Ditto Forensic FieldStation

Protecting Your Digital AssetsTM

Wiebetech Branding

2c85m76yPMS 711C

66c7m7yPMS 299C

Product Name:Univers 73 Black Extended

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Ditto Forensic FieldStationUser ManualFeatures

• Sourceinputs(write-blocked)–eSATA(SATA),PATA,USB2.0,PCIex1expansionport,andgigabitnetwork(NFS,iSCSI,SMB)

• Destinationoutputs–DualeSATA(SATA)portstostoreacquireddataononeortwodisks,SDcard,orgigabitnetwork(iSCSI,NFS,SMB)

• Data acquisitionmodes – physical imageDD, physical imageE01with empty blockcompression,logicalimageL01,clone,andsimultaneousclone&image.

• Hashtypes-MD5,SHA-1,MD5+SHA-1

• Remoteusage–Performoperationsusingthewebbrowserinterfacefromanyremotenetworkedlocationintheworld

• SystemconfigurationmanagementviafrontpanelLCDorwebbrowserinterface

• Userprofilescanbepasswordprotectedandassignedspecificpermissionlevels

• Data log captures a completehistory of data acquisitions and canbemanaged andprintedfromwebbrowserorextractedtoauser-specificdocument

• StealthModeavailableforusewithnightvisiongoggles(notincluded)

2


Ditto Forensic FieldStation User Manual

TABLE OF CONTENTS1Pre-InstallationSteps 2

2Setup 3

3BrowserInterface 3

3.1AccessingtheBrowserInterface 3

3.2IconsUsedintheBrowserInterface 5

3.3UserAccounts 6

4HomeScreen 6

4.1Action 6

4.1.1CloneSourceDisk 7

4.1.2PhysicalImageSourceDisk 7

4.1.3LogicalImageSourceDisk 8

4.1.4CloneandImageSourceDisk 10

4.1.5EraseDestinationDisk 11

4.1.6HashDisk 12

4.1.7SnapshotDisk 12

4.1.8NetViewScan 12

4.2InvestigationInfo 13

4.3SystemSettings 13

4.4CurrentStatus 13

4.5Disks 14

4.6SystemLog 15

5ConfigureScreen 16

6AdminScreen 27

6.1UserAccounts 27

6.2PermissionLevels 27

6.3AddingaNewUser 28

6.4EditinganExistingUser 28

6.5DeletingaUser 28

7LogsScreen 28

8UtilitiesScreen 29

9UsingtheFrontPanelInterfaceinStandaloneMode 31

10StealthMode 35

11AdvancedFeaturesandFunctions 36

11.1NetviewScan 36

11.2TargetMode:RemotelyAccessDisksAttachedtotheDittoForensicFieldStationwithThirdPartySoftware 38

11.3UsingiSCSIDevices 39

11.4UsingNFSandSMB(Samba)Shares 42

11.5AddingaNewLogicalImageMode 42

12UpgradingFirmware 43

13TechnicalSpecifications 45

1 PRE-INSTALLATION STEPS

1.1 PACKAGE CONTENTS

The following listcontains the itemsthatare included in the

completeconfigurationforthisdevice.PleasecontactCRUif

anyitemsaremissingordamaged:

DittoForensicFieldStationUnit 1

UnitizedSAS-to-eSATA+Mini-Fitpowercable 3

IDEcable 1

12Vpowersupply 1

Powercord 1

Legacypower-to-Mini-Fitcable 1

Ethernetcable(RJ45) 1

2.5”IDE-to-3.5”IDEandMini-Fitcable 1

Poweradapter,legacy-to-SATA 1

Velcrocablewrap 6

eSATAcable 2

SDcard(pre-installed) 1

QuickStartGuide 1

1.2 IDENTIFYING PARTS

TakeamomenttofamiliarizeyourselfwiththepartsoftheDitto

ForensicFieldStation.Thiswillhelpyou tobetterunderstand

thefollowinginstructions.

TOP OF UNITPowerAvailableLEDs

LCDMenu

SourceLEDs

DestinationLEDs

NavigationButtonsforLCDMenu

3



2 SETUPPlugthe“suspect”disksordevicesintotheSource Inputssideof

theDittoForensicFieldStation.Allsourceinputsarewrite-blocked

topreventalteration.ThesourceinputsincludeaUSB2.0connec-

tionforUSBdevices,anRJ45gigabitEthernetconnection,anIDE/

PATAdiskconnection,andaneSATAconnectionforSATAdisksor

aneSATAdevice.Theexpansionmoduleconnectionisusedwith

theSAS,USB3.0,andotherDittoForensicFieldStationexpansion

modules.

UsetheDestination OutputssideoftheDittoForensicFieldSta-

tion to store acquired data.The destination output connections

includetwoeSATAconnectionsforSATAdisksoreSATAdevices

andanRJ45gigabitEthernetconnection.

TherearoftheDittoForensicFieldStationhasanSDcardslotand

two powering options: a 12V input for the power supply, and a

SATApowerconnection.Therearalsohasahookforhangingthe

unitinsidethecomputercaseorworkstation.

CRU recommends that you switch thepoweroff totheDittowhenyouaddorremoveadevicefromitinordertoavoiddiskdamageanddatacorruption.

3 BROWSER INTERFACETheDitto Forensic FieldStation can be configured and operated

either from the Front Panel (see Section 9) or through a web

browser.

3.1 ACCESSING THE BROWSER INTERFACE

3.1.1 Accessing Via A Network

a. Plug an Ethernet cable into the Ethernet port on the

“SourceInputs”sideoftheDittoForensicFieldStation.

b. Connect the other end of theEthernet cable to your

network.Thisusuallymeanspluggingitintoarouteror

hub.Inanofficeenvironment,youmayhaveanetwork

jackbuiltintoyourofficewall.

c. Connect the power cable to the rear of the Ditto

Forensic FieldStation and to the providedAC adapter

ortoSATApower.

d. Turn on theDitto Forensic FieldStation’s power using

theswitchontherearpanel.(0=off,1=on)

SOURCE INPUTS(allinputsarewrite-blocked)

RJ45GigabitEthernetConnection4-pinMini-FitPowerConnection

(DCPowerOutput)

IDE/PATAConnection

USB2.0TypeAConnection

ExpansionModuleConnection

eSATAConnection

DESTINATION OUTPUTSeSATAConnections RJ45GigabitEthernetConnection

StealthModeSwitch4-pinMini-FitPowerConnections

(DCPowerOutput)

REAR OF THE UNIT

HangingHookPowerSwitch(0=off,1=on)

SDCardSlotSATAPowerConnection

PowerInputforACSupply

NOTE

4



e. Type the Ditto Forensic FieldStation’s source IP address into yourweb browser. If you know the

address,godowntothelaststepofthissection.Ifyoudonotknowtheaddress,continuetothenext

step.

f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”

menu.ThenpressEnter.

Settings

View/Edit>

g. PresstheUporDownnavigationbuttonsuntilyoureachthe“SourceIPAddress”screen.

h. TypetheIPaddressshownintoyourwebbrowser.

SourceIPAddress:

10.xxx.xxx.xxx

TheDittoForensicFieldStationisconfiguredbydefaulttouseDHCPforIPassignment. IfyouneedtochangetoastaticIPaddress,checkwithyournetworkadministratorandseeSection3.3.2ofthismanual.

i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconfiguresettingsandpreview,image,orcloneattached

disks.

3.1.2 Accessing Via Direct Connection to Your Computer

a. PluganEthernetcableintotheEthernetportonthe“DestinationOutputs”sideoftheDittoForensic

FieldStation.

b. ConnecttheotherendoftheEthernetcabletoyourcomputer’sEthernetport.

ThedestinationEthernetportcanbeconfiguredtoactasaserver.AttachingaDittoForensicFieldSta-tionactingasaservertoanexistingnetworkthroughthedestinationEthernetportwillcausenetworkconflicts.Therefore it is importanttoattachtheDittoForensicFieldStationdirectlytoyourcomputerinstead.TochangethissettingsothattheDittoForensicFieldStationnolongeractsasaserver,seeSection5.2.3.

c. ConnectthepowercabletotherearoftheDittoForensicFieldStationandtotheprovidedACadapter

ortoSATApower.

d. TurnontheDittoForensicFieldStation’spowerusingtheswitchontherearpanel.(0=off,1=on)

NOTE

NOTE

STOP!

5



e. Type theDittoForensicFieldStation’sdestination IPaddress intoyourwebbrowser.Thedefault IP

addressforthedestinationEthernetportis10.10.10.1.Ifyouhavechangedtheaddressanddonot

rememberit,continuetothenextstep.Otherwise,godowntothelaststepofthissection.

f. PresstheDownnavigationbuttonontheDittoForensicFieldStationuntilyoureachthe“Settings”

menu.ThenpressEnter.

Settings

View/Edit>

g. PresstheUporDownnavigationbuttonsuntilyoureachthe“Dest.IPAddress”screen.

h. TypetheIPaddressshownintoyourwebbrowser.

Dest.IPAddress:

10.xxx.xxx.xxx

i. Logintothebrowserinterface(thedefaultusernameandpasswordfortheadministratoraccountare

both“admin”).

CRUrecommendsthatyouchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanagementpractices.

Youarenowreadytousethebrowserinterfacetoconfiguresettingsandpreview,image,orcloneattached

disks.

