Upload
ramon
View
24
Download
0
Embed Size (px)
DESCRIPTION
IMSolo-IV Expansion Option Quick Start Guide Rev1.1
Citation preview
IMSolo-IV Expansion Option Quick Start Guide
Rev 1.1
This Quick Start Guide provides the procedure to quickly setup and start using the IMSolo-IV Expansion Option to capture data from additional devices which have interfaces not available on the IMSolo-IV unit. The IMSolo-IV Expansion Option is configured with the following hardware:
• FireWire 1394b PCI-Express card for connecting 1394a or 1394b mass storage devices.
• SCSI Ultra320 PCI-Express card for connecting SCSI mass storage devices.
• PCI-Express to ExpressCard 34/54 Reader for connecting a broad range of ExpressCard compliant cards, such as ExpressCard USB 3.0 cards used to connect USB 3.0 mass storage devices. NOTE: ExpressCards are not supplied with the Expansion Option
Transfer rates are dependent on the media and interface in use. The table below provides expected transfer rates using high performance drives.
Interface Connection Transfer Rate FireWire 1394b 1394b 4.5GB/min SCSI Ultra320 5.5GB/min USB ExpressCard1 USB 3.0 2.1GB/min
1 ExpressCard is not supplied
Hardware Description This section describes the IMSolo-IV Expansion Option hardware.
Components and Functions
Expansion Box Front Panel (Fig. 1)
FUNCTIONS
Two FireWire 1394b Ports
Connect 1394b mass storage devices
One FireWire 1394a Port
Connect 1394a mass storage devices
SCSI Ultra320 Port Connect SCSI mass storage devices. ExpressCard 34/54 Reader Port
Connect ExpressCard compliant cards and ExpressCard compliant mass storage devices
Expansion Box Back Panel (Fig. 2)
PCI-e Interconnect Port
Connect PCI-e Expansion Box Interconnect Cable
Expansion Box Power-IN Port
Used to supply power to the Expansion Box from the IMSolo-IV corresponding Power-Out Port
Internal Cooling Fan Cools the inside of the Expansion Box. IMSolo-IV Back Panel (Fig. 3)
PCI-e Interconnect Port
Connect PCI-e Expansion Box Interconnect Cable
Expansion Box Power-OUT Port
Used to supply power to the Expansion Box.
ExpressCard 34/54 Reader
FireWire 1394b Ports
FireWire 1394a Port
SCSI Port
FRONT PANEL
PCI-e Interconnect Port
Power-In
Internal Cooling Fan
BACK PANEL
PCI-e Interconnect PortExternal Drive
Power-OUT
Expansion Port Power-OUT
IMSolo-IV BACK PANEL
SCSI In-Line Terminator
SCSI CABLE
ExpressCard/34 (NOT Supplied)
Setup 1. Power OFF the IMSolo-IV unit.
2. Connect the Expansion Box Power Cable to the Expansion Box Power-OUT
Port, located on the back of the IMSolo-IV unit and to the Expansion Box Power-IN Port, located on the back of the Expansion Box.
3. Connect the PCI-e Expansion Box Interconnect Cable to the IMSolo-IV unit
and the Expansion Box, using the PCI-e Interconnect Ports located on the back of both units. Secure the cable’s connectors using the connectors thumb screws.
Expansion Box Power CablePCI-e Expansion Box
Interconnect Cable
IMSolo-IV with Expansion Box – Back View
SCSI Data Cable
FireWire Data Cable
USB 3.0 Data Cable (Not Supplied)
USB 3.0 ExpressCard (Not Supplied)
Expansion Box with Interface Cables
Operational Procedures Capturing from External FireWire Drives The following procedure is recommended to capture data from External FireWire drives using the Expansion Option. 1. Power OFF the IMSolo-IV unit. 2. Connect the Expansion Box to the IMSolo-IV unit using the SETUP
Instructions outlined in the section titled SETUP. 3. Connect the appropriate FireWire data cable to the Expansion Box and to the
External FireWire drive. 4. Power ON the IMSolo-IV by pressing the unit’s Power ON button, located on
top corner of the unit’s back panel. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed. NOTE: If the IMSolo-IV fails to initialize properly. Power OFF the IMSolo-IV
and wait approximately 20 seconds before powering ON.
