Log in to the browser interface (the default username and password for the administrator account are both “admin”).
NOTE: CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
You are now ready to use the browser interface to configure settings and preview, image, or clone attached disks.
3.1.2 Accessing Via Direct Connection to Your Computer
a. Plug an Ethernet cable into the Ethernet port on the “Control Interface” side of the Ditto DX Forensic FieldStation.
b. Connect the other end of the Ethernet cable to your computer’s Ethernet port.
STOP! The control Ethernet port can be configured to act as a server. Attaching a Ditto DX Forensic FieldStation acting as a server to an existing network through the control Ethernet port will cause network conflicts. Therefore it is important to attach the Ditto DX Forensic FieldStation directly to your computer instead. To change this setting so that the Ditto DX Forensic FieldStation no longer acts as a server, see Section 5.2.3.
c. Connect the power cable to the rear of the Ditto DX Forensic FieldStation and to the provided AC adapter.
d. Turn on the Ditto DX Forensic FieldStation’s power using the switch on the rear panel. (0 = off, 1 = on)
e. Press the Down navigation button on the Ditto DX Forensic FieldStation until you reach the “Settings” menu (see Figure 1). Then press the Right navigation button to view the Settings.
f. Press Up or Down until you reach the “Ctl Network Settings” screen shown in Figure 2 and press Right.
g. Press Up or Down until you reach the “Ctl Network” screen shown in Figure 3.
h. If the text on the second line says “Disabled”, press the Right button to edit the setting. Press Up once and then Right to commit the change. If the text says “Enabled”, continue to the next step.
i. Press Up or Down until you reach the “Ctl Network Mode” screen shown in Figure 4.
j. If the text on the second line says anything other than “Server”, press Right to edit the setting. Press Up until the second line says “Server” and then press Right to commit the change. If the text already says “Server”, continue on to the next step.
k. Press Up or Down until you reach the “Ctl IP Address” screen shown in Figure 5.
l. The default IP address for the control Ethernet port is 10.10.0.1. If you wish to change the address, press Right to do so. Otherwise proceed to Step N.
m. You can use a keyboard that you’ve attached to the USB 2.0 ports on the “Control Interface” side of the Ditto DX to enter the static IP address your network administrator gave you.
   If you do not have a keyboard, press Right and Left to scroll the cursor right and left, and press Up or Down to increase or decrease the number highlighted by the cursor.
   When you have finished, press Right to commit the changes.
n. Type the Ditto DX Forensic FieldStation’s control IP address into your web browser.
o. Log in to the browser interface (the default username and password for the administrator account are both “admin”).
NOTE: CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
You are now ready to use the browser interface to configure settings and preview, image, or clone attached disks.
3.2 ICONS USED IN THE BROWSER INTERFACE
The browser interface uses several icons that may be clicked on to perform certain actions.
ICON          ACTION
Information   Opens a window with a brief description of the setting the information icon appears next to.
Refresh       Refreshes the field that the icon appears next to in order to give updated information.
Reset         Loads the defaults for the setting that the Refresh icon appears next to.
Add           Adds a user defined field to a list of items.
Remove        Removes a user defined field from a list of items.
3.3 USER ACCOUNTS
The Ditto DX Forensic FieldStation employs a user account system to control access to its features. The “Login” screen presents you with the ability to log in through HTTP, or you can click the Secure Login (HTTPS) link to log in securely. Accept the certificate and/or continue to the website, even if your browser tells you it does not recognize it.
The default username and password for the Administrator account are both “admin”. CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
Click on the Log Out button at the top right of the browser interface to log out.
4 HOME SCREEN
The “Home” screen is where you will perform most of your operations with the Ditto DX Forensic FieldStation, and is the default screen to load upon logging into the browser interface. Click on the Home tab to access the “Home” screen from any other area of the browser interface.
Figure 6. The “Home” screen.
4.1 ACTION
The “Action” panel lets you start, abort, and document the following actions. The “Start” button begins the action. The “Abort” button stops the action in progress. Click the Comment button to write a note that will be appended to the log. Click the Configure button to modify the default settings for each action, which can also be modified on the “Configure” screen (See Section 5).
4.1.1 Clone Source Disk
The Ditto DX Forensic FieldStation makes an exact duplicate of the source disk on one or two destination disks.
Figure 7. The “Action” section on the “Home” screen, showing the options available for the “Clone Source Disk” action.
NOTE: While cloning the source disk, the Ditto DX Forensic FieldStation can also hash the source disk using the MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3.
To clone, follow these steps:
a. Using the browser interface, select Clone Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to clone from the “Source” drop-down box.
c. Select the destination disk from the “Destination” drop-down box.
NOTE: Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk.
d. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
NOTE: You can increase the performance of the operation by clicking off of the browser interface window so that it is not continually updated.
You can view the results of the clone action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
4.1.2 Physical Image Source Disk
The Ditto DX Forensic FieldStation creates an E01 or DD image of the source disk on one or two destination disks.
Figure 8. The “Action” section on the “Home” screen, showing the options available for the “Physical Image Source Disk” action.
NOTE: While imaging the source disk, the Ditto DX Forensic FieldStation can also hash the source disk using the MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3.
For the fastest performance, we recommend utilizing an NTFS file system for Windows, HFS+ for Mac, or XFS for Linux machines. To create a physical image, follow these steps:
a. Using the browser interface, select Physical Image Source Disk from the “Action to Perform” drop-down box.
b. Select which type of physical image you would like to create from the “Physical Image Type” drop-down box. The image types available are E01 or DD. You can modify which image type appears by default in the drop-down box on the “Home” screen’s “System Settings” section (see Section 4.3), or on the “Configure” screen’s “System” tab (see Section 5.1).
c. Select the source disk to image from the “Source” drop-down box.
d. Select which partition(s) to image from the “Partition” drop-down box. Choose All to image the entire source disk.
e. Select the destination disk from the “Destination” drop-down box.
   To image to two destination disks at the same time, “Dual Destinations” must be enabled in the “Configure” screen → “System” tab → “Advanced Settings” section. Once enabled, the first destination disk and its partition can be chosen from the “Destination” and “Partition” drop-down boxes, and the second destination and its partition can be chosen from the “Destination 2” and “Partition 2” drop-down boxes.
NOTE: Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk. Using E01 compression can help.
f. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
NOTE: You can increase the performance of the operation by clicking off of the browser interface window so that it is not continually updated.
You can view the results of the image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
4.1.3 Logical Image Source Disk
Logical imaging allows an investigator to quickly scan the contents of a hard disk and image only the files and folders relevant to the investigation into an L01, ZIP, TAR, or LIST file format. Data can be imaged to one or two destination disks. To create a logical image, follow these steps:
Figure 9. The “Action” section on the “Home” screen, showing the options available for the “Logical Image Source Disk” action.
a. Select Logical Image Source Disk from the “Action to Perform” drop-down box.
b. Select which type of logical image you would like to create from the “Logical Image Type” drop-down box. The format options available are L01, TAR, ZIP, or LIST. (You can modify which logical image type appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
NOTE: “Logical Image Source Disk” actions create a report of directories and files chosen from the source disk as well as their file sizes and any error messages encountered. This report can be viewed from within the browser interface and can be exported as an Excel spreadsheet. See Section 7.1.4.
c. Select the Logical Image Mode from the “Logical Image Mode” drop-down box. See the list of logical image modes at the end of this subsection for information on what each mode does.
d. Select the source disk to image from the “Source” drop-down box, then choose which partition(s) to image from the “Partition” drop-down box underneath the “Source” drop-down box. If you select “All”, partitions will be imaged sequentially.
e. Select the destination disk for the logical image from the “Destination” drop-down box, then choose the destination disk partition from the “Partition” drop-down box underneath.
f. If you chose any other Logical Image Mode besides “Manual Select”, click the Start button at the top of Action section. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
   If you chose “Manual Select”, follow these steps:
   i. Click on Select Files & Dirs. A dialog box will open.
   ii. Use the navigation tree to select the files and folders you wish to image (see Figure 10).
   iii. Click the Start button at the bottom of the dialog box. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
Figure 10. The file navigation tree.
You can view the results of the logical image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Logical Image Modes
The Logical Image action can automatically search for files that fit the following Logical Image Modes. The action will search for specific file extensions specified by the Logical Image Mode.
• Manual Select: Enables the “Select Files & Dirs” button so that you can manually select which files to logically image.
• All Files and Dirs: Images all files and directories.
• All Except Windows: Images all files and directories except for the Windows directory.
• All Except Windows and Programs: Images all files and directories except for the Windows, Program Files, Program Files (x86), and ProgramData directories.
• All Users - Windows: Images the Windows “Users” directory.
• All Temporary - Windows: Images the Windows/Temp and Temp directories.
• All Except Swap and Hibernate: Images all files and directories except files named hiberfil.sys, pagefile.sys, Win386.swp, and 386part.par.
• All Media Files: Images all .avi, .jpeg, .jpg, .wav, and .mov files, as well as all files with extensions beginning in “.mp” (.mpeg, .mp4, .mp3, etc.) and all files with extensions beginning in “.m4” (.m4a, .m4v, etc.).
• All Office Files: Images all .txt and .pdf files, as well as all files with extensions beginning in “.doc”, “.xls”, “.ppt” (.doc, .docx, .xlsx, .pptx, etc.).
• All Financial Files: Images all .ifx, .ofx, .qfx, .qif, and .tax files.
You may also add your own customized logical image mode profiles to this drop-down list. To do so, see Section 11.5.
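The mode rules listed above can be applied to a file listing ahead of time to estimate what a given mode will and will not capture. The following is an added example, not CRU code or part of the manual; it assumes case-insensitive matching and that the named directories sit at the partition root, neither of which the manual states, and the function names and sample listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extension rules from the mode list: (exact extensions, extension prefixes).
EXTENSION_MODES = {
    "All Media Files": ({".avi", ".jpeg", ".jpg", ".wav", ".mov"}, (".mp", ".m4")),
    "All Office Files": ({".txt", ".pdf"}, (".doc", ".xls", ".ppt")),
    "All Financial Files": ({".ifx", ".ofx", ".qfx", ".qif", ".tax"}, ()),
}
# Directory exclusions from the mode list (assumed to sit at the partition root).
EXCLUDED_DIRS = {
    "All Except Windows": {"windows"},
    "All Except Windows and Programs": {
        "windows", "program files", "program files (x86)", "programdata"},
}
SWAP_FILES = {"hiberfil.sys", "pagefile.sys", "win386.swp", "386part.par"}

# Constructed sample listing, paths relative to the partition root.
SAMPLE_LISTING = [
    r"Users\jdoe\Documents\budget.XLSX",
    r"Users\jdoe\Documents\plan.mpp",   # project file, but its extension starts with ".mp"
    r"Users\jdoe\Documents\letter.rtf", # a document, but not covered by "All Office Files"
    r"Users\jdoe\Music\track.m4a",
    r"Users\jdoe\Finance\2014.qfx",
    r"Windows\Temp\setup.log",
    r"Program Files\App\app.exe",
    r"pagefile.sys",
]


def mode_selects(mode, path):
    """Return True if `mode` would image the file at `path`."""
    p = PureWindowsPath(path)
    # Drop a drive or root anchor ("C:\\", "\\") so parts[0] is the top-level entry.
    parts = [x.lower() for x in (p.parts[1:] if p.anchor else p.parts)]
    if not parts:
        return False
    name, ext = parts[-1], p.suffix.lower()
    top = parts[0] if len(parts) > 1 else None  # top-level directory, if any

    if mode == "All Files and Dirs":
        return True
    if mode in EXTENSION_MODES:
        exact, prefixes = EXTENSION_MODES[mode]
        return ext in exact or any(ext.startswith(pre) for pre in prefixes)
    if mode in EXCLUDED_DIRS:
        return top not in EXCLUDED_DIRS[mode]
    if mode == "All Except Swap and Hibernate":
        return name not in SWAP_FILES
    if mode == "All Users - Windows":
        return top == "users"
    if mode == "All Temporary - Windows":
        return top == "temp" or (len(parts) > 2 and parts[:2] == ["windows", "temp"])
    # "Manual Select" and custom profiles have no fixed rule to evaluate.
    raise ValueError(f"no automatic rule for mode: {mode!r}")


def preview(mode, listing):
    """Split a file listing into (selected, skipped) for one mode."""
    selected = [f for f in listing if mode_selects(mode, f)]
    skipped = [f for f in listing if f not in selected]
    return selected, skipped


if __name__ == "__main__":
    for mode in ("All Media Files", "All Office Files", "All Financial Files"):
        selected, skipped = preview(mode, SAMPLE_LISTING)
        print(f"{mode}: {len(selected)} selected, {len(skipped)} skipped")
        for f in selected:
            print("   ", f)
```

Prefix matching is why the sample's plan.mpp lands in “All Media Files” while letter.rtf is missed by “All Office Files”; a skipped list like this is a quick way to decide whether a custom profile (Section 11.5) is needed.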
4.1.4 Clone and Image Source Disk
This action simultaneously creates a clone of the source disk on one destination disk and creates an image on a second destination disk. Two destination disks are required for this action.
Figure 11. The “Action” section on the “Home” screen, showing the options available for the “Clone & Image Source Disk” action.
NOTE: While cloning and imaging the source disk, the Ditto DX Forensic FieldStation can also hash the source disk using the MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256 algorithms. Select the hash type under the “System Settings” panel on the “Home” screen. See Section 4.3.
To simultaneously create a clone and a physical image of the source disk, follow these steps:
a. Select Clone & Image Source Disk from the “Action to Perform” drop-down box.
b. Select the source disk to clone and image from the “Source” drop-down box.
c. Select the destination disk for the clone from the “Clone Destination” drop-down box and the destination disk for the image from the “Image Destination” drop-down box.
NOTE: Destination disks do not have to be the same physical media as the source disk, but each must be larger than the source disk.
d. Select the destination disk partition on which to save the image file from the “Image Partition” drop-down box.
e. Select which type of physical image you would like to create from the “Physical Image Type” drop-down box. The image types available are E01 or DD. (You can modify which image type appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
f. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the clone and image action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest links, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
4.1.5 Restore Physical Image
Image files of an entire disk or partition can be restored to a new disk using this action. The image file must be in either E01 or DD format. Image files of a single partition will be restored as if the original had no partitions. The destination disk must also be the same size as or larger than the original.
Figure 12. The “Action” section on the “Home” screen, showing the options available for the “Restore Physical Image” action.
To restore a physical image, follow these steps:
a. Select Restore Physical Image from the “Action to Perform” drop-down box.
b. From the “Source” drop-down box, select the source disk where the physical image you wish to restore resides.
c. From the “Partition” drop-down box, choose the partition on the source disk where the physical image resides.
d. Select the destination disk for the image from the “Destination” drop-down box.
NOTE: Destination disks must be larger than the source image.
e. Click the Select Image to Restore button, navigate to the physical image you wish to restore, select the image file to restore.
NOTE: If the image was originally created as a set of files, select the first file in the set.
f. Click the Start Restore button. The Ditto DX will begin restoring the image to the destination disk.
4.1.6 Erase Destination Disk
The Ditto DX Forensic FieldStation erases the destination disk using your preferred Erase Mode. The Erase Modes available are Clear Partition Table, Quick Erase, LBA/Offset Pattern, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DOD Clear, DOD Sanitize, NIST 800-88 Clear, and NIST 800-88 Purge.
Figure 13. The “Action” section on the “Home” screen, showing the options available for the “Erase Destination Disk” action.
To erase a disk, follow these steps:
a. Select Erase Destination Disk from the “Action to Perform” drop-down box.
b. Select the Erase Mode to use from the “Erase Mode” drop-down box. (You can modify which erase mode appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
c. Select the target destination disk(s) from the “Target” drop-down box.
d. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the erasure action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Format After Erase
You can configure the Ditto DX Forensic FieldStation to automatically format a disk after you erase it. Click on the Configure tab to go to the “Configure” screen. Then click on the Erase tab and make sure that “Format After Erase” is checked for each of the erase modes on which you’d like to enable this setting.
4.1.7 Hash Disk
The Ditto DX Forensic FieldStation will hash any source or a destination disk using your preferred algorithm. Hash values are saved in the System Log. The available algorithms are MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256.
Figure 14. The “Action” section on the “Home” screen, showing the options available for the “Hash Disk” action.
To hash a disk, follow these steps:
a. Select Hash Disk from the “Action to Perform” drop-down box.
b. Select your preferred hash algorithm from the “Hash Type” drop-down box. (You can modify which hash algorithm appears by default in the drop-down box on the “Configure” screen’s “System” tab. See Section 5.1.)
c. Select the target disk from the “Target” drop-down box.
d. Select the partition you want to hash from the “Partition” drop-down box.
e. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the hash action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
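Hash values saved in the System Log can be re-checked later on a workstation against a DD (raw) image. The following is an added example, not CRU code or part of the manual: it recomputes the digests for one of the unit's hash types in a single pass over the image, including an image stored as a set of files, and compares them with the recorded values. The function names are hypothetical, the caller supplies the segment files in order and the recorded digests copied from the log, and it does not apply to E01 files, which are containers rather than raw copies.

```python
import hashlib
import hmac
import os
import tempfile

# Hash types offered by the unit, mapped to hashlib algorithm names.
HASH_TYPES = {
    "MD5": ("md5",),
    "SHA-1": ("sha1",),
    "SHA-256": ("sha256",),
    "MD5 & SHA-1": ("md5", "sha1"),
    "MD5 & SHA-256": ("md5", "sha256"),
}


def hash_segments(segment_paths, hash_type, chunk_size=1 << 20):
    """Hash the concatenation of the segment files in one pass.

    Returns {algorithm name: hex digest}. The order of segment_paths matters:
    a set hashed out of order produces different digests.
    """
    hashers = {name: hashlib.new(name) for name in HASH_TYPES[hash_type]}
    for path in segment_paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(segment_paths, hash_type, recorded):
    """Compare recomputed digests with the recorded ones.

    `recorded` maps algorithm name to the hex digest copied from the log.
    Returns {algorithm name: True/False}; a missing recorded value is False.
    """
    computed = hash_segments(segment_paths, hash_type)
    result = {}
    for name, digest in computed.items():
        expected = recorded.get(name, "").strip().lower()
        result[name] = hmac.compare_digest(digest, expected)
    return result


if __name__ == "__main__":
    # Constructed sample: a small "image" split into two segment files.
    data = bytes(range(256)) * 4096
    workdir = tempfile.mkdtemp()
    paths = []
    for i, part in enumerate((data[:300000], data[300000:])):
        path = os.path.join(workdir, f"segment{i}")
        with open(path, "wb") as fh:
            fh.write(part)
        paths.append(path)
    recorded = {"md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest()}
    print(verify_image(paths, "MD5 & SHA-256", recorded))
```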
4.1.8 Snapshot Disk
The Ditto DX Forensic FieldStation provides S.M.A.R.T. and hdparm information for any source or destination disk connected to itself. No clone or image request needs to be done.
Figure 16. The “Action” section on the “Home” screen, showing the options available for the “Snapshot Disk” action.
To create a snapshot of a disk, follow these steps:
a. Select Snapshot Disk from the “Action to Perform” drop-down box.
b. Select the target disk from the “Target” drop-down box.
c. Click the Start button. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the snapshot action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Scroll to “eSATA Extended Disk Info” to see recorded data, including S.M.A.R.T. and hdparm information.
4.1.9 NetView Scan
NetView is a network tool that can be used to discover machines on a network and even probe them for specific services that they may be running. This capability can help an investigator locate physically hidden computers or quickly determine whether a machine is acting as a data storage device that the Ditto DX Forensic FieldStation can image.
See Section 11.1 for more information about the NetView Scan feature.
Figure 15. The “Action” section on the “Home” screen, showing the options available for the “Netview Scan” action.
4.2 INVESTIGATION INFO
The Investigation Info panel groups related information that may also be used in creating custom directories and filenames (see Section 5.9). The “Hide” button allows you to minimize the panel.
Click the Edit button to enter information about the Investigator, Case Number, Evidence Number, Description, Notes, Base directory prefix, and a Base filename prefix for an E01 or DD image.
Each field is filtered to block non-printable ASCII characters. Any characters at the file system level that may not be safe for a directory name or filename will be filtered out and replaced with an underscore. Only printable ASCII characters are currently allowed for directory and filenames. Multiple underscores will also be reduced to a single underscore per naming item.
The Ditto DX Forensic FieldStation will generate an error message if you enter a non-printable ASCII character or if your message exceeds the 58 character limit. Additionally, when the final directory or filename that uses any of these fields is created, another level of filtering is applied.
STOP! Using apostrophes (‘) in the name fields will cause an error when the file or folder name is created. They should not be used in the Investigation Info fields.
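Case metadata can be checked against these field rules before it is typed into the unit, so that evidence names come out as expected. The following is an added example, not CRU code or part of the manual: it applies the documented checks (printable ASCII only, 58 character limit, no apostrophes) and approximates the underscore substitution. The manual does not list which characters it treats as unsafe, so the UNSAFE set below is an assumption, and the function names and sample values are constructed for illustration.

```python
import re

MAX_FIELD_LEN = 58                                  # limit stated in the manual
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}     # printable ASCII, space through ~
# Assumption: characters reserved by common file systems; the manual gives no list.
UNSAFE = set('\\/:*?"<>|')

# Constructed sample of Investigation Info fields.
SAMPLE_INFO = {
    "Investigator": "J. O'Neil",
    "Case Number": "2014-0031",
    "Description": "Laptop HDD: 1TB *seized*//rack",
    "Notes": "x" * 60,
}


def check_field(value):
    """Return a list of problems that the documented rules would raise for one field."""
    problems = []
    bad = sorted({c for c in value if c not in PRINTABLE})
    if bad:
        problems.append("non-printable or non-ASCII characters: "
                        + ", ".join(repr(c) for c in bad))
    if len(value) > MAX_FIELD_LEN:
        problems.append(f"{len(value)} characters exceeds the "
                        f"{MAX_FIELD_LEN} character limit")
    if "'" in value:
        problems.append("apostrophe will cause an error when the name is created")
    return problems


def name_component(value):
    """Approximate the directory or filename component derived from an accepted field.

    Unsafe characters become underscores and runs of underscores collapse to one.
    The unit applies a further filtering pass that the manual does not describe.
    """
    problems = check_field(value)
    if problems:
        raise ValueError("; ".join(problems))
    cleaned = "".join("_" if c in UNSAFE else c for c in value)
    return re.sub(r"_{2,}", "_", cleaned)


def review_investigation_info(fields):
    """Check every field; return {field title: [problems]} for fields that need fixing."""
    return {title: probs for title, value in fields.items()
            if (probs := check_field(value))}


if __name__ == "__main__":
    for title, probs in review_investigation_info(SAMPLE_INFO).items():
        print(f"{title}: {'; '.join(probs)}")
    print(name_component(SAMPLE_INFO["Description"]))
```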
4.2.1 User Defined Fields
Clickonthegreen plus sign icontoopenthe“AddUserDefinedField”window(see
Figure18).Youmayaddasmanyuserdefinedfieldsasyouwish.Eachuserdefined
fieldmusthaveatitle,XMLtag,andvalue.
ThetitleidentifiesthevalueintheDittoDXForensicFieldStation’sbrowserandLCD
interfaces,andtheXMLtagonlyappearsintheconfigurationandlogfiles.
Toremoveauserdefinedfield,clickonthegreen minus sign icon.
4.3 SYSTEM SETTINGS
DisplaysthemostcommonlyusedconfigurationsettingsoftheDittoDXForensicField-
Station.Thesesettingsareloadedasthedefaultsettingsfortheactionsyouperformin
the“Action”panel.The“Hide”buttonallowsyoutominimizethepanel.ClicktheEdit
buttontocustomizethesesettingsaswellasadditionaladvancedsettings.SeeSection
5.1fordetailsoneachoption.
4.4 CURRENT STATUS
Reportseitheras“Idle”ordisplaysinfoabouttheactionthattheDittoDXForensicField-
Stationiscurrentlyperforming.
4.5 DISKS
DisplaysinformationabouttheattatcheddisksthatarecurrentlyconnectedtotheDitto
DXForensicFieldStation.The“Hide”buttonallowsyoutominimizethepanel.Toseethe
availablespaceadiskhas,clickthegreen double arrow iconnextinthe“Used”column
header(seeFigure21).Thediskusagewillrefreshandgiveanupdatedamount.
The“TargetMode” button allows you to present the disks attached to theDittoDX
ForensicFieldStationasiSCSIdisksonanetwork.Thisisusefulifyouwishtousethird
partydataacquisition toolsagainst thediskswithoutcreatingan image.The“Source
Network”and“SourceDestination”buttonsareusedformountingiSCSIdevicesaswell
asNFSandSMBsharestotheDittoDXForensicFieldStation.Formoreinformation,see
Section11.
Figure 20. The “Current Status” section, displaying the status of a Physical Image action.
Figure 19. The “System Settings” section.
Figure 18. The “Add User Defined Field” window.
Figure 21. Clicking the green double arrow icon displays and updates the amount of space currently used and available.
Figure 17. The “Investigation Info” section.
4.5.1 Previewing and Browsing Disks
To browse or download disk data, or to select files and folders for logical imaging, click on a partition’s number under the disk’s “Partition” column and then select Preview (see Figure 23). This opens up a file explorer window where you can navigate through the files and folders on the disk.
Directory Toolbar and Right-Click Context Menu Items
ICON ACTION
Collapse Folder Tree: Collapses the entire folder tree so that only the previewed partition’s folder is visible.
Refresh: Refreshes the folder contents in order to give updated information.
Up: Moves up to the parent folder.
Back: Moves back to the previously viewed folder.
Folders: Toggles whether folders are displayed in the contents panel.
Select Mode: Toggles the ability to select individual files for logical imaging.
Detail View/List View: Toggles whether the Size, Type, Date Created, Date Modified, and Date Accessed columns are visible.
Size Format: Changes whether file sizes in the “Size” column are measured as bytes or as megabytes, gigabytes, etc.
View: Opens the selected file. Images and PDF files will open in a preview window. Other files will open a dialog box to download the file to your computer.
Download: Opens a dialog box to download the selected file to your computer.
Hash: Opens an info window with the selected file’s name, MD5 hash, and file size in bytes.
HexView: Opens the file in the Ditto DX Forensic FieldStation’s built-in hexadecimal viewer.
Figure 22. The “Disks” section on the “Home” screen.
Logically Image Data
To logically image data using the “Preview” window, click on the Select Mode button and then check the box next to each file or folder you want to logically image. When you are finished, click on the Stage button in the lower right corner of the “Preview” window. You will be taken back to the “Home” screen. Use the “Action” control panel as directed in Section 4.1.3. When you click on “Select Files & Dirs”, you will be asked to confirm whether to logically image the files and folders you have selected, or to select new files and folders.
4.5.2 View Hexadecimal Data
To view a disk’s hexadecimal data, click on the disk name under the “Port” column and then select HexView. To view a disk partition’s hexadecimal data, click on the partition’s number under the disk’s “Partition” column and then select HexView (see Figure 23).
4.5.3 View Snapshot Data
To view a disk’s snapshot information, click on the disk name under the “Port” column and then select Snapshot.
4.6 SYSTEM LOG
Shows the actions that the Ditto DX Forensic FieldStation has performed (see Figure 24). The “Hide” button allows you to minimize the panel. The “Comment” button allows you to write a note that is appended to the System log.
If there is no SD card present in the SD card slot, this panel displays the logs that have been stored in volatile memory since the Ditto DX Forensic FieldStation’s last power cycle. These logs are deleted when the Ditto DX Forensic FieldStation is powered down. If there is an SD card present, this panel displays all actions saved on the SD Card.
To view the log details of a particular action, click on the link under the “Message” column, which will be denoted by a file name with a date/time stamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
Figure 24. The “System Logs” section on the “Home” screen.
Figure 23. Drop-down menus for a disk (left) and a disk’s partition (right).
5 CONFIGURE SCREEN
The “Configure” screen allows you to modify the way the Ditto DX Forensic FieldStation functions to suit your specific needs. Click on the Configure tab to access the “Configure” screen from the browser interface.
5.1 SYSTEM
The “System” tab allows you to view and customize the following settings. This information is also displayed in the “System Settings” panel on the “Home” screen. When you are finished, click the Commit Changes button to save the changes.
5.1.1 Typical Settings
• Default Format: This is the default file system that will be used to format destination disks when they are used in actions that the Ditto DX Forensic FieldStation performs.
• Physical Image Type: Sets the default physical image type for all actions that create a physical image.
• Logical Image Type: Sets the default logical image type for the “Logical Image Source Disk” action.
• Verify Single: Determines whether individual destination disks are hashed and compared to the hash value of the source disk.
• Verify Dual: Requires that the “Dual Destinations” option below is enabled (see Section 5.1.2). Compares the hash value of both destinations to the hash value of the source. You can choose to verify Destination 1 or Destination 2 individually, both, or none. Destination 1 and Destination 2 are selected from the “Action” section of the “Home” screen.
• Verify Clone & Image: Determines whether cloned and imaged disks are hashed and compared to the hash value of the source disk during a “Clone & Image Source Disk” action. You can choose to verify the clone, the image, both, or none.
• Hash Type: Sets the default hash algorithm that will be used for disk verification and the “Hash Disk” action. The available algorithms are None, MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256.
Figure 25. The “Configure” screen, showing the “System” tab.
• Erase Mode: Sets the default erase mode that will be used for all actions that require erasing disks.
• Logical Image Mode: Sets the default Logical Image Mode for the “Logical Image Source Disk” action.
• Stealth Mode: Turns off all LEDs and LCDs on the Ditto DX Forensic FieldStation. The physical “Stealth Mode” Switch serves the same purpose (see Section 1.2). If Stealth Mode is enabled from the browser interface, the physical switch cannot override it.
• LCD/LED Brightness: Sets the relative brightness of the LCDs and LEDs on the face of the Ditto DX Forensic FieldStation on a scale of 0 to 6. Setting a value of “0” will turn off all LCDs and LEDs on the unit.
• Audible Buzzer: Alerts the user to various actions that occur when using the Ditto DX Forensic FieldStation.
5.1.2 Advanced Settings
• CPU Speed: Sets the speed of the Ditto DX Forensic FieldStation’s CPU. The available settings from fastest to slowest are Turbo, Default, Economy, and Power Saver.
• Dual Destinations: Enables software mirroring mode to write the same data to two destinations at the same time.
• Log Disk Info: Determines whether S.M.A.R.T. and hdparm disk information is logged before running an action, after running an action, both, or not at all. CRU recommends that you log disk information before and after an action.
• HTML Logging: Logs are always saved in .XML format. This option causes the Ditto DX Forensic FieldStation to save logs in HTML format as well.
• DiskView Logging: Logs any action to preview a disk or actions performed while previewing a disk (i.e. starting or finishing a preview of a disk, starting or finishing a HexView action).
• Lightbar Mode: Enables or disables the lightbar on the face of the Ditto DX Forensic FieldStation. The available settings are Off and Color.
• Quick Start: Enables the “Quick Start” screen on the LCD that appears after you boot or reboot the Ditto DX Forensic FieldStation. The settings for this mode may be modified in the “Quick Start” tab. See Section 5.10.
• Prompt Invest. Info: Opens a “Configure Investigation Info” window after the user has hit the “Start” button in the “Action” section on the “Home” screen. This allows the user to customize the Investigator, Case Number, Evidence Number, Description, Notes, Base Directory Name, and the Base File Name information prior to performing the requested action.
• LCD Prompt Case: Five options may be chosen to modify the case number specified in the “Investigation Info” section of the “Home” screen. The case number is included in the log for the requested action. “Disabled” leaves the case number as it is. “Inc/Dec” allows you to manually increment the case number up or down using the navigation buttons on the face of the Ditto DX Forensic FieldStation. “AutoInc” automatically increments the case number, and “AutoInc/Pause” automatically increments the case number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Case Number specified in the “Investigation Info” section.
• LCD Prompt Evidence: Five options may be chosen to modify the evidence number specified in the “Investigation Info” section of the “Home” screen. The evidence number is included in the log for the requested action. “Disabled” leaves the evidence number as it is. “Inc/Dec” allows you to manually increment the evidence number up or down using the navigation buttons on the face of the Ditto DX Forensic FieldStation. “AutoInc” automatically increments the evidence number, and “AutoInc/Pause” automatically increments the evidence number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Evidence Number specified in the “Investigation Info” section.
5.2 NETWORK
The “Network” tab allows you to view and customize the following settings. If you are unsure or have questions about changing your network settings, contact your network administrator. When you are finished, click the Commit Changes button to save the changes.
5.2.1 Host Name
Allows you to change the name that will be displayed for the Ditto DX Forensic FieldStation on a network. Host names are not case sensitive, but must begin with any letter “A-Z”. They can contain the letters A-Z, numbers 0-9, underscore “_”, and dash “-” characters. Host names must also be limited to 64 characters.
Figure 26. The “Network” tab on the “Configure” screen, showing the “Source Network”, “Destination Network”, “Control Network” and “Wifi Network” settings. The “Wifi Network” section only appears when a USB wireless network adapter has been plugged in.
5.2.2 Source Network
The “Source Network” section displays the source Ethernet port’s MAC Address as well as its network mode. You can enable or disable it using the checkbox.
To set the network mode, choose either “DHCP (Auto Config)” or “Static IP (Manual Settings)” from the top drop-down box.
The “Remote Accessibility” drop-down box allows you to choose whether or not the Ditto DX Forensic FieldStation responds to any network traffic via the source Ethernet port.
5.2.3 Destination Network
The “Destination Network” section displays the destination Ethernet port’s MAC Address as well as its network mode. You can enable or disable it using the checkbox.
To set the network mode, choose either “Server”, “Client (DHCP)”, or “Client (Static IP)” from the drop-down box.
Server
“Server” allows you to configure the Ditto DX Forensic FieldStation for use as a server. This can be helpful if you are connecting an iSCSI device to the destination Ethernet port, for example (see Section 11.3.2), or you are connecting Ditto DX directly to your computer instead of through your office network. The default settings below will work for most environments. This is an advanced option, so do not customize the default server configuration below unless directed to do so by your network administrator.
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.10.100
DHCP End Address: 10.10.10.199
DNS Server: Enabled
DNS Domain Name: ditto.local
NTP Server: Enabled
NAT Gateway: Disabled
Do not connect the Ditto DX Forensic FieldStation to another network while it is configured as a server. Doing so will cause network conflicts and may disrupt network traffic.
Client (DHCP)
This option automatically configures the destination Ethernet port to connect to the attached network.
Client (Static IP)
This option allows you to manually configure the destination Ethernet port to connect to the attached network.
5.2.4 Control Network
The “Control Network” section displays the control Ethernet port’s MAC Address as well as its network mode. You can enable or disable it using the checkbox.
To set the network mode, choose either “Server”, “Client (DHCP)”, or “Client (Static IP)” from the drop-down box.
Server
“Server” allows you to configure the Ditto DX Forensic FieldStation for use as a server so that you can connect the Ditto DX Forensic FieldStation directly to your computer instead of through your office network. The default settings below will work for most environments. This is an advanced option, so do not customize the default server configuration below unless directed to do so by your network administrator.
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.10.100
DHCP End Address: 10.10.10.199
DNS Server: Enabled
DNS Domain Name: dittoctl.local
NTP Server: Enabled
NAT Gateway: Disabled
Do not connect the Ditto DX Forensic FieldStation to another network while it is configured as a server. Doing so will cause network conflicts and may disrupt network traffic.
Client (DHCP)
This option automatically configures the control Ethernet port to connect to the attached network.
Client (Static IP)
This option allows you to manually configure the control Ethernet port to connect to the attached network.
5.2.5 Wifi Network
The “Wifi Network” section allows you to configure a third party USB wifi network adapter that’s been plugged into one of the “Control Interface” USB ports. You can enable or disable it using the checkbox. This section also displays that port’s MAC Address. Adapters with an Atheros chipset and some adapters with Realtek chipsets are compatible.
“Wifi Mode” allows you to determine whether the Ditto DX Forensic FieldStation connects to a wifi network or acts as a wifi hotspot itself. Hot Spot Mode is helpful if you are working in a separate location from the Ditto DX Forensic FieldStation that is still within range of a wireless network, or if there is no hardwired network available in the location.
Choose “Client Mode” to connect to an existing wifi network or “Hot Spot Mode” to make the Ditto DX Forensic FieldStation into a wifi hotspot.
Client Mode
Check “Status: AutoStart” if you want the Ditto DX Forensic FieldStation to connect to the specified wireless network automatically.
To select the client mode’s networking mode, you can choose either “Client (DHCP)” or “Client (Static IP)” from the drop-down box underneath the MAC Address. “Client (DHCP)” automatically configures the USB wifi network adapter to connect to a wifi network. “Client (Static IP)” allows you to manually configure the connection.
Hot Spot Mode
Check “Status: AutoStart” if you want the Ditto DX Forensic FieldStation to begin broadcasting as a hotspot automatically whenever a wifi adapter is plugged in.
The default settings below will work for most environments, with several exceptions.
Input your own key to ensure that your Ditto DX Forensic FieldStation remains secure.
You may be required to conform to your country’s laws and regulations regarding wireless radio frequency usage. Select your two-digit country code from the “Regulatory Domain” drop down list, and the Ditto DX Forensic FieldStation will limit the frequencies it may broadcast on to only those in the permitted range(s).
Do not connect the Ditto DX Forensic FieldStation to a wired network while it is configured as a hotspot. Doing so will cause network conflicts and may disrupt network traffic.
SSID: {HostName}-wifi
Regulatory Domain: Global
Band: G-2.4GHz
Channel: Auto
Broadcast: Checked
Security: WPA2Personal
Key: ditto123
Show Key: Unchecked
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled
DHCP Start Address: 10.10.20.100
DHCP End Address: 10.10.20.199
DNS Server: Enabled
DNS Domain Name: dittowifi.local
NTP Server: Enabled
NAT Gateway: Disabled
5.3 CLONE
The “Clone” tab allows you to view and customize the following settings for disk cloning actions, including the “Clone & Image Source Disk” action. When you are finished, click the Commit Changes button to save the changes.
5.3.1 Typical Settings
• Source HPA/DCO: Sets whether the cloning action should indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Fill to End of Disk: Check this box to enable zeroes to be written to the end of the disk.
• Reset After Fill: Choose whether an HPA or DCO is set on the destination disk so that the capacity of the destination disk becomes identical to the capacity on the source disk.
5.3.2 Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during a cloning action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the cloning action if the Ditto DX Forensic FieldStation encounters a bad sector on the source disk.
5.4 PHYSICAL IMAGE
The “Physical Image” tab allows you to view and customize the following settings for physical imaging actions, including the “Clone & Image Source Disk” action. There are separate options available for both the “E01” and “DD” image types. When you are finished, click the Commit Changes button to save the changes.
5.4.1 E01
Click on the E01 tab to reveal the E01 image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Source HPA/DCO: Sets whether the physical image action should indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Compression Type: Sets whether the action should use empty block compression or no compression.
• EWF File Format: Choose which EnCase image file format should be used during E01 physical images. CRU recommends using “encase6” for most acquisitions.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during an E01 physical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Error Granularity: Determines how many sectors are ignored on a read error. The minimum size is 512 bytes. The default size is the Buffer Size. The maximum size is limited by the target file system.
• Swap Byte Pairs of the Media Data (endian conversion): Check this box if you need to convert from big-endian to little-endian or vice-versa, which may be necessary for disks used in older x86 or PowerPC-based systems.
• Wipe Sectors on Read Error (mimic EnCase-like behavior): If a read error is encountered during an E01 physical image action, the Ditto DX Forensic FieldStation will write out zeroes to fill the sector.
• Read Error Retries: Specifies the number of times the Ditto DX Forensic FieldStation will try to read a sector before moving on to the next sector.
5.4.2 DD
Click on the DD tab to configure the DD image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Source HPA/DCO: Sets whether the physical image action should indicate that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during a DD physical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the DD physical image action if the Ditto DX Forensic FieldStation encounters a bad sector on the source disk.
5.5 LOGICAL IMAGE
The “Logical Image” tab allows you to view and customize the following settings for the “Logical Image Source Disk” action. There are different options available for each of the L01, ZIP, TAR, and LIST file types. When you are finished, click the Commit Changes button to save the changes.
5.5.1 L01
Click on the L01 tab to configure the L01 image settings.
Typical Settings
• Image File Segment Size: Allows you to specify the size in bytes that image file segments should be. The minimum size is 1M (megabyte). The maximum size is limited by the target file system. If this field is left blank, the maximum size will be used. Click the “I” information icon for more information.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during an L01 logical image action.
• Compression Type: Sets whether the action should use empty block compression or no compression.
• Per File Hash Type: Sets the default hash algorithm that will be used for individual file verification. The available algorithms are MD5 or SHA-1. The default setting is “None”.
Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during an L01 logical image action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Read Error Retries: Specifies the number of times the Ditto DX Forensic FieldStation will try to read a sector before moving on to the next sector.
5.5.2 ZIP and TAR Settings
Click on the ZIP or TAR tab to configure the settings for either of those logical image types.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during the logical image action. This setting is format-dependent.
5.5.3 LIST Settings
Click on the LIST tab to configure the LIST image settings.
• Log File Access/Modify/Change Times: Check this box to log the access, modify, and change timestamps of files and directories during the logical image action. This setting is format-dependent.
• Validate File Extensions: Uses MIME to make sure that the file headers of the files within the newly created logical image list match their file extensions. Any questionable files are highlighted in the Logical Image Report.
5.6 RESTORE
The “Restore” tab allows you to view and customize the following settings for the “Restore Physical Image” action. When you are finished, click the Commit Changes button to save the changes.
5.6.1 Typical Settings
• Fill to End of Disk: Check this box to enable zeroes to be written to the end of the disk.
• Reset After Fill: Choose whether an HPA or DCO is set on the destination disk so that the capacity of the destination disk becomes identical to the capacity on the source disk.
5.6.2 Advanced Settings
The advanced settings may be hidden. Click the Show button to reveal them.
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during a restore action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
5.7 ERASE
The Ditto DX Forensic FieldStation allows you to view and customize settings for how it erases disks.
5.7.1 Available Erase Modes
ERASE MODE EXPLANATION
Clear Partition Table: Removes the partition table on the disk.
Quick Erase: Performs a single pass writing all zeroes.
Figure 27. The “Erase” tab on the “Configure” screen, showing all available erase modes and their customizable settings.
LBA/Offset Pattern: Writes byte/LBA info to each sector. Each 512 byte sector is written with: B_XXXXXXXXXXXXXXL_DDDDDDDDDDDD, where ‘XXXXXXXXXXXXXX’ is the byte offset as a hexadecimal string, and ‘DDDDDDDDDDDD’ is the LBA number as a decimal string. The remainder of the sector is filled with zero.
Custom Erase: Performs 1-99 passes, overwriting the disk with zeroes or a user-selected pattern.
Secure Erase Normal: Initiates the disk’s built-in Secure Erase Normal function.
Secure Erase Enhanced: Initiates the disk’s built-in Secure Erase Enhanced function.
DOD Clear: Performs the U.S. Department of Defense “Clear” standard by writing all zeroes to the disk in one pass.
DOD Sanitize: Performs the U.S. Department of Defense “Sanitize” standard by using a 0xAAAAAAA pattern, then its complement, and then another unclassified pattern.
NIST 800-88 Clear: Performs the “Clear” standard defined by NIST special publication 800-88 by writing all zeroes to the drive.
NIST 800-88 Purge: Performs the “Purge” standard defined by NIST special publication 800-88 by initiating the drive’s built-in Secure Erase (Normal) command.
5.7.2 Customizable Settings
Some Erase Modes require several of the following settings to be configured a certain way as part of their standard. In these cases, the settings cannot be modified.
• Mode Name: The name of the erase mode.
• HPA/DCO Handling: Sets how erase actions using the specified erase mode should handle HPAs and DCOs. It can indicate in the log that there is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily bypass the HPA, permanently unhide the HPA, or permanently unhide both the HPA and DCO.
• Passes: For the “Custom Erase” setting only, this allows you to specify the number of passes the disk is overwritten during the erase action. You can specify between 1 and 99 passes.
• Overwrite Method: For the “Custom Erase” setting only, you can specify a pattern for the disk to write repeatedly across the entire disk. If “text” is selected from the drop-down box, the “Pattern” field must contain one or more ASCII characters. If “hex” is selected, the “Pattern” field must contain an even number of ASCII characters representing hexadecimal digits (e.g. 17a64F). Leaving the “Pattern” field blank tells the Ditto DX Forensic FieldStation to use zeroes.
• Verify: This is a planned feature that is not currently implemented. The “Verify” drop-down box will allow you to verify the erased disk after it has been fully erased. If “Quick” is selected, the beginning, middle, and end of the disk will be read to ensure that the last pattern was actually written. If “Full” is selected, the entire disk will be read to ensure that the last pattern was actually written. If “None” is selected, no verification will be performed.
• Format After Erase: Check this box to format the disk with the default format. The default format can be set in the “System” tab on the “Configure” screen (see Section 5.1).
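Because the “Verify” setting is described above as not yet implemented, a wipe written with the “LBA/Offset Pattern” or “Custom Erase” mode has to be checked outside the unit. The following Python code is an added example, not CRU code: it checks sectors of a raw image against both patterns using the “Quick” and “Full” sampling described for “Verify”. The function names, the zero-padded field layout with an optional space between the B_ and L_ fields, the eight-sector sample size, and the unbroken repetition of a custom pattern from byte 0 are assumptions.

```python
import io
import re

SECTOR = 512
# Assumed field layout: zero-padded, optional single space between the two
# fields (the manual shows only the field letters and widths).
LBA_RE = re.compile(rb"B_([0-9A-Fa-f]{14}) ?L_([0-9]{12})")


def lba_pattern_sector(lba):
    """Constructed test data: one sector as 'LBA/Offset Pattern' describes it."""
    head = b"B_%014X" % (lba * SECTOR) + b"L_%012d" % lba
    return head.ljust(SECTOR, b"\x00")


def check_lba_sector(data, lba):
    """Return None if the sector carries the right offset/LBA, else a reason."""
    m = LBA_RE.match(data)
    if m is None:
        return "no marker"
    if int(m.group(1), 16) != lba * SECTOR:
        return "byte offset mismatch"
    if int(m.group(2)) != lba:
        return "LBA mismatch"
    if any(data[m.end():]):
        return "non-zero data after marker"
    return None


def parse_pattern(method, pattern):
    """Apply the 'Overwrite Method' rules and return the bytes to expect."""
    if pattern == "":
        return b"\x00"                    # blank field means zeroes
    if method == "text":
        return pattern.encode("ascii")    # raises ValueError on non-ASCII
    if method == "hex":
        if len(pattern) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", pattern):
            raise ValueError("hex pattern needs an even number of hex digits")
        return bytes.fromhex(pattern)
    raise ValueError("unknown overwrite method: %r" % method)


def make_pattern_checker(pat):
    """Checker for Custom Erase; assumes the pattern runs unbroken from byte 0."""
    def check(data, lba):
        phase = (lba * SECTOR) % len(pat)
        want = (pat * (SECTOR // len(pat) + 2))[phase:phase + SECTOR]
        return None if data == want else "pattern mismatch"
    return check


def sectors_to_check(total, mode, span=8):
    """'full' reads every sector; 'quick' reads span sectors at start, middle, end."""
    if mode == "full":
        return list(range(total))
    if mode != "quick":
        raise ValueError("mode must be 'quick' or 'full'")
    mid = max(0, total // 2 - span // 2)
    picks = set()
    for first in (0, mid, max(0, total - span)):
        picks.update(range(first, min(total, first + span)))
    return sorted(picks)


def verify_erase(dev, total, checker, mode="quick"):
    """Read the chosen sectors from a seekable binary stream; list failures."""
    failures = []
    for lba in sectors_to_check(total, mode):
        dev.seek(lba * SECTOR)
        data = dev.read(SECTOR)
        reason = "short read" if len(data) != SECTOR else checker(data, lba)
        if reason:
            failures.append((lba, reason))
    return failures


def demo():
    """Constructed 64-sector image with one sector of leftover data at LBA 20."""
    image = bytearray(b"".join(lba_pattern_sector(n) for n in range(64)))
    image[20 * SECTOR:21 * SECTOR] = b"residual evidence".ljust(SECTOR, b"\xff")
    dev = io.BytesIO(bytes(image))
    return (verify_erase(dev, 64, check_lba_sector, "quick"),
            verify_erase(dev, 64, check_lba_sector, "full"))


if __name__ == "__main__":
    quick, full = demo()
    print("quick:", quick)
    print("full: ", full)
```

In the constructed image the quick check passes while the full check reports LBA 20, which is the trade-off between the two sampling modes.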
5.8 HASH
The “Hash” tab allows you to view and customize the following settings for all hash actions. When you are finished, click the Commit Changes button to save the changes.
5.8.1 Advanced Settings
• Buffer Size: Sets the buffer size used by the Ditto DX Forensic FieldStation during a hash action. The minimum size is 512K (kilobytes). The default size of 1M (megabyte) works best for most uses. The maximum size is limited by the target file system.
• Exit when a bad sector is encountered: Aborts the hash disk action if the Ditto DX Forensic FieldStation encounters a bad sector on the target disk.
5.9 NAMING
The “Naming” tab allows you to customize how the Ditto DX Forensic FieldStation names directories and files during imaging actions. When you are finished, click the Commit Changes button to save the changes.
As shown in Figure 28, the file directory used in imaging actions can be a name that contains up to six user-selectable fields, and the file name used in imaging actions can contain up to four user-selectable fields. As you customize these fields, the “Directory Name Template”, “Final Directory Name”, “File Name Template”, and “Final File Name” fields will update. The template fields show the order in which variables will appear in the name, whereas the final name fields display the directory or file name using the actual information from the “Investigation Info” panel on the “Home” screen and the source disk.
5.9.1 Variables
To modify any of the user-customizable variables, navigate to the “Investigation Info” panel on the “Home” screen (see Section 4.2).
• Timestamp/{Timestamp}: Displays the timestamp. The timestamp is required to be included in all directory names, but it is optional for file names.
• Base Filename: Displays the base file name. This option is the default first variable for file names, but may be changed. User customizable.
• Case Number: Displays the case number. User customizable.
• Description: Displays the description field. User customizable.
• Evidence Number: Displays the evidence number. User customizable.
• Investigator: Displays the investigator. User customizable.
• Source Drive Model Type: Displays the model number of the source disk.
• Source Drive Unique ID: Displays the unique ID number of the source disk.
5.10 QUICK START
The “Quick Start” tab allows you to customize the quick start mode that appears on the LCD of the Ditto DX Forensic FieldStation when the “Quick Start” option is enabled in the “System” tab. Many of the settings below are visible only when certain types of actions are selected in the “Action to perform” drop-down box.
Figure 28. The “Naming” tab on the “Configure” screen.
Quick Start Settings
• Action to perform: Sets the action that is performed by the quick start mode.
• Allowed Sources: Place a checkmark next to each source where you want the Ditto DX Forensic FieldStation to search for a connected source.
• Allowed Targets: Place a checkmark next to each target where you want the Ditto DX Forensic FieldStation to search for a connected target.
• Clone Destination: For the “Clone Source Disk” and “Clone & Image Source Disk” actions only. Specifies the target destination where the source disk will be cloned.
• Source Partition: Determines which partition(s) will be imaged from the source disk. Choose All to image the entire source disk.
• Image Destination: Specifies the target destination where the image will be placed.
• Image Partition: Specifies the partition on the target destination where the image will be placed.
• Action Target: For the “Erase Destination Disk” action only. Specifies which target volume will be erased.
6 ADMIN SCREEN
The “Admin” screen allows the administrator to manage user accounts and assign permission levels for each user. Click on the Admin tab to access the “Admin” screen from the browser interface.
6.1 USER ACCOUNTS
The Ditto DX Forensic FieldStation contains two permanent accounts: “admin” and “panel”. The “admin” account is the Administrator account, and only the Full Name and password may be modified. The “panel” account is the Front Panel account, and modifies access permissions for functionality that can be accessed through the LCD screen and navigation buttons on the Ditto DX Forensic FieldStation.
6.2 PERMISSIONS
6.2.1 Permission Levels
Permission levels on the browser interface are displayed as “FULL”, “AUTH”, or as a hyphen, and as “Full Access”, “Must Authenticate”, and “None”, respectively, when editing or creating a user. “FULL” and “Full Access” indicate that the user has complete access to the features governed by that permission and is not required to enter a password. “AUTH” and “Must Authenticate” indicate that the user must authenticate his credentials with a password in order to change a setting or perform an action that that permission governs. A hyphen or “None” indicates that the user does not have access to the features governed by that permission.
Figure 29. The “Admin” screen.
6.2.2 Configurable Permissions
The following list of permissions specifies what each controls, and can be configured when adding or editing a user account. Some permissions for the Administrator and Front Panel accounts will be greyed out by default.
• Admin: “None” allows access to modify the User Name and Full Name of the Administrator, Front Panel, and the user’s own account, and allows the user to change his or her own password, but blocks the user from viewing any account’s permission levels. “Modify Users” enables the user to be able to modify user accounts, passwords, and permissions (except for the “Admin” permission). “Full Access” additionally enables the ability to create and delete users and assign the “Admin” permission.
• Config: Governs all non-network configuration settings, including those found in the “System Settings” panel on the “Home” screen and on all tabs on the “Configure” screen.
• NetSettings: Controls access to the network settings on the “Configure” screen.
• Clone: Controls access to the “Clone Source Disk” and “Clone & Image Source Disk” actions.
• Physical Image: Controls access to the “Physical Image Source Disk” and “Clone & Image Source Disk” actions.
• Logical Image: Controls access to the “Logical Image Source Disk” action.
• Restore Image: Controls access to the “Restore Physical Image” action.
• Erase: Controls access to the “Erase Destination Disk” action.
• Hash: Controls access to the “Hash Disk” action.
• Snapshot: Controls access to the “Snapshot Disk” action.
• Netview: Controls access to the “Netview Scan” action.
• Abort: Controls access to the ability to abort actions in progress.
• Note: Controls access to the “Comment” buttons in the “Action” and “System Log” panels on the “Home” screen.
• Logs: Controls the ability to delete log files from the “Logs” screen.
• DiskView: Controls the ability to preview and download files from the suspect drive via the “Disks” panel on the “Home” screen.
6.3 ADDING A NEW USER
To add a new user, click the Add User button, enter the user’s information, and set the permission levels. When finished, click on the Commit Add button.
6.4 EDITING AN EXISTING USER
Toupdateauser’sname,password,orpermissions,clickontheuseraccountunderthe“UserName”column,
updatetheinformation,andthenclicktheCommit Edits button.
6.5 DELETING A USER
Todeleteauser,clickon theuseraccountunder the“UserName”columnandclickon theDelete User
button.Donotclickthisbuttonunlessyouareabsolutelycertainyouwishtodeletetheaccount.
7 LOGS SCREEN
The “Logs” screen provides information about the Ditto DX Forensic FieldStation’s actions. Click on the Logs tab to access the “Logs” screen from the browser interface.
Action logs show the timestamp, the type of action performed, the user who performed the action, and a link to the “Action Log” screen that provides more information about the performed action.
7.1 ACTION LOG
7.1.1 Settings
Displays the settings of the Ditto DX Forensic FieldStation that were active when the particular action was performed.
7.1.2 User Permissions
Displays the permissions of the user that were in place when the particular action was performed.
7.1.3 Extended Disk Info
This report displays the information of the disk used (which is noted in the title of this report) in the action, including the interface, model, serial number, capacity, the presence of HPAs (host protected areas) or DCOs (device configuration overlays), partition information, hdparm information, and S.M.A.R.T. information. If multiple disks are used in the action, then multiple reports are created.
7.1.4 Logical Image Report
This report appears in action logs of “Logical Image Source Disk” actions and displays each directory and file that was imaged, along with their size and any error messages that were generated. If “Validate File Extensions” is enabled for LIST logical images in the “Configure” screen, it will also log any files in LIST logical images that have a mismatched file header and extension (see Section 5.5.3). Click on the Export button to save a copy of the log as an Excel spreadsheet. Click on the Export Suspects button to save a copy of all of the suspect files where there is a mismatch between the file’s MIME type and file extension.
Figure 30. The “Logs” screen.
7.1.5 Netview Report
This report appears in action logs of “Netview Scan” actions and displays summaries of the discovered hosts, including the IP address, MAC address, and the manufacturer associated with the MAC address if that information can be determined. The “Hostname” will be blank if a DNS lookup could not associate the host’s IP address to a name.
8 UTILITIES SCREEN
The “Utilities” screen allows you to perform various miscellaneous functions, including the ability to upgrade firmware, import customized configurations, remotely reboot the Ditto DX Forensic FieldStation, modify date and time settings, and perform a factory reset. Click on the Utilities tab to access the “Utilities” screen from the browser interface.
8.1 SYSTEM MAINTENANCE
8.1.1 Firmware Upgrade
For information on how to upgrade the firmware, see Section 12.
8.1.2 Configuration
You can save and load configurations for the Ditto DX Forensic FieldStation. The file generated saves a copy of every customizable setting for the unit.
Save Configuration
To save a configuration, click on the Save Config button. Name the file, and then click Continue to open a Save As dialog box and save the file to your computer.
Load Configuration
a. Click on the Load Config button, browse to the .xml configuration file you want to load, highlight it, and click Open.
b. The “Confirm Import” window will open. Place a check next to each setting you want to load, and then click Continue. By selecting these settings, you will be overwriting the existing settings, so be sure to save the current configuration first.
c. The Ditto DX Forensic FieldStation will import the configuration settings. Click OK when it’s finished.
Figure 31. The “Utilities” screen.
8.1.3 Other Buttons
• Reboot: Opens a confirmation to reboot the Ditto DX Forensic FieldStation.
• Date & Time: Allows you to set the current date, time, and time zone. Click the Synchronize button to sync these settings with your browser’s operating system.
• Factory Reset: Opens a confirmation dialog to return the Ditto DX Forensic FieldStation to factory settings. Check the Purge Ditto SD card log files box to remove all log files from the SD card in the unit. You can also use the Front Panel to perform a factory reset. See Section 9.3.
• System Verify: Verifies that the Ditto DX Forensic FieldStation’s operating system files have not been modified and places a statement in the system log. If the verification fails, the details can be viewed by exporting the System Diagnostics.
• Diagnostics: Exports a diagnostics log file in HTML format. The diagnostics log contains information about the Ditto DX Forensic FieldStation’s current configuration, including user accounts, kernel messages, logs, process information, disks, PHP errors, and system verify results.
8.2 UPGRADE LOG MESSAGES
This section displays the status log of firmware upgrades and is only visible after a firmware upgrade has been performed.
8.3 IMPORT LOG MESSAGES
This section displays the status log of configuration file exports and imports and is only visible after a configuration file has been loaded.
9 USING THE FRONT PANEL INTERFACE IN STANDALONE MODE
The Ditto DX Forensic FieldStation can work as a standalone device with no additional computer required, which can be useful when working with evidence disks in the field.
The Front Panel interface allows you to clone, physically image, perform a logical image using a Logical Image Mode, simultaneously clone and image, erase, hash a disk, or perform a snapshot of a disk. You can also adjust settings, view information about attached disks, or check on the Ditto DX Forensic FieldStation’s operational status. The administrator account can assign access permissions to the Front Panel’s actions and settings using the browser interface.
9.1 HOW TO NAVIGATE
9.1.1 Using the Navigation Buttons
The navigation buttons on the front of the Ditto DX Forensic FieldStation allow you to navigate through the menu. Up and Down allow you to scroll through the available options on the Front Panel, while Right selects the option and Left goes back to the previous screen. If Quick Start Mode is enabled, press Left to exit it.
9.1.2 Using a Keyboard
Plug a PC USB keyboard into a USB port on the “Control Interface” side of the Ditto DX Forensic FieldStation. You can navigate using the arrow keys. Press Enter or the Right Arrow keys to select a menu option. Press the Left Arrow key to back out of a menu or setting. If Quick Start Mode is enabled, you can press the Escape key to exit it.
9.2 MENU SCREENS
The Ditto DX Forensic FieldStation menu consists of the following screens:
9.2.1 Status
The status screen is the default screen. It shows the progress of any current processes. When the Ditto DX Forensic FieldStation is “Idle”, the current firmware of the unit is also listed on this screen. An example of a status screen is shown in Figure 32.
9.2.2 Perform Action
After you adjust settings to your specifications, you are ready to put the Ditto DX Forensic FieldStation to work. The “Perform Action” screen lets you start or abort any of the Ditto DX Forensic FieldStation’s actions using the current settings.
a. On the “Perform Action” screen, use the Up and Down buttons to cycle through the available actions. Press Right to select the one you want.
b. Cycle through the available settings for the action. Press Right if you wish to modify them.
c. When you are finished modifying settings, scroll down to the option that asks you to start the action (ex. “Start Physical Image?”). Press Right to begin.
The status and remaining time will be displayed on the LCD screen as the Ditto DX Forensic FieldStation performs the action. To abort an action, press Left. The LCD screen will ask if you wish to abort the action. Press Right to confirm, or Left to cancel the abort request.
9.2.3 Investigation Info
The “Investigation Info” lists the current settings that can be modified in the “Investigation Info” section on the “Home” screen of the browser interface. To modify these settings from the browser interface, see Section 4.2.
Editing Fields With A Keyboard
On the “Investigation Info” menu, an “Edit (Keyboard)” menu item will appear when a keyboard is detected (see Figure 33). You can edit the field currently displayed on the LCD by pressing the Right button on the face of the Ditto DX Forensic FieldStation or by pressing Enter or the Right Arrow keys on the keyboard, and then using the keys to type.
Using apostrophes (‘) in the name fields will cause an error when the file or folder name is created. They should not be used in the Investigation Info fields.
Strings longer than 20 characters are displayed with an ellipsis character (...) at the right side of the string.
The Ditto DX Forensic FieldStation can handle multiple USB devices through a USB hub attached to the USB port on the “Source Inputs” side of the Forensic FieldStation. However, if multiple keyboards are connected, keystrokes from all keyboards are processed.
Ditto-####: Idle Version: 2016Jun01a
2016Jun09 3:23:02pm (Up/Dn for Menu)
Figure 32. The “Status” screen on the Front Panel LCD.
Investigator: C. Walker
Edit (Keyboard)
Figure 33. The “Investigator” field in the “Investigation Info” menu on the Front Panel LCD, when a USB keyboard is attached to the Ditto Forensic FieldStation.
Here is a table of the most common keyboard commands:
KEY | COMMAND
Escape | Cancels an edit.
Enter | Begins an edit on a user-editable string or selects the currently-visible menu option. When pressed while editing a string, it confirms the edit.
Home/End | When editing a string, these keys move the cursor to the beginning/end of the string, respectively.
Up/Down | Moves through the menu options. When editing a string, they move the cursor to the beginning/end of the string, respectively.
Delete | Deletes the character currently highlighted by the cursor.
Backspace | Deletes the character immediately behind the cursor.
Num Lock | Forces the numbered arrow keys to type numbers when pressed.
Caps Lock | Forces all letter keys to type capital letters.
Tab / Shift+Tab / Page Up / Page Down / Function / Alt / Windows / Control / Insert | Not handled.
9.2.4 Settings
The “Settings” screen allows you to view and customize the following settings, which are grouped into three subsections. These settings will be the default settings used in any actions performed.
The System Settings below cannot be modified if the Front Panel user account does not have full access to the “Config” permission, and the Src, Dst, and Ctl Network Settings cannot be modified if the Front Panel user account does not have access to the “NetSettings” permission. See Section 6 for information on how to customize the Front Panel user account.
System Settings
• Physical Image Type: Sets the default physical image type for all actions that create a physical image. The image types available are E01 or DD.
• Logical Image Type: Sets the default logical image type for all actions that create a logical image. The logical image types available are L01, TAR, ZIP, and LIST.
• Logical Image Mode: Sets the default logical image mode. The logical image modes available are All Files and Dirs, All Except Windows, All Except Windows Programs (abbreviated as “All Except W...nd Programs”), All Users - Windows, All Temporary - Windows, All Except Swap and Hibernate (abbreviated as “All Except S..d and Hibernate”), All Media Files, All Office Files, and All Financial Files. See Section 4.1.3 under “Logical Image Modes” for a description of each mode.
• Hash Type: Sets the default hash algorithm that will be used for disk verification and the “Hash Disk” action. The available options are None, MD5, SHA-1, SHA-256, MD5 & SHA-1, or MD5 & SHA-256.
• Erase Mode: Sets the default erase mode that will be used for all actions that require erasing disks. The available modes are Clear Partition Table, Quick Erase, LBA/Offset Pattern, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DOD Clear, DOD Sanitize, NIST 800-88 Clear, and NIST 800-88 Purge.
• Default Format: This is the default file system that will be used to format destination disks when they are used in actions that the Ditto DX Forensic FieldStation performs. The available formats are HFS+, FAT32, NTFS, EXT2, EXT3, EXT4, and XFS.
• HTML Logging: Logs are always saved in .XML format. This option causes the Ditto DX Forensic FieldStation to save logs in HTML format as well. The available options are Off and On.
• DiskView Logging: Logs any action to preview a disk or actions performed while previewing a disk (i.e. starting or finishing a preview of a disk, starting or finishing a Hex View action). The available options are Off and On.
• LCD/LED Brightness: Sets the relative brightness of the LCDs and LEDs on the face of the Ditto DX Forensic FieldStation on a scale of 0 to 6.
• Buzzer: This is a planned feature that is not currently implemented. The audible buzzer will alert the user to various actions that occur when using the Ditto DX Forensic FieldStation.
• Performance: Sets the speed of the Ditto DX Forensic FieldStation’s CPU. The available settings from fastest to slowest are Turbo, Default, Economy, and Power Saver.
• Lightbar Mode: Enables or disables the lightbar on the face of the Ditto DX Forensic FieldStation. The available settings are Off and Color.
• Dual Destinations: Enables software mirroring mode to write the same data to two destination disks at the same time.
• Prompt Case: Five options may be chosen to modify the case number specified in the “Investigation Info” section of the “Home” screen in the browser interface. The case number is included in the log for the requested action. “Disabled” leaves the case number as it is. “Inc/Dec” allows you to manually increment the case number up or down using the navigation buttons on the face of the Ditto DX Forensic FieldStation. “Auto Inc” automatically increments the case number, and “Auto Inc/Pause” automatically increments the case number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Case Number specified in the “Investigation Info” section of the “Home” screen in the browser interface.
• Prompt Evidence: Five options may be chosen to modify the evidence number specified in the “Investigation Info” section of the “Home” screen. The evidence number is included in the log for the requested action. “Disabled” leaves the evidence number as it is. “Inc/Dec” allows you to manually increment the evidence number up or down using the navigation buttons on the face of the Ditto DX Forensic FieldStation. “Auto Inc” automatically increments the evidence number, and “Auto Inc/Pause” automatically increments the evidence number, but displays a confirmation prompt on the LCD screen before beginning the requested action. These options require a number to be present on the end of the Evidence Number specified in the “Investigation Info” section of the “Home” screen in the browser interface.
• Quick Start: Enables the “Quick Start” screen on the LCD that appears after you boot or reboot the Ditto DX Forensic FieldStation. The settings for this mode may be modified in the “Quick Start” tab of the “Configure” screen on the browser interface. See Section 5.10.
• Verify Single: Determines whether an individual destination disk is hashed and compared to the source disk’s hash value. The available options are Yes and No.
• Verify Dual: Requires that the “Dual Destinations” option above is enabled. Determines whether mirrored destination disks are hashed and compared to the source disk’s hash value(s). You can choose to verify Destination 1 or Destination 2 individually, both disks, or none. Destination 1 and Destination 2 are selected when setting up the action to be performed.
• Verify Clone & Image: Determines whether cloned and imaged disks are hashed and compared to the source disk’s hash value during a “Clone & Image Source Disk” action. You can choose to verify no disks, the clone, the image, or both.
• Log Disk Info: Determines whether S.M.A.R.T. and hdparm disk information is logged before running an action, after running an action, both, or not at all.
Src (Source) Network Settings
• Src Network: Enable or disable the source network Ethernet connection.
• Src MAC Address: Displays the source Ethernet port’s MAC address.
• Src IP Assignment: Displays the source Ethernet port’s IP assignment method. The available options are DHCP or Static. An IP address can be manually configured in the browser interface (see Section 5.2.2).
• Src Network Access: Allows you to choose whether or not the Ditto DX Forensic FieldStation responds to any network traffic via the source Ethernet port.
• Src IP Address: Displays the IP address assigned to the source Ethernet port.
• Src Subnet Mask: Displays the subnet mask address assigned to the destination Ethernet port. It is only visible if the “Src IP Assignment” is set to “Static”.
Dst (Destination) Network Settings
• Dst Network: Enable or disable the destination network Ethernet connection.
• Dst MAC Address: Displays the destination Ethernet port’s MAC address.
• Dst Network Mode: Displays the destination Ethernet port’s networking mode. The available options are Server, Client (DHCP), or Client (Static IP). “Server” allows you to connect the Ditto DX Forensic FieldStation directly to a computer without the use of an intermediary network. The network mode can be further configured in the browser interface (see Section 5.2.3).
• Dst IP Address: Displays the IP address assigned to the destination Ethernet port.
• Dst Subnet Mask: Displays the subnet mask address assigned to the destination Ethernet port. It is only visible if “Dst Network Mode” is set to “Client (Static IP)” or “Server”.
Ctl (Control) Network Settings
• Ctl Network: Enable or disable the control network Ethernet connection.
• Ctl MAC Address: Displays the control Ethernet port’s MAC address.
• Ctl Network Mode: Displays the control Ethernet port’s networking mode. The available options are Server, Client (DHCP), or Client (Static IP). “Server” allows you to connect the Ditto DX Forensic FieldStation directly to a computer without the use of an intermediary network. The network mode can be further configured in the browser interface (see Section 5.2.4).
• Ctl IP Address: Displays the IP address assigned to the control Ethernet port.
• Ctl Subnet Mask: Displays the subnet mask address assigned to the control Ethernet port. It is only visible if “Dst Network Mode” is set to “Client (Static IP)” or “Server”.
Date & Time
• Date: Displays the date.
• Time: Displays the time.
• Timezone: Displays the time zone.
9.2.5 Disk Info
The “Disk Info” screen (Figure 34) shows all available disks attached to either the source or destination ports. Ports are shown only if a disk is connected there. Press Right and then Up or Down to scroll through the following information about each connected disk:
• Model number
• Disk capacity
• File system
9.3 FACTORY RESET
To reset the Ditto DX Forensic FieldStation’s settings back to their factory defaults, press and hold the Up, Right, and Down navigation buttons while powering the unit on. The Ditto DX Forensic FieldStation will start up and then display the text, “Preparing Factory Reset” (see Figure 35).
You will then be prompted to confirm your choice to reset the Ditto DX. Press Right to continue or Left to cancel.
You can also use the browser interface to perform a factory reset. See Section 8.1.3.
10 STEALTH MODE
Stealth Mode turns off all LEDs and LCDs on the Ditto DX Forensic FieldStation. You can enable Stealth Mode by flipping the physical “Stealth Mode” switch on the Control Interface side of the Ditto DX Forensic FieldStation (see Section 1.2).
You can also enable it from the browser interface. Click on the Configure tab, and then under the “System” tab change the “Stealth Mode” drop-down box to “Enabled.” Then click Commit Changes.
If Stealth Mode is enabled from the browser interface, the physical switch cannot override it.
**** DITTO **** Initializing...
Preparing Factory Reset
Figure 35. The “Preparing Factory Reset” screen on the Front Panel LCD.
Source eSATA: HTS5410806XXXXX 79.8GB
No filesystem
Figure 34. The “Disk Info” screen on the Front Panel LCD.
11 ADVANCED FEATURES AND FUNCTIONS
11.1 NETVIEW SCAN
This type of network probing is very noisy and may trigger any IT-related Intrusion Detection Devices (IDSs) on the network. Please be sure to run this action in a very controlled and isolated environment.
a. Select Netview Scan from the “Action to Perform” drop-down box.
b. Configure the available options, which are detailed below in Section 11.1.1.
c. When you are finished, press the Start button. You should see updates every few seconds that describe the current scan being executed, the number of hosts discovered, and the progress of the current scan. Please note that progress estimates are crude and are still being developed. A “Completed” message box will pop up when the action has finished. Click on the message to continue.
You can view the results of the Netview Scan action by scrolling down to the “System Log” panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button from the top menu bar.
The “Netview Report” section contains summaries of the discovered hosts, including the IP address, MAC address, and the manufacturer associated with the MAC address if that information can be determined. The “Hostname” will be blank if a DNS lookup could not associate the host’s IP address to a name.
11.1.1 Netview Scan Configuration Options
The following options can be configured before running a Netview Scan:
Interface Selection
The “Interface” drop-down box allows you to tell the Ditto DX Forensic FieldStation which Ethernet connection to use during the Netview Scan. You can choose either the Source, Destination, or Control Ethernet ports.
The selected interface will be used when the scan is started. This may create a heavy network traffic load and, depending on the “Timing” setting in the “Discovery Options” subsection, may alert your IT department that the network is under some sort of threat. Ensure that the selected interface is attached to a controlled and isolated network.
Figure 36. The “Action” section on the “Home” screen, showing the options available for the “Netview Scan” action.
IP Scan Range
By default the last octet of the IP address of the selected interface will be scanned. You may change this value and enter a list of IP addresses, a range of IP addresses, or a combination of both. Click the “Reset” icon to reset the IP Scan Range back to its default value.
Examples:
1. Range: 10.10.10.0-255
• Scans the addresses 10.10.10.0 through 10.10.10.255.
2. Range 2: 10.10.10-12.0-255
• Scans addresses 10.10.10.0-255, 10.10.11.0-255, and 10.10.12.0-255.
3. List: 10.10.10.1
• Will only scan IP address 10.10.10.1
4. List 2: 10.10.10.2,10.10.10.3
• Will scan only hosts 10.10.10.2 and 10.10.10.3
5. Combo: 10.10.10.1,10.10.10.2,10.10.10.50-100
• Will scan hosts 10.10.10.1, 10.10.10.2 and hosts 10.10.10.50 through 10.10.10.100.
Discovery Options
There are three optional host (machine) discovery options and one “No Ping” port scan option available. By default, the “Ping Echo” option is enabled and will suffice for most use cases. Some machines may be configured to ignore pings and not respond, so there are two other specialized Ping options which may be useful. Click the “Reset” icon to reload the default settings.
• Ping Echo: Sends a standard ICMP echo request to each IP address.
• Ping Timestamp: Sends a request for a timestamped ICMP packet.
• Ping Netmask: Sends a request for the destination’s subnet mask using an ICMP packet.
• No Ping: Skips host discovery and forces a port scan, which is useful when the hosts appear to be down.
• Timing: Selects a timing interval for scanning a network. “3” is the default setting. Lower numbers are slower and will help you avoid triggering an intrusion detection alert, and higher numbers are faster but may be less accurate, and may cause intrusion detection alerts.
TCP Options
NetView can optionally scan the specified hosts for open TCP ports. By default, this feature is not enabled. Check the box next to “TCP Options” to enable this feature and expand more options. Click the “Reset” icon to reset all TCP Options back to their default values.
• Ports: By default, TCP ports for commonly used services as well as services to which the Ditto DX Forensic FieldStation may be able to connect are entered into this text box, including ports for NFS, iSCSI, and Samba. Only ports entered into this text box will be scanned. NetView IP port ranges may be specified as any combination of lists and ranges. Valid port numbers are
between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40. Both may be combined to form: 22,23,40-50,80,90-91.
• Syn Scan: Syn Scan is selected by default and is appropriate for most use cases. The Ditto DX Forensic FieldStation generates raw IP packets and monitors for responses. This type of scan is also known as “half-open scanning” since it does not open a full TCP connection.
• Connect Scan: The Ditto DX Forensic FieldStation uses a full system-level TCP connection in order to determine what ports are available on the host network. This scan should only be performed by advanced users.
The more ports being scanned, the longer the scan will take.
UDP Options
NetView can optionally scan the specified hosts for open UDP ports. By default, this feature is not enabled. Check the box next to “UDP Options” to enable this feature. Click the “Reset” icon to reset the UDP option back to its default values.
Ports: By default, UDP ports for commonly used services as well as services to which the Ditto DX Forensic FieldStation may be able to connect are entered into this text box, including NFS, iSCSI, and Samba. Only ports entered into this text box will be scanned. NetView IP port ranges may be specified as any combination of lists and ranges. Valid port numbers are between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40. Both may be combined to form: 22,23,40-50,80,90-91.
UDP port scanning takes much longer than TCP port scanning due to the fact that open and filtered ports do not typically respond to queries. Therefore, any UDP port scanner will spend time retransmitting its query in case the query or response was lost. Furthermore, while closed ports do usually respond with ICMP port unreachable messages, hosts tend to limit the number of those messages sent per second, resulting in further delay.
Netview Tips
1. See Nmap.org for general information about network scanning.
2. Keep your IP address lists/ranges short. This will mean faster scans and less network traffic.
3. Keep your port lists/ranges short. This will also mean faster scans and less network traffic.
4. Start by deselecting the TCP and UDP scans. Just scanning for the presence of hosts is much quicker than running TCP and UDP scans on a network with an unknown number of machines. Once you have a list of discovered machines, then you can decide whether to TCP and/or UDP scan them all or scan only a subset at a time.
5. TCP scanning must be enabled in order to detect the target’s operating system.
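The “IP Scan Range” and “Ports” formats described above can be expanded offline to see how many hosts and probes a scan will generate, and whether every address stays inside the isolated network, before the Start button is pressed (tips 2 and 3). The following Python is an added example, not CRU code or part of the Ditto DX firmware; the function names and the allowed_net scope check are assumptions made for illustration.

```python
import ipaddress
import itertools


def _num(text):
    """Parse a plain decimal number, rejecting signs, spaces and empty strings."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not a number: {text!r}")
    return int(text)


def _expand_field(field, lo, hi):
    """Expand '12' or '10-12' into a range of ints, enforcing lo <= value <= hi."""
    start, dash, end = field.strip().partition("-")
    first = _num(start)
    last = _num(end) if dash else first
    if not (lo <= first <= last <= hi):
        raise ValueError(f"{field!r} is outside {lo}-{hi} or reversed")
    return range(first, last + 1)


def expand_ip_spec(spec):
    """Expand a scan range such as '10.10.10-12.0-255' or a comma list of such
    items into a sorted list of unique IPv4Address objects. Each octet may be
    a single value or a range, as in the manual's examples."""
    hosts = set()
    for item in spec.split(","):
        octets = item.strip().split(".")
        if len(octets) != 4:
            raise ValueError(f"expected four octets: {item!r}")
        ranges = [_expand_field(o, 0, 255) for o in octets]
        for combo in itertools.product(*ranges):
            hosts.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return sorted(hosts)


def expand_port_spec(spec):
    """Expand a port list such as '22,23,40-50,80,90-91' into sorted unique
    port numbers. Valid ports are 1 to 65535 inclusive."""
    ports = set()
    for item in spec.split(","):
        ports.update(_expand_field(item, 1, 65535))
    return sorted(ports)


def scan_plan(ip_spec, port_spec, allowed_net):
    """Summarise a planned scan: host count, port count, host*port probe count,
    and any addresses that fall outside allowed_net (a CIDR string naming the
    controlled network the scan is supposed to stay within; an assumption of
    this example, not a Ditto DX setting)."""
    net = ipaddress.ip_network(allowed_net)
    hosts = expand_ip_spec(ip_spec)
    ports = expand_port_spec(port_spec) if port_spec else []
    return {
        "hosts": len(hosts),
        "ports": len(ports),
        "probes": len(hosts) * len(ports),
        "outside_scope": [h for h in hosts if h not in net],
    }


if __name__ == "__main__":
    # Constructed input: the manual's "Range 2" example with its combined port list.
    plan = scan_plan("10.10.10-12.0-255", "22,23,40-50,80,90-91", "10.10.10.0/24")
    print(plan["hosts"], "hosts,", plan["probes"], "port probes,",
          len(plan["outside_scope"]), "addresses outside the allowed network")
```

A non-empty outside_scope list means the range as typed would reach addresses beyond the network named in allowed_net, which is worth correcting before the scan is run.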
11.2 TARGET MODE: REMOTELY ACCESS DISKS ATTACHED TO THE DITTO DX FORENSIC FIELDSTATION WITH THIRD PARTY SOFTWARE
Disks attached to Ditto DX Forensic FieldStation may be mounted on your computer as iSCSI devices for use with third party data acquisition tools. The machine this software is installed on does not have to be physically connected to the Ditto DX Forensic FieldStation, but rather the software may be run remotely from a separate
location within the same network. To do so, you will need to put the Ditto DX Forensic FieldStation into Target Mode.
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel and select the Target Mode button.
b. Check the boxes in the iSCSI column next to the disk(s) that you wish to mount on your computer as iSCSI device(s).
c. Check Enable iSCSI and SMB authentication if you wish to require authentication in order for iSCSI initiator software to connect to the selected disk(s). Then input your desired credentials.
d. Press the OK button.
You can now mount the disk(s) you selected in the steps above to your computer. Use the Ditto DX Forensic FieldStation’s IP address in your iSCSI initiator software in order to attach to it. Initiators can vary, but typically you’ll add the IP address to the “Discovery” section of your initiator.
11.3 USING ISCSI DEVICES
11.3.1 Remotely Access an iSCSI Device
To connect to an iSCSI device that exists on your network, follow these directions.
a. Ensure that the Ethernet port through which the Ditto DX Forensic FieldStation is connected to your network is properly configured for use with your network (see Section 5.2). Unless you have manually configured the Ditto DX Forensic FieldStation’s network settings before, you most likely do not have to change anything. If you are directly connecting the iSCSI device to the Ditto DX Forensic FieldStation, then see Section 11.3.2.
b. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
c. Click the Source Network button if you want to attach the iSCSI device to the Ditto DX Forensic FieldStation as a write-blocked source device, or click the Destination Network button if you want to attach the iSCSI device as a read/write-enabled destination.
d. Click on the iSCSI tab if it is not already selected.
e. Type the iSCSI device’s IP address into the “Target Host” text field.
f. Type in the port number of the target iSCSI volume into the “Port” text field if the number is different than the default value of ‘3260’. If you don’t know the port number, leave it as the default value.
g. Click the Discover button. The Ditto DX Forensic FieldStation will detect any IQNs (iSCSI Qualified Names) attached to the IP address.
h. Select the IQN you wish to attach to the Ditto DX Forensic FieldStation from the drop-down box.
i. If authentication is required to connect to the IQN, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. Otherwise, continue to Step J.
Figure 37. The “Target Mode” window is used to allow computers and third party software to remotely connect via iSCSI to disks connected to Ditto.
j. Click the Add button. The IQN will now appear in the list below.
k. Repeat steps E through J to add more IQNs. When you are finished, click Close.
The iSCSI disk(s) have now been added to the list of Disks, allowing you to perform actions on them like you would any other disk.
11.3.2 Directly Connect an iSCSI Device to the Ditto DX Forensic FieldStation
If you do not wish to connect an iSCSI device to your network (for example, it may be a suspect device with unknown properties), you can directly connect the device to the Ditto DX Forensic FieldStation and isolate it from the rest of your network. There are two methods for doing so. Once you have connected the device, continue down to the third subsection, “Adding an iSCSI Disk to the ‘Disks’ Panel”.
Connect via the Source Ethernet Port
Follow these instructions if the iSCSI device you are attaching to the Ditto DX Forensic FieldStation is a suspect device. You’ll need to connect the iSCSI device to the source Ethernet port and manually configure the IP address of both the Ditto DX Forensic FieldStation and the iSCSI device.
Manually set the Ditto DX Forensic FieldStation’s IP address.
a. Click on the Configure tab at the top of the page, and then select the Network tab.
b. In the “Source Network” section, select Static IP from the drop-down box underneath the MAC address (see Figure 38).
c. Type in the desired IP address and subnet mask into the appropriate fields. Do not fill in the Gateway, Primary DNS Server, or Secondary DNS Server unless directed to do so by your network administrator.
d. Click Commit Changes.
Manually set the iSCSI device’s IP address, subnet mask, and gateway. The first three octets of the IP address must be identical to the first three octets of the Ditto DX Forensic FieldStation’s IP address. The fourth octet must be different, and must be any other number between 1 and 255. The subnet mask must be identical to the Ditto DX Forensic FieldStation’s subnet mask. The gateway must also be set as the Ditto DX Forensic FieldStation’s IP address.
Based on the IP address configuration of a Ditto DX Forensic FieldStation that’s displayed in Figure 38, a valid configuration for an iSCSI device would be as follows:
IP address: 10.10.10.100
Subnet mask: 255.255.255.0
Gateway: 10.10.10.1
After these settings are configured for the Ditto DX Forensic FieldStation and the iSCSI device, ensure that the iSCSI device is connected to the source Ethernet Port. Then continue to the “Adding an iSCSI Volume to the ‘Disks’ Panel” subsection below.
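The addressing rules for a directly connected iSCSI device can be checked before the values are typed into either unit. The following Python is an added example, not CRU code; the function name is hypothetical, the Ditto DX address 10.10.10.1 is inferred from the gateway value in the example configuration above (Figure 38 itself is not reproduced here), and the broadcast-address check is an extra test that the manual does not state.

```python
import ipaddress


def check_direct_iscsi_config(ditto_ip, ditto_mask, dev_ip, dev_mask, dev_gateway):
    """Return a list of rule violations for a directly connected iSCSI device.

    An empty list means the device settings satisfy the manual's rules for the
    source Ethernet port. Malformed addresses raise ValueError.
    """
    ditto = ipaddress.IPv4Address(ditto_ip)
    dev = ipaddress.IPv4Address(dev_ip)
    problems = []

    # Rule 1: the first three octets must match the Ditto DX address.
    if dev.packed[:3] != ditto.packed[:3]:
        problems.append("first three octets differ from the Ditto DX address")

    # Rule 2: the fourth octet must be different and between 1 and 255.
    last = dev.packed[3]
    if last == ditto.packed[3]:
        problems.append("fourth octet is the same as the Ditto DX address")
    if not 1 <= last <= 255:
        problems.append("fourth octet must be between 1 and 255")

    # Rule 3: the subnet masks must be identical.
    if ipaddress.IPv4Address(dev_mask) != ipaddress.IPv4Address(ditto_mask):
        problems.append("subnet mask differs from the Ditto DX subnet mask")

    # Rule 4: the device gateway must be the Ditto DX address.
    if ipaddress.IPv4Address(dev_gateway) != ditto:
        problems.append("gateway is not the Ditto DX address")

    # Extra check (not a rule from the manual): the subnet's broadcast address
    # cannot be assigned to a host, e.g. x.x.x.255 with mask 255.255.255.0.
    subnet = ipaddress.ip_network(f"{ditto_ip}/{ditto_mask}", strict=False)
    if dev == subnet.broadcast_address:
        problems.append("device address is the subnet broadcast address")

    return problems


if __name__ == "__main__":
    # Values from the manual's example; the Ditto DX address is inferred from the gateway.
    issues = check_direct_iscsi_config(
        "10.10.10.1", "255.255.255.0",
        "10.10.10.100", "255.255.255.0", "10.10.10.1",
    )
    print("OK" if not issues else "\n".join(issues))
```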
Figure 38. The “Source Network” section on the “Configure” screen’s “Network” tab.
Connect via the Destination Ethernet Port
Follow these instructions if you will be transferring evidence or other data to the iSCSI device. First, ensure that the destination Ethernet port is configured to act as a server.
a. Click on the Configure tab at the top of the page, and then select the Network tab.
b. In the “Destination Network” section, select Server from the drop-down box underneath the MAC address. Do not customize the default server configuration unless directed to do so by your network administrator.
c. Click Commit Changes.
Now connect the iSCSI device to the destination Ethernet port. The iSCSI device will be assigned a new IP address if the iSCSI device is configured to obtain a new IP address from DHCP, which will be the case for most devices. If no IP address is assigned, you will need to configure the iSCSI device to use DHCP. If that is not possible, contact your network administrator.
Once the iSCSI device is assigned an IP address, continue to the “Adding an iSCSI Volume to the ‘Disks’ Panel” subsection below.
Adding an iSCSI Disk to the “Disks” Panel
On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
a. Click the Source Network button if you want to attach the iSCSI device to the Ditto DX Forensic FieldStation as a write-blocked source device, or click the Destination Network button if you want to attach the iSCSI device as a read/write-enabled destination.
b. Click on the iSCSI tab if it is not already selected.
c. Type the iSCSI device’s IP address into the “Target Host” text field.
d. Type in the port number of the target iSCSI volume into the “Port” text field if the number is different than the default value of ‘3260’. If you don’t know the port number, leave it as the default value.
e. Click the Discover button. The Ditto DX Forensic FieldStation will detect any IQNs (iSCSI Qualified Names) attached to the IP address.
f. Select the IQN you wish to attach to the Ditto DX Forensic FieldStation from the drop-down box.
g. If authentication is required to connect to the IQN, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. Otherwise, continue to the next step.
h. Click the Add button. The IQN will now appear in the list below.
i. Repeat steps C through H to add more IQNs. When you are finished, click Close.
The iSCSI disk(s) have now been added to the list of Disks, allowing you to use the Ditto DX Forensic FieldStation to perform actions on them like you would any other disk.
Figure 39. The “Source Network” window’s iSCSI tab allows you to connect iSCSI devices to the Ditto via the source Ethernet port. The “Destination Network” tab looks similar and does the same via the destination Ethernet port.
11.3.3 Properly Remove an iSCSI Device
This process prevents timeout issues where the Ditto DX Forensic FieldStation will attempt to connect to iSCSI volumes that no longer are connected to it. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
a. Click the Source Network button if your iSCSI device is connected via the source Ethernet Port, or click the Destination Network button if your iSCSI device is connected via the destination Ethernet Port.
b. Click on the iSCSI tab if it is not already selected.
c. Under the “iSCSI Source Connections” or the “iSCSI Destination Connections” section, check the boxes next to the IQN(s) you want to remove and click the Remove button.
d. Physically disconnect the iSCSI device from the Ditto DX Forensic FieldStation.
11.4 USING NFS AND SMB (SAMBA) SHARES
11.4.1 Connect to NFS and SMB Shares
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
b. Click the Source Network button if the Ditto DX Forensic FieldStation is connected to your network via the source Ethernet Port, or click the Destination Network button if it is connected via the destination Ethernet Port.
c. Click on the NFS tab or the SMB tab, depending on which type of share you are connecting to.
d. Type the server name into the Server text field.
e. If you are connecting to an SMB share, select the appropriate protocol from the “Protocol” drop-down box. If you don’t know the correct protocol, leave it as the default value of ‘SMBv1’.
f. Click the Show Shares button. The Ditto DX Forensic FieldStation will detect any shares attached to the server.
g. Select the share you wish to attach to the Ditto DX Forensic FieldStation from the drop-down box.
h. If you are connecting to an SMB share and authentication is required, click the Advanced... button and input the appropriate credentials, including the username, password, and domain. If the SMB share does not require authentication or you are connecting to an NFS share, continue to the next step.
i. Click the Add button. The share will now appear in the list below.
j. Repeat steps C through I to add more shares. When you are finished, click Close.
The share(s) have now been added to the list of Disks, allowing you to perform actions on them like you would any other disk.
11.4.2 Remove an NFS or SMB (Samba) Share
a. On the “Home” Screen, navigate down to the bottom of the “Disks” panel.
b. Click the Source Network button if the Ditto DX Forensic FieldStation is connected to your network via the source Ethernet Port, or click the Destination Network button if it is connected via the destination Ethernet Port.
c. Click on the NFS tab or SMB tab, depending on which type of share you are removing.
d. Under the “iSCSI Source Connections” or the “iSCSI Destination Connections” section, check the boxes next to the share(s) you want to remove and then click the Remove button.
11.5 ADDING A NEW AUTOSELECT LOGICAL IMAGE PROFILE
AutoSelect is a feature that allows you to search during a logical image action only for those file types of interest to you. If you want to add your own AutoSelect Logical Image profile, you must create a DittoAutoSelect directory on your SD Card first. Then you can add one or more autoselect XML files to that directory. You may also add subdirectories that contain one or more autoselect XML files to the Ditto DX AutoSelect directory. Insert the SD Card into the Ditto DX Forensic FieldStation and your custom AutoSelect profiles will then be available in the “Logical Image Mode” drop-down box when configuring a “Logical Image Source Disk” action.
11.5.1 Ditto DX AutoSelect XML File Structure
<?xml version="1.0" encoding="UTF-8"?>
<!-- All attributes must be in single quotes if they contain double quotes. -->
<DittoAutoSelect
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="autoSelect.xsd"
>
  <select title="Example Title">
    <include path="*">
      <name>*.jpeg</name>
      <name>*.jpg</name>
      <name>*.m4*</name> <!-- .m4a, .m4v, etc -->
    </include>
    <exclude path="Windows"/>
  </select>
</DittoAutoSelect>
The name of the autoselect XML file can be any legal filename with a .xml file extension. Each AutoSelect XML file may contain one or more <select title="..."> blocks. The select block’s title will appear at the bottom of the “Logical Image Mode” selection list prepended with “SDCard/” followed by the subdirectory’s name, if any.
Each select block may contain one or more <include path="..."> and/or <exclude path="..."> blocks. The include/exclude block’s path (case-insensitive) may contain wildcard characters and will be included in or excluded from the autoselection, respectively.
Each include block may contain zero or more <name>...</name> blocks, which specify a filename to be included in the autoselection. Filenames are case-insensitive and may contain wildcard characters to specify a set of filenames. Exclude blocks cannot contain name blocks.
NOTE: You cannot remove existing selections from the Logical Image Mode list.
To download an XML Schema that can be used to validate your autoselect XML file, type the following into the address bar of an Internet browser, where <IPAddress> is the IP address of your Ditto DX Forensic FieldStation:
http://<IPAddress>/data/DittoAutoSelect/autoSelect.xsd
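The structural rules in section 11.5.1 can be checked on a workstation before a profile is copied to the SD card. The following Python code is an added example, not CRU's code: lint_profile reports XML that is not well-formed (for instance typographic quotes picked up when copying the example from a PDF) and exclude blocks that contain name blocks, and preview estimates which files a select block would pick. The sample profile is constructed, and the matching rules (shell-style wildcards, path patterns tested against each ancestor directory, exclude taking precedence, an include without names selecting everything under its path) are assumptions; the unit's actual behavior is defined by its firmware and autoSelect.xsd.

```python
import fnmatch
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample profile with the same structure as the manual's example.
PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<DittoAutoSelect>
  <select title="Media outside Windows">
    <include path="*"><name>*.jpg</name><name>*.m4*</name></include>
    <exclude path="Windows"/>
  </select>
</DittoAutoSelect>"""

def lint_profile(xml_text):
    """Return (root, problems), checking the rules the manual describes."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        hint = " (typographic quotes present)" if "\u201d" in xml_text else ""
        return None, [f"not well-formed XML: {exc}{hint}"]
    problems = []
    for sel in root.findall("select"):
        if not sel.get("title"):
            problems.append("<select> has no title")
        for blk in sel:
            if blk.tag not in ("include", "exclude") or blk.get("path") is None:
                problems.append(f"<{blk.tag}> must be include/exclude with a path")
            elif blk.tag == "exclude" and blk.find("name") is not None:
                problems.append("<exclude> cannot contain <name> blocks")
    return root, problems

def _wild(pattern, value):
    # Assumption: shell-style wildcards, compared case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _under(block, path):
    # Assumption: the path pattern is tested against each ancestor directory.
    dirs = [str(d) for d in PurePosixPath(path).parents if str(d) != "."] or [""]
    return any(_wild(block.get("path"), d) for d in dirs)

def preview(select, paths):
    """List the paths a <select> block would pick (assumed: exclude wins)."""
    def wanted(inc, p):
        names = [n.text or "" for n in inc.findall("name")]
        return _under(inc, p) and (
            not names or any(_wild(n, PurePosixPath(p).name) for n in names))
    return [p for p in paths
            if not any(_under(x, p) for x in select.findall("exclude"))
            and any(wanted(i, p) for i in select.findall("include"))]
```

Run lint_profile on each file before copying it to the DittoAutoSelect directory, then pass a select element and a file listing from a test disk to preview. Validation against the downloaded autoSelect.xsd remains the authoritative check.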
12 UPGRADING FIRMWARE
Firmware upgrades are made available on CRU’s website at www.cru-inc.com/support/software-downloads/Ditto-DX-firmware-updates/. There are three methods to upgrade your Ditto DX Forensic FieldStation’s firmware.
METHOD 1: COPY AND PASTE A LINK
a. Ensure that the Ditto DX Forensic FieldStation is connected to a network with Internet access.
b. Go to the firmware updates web page and scroll down to the “Ditto DX Firmware Links” section. Copy the URL of the firmware you wish to use to upgrade.
c. Log in to your Ditto DX Forensic FieldStation’s browser interface and navigate to the “Utilities” screen.
d. Paste the link into the top text field and click the Firmware Upgrade button.
e. When it asks you to confirm the retrieval of the upgrade file, click Continue.
f. The Ditto DX Forensic FieldStation will download the file to itself. Once downloaded, it will ask you to confirm the upgrade. Click Continue. After the upgrade is finished, click OK.
g. The LCD panel of the Ditto DX Forensic FieldStation will ask you to reboot. Press the Right button on the face of the unit to reboot, or click on the Reboot button on the “Utilities” screen.
METHOD 2: DOWNLOAD TO YOUR COMPUTER
a. Go to the firmware updates web page and scroll down to the “Ditto DX Firmware Links” section.
b. Click on the firmware you wish to use to upgrade to download the file. Save the file in a convenient location.
c. Log in to your Ditto DX Forensic FieldStation’s browser interface, navigate to the “Utilities” screen, and click on the top Upload... button.
d. Locate the firmware file you just downloaded, select it, and click Open.
e. Click on the Firmware Upgrade button.
f. The Ditto DX Forensic FieldStation will upload the file to itself. Once uploaded, it will ask you to confirm the upgrade. Click Continue. After the upgrade is finished, click OK.
g. The LCD panel of the Ditto DX Forensic FieldStation will ask you to reboot. Press the Right button on the face of the unit to reboot, or click on the Reboot button on the “Utilities” screen.
METHOD 3: UPLOAD VIA A USB THUMB DRIVE
a. Go to the firmware updates web page and scroll down to the “Ditto DX Firmware Links” section.
b. Click on the firmware you wish to use to upgrade to download the file. Save the file to a USB thumb drive.
c. Insert the thumb drive into the source side USB port of the Ditto DX Forensic FieldStation.
d. The Ditto DX Forensic FieldStation will immediately scan the thumb drive and display a list on the LCD screen of all firmware files found on the drive. Use the navigation buttons on the face of the unit to move the blinking cursor to the firmware that you wish to use to upgrade, and then press Right.
e. The Ditto DX Forensic FieldStation’s firmware will be upgraded. The LCD panel of the Ditto DX Forensic FieldStation will ask you to reboot. Press Right to reboot.
13 TECHNICAL SPECIFICATIONS
Product Name: Ditto DX Forensic FieldStation
Data Interface Types & Speeds:
• eSATA: up to 6 Gbps
• 1000BASE-T Ethernet: up to 1 Gbps
• PATA/IDE: up to 133 MB/s
• USB 3.0: up to 5 Gbps
• PCIe x4: up to 4 GB/s
Supported Disk Types: 2.5” and 3.5” rotational or solid state hard disks
SD Card Slot Support: SD, SDHC (MMC, mini-SD, and microSD are compatible with adapters)
Wifi USB Adapter Support: Wifi adapters with Atheros chipsets, and some Realtek chipsets
Data Connectors:
• Three (3) eSATA ports
• Three (3) 1000BASE-T Ethernet connectors
• One (1) PATA/IDE connector
• Three (3) USB 3.0 connectors
• One (1) SD Card slot
• Two (2) PCIe x4 Ditto Expansion Module connectors
Write-Blocked Data Inputs: eSATA, PATA/IDE, USB 3.0, Source-side Ethernet port. Other input types supported with Ditto Expansion Modules or drive adapters.
Data Outputs: Two (2) eSATA ports operable as single, dual, or mirrored. Two (2) USB 3.0 ports operable as single, dual, or mirrored. Both source-side and destination-side 1000BASE-T Ethernet ports.
Supported File Systems: ext2, ext3, ext4, FAT32, HFS+, NTFS, XFS
User Interface:
• Four-line LCD controlled with four soft-touch menu navigation buttons or USB keyboard
• Browser-based Ditto interface allows for direct operation, remote operation, and administration
LED Indicators: Lightbar status indicator, power in 5V/12V, USB3, Source Network, IDE, eSATA, Source Expansion, HPA/DCO, Destination Network, eSATA A, eSATA B, USB3 A, USB3 B, Destination Expansion.
Stealth Mode: Turns off all lights (LEDs/LCD)
Browser Compatibility: Internet Explorer, Firefox, Safari, Chrome, Opera
Physical Image Types: DD, E01
Logical Image Types: L01, LIST, TAR, ZIP
Image/Clone Output Modes: Single disk image, single disk clone, image and clone, image to mirrored disks, clone to mirrored disks, restore physical image, logical image to single disk, logical image to mirrored disks
Hash Modes: None, MD5, SHA-1, SHA-256, MD5 & SHA-1, and MD5 & SHA-256, enabled during imaging and cloning operations.
Erase Modes: Clear Partition Table, Quick Erase, Custom Erase, Secure Erase Normal, Secure Erase Enhanced, DoD Clear, DoD Sanitize, NIST 800-88 Clear, NIST 800-88 Purge
External Material: All-aluminum construction
Operating Humidity: 5% to 95%, non-condensing
Power Switch: 2 position: On/Off
Power Inputs: 40W 12V 3.33A DC barrel connector (center pin positive), 15-pin standard SATA power
Compliance:
• EMI Standard: FCC Part 15 Class A
• CE
• EMC Standard: EN55022, EN55024
• RCM
Shipping Weight: 5 lbs (2.3 kg)
Product Dimensions: 4.92 in x 6.77 in x 1.72 in (125 mm x 172 mm x 43.7 mm)
Technical Support: Your investment in CRU products is backed up by our free technical support for the lifetime of the product. Contact us through our website, www.cru-inc.com/support or call us at 1-800-260-9800 or +1-360-816-1800.
© 2016 CRU Acquisition Group, LLC. ALL RIGHTS RESERVED.
This User Manual contains proprietary content of CRU Acquisition Group, LLC (“CRU”) which is protected by copyright, trademark, and other intellectual property rights.
Use of this User Manual is governed by a license granted exclusively by CRU (the “License”). Thus, except as otherwise expressly permitted by that License, no part of this User Manual may be reproduced (by photocopying or otherwise), transmitted, stored (in a database, retrieval system, or otherwise), or otherwise used through any means without the prior express written permission of CRU.
Use of the full Ditto Forensic FieldStation product, including, without limitation, its web interface, is subject to all of the terms and conditions of this User Manual and the above referenced License.
This Ditto Forensic FieldStation product and User Manual are provided on a RESTRICTED basis. Use, duplication, or disclosure by the US Government is subject to restrictions set forth in Paragraph (b) of the Commercial Computer Software License clause at 48 CFR 42.227-19, as applicable.
CRU®, Ditto®, and WiebeTech® (collectively, the “Trademarks”) are trademarks owned by CRU and are protected under trademark law. Nmap is a registered trademark of Insecure.Com, LLC in the United States and/or other countries. Excel is a registered trademark of Microsoft in the United States and/or other countries. EnCase is a registered trademark of Guidance Software in the United States and/or other countries. This User Manual does not grant any user of this document any right to use any of the Trademarks.
Product Warranty
CRU warrants this product to be free of significant defects in material and workmanship for a period of three years from the original date of purchase. CRU’s warranty is nontransferable and is limited to the original purchaser.
Limitation of Liability
The warranties set forth in this agreement replace all other warranties. CRU expressly disclaims all other warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose and non-infringement of third-party rights with respect to the documentation and hardware. No CRU dealer, agent, or employee is authorized to make any modification, extension, or addition to this warranty. In no event will CRU or its suppliers be liable for any costs of procurement of substitute products or services, lost profits, loss of information or data, computer malfunction, or any other special, indirect, consequential, or incidental damages arising in any way out of the sale of, use of, or inability to use any CRU product or service, even if CRU has been advised of the possibility of such damages. In no case shall CRU’s liability exceed the actual money paid for the products at issue. CRU reserves the right to make modifications and additions to this product without notice or taking on additional liability.
FCC Compliance Statement: “This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.”
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference in which the user will be required to correct the interference at their own expense.
In the event that you experience Radio Frequency Interference, you should take the following steps to resolve the problem:
1) Ensure that the case of your attached disk is grounded.
2) Use a data cable with RFI reducing ferrites on each end.
3) Use a power supply with an RFI reducing ferrite approximately 5 inches from the DC plug.
4) Reorient or relocate the receiving antenna.
FOR OFFICE OR COMMERCIAL USE
Part Number: A9-000-0050 Rev 1.1