3.2 ICONS USED IN THE BROWSER INTERFACE

Thebrowserinterfaceusesseveraliconsthatmaybeclickedontoperformcertainactions.

ICON ACTION

InformationOpensawindowwithabriefdescriptionofthesettingtheinformationiconappearsnextto.

Refresh Refreshesthefieldthattheiconappearsnexttoinordertogiveupdatedinformation.

Reset LoadsthedefaultsforthesettingthattheRefreshiconappearsnextto.

Add Addsauserdefinedfieldtoalistofitems.

Remove Removesauserdefinedfieldfromalistofitems.

NOTE

6



3.3 USER ACCOUNTS

TheDittoForensicFieldStationemploysauseraccountsystemtocontrolaccesstoitsfeatures.The“Login”

screenpresentsyouwiththeabilitytologinthroughhttp,oryoucanclicktheSecure Login (HTTPS) linkto

loginsecurely.Acceptthecertificateand/orcontinuetothewebsite,evenifyourbrowsertellsyouitdoes

notrecognizeit.

ThedefaultusernameandpasswordfortheAdministratoraccountareboth“admin”.CRUrecommendsthat

youchangetheadminaccountpasswordandcreateuseraccountsforindividualusersasbestdatamanage-

mentpractices.

ClickontheLog Out buttonatthetoprightofthebrowserinterfacetologout.

4 HOME SCREENThe“Home”screeniswhereyouwillperformmostofyouroperationswiththeDittoForensicFieldStation,andis

thedefaultscreentoloaduponloggingintothebrowserinterface.ClickontheHome tabtoaccessthe“Home”

sceenfromanyotherareaofthebrowserinterface.

4.1 ACTION

The“Action”panelletsyoustart,abort,anddocumentthefollowingactions.The“Start”buttonbeginsthe

action.The“Abort”buttonstopstheactioninprogress.ClicktheComment buttontowriteanotethatwill

beappendedtothelog.ClicktheConfigure buttontomodifythedefaultsettingsforeachaction,whichcan

alsobemodifiedonthe“Configure”screen(SeeSection5).

Figure 1. The“Home”screen.

7



4.1.1 Clone Source Disk

TheDittoForensicFieldStationmakesanexactduplicateofthesourcediskandcanclonetoasingleor

mirroreddestinationdisk.

Whilecloningthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1significantlyreducesperformance.

Toclone,followthesesteps:

a. Usingthebrowserinterface,selectClone Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktoclonefromthe“Source”drop-downbox.

c. Selectthedestinationdiskfromthe“Destination”drop-downbox.Toclonetotwodestinationdisksat

thesametime,selecttheMirror option.Destinationdisksdonothavetobethesamephysicalmedia

asthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,twodestinationdisksmustbeattached.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click

onthemessagetocontinue.

Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowsothatitisnotcontinuallyupdated.

Youcanviewtheresultsofthecloneactionbyscrollingdowntothe“SystemLog”panelonthe“Home”

screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/timestampformat:

“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs button fromthetopmenubar.

4.1.2 Physical Image Source Disk

TheDittoForensicFieldStationcreatesanE01orDDimageofthesourcediskononeortwodestination

disks.

Whileimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1significantlyreducesperformance.

Forthefastestperformance,werecommendutilizinganNTFSfilesystemforWindows,HFS+forMac,or

XFSforLinuxmachines.Tocreateaphysicalimage,followthestepsonthenextpage:

Figure 2. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“CloneSourceDisk”action.

Figure 3.The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“PhysicalImageSourceDisk”action.

NOTE

NOTE

NOTE

NOTE

8



a. Usingthebrowserinterface,selectPhysical Image Source Disk fromthe“ActiontoPerform”drop-

downbox.

b. Selectthesourcedisktoimagefromthe“Source”drop-downbox.

c. Selectwhichpartition(s)toimagefromthe“Partition”drop-downbox.ChooseAlltoimagetheentire

sourcedisk.

d. Select thedestinationdisk for the image from the“Destination”drop-downbox.To image to two

destinationdisksatthesametime,selectthe Mirror option.Destinationsdonothavetobethesame

physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.AquickwaytoaccomplishthisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Diskfromthe“ActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-tion4.1.5).YoumustalsogototheErase tabonthe“Configure”Screenandmakesurethat“FormatAfterErase” is unchecked (seeSection5.6), because if a destinationdisk has a partitionon it, the“Mirror”optionwillnotappear.

e. Selectwhichtypeofphysical imageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.The imagetypesavailableareE01orDD.Youcanmodifywhich imagetypeappearsby

defaultinthedrop-downboxonthe“Home”screen’s“SystemSettings”section(seeSection4.3),or

onthe“Configure”screen’s“System”tab(seeSection5.1).

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanincreasetheperformanceoftheoperationbyclickingoffofthebrowserinterfacewindowsothatitisnotcontinuallyupdated.

Youcanviewtheresultsoftheimageactionbyscrollingdowntothe“SystemLog”panelonthe“Home”


“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenubar.

4.1.3 Logical Image Source Disk

Logicalimagingallowsaninvestigatortoquicklyscanthecontentsofaharddiskandimageonlythefiles

andfoldersrelevanttotheinvestigationintoanL01,ZIP,TAR,orLISTfileformat.Datacanbeimagedto

oneortwodestinationdisks.Tocreatealogicalimage,followthesesteps:

a. SelectLogical Image Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktoimagefromthe“Source”drop-downbox,thenchoosewhichpartition(s)to

imagefromthe“Partition”drop-downboxunderneaththe“Source”drop-downbox.Ifyouselect“All”,

partitionswillbeimagedsequentially.

NOTE

Figure 4.The“Action” sectionon the“Home”screen, showingtheoptionsavailableforthe“LogicalImageSourceDisk”action.

NOTE

9



c. Selectthedestinationdiskforthelogicalimagefromthe“Destination”drop-downbox,thenchoose

thedestinationdiskpartitionfromthe“Partition”drop-downboxunderneath.Toimagetotwodestina-

tiondisksatthesametime,selecttheMirror option.Destinationdisksdonothavetobethesame

physicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

FortheMirrorfeaturetobeshown,bothdestinationdisksmustbeempty.AquickwaytoaccomplishthisistousetheDittoForensicFieldStationtoeraseeachdiskbyselectingErase Destination Diskfromthe“ActiontoPerform”drop-downboxandusingthe“ClearPartitionTable”erasemode(seeSec-tion4.1.5).YoumustalsogototheErase tabonthe“Configure”Screenandmakesurethat“FormatAfterErase” is unchecked (seeSection5.6), because if a destinationdisk has a partitionon it, the“Mirror”optionwillnotappear.

d. Selectwhichtypeoflogicalimageyouwouldliketocreatefromthe“LogicalImageType”drop-down

box.TheformatoptionsavailableareL01,TAR,ZIP,orLIST.(Youcanmodifywhichlogicalimagetype

appearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSection5.1.)

“LogicalImageSourceDisk”actionscreateareportofdirectoriesandfileschosenfromthesourcediskaswellastheirfilesizesandanyerrormessagesencountered.ThisreportcanbeviewedfromwithinthebrowserinterfaceandcanbeexportedasanExcelspreadsheet.SeeSection7.1.4.

e. SelecttheLogicalImageModefromthe“LogicalImageMode”drop-downbox.Seethelistoflogical

imagemodesattheendofthissubsectionforinformationonwhateachmodedoes.

f. IfyouchoseanyotherLogical ImageMode,click theStart buttonat thetopofActionsection.A

“Completed”messageboxwillpopupwhentheactionhasfinished.Clickonthemessagetocon-

tinue.

Ifyouchose“ManualSelect”,followthesesteps:

i. ClickonSelect Files & Dirs.Adialogboxwillopen.

ii. Usethenavigationtreetoselectthefilesandfoldersyouwishtoimage(SeeFigure5).

iii. ClicktheStart button atthebottomofthedialogbox.A“Completed”messageboxwillpopup

whentheactionhasfinished.Clickonthemessagetocontinue.

Youcanview the resultsof the logical imageactionbyscrollingdown to the“SystemLog”panelon

the“Home”screen.Findandclickonthelatest link,whichwillbedenotedbyafilenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

NOTE

NOTE

Figure 5.Thefilenavigationtree.

10



Logical Image Modes

BeginningwiththeSeptember19,2015firmwareupdate,theLogicalImageactioncanautomatically

searchforfilesthatfitthefollowingLogicalImageModes.Theactionwillsearchforspecificfileexten-

sionsspecifiedbytheLogicalImageMode.Seethenextpageforinformationonspecificfiletypes.

Logical Image Modes, continued...

• Manual Select: Enablesthe“SelectFiles&Dirs”buttonsothatyoucanmanuallyselectwhich

filestologicallyimage.

• All Files and Dirs: Imagesallfilesanddirectories.

• All Except Windows: ImagesallfilesanddirectoriesexceptfortheWindowsdirectory.

• All Except Windows and Programs: ImagesallfilesanddirectoriesexceptfortheWindows,

ProgramFiles,ProgramFiles(x86),andProgramDatadirectories.

• All Users - Windows: ImagestheWindows“Users”directory.

• All Temporary - Windows: ImagestheWindows/TempandTempdirectories.

• All Except Swap and Hibernate:Imagesallfilesanddirectoriesexceptfilesnamedhiberfil.sys,

pagefile.sys,Win386.swp,and386part.par.