Drive Selection Panel
Operational Modes
5. Attach the Evidence drive(s) to the IMSolo-IV unit’s Evidence ports using the ICS supplied SATA/SAS drive data/power cables.
6. Select the Mode of Operation from the Operations pull down menu. 7. Power ON the External FireWire drive. 8. Select the Evidence Drive(s) to be used for the selected operation from the
Drive Selection Panel. NOTE: Do not select any Suspect position from the Drive Selection Panel.
9. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control Console screen. The detected FireWire drive will be listed in the Other Detected Drives, “Non-Active” drive panel. The Evidence drive will be listed in the Destination Drives panel list. NOTE: If the External FireWire Drive is not detected, reseat the FireWire
data cable and select Detect Drives again. 10. Using the touch screen display, select and move the listed FireWire drive
model from the Other Detected Drives Panel to the Source Drive Panel. 11. Verify all remaining applicable settings and optionally enter Case Information
using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.
Hash values generated during the capture operation are generated for the data read from the Suspect’s drive not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function. As an alternative, the Evidence Drives can also be hashed after the capture operation using the Hash mode of operation.
12. Select START to begin the operation. Operational status information will be displayed during an operation.
13. After the operation completes, the Evidence drive will be powered OFF and the drive can be safely removed. Power OFF and disconnect the External FireWire drive. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
Capturing from SCSI Drives The following procedure is recommended to capture data from SCSI drives using the Expansion Option. 1. Power OFF the IMSolo-IV unit. 2. Connect the Expansion Box to the IMSolo-IV unit using the SETUP
Instructions outlined in the section titled SETUP. 3. Connect the SCSI In-Line Terminator between to the supplied SCSI cable
and to the SCSI drive. 4. Connect the supplied SCSI cable to the Expansion Box. Secure the cable
using the connector’s thumb screws. 5. Connect the supplied drive power cable to the SCSI drive and to the
IMSolo-IV External Drive Power Connector, located on the back of the IMSolo-IV unit. NOTE: Due to power consumption, it may be necessary to use an external
power source to power some SCSI drive models.
6. Power ON the IMSolo-IV by pressing the unit’s Power ON button, located on top corner of the unit’s back panel. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed. NOTE: If the IMSolo-IV fails to initialize properly. Power OFF the IMSolo-IV
and wait approximately 20 seconds before powering ON.
Drive Selection Panel
Operational Modes
7. Attach the Evidence drive(s) to the IMSolo-IV unit’s Evidence ports using the ICS supplied SATA/SAS drive data/power cables.
8. Select the Mode of Operation from the Operations pull down menu. 9. Select the Evidence Drive(s) to be used for the selected operation from the
Drive Selection Panel. NOTE: Do not select any Suspect position from the Drive Selection Panel.
10. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control Console screen. The detected SCSI drive will be listed in the Other Detected Drives, “Non-Active” drive panel. The Evidence drive will be listed in the Destination Drives panel list.
11. Using the touch screen display, select and move the listed SCSI drive model from the Other Detected Drives Panel to the Source Drive Panel.
12. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.
Hash values generated during the capture operation are generated for the data read from the Suspect’s drive not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function. As an alternative, the Evidence Drives can also be hashed after the capture operation using the Hash mode of operation.