• All Media Files: Imagesall.avi,.jpeg,.jpg,.wav,and.movfiles,aswellasallfileswithexten-

sionsbeginningin“.mp”(.mpeg,.mp4,.mp3,etc.)andallfileswithextensionsbeginningin“.m4”

(.m4a,.m4v,etc.).

• All Office Files: Imagesall.txtand.pdffiles,aswellasallfileswithextensionsbeginningin“.doc”,

“.xls”,“.ppt”(.doc,.docx,.xlsx,.pptx,etc.).

• All Financial Files:Imagesall.ifx,.ofx,.qfx,.qif,and.taxfiles.

Youmayalsoaddyourowncustomizedlogicalimagemodestothisdrop-downlist.Todoso,seeSec-

tion11.5.

4.1.4 Clone and Image Source Disk

Thisactionsimultaneouslycreatesacloneofthesourcediskononedestinationdiskandcreatesanimage

onaseconddestinationdisk.Two destination disks are required for this action.

Whilecloningandimagingthesourcedisk,theDittoForensicFieldStationcanalsohashthesourcediskusingtheMD5,SHA-1,orMD5+SHA-1algorithms.Selectthehashtypeunderthe“SystemSettings”panelonthe“Home”screen.SeeSection4.3.HashingwhileusingbothMD5+SHA-1significantlyreducesperformance.

Tosimultaneouslycreateacloneandaphysicalimageofthesourcedisk,followthesesteps:

a. SelectClone & Image Source Diskfromthe“ActiontoPerform”drop-downbox.

b. Selectthesourcedisktocloneandimagefromthe“Source”drop-downbox.

c. Selectthedestinationdiskfortheclonefromthe“CloneDestination”drop-downboxandthedestina-

tiondiskfortheimagefromthe“ImageDestination”drop-downbox.Destinationdisksdonothaveto

bethesamephysicalmediaasthesourcedisk,buteachmustbelargerthanthesourcedisk.

NOTE

11



d. Selectthedestinationdiskpartitiononwhichtosavetheimagefilefromthe“ImagePartition”drop-

downbox.

e. Selectwhichtypeofphysical imageyouwouldliketocreatefromthe“PhysicalImageType”drop-

downbox.TheimagetypesavailableareE01orDD.(Youcanmodifywhichimagetypeappearsby

defaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSection5.1.)

f. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsofthecloneandimageactionbyscrollingdowntothe“SystemLog”panelon

the“Home”screen.Findandclickonthelatestlinks,whichwillbedenotedbyafilenamewithadate/

timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetop

menubar.

4.1.5 Erase Destination Disk

TheDittoForensicFieldStationerasesthedestinationdiskusingyourpreferredEraseMode.TheErase

ModesavailableareClearPartitionTable,QuickErase,LBA/OffsetPattern,CustomErase,SecureErase

Normal,SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88Clear,andNIST800-88Purge.

Toeraseadisk,followthesesteps:

a. SelectEraseDestinationDiskfromthe“ActiontoPerform”drop-downbox.

b. SelecttheEraseModetousefromthe“EraseMode”drop-downbox.(Youcanmodifywhicherase

modeappearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.SeeSec-

tion5.1.)

c. Selectthetargetdestinationdisk(s)fromthe“Target”drop-downbox.

d. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsoftheerasureactionbyscrollingdowntothe“SystemLog”panelonthe“Home”



Format After Erase

YoucanconfiguretheDittoForensicFieldStationtoautomaticallyformatadiskafteryoueraseit.Click

ontheConfigure tabtogotothe“Configure”screen.ThenclickontheErase tabmakesurethat

“FormatAfterErase”ischeckedforeachoftheerasemodesonwhichyou’dliketoenablethissetting.

Figure 7.The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“EraseDestinationDisk”action.

Figure 6. The“Action”sectionon the“Home”screen, showingtheoptionsavailableforthe“Clone&ImageSourceDisk”action.

12



4.1.6 Hash Disk

TheDittoForensicFieldStationwillhashanysourceoradestinationdiskusingyourpreferredalgorithm.

HashvaluesaresavedintheSystemLog.Theavailablealgorithmsare“MD5”,“SHA-1”,or“MD5+SHA-1”.

Tohashadisk,followthesesteps:

a. SelectHash Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectyourpreferredhashalgorithmfromthe“HashType”drop-downbox. (Youcanmodifywhich

hashalgorithmappearsbydefaultinthedrop-downboxonthe“Configure”screen’s“System”tab.

SeeSection5.1.)

c. Selectthetargetdiskfromthe“Target”drop-downbox.

d. Selectthepartitionyouwanttohashfromthe“Partition”drop-downbox.

e. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanviewtheresultsofthehashactionbyscrollingdowntothe“SystemLog”panelonthe“Home”



4.1.7 Snapshot Disk

TheDittoForensicFieldStationprovidesS.M.A.R.T.andhdparminformationforanysourceordestination

diskconnectedtoitself.Nocloneorimagerequestneedstobedone.

Tocreateasnapshotofadisk,followthesesteps:

a. SelectSnapshot Disk fromthe“ActiontoPerform”drop-downbox.

b. Selectthetargetdiskfromthe“Target”drop-downbox.

c. ClicktheStart button.A“Completed”messageboxwillpopupwhentheactionhasfinished.Click


Youcanview the resultsof thesnapshotactionbyscrollingdown to the“SystemLog”panelon the

“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/time-

stampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickontheLogs buttonfromthetopmenu

bar.

Scrollto“eSATAExtendedDiskInfo”toseerecordeddata,includingS.M.A.R.T.andhdparminformation.

4.1.8 NetView Scan

NetViewisanetworktoolthatcanbeusedtodiscovermachinesonanetworkandevenprobethemfor

specificservicesthattheymayberunning.Thiscapabilitycanhelpaninvestigatorlocatephysicallyhidden

Figure 9. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“SnapshotDisk”action.

Figure 8. The“Action”sectionon the“Home”screen, showingtheoptionsavailableforthe“HashDisk”action.

13



computersorquicklydeterminewhetheramachineisactingasadatastoragedevice

thattheDittoForensicFieldStationcanimage.

SeeSection11.1formoreinformationabouttheNetViewScanfeature.

4.2 INVESTIGATION INFO

TheInvestigationInfopanelgroupsrelatedinformationthatmayalsobeusedincreating

customdirectoriesandfilenames (seeSection5.8).The“Hide”buttonallowsyouto

minimizethepanel.

Click theEdit button to enter information about the Investigator,CaseNumber,Evi-

denceNumber,Description,Notes,Basedirectoryprefix,andaBasefilenameprefixfor

anE01orDDimage.

Eachfield isfilteredtoblocknon-printableASCIIcharacters.Anycharactersat thefile

systemlevelthatmaynotbesafeforadirectorynameorfilenamewillbefilteredout

andreplacedwithanunderscore.OnlyprintableASCIIcharactersarecurrentlyallowed

fordirectoryandfilenames.Multipleunderscoreswillalsobereducedtoasingleunder-

scorepernamingitem.

TheDittoForensicFieldStationwillgenerateanerrormessageifyouenteranon-print-

ableASCII character or if yourmessage exceeds the 58 character limit.Additionally,

whenthefinaldirectoryorfilenamethatusesanyofthesefieldsiscreated,anotherlevel

offilteringisapplied.

Usingapostrophes(‘)inthenamefieldswillcauseanerrorwhenthefileorfoldernameiscreated.TheyshouldnotbeusedintheInvestigationInfofields.

4.2.1 User Defined Fields

Clickonthegreen plus sign icontoopenthe“AddUserDefinedField”window(see

Figure12).Youmayaddasmanyuserdefinedfieldsasyouwish.Eachuserdefined

fieldmusthaveatitle,XMLtag,andvalue.

The title identifies the value in theDittoForensicFieldStation’sbrowser andLCD

interfaces,andtheXMLtagonlyappearsintheconfigurationandlogfiles.

Toremoveauserdefinedfield,clickonthegreen minus sign icon.

4.3 SYSTEM SETTINGS

DisplaysthecurrentconfigurationsettingsoftheDittoForensicFieldStation.Theseset-

tingsareloadedasthedefaultsettingsfortheactionsyouperforminthe“Action”panel.

The“Hide”buttonallowsyoutominimizethepanel.ClicktheEdit buttontocustomize

thesesettings.SeeSection5.1fordetailsoneachoption.

4.4 CURRENT STATUS

Reportseitheras“Idle”ordisplaysinfoabouttheactionthattheDittoForensicFieldSta-

tioniscurrentlyperforming.

STOP!

Figure 11. The“InvestigationInfo”section.

Figure 13.The“SystemSettings”section.

Figure 14. The“CurrentStatus”section,displayingathestatusofaPhysicalImageaction.

Figure 10.The“Action”sectiononthe“Home”screen,showing theoptionsavailable for the“NetviewScan”action.

Figure 12. The“AddUserDefinedField”window.

14



4.5 DISKS

DisplaysinformationabouttheattatcheddisksthatarecurrentlyconnectedtotheDitto

ForensicFieldStation.The“Hide”buttonallowsyou tominimize thepanel.Tosee the

availablespaceadiskhas,clickthegreen double arrow iconnextinthe“Used”column

header(seeFigure16).Thediskusagewillrefreshandgiveanupdatedamount.

The“TargetMode”buttonallowsyoutopresentthedisksattachedtotheDittoForensic

FieldStationasiSCSIdisksonanetwork.Thisisusefulifyouwishtousethirdpartydata

acquisitiontoolsagainstthediskswithoutcreatinganimage.The“SourceNetwork”and

“SourceDestination”buttonsareusedformountingiSCSIdevicesaswellasNFSand

SMBsharestotheDittoForensicFieldStation.Formoreinformation,seeSection11.

4.5.1 Previewing and Browsing Disks

Tobrowseordownloaddiskdata,ortoselectfilesandfoldersforlogical imaging,

clickonapartition’snumberunderthedisk’s“Partition”columnandthenselectPre-

view(seeFigure17).Thisopensupafileexplorerwindowwhereyoucannavigate

throughthefilesandfoldersonthedisk.

Directory Toolbar and Right-Click Context Menu Items

ICON ACTION

CollapseFolderTreeCollapsestheentirefoldertreesothatonlythepreviewedpartition’sfolderisvisible.

Refresh Refreshesthefoldercontentsinordertogiveupdatedinformation.

Up Movesuptotheparentfolder.

Back Movesbacktothepreviouslyviewedfolder.

Folders Toggleswhetherfoldersaredisplayedinthecontentspanel.

SelectMode Togglestheabilitytoselectindividualfilesforlogicalimaging.

Figure 15. The“Disks”sectiononthe“Home”screen.

Figure 16. Clickingthegreendoublearrowicondisplaysandupdatesamountofspacecurrentlyusedandavail-able.

Figure 17. Drop-downmenusforadisk(left)andadisk’spartition(right).

15



Directory Toolbar and Right-Click Context Menu Items, continued...

ICON ACTION

DetailView/ListViewToggleswhethertheSize,Type,DateCreated,DateModfied,andDateAccessedcolumnsarevisible.

SizeFormatChangeswhetherfilesizesinthe“Size”columnaremeasuredasbytesorasmegabytes,gigabytes,etc.

ViewOpenstheselectedfile.ImagesandPDFfileswillopeninapreviewwindow.Otherfileswillopenadialogboxtodownloadthefiletoyourcomputer.

Download Opensadialogboxtodownloadtheselectedfiletoyourcomputer.

HashOpensaninfowindowwiththeselectedfile’sname,MD5hash,andfilesizeinbytes.

HexViewOpensthefileintheDittoForensicFieldStation’sbuilt-inhexadecimalviewer.

Logically Image Data

Tologicallyimagedatausingthe“Preview”window,clickontheSelect Mode buttonandthencheck

theboxnexttoeachfileorfolderyouwantto logically image.Whenyouarefinished,clickonthe

Stage buttoninthelowerrightcornerofthe“Preview”window.Youwillbetakenbacktothe“Home”

screen.Usethe“Action”controlpanelasdirectedinSection4.1.3.Whenyouclickon“SelectFiles&

Dirs”,youwillbeaskedtoconfirmwhethertologicallyimagethefilesandfoldersyouhaveselected,

ortoselectnewfilesandfolders.

4.5.2 View Hexidecimal Data

Toviewadisk’shexidecimaldata,clickonthedisknameunderthe“Port”columnandthenselectHex-

View. Toviewadiskpartition’shexidecimaldata,clickonthepartition’snumberunderthedisk’s“Parti-

tion”columnandthenselectHexView (seeFigure17).

4.5.3 View Snapshot Data

Toviewadisk’ssnapshotinformation,clickonthedisknameunderthe“Port”columnandthenselect

Snapshot.

4.6 SYSTEM LOG

Shows the actions that theDitto Forensic FieldStationhasperformed (seeFigure18).The“Hide”button

allowsyoutominimizethepanel.The“Comment”buttonallowsyoutowriteanotethatisappendedtothe

log.

IfthereisnoSDcardpresentintheSDcardslot,thispaneldisplaysthelogsthathavebeenstoredinvola-

tilememorysincetheDittoForensicFieldStation’slastpowercycle.TheselogsaredeletedwhentheDitto

ForensicFieldStationispowereddown.IfthereisanSDcardpresent,thispaneldisplaysallactionssavedon

theSDCard.

Toviewthe logdetailsofaparticularaction,clickonthe linkunderthe“Message”column.whichwillbe

denotedbyafilenamewithadate/timestampformat:“S_yyyymmddhhmmss”.Alternatively,youcanclickon

theLogs buttonfromthetopmenubar.

16



5 CONFIGURE SCREENThe“Configure”screenallowsyoutomodifythewaytheDittoForensicFieldStationfunctionstosuityourspe-

cificneeds.ClickontheConfigure tabtoaccessthe“Configure”screenfromthebrowserinterface.

5.1 SYSTEM

The“System”taballowsyoutoviewandcustomizethefollowingsettings.Thisinformationisalsodisplayed

inthe“SystemSettings”panelonthe“Home”screen.Whenyouarefinished,clicktheCommit Changes

buttontosavethechanges.

• Default Format: Thisisthedefaultfilesystemthatwillbeusedtoformatdestinationdiskswhenthey

areusedinactionsthattheDittoForensicFieldStationperforms.

• Physical Image Type: Setsthedefaultphysicalimagetypeforallactionsthatcreateaphysicalimage.

• Logical Image Type: Setsthedefaultlogicalimagetypeforthe“LogicalImageSourceDisk”action.

• Logical Image Mode:SetsthedefaultLogicalImageModeforthe“LogicalImageSourceDisk”action.

• Verify Single: Determineswhether individualdestinationdiskarehashedandcompared to thehash

valueofthesourcedisk’shashvalue.

Figure 18. The“Configure”screen,showingthe“System”tab.

Figure 18. The“SystemLogs”sectiononthe“Home”screen.

17



• Verify Mirror: Determineswhethermirroreddestinationdisksarehashedandcomparedto thehash

valueofthesourcedisk’shashvalue(s).YoucanchoosetoverifyeSATA-AoreSATA-Bindividually,both

disks,ornone.

• Verify Clone & Image: Determineswhetherclonedandimageddisksarehashedandcomparedtothe

hashvalueofthesourcedisk’shashvalueduringa“Clone&ImageSourceDisk”action.Youcanchoose

toverifytheclone,theimage,both,ornone.

• Log Disk Info: DetermineswhetherS.M.A.R.T.andhdparmdiskinformationisloggedbeforerunningan

action,afterrunninganaction,both,ornotatall.CRUrecommendsthatyoulogdiskinformationbefore

andafteranaction.

• HTML Logging: Logsarealwayssavedin.XMLformat.ThisoptioncausestheDittoForensicFieldSta-

tiontosavelogsinHTMLformataswell.

• DiskView Logging: Logsanyactiontopreviewadiskoractionsperformedwhilepreviewingadisk(i.e.

startingorfinishingapreviewofadisk,startingorfinishingaHexViewaction).

• Hash Type: Setsthedefaulthashalgorithmthatwillbeusedfordiskverificationandthe“HashDisk”

action.TheavailablealgorithmsareMD5,SHA-1,orMD5+SHA-1.Notethathashingwhileusingboth

MD5+SHA-1significantlyreducesperformance.

• Erase Mode: Setsthedefaulterasemodethatwillbeusedforallactionsthatrequireerasingdisks.

• Stealth Mode: TurnsoffallLEDsandLCDson theDittoForensicFieldStation.Thephysical“Stealth

Mode”Switchservesthesamepurpose(seeSection1.2).IfStealthModeisenabledfromthebrowser

interface,thephysicalswitchcannotoverrideit.

• LCD/LED Brightness:SetstherelativebrightnessoftheLCDsandLEDsonthefaceoftheDittoForensic

FieldStationonascaleof1to255.

• Audible Buzzer: Thisisaplannedfeaturethatisnotcurrentlyimplemented.Theaudiblebuzzerwillalert

theusertovariousactionsthatoccurwhenusingtheDittoForensicFieldStation.

• Prompt Invest. Info: Opensa“ConfigureInvestigationInfo”windowaftertheuserhashitthe“Start”

buttoninthe“Action”sectiononthe“Home”screen.ThisallowstheusertocustomizetheInvestigator,

CaseNumber,EvidenceNumber,Description,Notes,BaseDirectoryName,andtheBaseFileName

informationpriortoperformingtherequestedaction.

• LCD Prompt Case: Fiveoptionsmaybechosentomodifythecasenumberspecifiedinthe“Investi-

gationInfo”sectionofthe“Home”screen.Thecasenumber is includedinthelogfortherequested

action.“Disabled” leaves thecasenumberas it is.“Inc/Dec”allowsyou tomanually increment the

casenumberupordownusingthenavigationbuttonsonthefaceof theDittoForensicFieldStation.

“AutoInc” automatically increments the case number, and“AutoInc/Pause” automatically increments

thecasenumber,butdisplaysaconfirmationprompttheLCDscreenbeforebeginningtherequested

action.TheseoptionsrequireanumbertobepresentontheendoftheCaseNumberspecifiedinthe

“InvestigationInfo”section.

• LCD Prompt Evidence: Fiveoptionsmaybechosentomodifytheevidencenumberspecified inthe

“InvestigationInfo”sectionofthe“Home”screen.Theevidencenumberisincludedinthelogforthe

requestedaction.“Disabled” leaves theevidencenumberas it is.“Inc/Dec”allowsyou tomanually

incrementtheevidencenumberupordownusingthenavigationbuttonsonthefaceoftheDittoForensic

18



FieldStation.“AutoInc”automaticallyincrementstheevidencenumber,and“AutoInc/Pause”automati-

callyincrementstheevidencenumber,butdisplaysaconfirmationprompttheLCDscreenbeforebegin-

ningtherequestedaction.TheseoptionsrequireanumbertobepresentontheendoftheEvidence

Numberspecifiedinthe“InvestigationInfo”section.