13. Select START to begin the operation. Operational status information will be displayed during an operation.
14. After the operation completes, the Evidence drive will be powered OFF and the drive can be safely removed. The SCSI drive will remain powered ON. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
15. Power OFF the IMSolo-IV and disconnect the SCSI drive.
Capturing from ExpressCard Mass Storage Devices The following procedure is recommended to capture data from mass storage devices connected through an installed ExpressCard. NOTE: ExpressCards are not supplied with the Expansion Option. 1. Power OFF the IMSolo-IV unit. 2. Connect the Expansion Box to the IMSolo-IV unit using the SETUP
Instructions outlined in the section titled SETUP. 3. Connect the ExpressCard to the ExpressCard port of the Expansion Box. 4. Power ON the IMSolo-IV by pressing the unit’s Power ON button, located on
top corner of the unit’s back panel. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed. NOTE: If the IMSolo-IV fails to initialize properly. Power OFF the IMSolo-IV
and wait approximately 20 seconds before powering ON. 5. The IMSolo-IV O/S will detect the ExpressCard as “New Hardware”, and a
prompt will be displayed requesting drivers for the installed hardware. NOTE: Drivers can be installed using the IMSolo-IV unit’s general purpose
USB ports, located on the back of the unit. Insert a USB Thumb drive with the appropriate driver files. Select Detect Drives and use the unit’s Mount Drive function to mount the USB Thumb drive’s volume. Follow the prompts to install the appropriate driver for the installed hardware.
6. Select Remove Drives to “remove” the USB Thumb Drive and power cycle the IMSolo-IV unit. The IMSolo-IV Forensics Advanced Interface Control Console will be displayed.
Drive Selection Panel
Operational Modes
7. Attach the Evidence drive(s) to the IMSolo-IV unit’s Evidence ports using the ICS supplied SATA/SAS drive data/power cables.
8. Select the Mode of Operation from the Operations pull down menu. 9. Connect the External Mass Storage Device to the installed ExpressCard
using the appropriate data cable for the device. 10. Power ON the External Mass Storage device. 11. Select the Evidence Drive(s) to be used for the selected operation from the
Drive Selection Panel. NOTE: Do not select any Suspect position from the Drive Selection Panel.
12. Select Detect Drives from the IMSolo-IV Forensics Advanced Interface Control Console screen. The detected Mass Storage Device will be listed in the Other Detected Drives, “Non-Active” drive panel. The Evidence drive will be listed in the Destination Drives panel list. NOTE: If the Mass Storage Device is not detected, reseat the device data
cable and select Detect Drives again.
13. Using the touch screen display, select and move the listed Mass Storage Device model from the Other Detected Drives Panel to the Source Drive Panel.
14. Verify all remaining applicable settings and optionally enter Case Information using the CASE INFO screen functions. It is recommended to enable the Hash Targets function. Selecting Hash Targets will result in the Capture operation generating the Hash value for the data read from the Suspect drive and the data written to the Evidence drive. After all the data is written to the Evidence drive, the Capture operation will generate the Hash value for the data read from the Evidence drive.
Hash values generated during the capture operation are generated for the data read from the Suspect’s drive not from the data read from the Evidence (target) drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function. As an alternative, the Evidence Drives can also be hashed after the capture operation using the Hash mode of operation.
15. Select START to begin the operation. Operational status information will be displayed during an operation.
16. After the operation completes, the Evidence drive will be powered OFF and the can be safely removed. Power OFF and disconnect the External Mass Storage device. The simulated drive status LEDs will be set to GREEN if the operation passes or RED if the operation fails. Log files will automatically be stored internally and can be transferred to external media using the unit’s USB ports, located on the back of the unit.
COMMON SETTINGS
Single Capture Settings Table 1
Menu Item Setting
Operational Modes Single Capture Bad Sector Handling Log and Skip Write-Verify Disable (Optional) Readback-Hash Enable (Optional) Transfer Buffer Size (64KB) – Located under Program Settings
10
Bad Sector Handling Abort Drive Hashing Methods CRC32: OFF
MD5: ON SHA1: OFF SHA2: OFF
LinuxDD Capture Settings Table 2
Menu Item Setting
Operational Modes LinuxDD Capture Bad Sector Handling Log and Skip Write-Verify Disable (Optional) Readback-Hash Enable (Optional) Transfer Buffer Size (64KB) – Located under Program Settings
10
Bad Sector Handling Abort Drive Hashing Methods CRC32: OFF
MD5: ON SHA1: OFF SHA2: OFF
File Size 4000