• Quick Start: Enablesthe“QuickStart”screenontheLCDthatappearsafteryoubootorreboottheDitto

ForensicFieldStation.Thesettingsforthismodemaybemodifiedinthe“QuickStart”tab.SeeSection

5.9.

5.2 NETWORK

The“Network”taballowsyoutoviewandcustomizethefollowingsettings.Ifyouareunsureorhaveques-

tionsaboutchangingyournetworksettings,contactyournetworkadministrator.Whenyouarefinished,click

theCommit Changes buttontosavethechanges.

5.2.1 Host Name

AllowsyoutochangewhatnamefortheDittoForensicFieldStationwillbedisplayedonanetwork.Host

namesarenotcasesensitive,butmustbeginwithanyletter“A-Z”.TheycancontainthethelettersA-Z,

numbers0-9,underscore“_”,anddash“-”characters.Hostnamesmustalsobelimitedto64characters.

Figure 20. The“Network”tabonthe“Configure”screen,showingthe“Source”,“Destination”,and“Wifi”networksettings.The“WifiNetwork”sectiononlyappearswhenaUSBwirelessnetworkadapterhasbeenpluggedin.

19



5.2.2 Source Network

The“SourceNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsIPassign-

mentmethod.Youcanchooseeither“DHCP(AutoConfig)”or“StaticIP(ManualSettings)”fromthetop

drop-downbox.

The“RemoteAccessibility”drop-downboxallowsyoutochoosewhetherornottheDittoForensicField-

StationrespondstoanynetworktrafficviathesourceEthernetport.

5.2.3 Destination Network

The“DestinationNetwork”sectiondisplaysthesourceEthernetport’sMACAddressaswellasitsnet-

workingmode.Youcanchooseeither“Server”,“Client(DHCP)”,or“Client(StaticIP)”fromthedrop-down

box.

Server

“Server”allowsyoutoconfiguretheDittoForensicFieldStationforuseasaserver.Thiscanbehelpful

ifyouareconnectinganiSCSIdevicetothedestinationEthernetport,forexample(seeSection11.3.2),

or you are connectingDittodirectly to your computer insteadof throughyourofficenetwork.The

defaultsettingsbelowwillworkformostenvironments.Thisisanadvancedoption,sodonotcus-

tomizethedefaultserverconfigurationbelowunlessdirectedtodosobyyournetworkadministrator.

IP Address: 10.10.10.1

Subnet Mask: 255.255.255.0

DHCP Server: Enabled

DHCP Start Address: 10.10.10.100

DHCP End Address: 10.10.10.199

DNS Server: Enabled

DNS Domain Name: ditto.local

NTP Server: Enabled

NAT Gateway: Disabled

DonotconnecttheDittoForensicFieldStationtoanothernetworkwhileit isconfiguredasaserver.Doingsowillcausenetworkconflictsandmaydisruptnetworktraffic.

Client (DHCP)

ThisoptionautomaticallyconfiguresthedestinationEthernetporttoconnecttotheattachednetwork.

Client (Static IP)

ThisoptionallowsyoutomanuallyconfigurethedestinationEthernetporttoconnecttotheattached

network.

5.2.4 Wifi Network

The“WifiNetwork”sectionallowsyoutoconfigureathirdpartyUSBwifinetworkadapterthat’sbeen

pluggedintothe“SouceInputs”USBport. Italsodisplaysthatport’sMACAddress.Adapterswithan

AtheroschipsetandsomeadapterswithRealtekchipsetsarecompatible.

TheDittoForensicFieldStationcanhandlemultipleUSBdevicesthroughaUSBhubattachedtotheUSBportonthe“SourceInputs”sideoftheForensicFieldStation.

STOP!

NOTE

20



“WifiMode”allowsyoutodeterminewhethertheDittoForensicFieldStationconnectstoawifinetwork

oractsasawifihotspotitself.HotSpotModeishelpfulifyouareworkinginaseparatelocationfrom

theDittoForensicFieldStationthatisstillwithinrangeofawirelessnetwork,orifthereisnohardwired

networkavailableinthelocation.

Choose“ClientMode” toconnect toanexistingwifinetworkor“HotSpotMode” tomake theDitto

ForensicFieldStationintoawifihotspot.

Client Mode

Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtoconnecttothespecifiedwire-

lessnetworkautomatically.

Toselecttheclientmode’snetworkingmode,youcanchooseeither“Client(DHCP)”or“Client(Static

IP)fromthedrop-downboxunderneaththeMACAddress.“Client(DHCP)”automaticallyconfigures

theUSBwifinetworkadaptertoconnecttoawifinetwork.“Client(StaticIP)”allowsyoutomanually

configuretheconnection.

Hot Spot Mode

Check“Status:AutoStart”ifyouwanttheDittoForensicFieldStationtobeginbroadcastingasahot

spotautomaticallywheneverawifiadapterispluggedin.

Thedefaultsettingsbelowwillworkformostenvironments,withseveralexceptions.

InputyourownkeytoensurethatyourDittoForensicFieldStationremainssecure.

Youmayberequiredtoconformtoyourcountry’s lawsandregulationsregardingwirelessradiofre-quencyusage.Selectyourtwo-digitcountrycodefromthe“RegulatoryDomain”dropdownlist,andtheDittoForensicFieldStationwilllimitthefrequenciesitmaybroadcastontoonlythoseintheper-mittedrange(s).

DonotconnecttheDittoForensicFieldStationtoawirednetworkwhileitisconfiguredasahotspot.Doingsowillcausenetworkconflictsandmaydisruptnetworktraffic.

SSID: {HostName}-wifi

Regulatory Domain: Global

Band: G-2.4GHz

Channel: Auto

Broadcast: Checked

Security: WPA2Personal

Key: ditto123

Show Key: Unchecked

IP Address: 10.10.10.1

Subnet Mask: 255.255.255.0

DHCP Server: Enabled

DHCP Start Address: 10.10.20.100

DHCP End Address: 10.10.20.199

Moresettingsareavailableonthenextpage.

STOP!

STOP!

STOP!

21



Hot Spot Mode, continued...

DNS Server: Enabled

DNS Domain Name: dittowifi.local

NTP Server: Enabled

NAT Gateway: Disabled

5.3 CLONE

The“Clone”taballowsyoutoviewandcustomizethefollowingsettingsfordiskcloningactions,including

the“Clone&ImageSourceDisk”action.Whenyouarefinished,clicktheCommit Changes buttontosave

thechanges.

5.3.1 Typical Settings

• Source HPA/DCO: SetswhetherthecloningactionshouldindicateinthelogthatthereisanHPA

(hostprotectedarea)orDCO(deviceconfigurationoverlay)present, temporarilybypasstheHPA,

permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

• Fill to End of Disk: Checkthisboxtoenablezeroestobewrittentotheendofthedisk.

• Reset HPA After Fill: SetstheHPAonthedestinationdisksothatthecapacityofthedestinationdisk

isidenticaltothecapacityonthesourcedisk.

5.3.2 Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow buttontorevealthem.

• Buffer Size: SetsthethebuffersizeusedbytheDittoForensicFieldStationduringacloningaction.

Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)worksbestformostuses.

Themaximumsizeislimitedbythetargetfilesystem.

• Exit when a bad sector is encountered: AbortsthecloningactioniftheDittoForensicFieldStation

encountersabadsectoronthesourcedisk.

5.4 PHYSICAL IMAGE

The“PhysicalImage”taballowsyoutoviewandcustomizethefollowingsettingsforphysicalimagingactions,

includingthe“Clone&ImageSourceDisk”action.Thereareseparateoptionsavailableforboththe“E01”and

“DD”imagetypes.Whenyouarefinished,clicktheCommit Changes buttontosavethechanges.

5.4.1 E01

ClickontheE01 tab torevealtheE01imagesettings.

Typical Settings

• Image File Segment Size: Allowsyoutospecifythesizeinbytesthat imagefilesegments

shouldbe.Theminimumsizeis1M(megabyte).Themaximumsizeislimitedbythetargetfile

system.Ifthisfieldisleftblank,themaximumsizewillbeused.Clickthe“I”informationicon

formoreinformation.

• Source HPA/DCO: Setswhetherthephysicalimageactionshouldindicateinthelogthatthere

is an HPA (host protected area) or DCO (device configuration overlay) present, temporarily

bypasstheHPA,permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

22



• Compression Type: Setswhethertheactionshoulduseemptyblockcompressionornocom-

pression.

• EWF File Format: ChoosewhichEnCaseimagefileformatshouldbeusedduringE01physical

images.CRUrecommendsusing“encase6”formostacquisitions.

Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow buttontorevealthem.

• Buffer Size: Sets the the buffer size used by theDitto Forensic FieldStation during anE01

physicalimageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)

worksbestformostuses.Themaximumsizeislimitedbythetargetfilesystem.

• Error Granularity: Determineshowmanysectorsareignoredonareaderror.Theminimum

sizeis512bytes.ThedefaultsizeistheBufferSize.Themaximumsizeislimitedbythetarget

filesystem.

• Swap Byte Pairs of the Media Data (endian conversion): Check this box if you need to

convertfrombig-endiantolittle-endianorvice-versa,whichmaybenecessaryfordisksusedin

olderx86orPowerPC-basedsystems.

• Wipe Sectors on Read Error (mimic EnCase-like behavior): Ifareaderror isencountered

duringanE01physicalimageaction,theDittoForensicFieldStationwillwriteoutzeroestofill

thesector.

• Read Error Retries: SpecifiesthenumberoftriestheDittoForensicFieldStationwilltrytoread

asectorbeforemovingontothenextsector.

5.4.2 DD

ClickontheDD tab toconfiguretheDDimagesettings.

Typical Settings




formoreinformation.

• Source HPA/DCO: SetswhetherthephysicalimageactionshouldindicatethatthereisanHPA

(host protected area) orDCO (device configurationoverlay) present, temporarily bypass the

HPA,permanentlyunhidetheHPA,orpermanentlyunhideboththeHPAandDCO.

Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow button torevealthem.

• Buffer Size: SetsthethebuffersizeusedbytheDittoForensicFieldStationduringaDDphysical

imageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)works

bestformostuses.Themaximumsizeislimitedbythetargetfilesystem.

• Exit when a bad sector is encountered: Aborts theDDphysical image action if theDitto

ForensicFieldStationencountersabadsectoronthesourcedisk.

23



5.5 LOGICAL IMAGE

The“Logical Image” tab allowsyou to viewand customize the following settings for the“Logical Image

SourceDisk”action.TherearedifferentoptionsavailableforeachoftheL01,ZIP,TAR,andLISTfiletypes.

Whenyouarefinished,clicktheCommit Changes buttontosavethechanges.

5.5.1 L01

ClickontheL01 tab toconfiguretheL01imagesettings.

Typical Settings




formoreinformation.

• Log File Access/Modify/Change Times: Checkthisboxtologtheaccess,modify,andchange

timestampsoffilesanddirectoriesduringanL01logicalimageaction.

• Compression Type: Setswhethertheactionshoulduseemptyblockcompressionornocom-

pression.

• Per File Hash Type: Setsthedefaulthashalgorithmthatwillbeusedforindividualfileverifica-

tion.TheavailablealgorithmsareMD5andSHA-1.Thedefaultsettingis“None”.

Advanced Settings

Theadvancedsettingsmaybehidden.ClicktheShow button torevealthem.

• Buffer Size: SetsthethebuffersizeusedbytheDittoForensicFieldStationduringanL01logical

imageaction.Theminimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)works

bestformostuses.Themaximumsizeislimitedbythetargetfilesystem.

• Read Error Retries: SpecifiesthenumberoftriestheDittoForensicFieldStationwilltrytoread

asectorbeforemovingontothenextsector.

5.5.2 ZIP and TAR Settings

ClickontheZIP or TAR tabtoconfigurethesettingsforeitherofthoselogicalimagetypes.

• Log File Access/Modify/Change Times: Check this box to log the access,modify, and change

timestampsoffilesanddirectoriesduringthelogicalimageaction.Thissettingisformat-dependent.

5.5.3 LIST Settings

ClickontheLIST tabtoconfiguretheLISTimagesettings.

• Log File Access/Modify/Change Times: Check this box to log the access,modify, and change

timestampsoffilesanddirectoriesduringthelogicalimageaction.Thissettingisformat-dependent.

• Validate File Extensions: UsesMIMEtomakesure that thefileheadersof thefileswithin the

newlycreatedlogicalimagelistmatchtheirfileextensions.Anyquestionablefilesarehighlightedin

theLogicalImageReport.

24



5.6 ERASE

TheDittoForensicFieldStationallowsyoutoviewandcustomizesettingsforhowtheDittoForensicFieldSta-

tionerasesdisks.

5.6.1 Available Erase Modes

ERASE MODE EXPLANATION

ClearPartitionTable Removesthepartitiontableonthedisk.

QuickErase Performsasinglepasswritingallzeroes.

LBA/OffsetPattern Writesbyte/LBAinfotoeachsector.Each512bytesectoriswrittenwith:B_XXXXXXXXXXXXXXL_DDDDDDDDDDDD‘XXXXXXXXXXXXXX’istheByteoffsetasahexadecimalstring,and‘DDDDDDDDDDDD’istheLBAnumberasadecimalstring.Theremainderofthesectorisfilledwithzero.

CustomErase Performs1-99passes,overwritingthediskwithzeroesorauser-selectedpattern.

SecureEraseNormal Initiatesthedisk’sbuilt-inSecureEraseNormalfunction.

SecureEraseEnhanced Initiatesthedisk’sbuilt-inSecureEraseEnhancedfunction.

DODClear PerformstheU.S.DepartmentofDefense“Clear”standardbywritingzeroestothedrive.

DODSanitize PerformstheU.S.DepartmentofDefense“Sanitize”standardbyusinga0xAAAAAAApattern,thenitscomplement,andthenanotherunclassifiedpattern.

NIST800-88Clear Performsthe“Clear”standarddefinedbyNISTspecialpublication800-88bywritingallzeroestothedrive.

NIST800-88Purge Performsthe“Purge”standarddefinedbyNISTspecialpublication800-88.byinitiatingthedrive’sbuilt-inSecureErase(Normal)command.

Figure 21. The“Erase”tabonthe“Configure”screen,showingallavailableerasemodesandtheircustomizablesettings.

25



5.6.2 Customizable Settings

SomeEraseModesrequireseveralofthefollowingsettingstobeconfiguredacertainwayaspartoftheir

standard.Inthesecases,thesettingscannotbemodified.

• Mode Name: Thenameoftheerasemode.

• HPA/DCO Handling: SetshoweraseactionsusingthespecifiederasemodeshouldhandleHPAs

andDCOs.ItcanindicateinthelogthatthereisanHPA(hostprotectedarea)orDCO(deviceconfig-

urationoverlay)present,temporarilybypasstheHPA,permanentlyunhidetheHPA,orpermanently

unhideboththeHPAandDCO.

• Passes: Forthe“CustomErase”settingonly,thisallowsyoutospecifythenumberofpassesthe

diskisoverwrittenduringtheeraseaction.Youcanspecifybetween1and99passes.

• Overwrite Method: Forthe“CustomErase”settingonly,youcanspecifyapatternforthediskto

writerepeatedlyacrosstheentiredisk.If“text”isselectedfromthedrop-downbox,the“Pattern”

fieldmustcontainoneormoreASCIIcharacters.If“hex”isselected,the“Pattern”fieldmustcon-

tainanevennumberofASCIIcharactersrepresentinghexadecimaldigits(e.g.17a64F).Leavingthe

“Pattern”fieldblanktellstheDittoForensicFieldStationtousezeroes.

• Verify: Thisisaplannedfeaturethatisnotcurrentlyimplemented.The“Verify”drop-downboxwill

allowyoutoverifytheeraseddiskafterithasbeenfullyerased.If“Quick”isselected,thebeginning,

middle,andendofthediskwillbereadtoensurethatthelastpatternwasactuallywritten.If“Full”

isselected,theentirediskwillbereadtoensurethatthelastpatternwasactuallywritten.If“None”

isselected,noverificationwillbeperformed.

• Format After Erase: Checkthisboxtoformatthediskwiththedefaultformat.Thedefaultformatcan

besetinthe“System”tabonthe“Configure”screen(seeSection5.1).

5.7 HASH

The“Hash”taballowsyoutoviewandcustomizethefollowingsettingsforallhashactions.Whenyouare

finished,clicktheCommit Changesbuttontosavethechanges.

• Buffer Size: SetsthethebuffersizeusedbytheDittoForensicFieldStationduringahashaction.The

minimumsizeis512K(kilobytes).Thedefaultsizeof1M(megabyte)worksbestformostuses.The

maximumsizeislimitedbythetargetfilesystem.

• Exit when a bad sector is encountered: AbortsthehashdiskactioniftheDittoForensicFieldSta-

tionencountersabadsectoronthetargetdisk.

5.8 NAMING

The“Naming”taballowsyoutocustomizehowtheDittoForensicFieldStationnamesdirectoriesandfiles

duringimagingactions.Whenyouarefinished,clicktheCommit Changes button tosavethechanges.

AsshowninFigure22onthenextpage,thefiledirectoryusedinimagingactionscanbeanamethatcontains

uptosixuser-selectablefields,andthefilenameusedinimagingactionscancontainuptofouruser-select-

ablefields.Asyoucustomizethesefields,the“DirectoryNameTemplate”,“FinalDirectoryName”,“FileName

Template”,and“FinalFileName”fieldswillupdate.Thetemplatefieldsshowtheorderofvariableswillappear

inthename,whereasthefinalnamefieldsdisplaythedirectoryorfilenameusingtheactualinformationfrom

the“InvestigationInfo”panelonthe“Home”screenandthesourcedisk.

26



5.8.1 Variables

Tomodifytheanyoftheuser-customizablevariables,navigatetothe“Investigation

Info”panelonthe“Home”screen(seeSection4.2).

• Timestamp/{Timestamp}: Displaysthetimestamp.Thetimestampisrequired

tobeincludedinalldirectorynames,butitisoptionalforfilenames.

• Base Filename: Displaysthebasefilename.Thisoptionisthedefaultfirstvari-

ableforfilenames,butmaybechanged.Usercustomizable.

• Case Number: Displaysthecasenumber.Usercustomizable.

• Description: Displaysthedescriptionfield.Usercustomizable.

• Evidence Number: Displaystheevidencenumber.Usercustomizable.

• Investigator: Displaystheinvestigator.Usercustomizable.

• Source Drive Model Type: Displaysthemodelnumberofthesourcedisk.

• Source Drive Unique ID: DisplaystheuniqueIDnumberofthesourcedisk.

5.9 QUICK START

The“QuickStart”taballowsyoutocustomizethequickstartmodethatappearsonthe

LCDoftheDittoForensicFieldStationwhenthe“QuickStart”optionisenabledinthe

“System”tab.Manyofthesettingsbelowarevisibleonlywhencertaintypesofactions

areselectedinthe“Actiontoperform”drop-downbox.

• Action to perform: Setstheactionthatisperformedbythequickstartmode.

• Allowed Sources: PlaceacheckmarknexttoeachsourcewhereyouwanttheDittoForensicFieldSta-

tiontosearchforaconnectedsource.

• Allowed Targets: PlaceacheckmarknexttoeachtargetwhereyouwanttheDittoForensicFieldStation

tosearchforaconnectedtarget.

• Clone Destination: Forthe“CloneSourceDisk”and“Clone&ImageSourceDisk”actionsonly.Speci-

fiesthetargetdestinationwherethesourcediskwillbecloned.

• Source Partition: Determineswhichpartition(s)will be imaged from thesourcedisk.ChooseAll to

imagetheentiresourcedisk.

• Image Destination: Specifiesthetargetdestinationwheretheimagewillbeplaced.

• Image Partition: Specifiesthepartitiononthetargetdestinationwheretheimagewillbeplaced.

• Action Target: Forthe“EraseDestinationDisk”actiononly.Specifieswhichtargetvolumewillbeerased.

Figure 22. The “Naming” tab on the “Configure”screen.

27



6 ADMIN SCREENThe“Admin”screenallowstheadministratortomanageuseraccountsandassignpermissionlevelsforeachuser.

ClickontheAdmin tabtoaccessthe“Admin”screenfromthebrowserinterface.

6.1 USER ACCOUNTS

TheDittoForensicFieldStationcontainstwopermanentaccounts;“admin”and“panel”.The“admin”account

istheAdministratoraccount,andonlytheFullNameandpasswordmaybemodified.The“panel”accountis

theFrontPanelaccount,andmodifiesaccesspermissionsforfunctionalitythatcanbeaccessedthroughthe

LCDscreenandnavigationbuttonsontheDittoForensicFieldStation.

6.2 PERMISSIONS

6.2.1 Permission Levels

Permissionlevelsonthebrowserinterfacearedisplayedas“FULL”,“AUTH”,orasahyphen,andas“Full

Access,“MustAuthenticate”,and“None”,respectively,wheneditingorcreatingauser.“FULL”and“Full

Access”indicatethattheuserhascompleteaccesstothefeaturesgovernedbythatpermissionandisnot

requiredtoenterapassword.“AUTH”and“MustAuthenticate”indicatethattheusermustauthenticate

hiscredentialswithapassword inordertochangeasettingorperformanactionthatthatpermission

governs.Ahyphenor“None”indicatesthattheuserdoesnothaveaccesstothefeaturesgovernedby

thatpermission.

6.2.2 Configurable Permissions

The following listofpermissionsspecifieswhateachcontrols,andcanbeconfiguredwhenaddingor

editingauseraccount.SomepermissionsfortheAdministratorandFrontPanelaccountswillbegreyed

outbydefault.

• Admin: “None”allowsaccesstomodifytheUserNameandFullNameoftheAdministrator,Front

Panel, and the user’s own account, and allows the user to change his or her ownpassword, but

blockstheuserfromviewinganyaccount’spermissionlevels.“ModifyUsers”enablestheusertobe

abletomodifyuseraccounts,passwords,andpermissions(exceptforthe“Admin”permission).“Full

Access”additionallyenablestheabilitytocreateanddeleteusersandassignthe“Admin”permission.

• Config: Governsallnon-networkconfigurationsettings, including those found in the“SystemSet-

tings”panelonthe“Home”screenandonalltabsonthe“Configure”screen.

• NetSettings: Controlsaccesstothenetworksettingsonthe“Configure”screen.

• Clone: Controlsaccesstothe“CloneSourceDisk”and“Clone&ImageSourceDisk”actions.

Figure 23. The“Admin”screen.

28



• Physical Image: Controlsaccesstothe“PhysicalImageSourceDisk”and“Clone&ImageSource

Disk”actions.

• Logical Image: Controlsaccesstothe“LogicalImageSourceDisk”action.

• Erase: Controlsaccesstothe“EraseDestinationDisk”action.

• Hash: Controlsaccesstothe“HashDisk”action.

• Snapshot: Controlsaccesstothe“SnapshotDisk”action.

• Netview: Controlsaccesstothe“NetviewScan”action.

• Abort: Controlsaccesstotheabilitytoabortactionsinprogress.

• Note: Controlsaccesstothe“Comment”buttonsinthe“Action”and“SystemLog”panelsonthe

“Home”screen.

• Logs: Controlstheabilitytodeletelogfilesfromthe“Logs”screen.

• DiskView: Controlstheabilitytopreviewanddownloadfilesfromthesuspectdriveviathe“Disks”

panelonthe“Home”screen.

6.3 ADDING A NEW USER

Toaddanewuser,clicktheAdd User button,entertheuser’sinformation,andsetthepermissionlevels.

Whenfinished,clickontheCommit Add button.

6.4 EDITING AN EXISTING USER

Toupdateauser’sname,password,orpermissions,clickontheuseraccountunderthe“UserName”column,

updatetheinformation,andthenclicktheCommit Edits button.

6.5 DELETING A USER

Todeleteauser,clickon theuseraccountunder the“UserName”columnandclickon theDelete User

button.Donotclickthisbuttonunlessyouareabsolutelycertainyouwishtodeletetheaccount.

7 LOGS SCREENThe“Logs”screenprovidesinformationabouttheDittoForensicFieldStation’sactions.ClickontheLogs tabto

accessthe“Logs”screenfromthebrowserinterface.

Actionlogsshowthetimestamp,thetypeofactionperformed,theuserwhoperformedtheaction,andalinkto

the“ActionLog”screenthatprovidesmoreinformationabouttheperformedaction.

7.1 ACTION LOG

7.1.1 Settings

DisplaysthesettingsoftheDittoForensicFieldStationthatwereactivewhentheparticularactionwas

performed.

7.1.2 User Permissions

Displaysthepermissionsoftheuserthatwereinplacewhentheparticularactionwasperformed.

29



7.1.3 Extended Disk Info

Thisreportdisplaystheinformationofthediskused(whichisnotedinthetitleofthisreport)intheaction,

includingtheinterface,model,serialnumber,capacity,thepresenceofHPAs(hostprotectedareas)or

DCOs(deviceconfigurationoverlays),partitioninformation,hdparminformation,andS.M.A.R.Tinforma-

tion.Ifmultipledisksareusedintheaction,thenmultiplereportsarecreated.

7.1.4 Logical Image Report

Thisreportappearsinactionlogsof“LogicalImageSourceDisk”actionsanddisplayseachdirectoryand

filethatwasimaged,alongwiththeirsizeandanyerrormessagesthatweregenerated.If“ValidateFile

Extensions”isenabledforLISTlogicalimagesinthe“Configure”screen,itwillalsologanyfilesinLIST

logicalimagesthathaveamismatchedfileheaderandextension(seeSection5.5.3).ClickontheExport

buttontosaveacopyofthelogasanExcelspreadsheet.ClickontheExport Suspects buttontosavea

copyofallofthesuspectfileswherethereisamismatchbetweenthefile’sMIMEtypeandfileextension.

7.1.5 Netview Report

Thisreportappearsinactionlogsof“NetviewScan”actionsanddisplayssummariesofthediscovered

hosts,includingtheIPaddress,MACaddress,andthemanufacturerassociatedwiththeMACaddress

ifthatinformationcanbedetermined.The“Hostname”willbeblankifaDNSlookupcouldnotassociate

thehost’sIPaddresstoaname.

8 UTILITIES SCREENThe“Utilities”screenallowsyou toperformvariousmiscellaneous functions, including theability toupgrade

firmware, importcustomizedconfigurations, remotely reboot theDittoForensicFieldStation,modifydateand

timesettings,andperformafactoryreset.ClickontheUtilities tabtoaccessthe“Utilities”screenfromthe

browserinterface.

Figure 24. The“Logs”screen.

30



8.1 SYSTEM MAINTENANCE

8.1.1 Firmware Upgrade

Forinformationonhowtoupgradethefirmware,seeSection12.

8.1.2 Configuration

YoucansaveandloadconfigurationsfortheDittoForensicFieldStation.Thefilegeneratedsavesacopyof

everycustomizablesettingfortheunit.

Save Configuration

Tosaveaconfiguration,clickontheSave Config button.Namethefile,andthenclickContinueto

openaSaveAsdialogboxandsavethefiletoyourcomputer.

Load Configuration

a. ClickontheLoad Config button,browsetothe.xmlconfigurationfileyouwanttoload,highlight

it,andclickOpen.

b. The“ConfirmImport”windowwillopen.Placeachecknexttoeachsettingyouwanttoload,and

thenclick Continue.Byselectingthesesettings,youwillbeoverwritingtheexistingsettings,so

besuretosavethecurrentconfigurationfirst.

c. TheDittoForensicFieldStationwillimporttheconfigurationsettings.ClickOKwhenit’sfinished.

8.1.3 Other Buttons

• Reboot: OpensaconfirmationtoreboottheDittoForensicFieldStation.

• Date & Time: Allowsyoutosetthecurrentdate,time,andtimezone.ClicktheSynchronize button

tosyncthesesettingswithyourbrowser’soperatingsystem.

• Factory Reset: OpensaconfirmationdialogtoreturntheDittoForensicFieldStationtofactoryset-

tings.CheckthePurge Ditto SD card log files boxtoremovealllogfilesfromtheSDcardintheunit.

YoucanalsousetheFrontPaneltoperformafactoryreset.SeeSection9.3.

• System Verify: Verifies that theDittoForensicFieldStation’soperatingsystemfileshavenotbeen

modifiedandplacesastatementinthesystemlog.Iftheverificationfails,thedetailscanbeviewed

byexportingtheSystemDiagnostics.

Figure 25. The“Utilities”screen.

31



• Diagnostics: ExportsadiagnosticslogfileinHTMLformat.Thediagnosticslogcontainsinformation

about theDitto Forensic FieldStation’s current configuration, including user accounts, kernelmes-

sages,logs,processinformation,disks,PHPerrors,andsystemverifyresults.

8.2 UPGRADE LOG MESSAGES

Thissectiondisplaysthestatuslogoffirmwareupgradesandisonlyvisibleafterafirmwareupgradehasbeen

performed.

8.3 IMPORT LOG MESSAGES

Thissectiondisplaysthestatuslogofconfigurationfileexportsandimportsandisonlyvisibleafteraconfigu-

rationfilehasbeenloadedorsaved.

9 USING THE FRONT PANEL INTERFACE IN STANDALONE MODE TheDittoForensicFieldStationcanworkasastandalonedevicewithnoadditionalcomputerrequired,whichcan

beusefulwhenworkingwithevidencedisksinthefield.

TheFrontPanelinterfaceallowsyoutoclone,physicallyimage,performalogicalimageusingaLogicalImage

Mode,simultaneouslycloneandimage,erase,hashadisk,orperformasnapshotofadisk.Youcanalsoadjust

settings,viewinformationaboutattacheddisks,orcheckontheDittoForensicFieldStation’soperationalstatus.

Theadministrator account canassignaccesspermissions to theFrontPanel’s actionsandsettingsusing the

browserinterface.

9.1 HOW TO NAVIGATE

9.1.1 Using the Navigation Buttons

ThenavigationbuttonsonthefrontoftheDittoForensicFieldStationallowyoutonavigatethroughthe

menu. UpandDownallowyoutoscroll throughtheavailableoptionsontheFrontPanel,whileEnter

selectstheoptionandBackgoesbacktothepreviousscreen.IfQuickStartModeisenabled,pressBack

toexitit.

9.1.2 Using a Keyboard

PlugaPCUSBkeyboardintotheUSBportonthe“SourceInputs”sideoftheDittoForensicFieldStation.

Youcannavigateusingthearrowkeys.PressEnter or the Right Arrow keys toselectamenuoption.

Pressthe Left Arrow keytobackoutofamenuorsetting.IfQuickStartModeisenabled,youcanpress

theEscape keytoexitit.

TheDittoForensicFieldStationcanhandlemultipleUSBdevicesthroughaUSBhubattachedtotheUSBportonthe“SourceInputs”sideoftheForensicFieldStation.However,ifmultiplekeyboardsareconnected,keystrokesfromallkeyboardsareprocessed.

9.2 MENU SCREENS

TheDittoForensicFieldStationmenuconsistsofthefollowingscreens:

9.2.1 Status

Thestatusscreenisthedefaultscreen.Itshowstheprogressofanycurrentpro-

cesses.WhentheDittoForensicFieldStationis“Idle”,thecurrentfirmwareofthe

unitisalsolistedonthisscreen.AnexampleofastatusscreenisshowninFigure26.

Ditto:IdleVersion:2015Sep19a

(Up/DnforMenu)

Figure 26. The“Status”screenontheFrontPanelLCD.

NOTE

32



9.2.2 Perform Action

Afteryouadjustsettings toyourspecifications,youare readytoput theDittoForensicFieldStation to

work.The“PerformAction”screenletsyoustartorabortanyoftheDittoForensicFieldStation’sactions

usingthecurrentsettings.

a. Onthe“PerformAction”screen,usetheUpandDownbuttonstocyclethroughtheavailableactions.

PressEntertoselecttheoneyouwant.

b. Cyclethroughtheavailablesettingsfortheaction.PressEnterifyouwishtomodifythem.

c. Whenyouarefinishedmodifyingsettings,scrolldowntooptionthatasksyoutostarttheaction(ex.

“StartPhysicalImage?”.PressEntertobegin.

ThestatusandremainingtimewillbedisplayedontheLCDscreenastheDittoForensicFieldStationper-

formstheaction.Toabortanaction,presstheBack button.TheLCDscreenwillaskifyouwishtoabort

theaction.PressEntertoconfirm,orBacktocanceltheabortrequest.

9.2.3 Investigation Info

The“InvestigationInfo”liststhecurrentsettingsthatcanbemodifiedinthe“Investi-

gationInfo”sectiononthe“Home”screenofthebrowserinterface.Tomodifythese

settingsfromthebrowserinterface,seeSection4.2.

Editing Fields With A Keyboard

Onthe“InvestigationInfo”menu,an“Edit(Keyboard)”menuitemwillappear

whenakeyboardisdetected(seeFigure27).Youcaneditthefieldcurrentlydis-

playedontheLCDbypressingtheEnter buttononthefaceoftheDittoForensic

FieldStationorbypressingEnter or the Right Arrow keysonthekeyboard,and

thenusingthekeystotype.

Usingapostrophes(‘)inthenamefieldswillcauseanerrorwhenthefileorfoldernameiscreated.TheyshouldnotbeusedintheInvestigationInfofields.

Stringslongerthan24charactersaredisplayedwithanellipsescharacter(...)attherightsideofthestring.

TheDittoForensicFieldStationcanhandlemultipleUSBdevicesthroughaUSBhubattachedtotheUSBportonthe“SourceInputs”sideoftheForensicFieldStation.However,ifmultiplekeyboardsareconnected,keystrokesfromallkeyboardsareprocessed.

Hereisatableofthemostcommonkeyboardcommands:

KEY COMMAND

Escape Cancelsanedit.

Enter Beginsaneditonauser-editablestringorselectsthecurrently-visiblemenuoption.Whenpressedwhileeditingastring,itconfirmstheedit.

Home/End Wheneditingastring,thesekeysmovethecursortothebeginning/endofthestring,respectively.

Up/Down Movesthroughthemenuoptions.Wheneditingastring,theymovethecursortothebeginning/endofthestring,respectively.

Delete Deletesthecharactercurrentlyhighlightedbythecursor.

STOP!

Investigator:C.Walker

Edit(Keyboard)

Figure 27. The“Investigator”fieldinthe“InvestigationInfo”menuontheFrontPanelLCD,whenaUSBkey-boardisattachedtotheDittoForensicFieldStation.

NOTE

NOTE

33



Most Common Keyboard Commands, continued...

KEY COMMAND

Backspace Deletesthecharacterimmediatelybehindthecursor.

NumLock Forcesthenumberedarrowkeystotypenumberswhenpressed.

CapsLock Forcesallletterkeystotypecapitalletters.

Tab/Shift+Tab/PageUp/PageDown/Function/Alt/Windows/Control/Insert

Nothandled.

9.2.4 Settings

The“Settings”screenallowsyoutoviewandcustomizethefollowingsettings,whicharegroupedinto

threesubsections.Thesesettingswillbethedefaultsettingsusedinanyactionsperformed.

TheSystemSettingsbelowcannotbemodifiediftheFrontPaneluseraccountdoesnothavefullaccesstothe“Config”permission,andtheSourceandDestinationNetworkSettingscannotbemodifiediftheFrontPaneluseraccountdoesnothaveaccesstothe“NetSettings”permission.SeeSection6forinformationonhowtocustomizetheFrontPaneluseraccount.

System Settings

• Physical Image Type: Setsthedefaultphysicalimagetypeforallactionsthatcreateaphysical

image.TheimagetypesavailableareE01orDD.

• Logical Image Type: Setsthedefaultlogicalimagetypeforallactionsthatcreatealogicalimage.

ThelogicalimagetypesavailableareL01,TAR,ZIP,andLIST.

• Logical Image Mode: Setsthedefault logical imagemode.Thelogical imagemodesavailable

areAllFilesandDirs,AllExceptWindows,AllExceptWindowsPrograms (abbreviatedas“All

ExceptW...ndPrograms”),AllUsers-Windows,AllTemporary-Windows,AllExceptSwapand

Hibernate(abbreviatedas“AllExceptS..dandHibernate”),AllMediaFiles,AllOfficeFiles,andAll

FinancialFiles.SeeSection4.1.3under“LogicalImageModes”foradescriptionofeachmode.

• Hash Type: Setsthedefaulthashalgorithmthatwillbeusedfordiskverificationandthe“Hash

Disk”action.TheavailableoptionsareNone,MD5,SHA-1,orMD5+SHA-1.

• Erase Mode: Setsthedefaulterasemodethatwillbeusedforallactionsthatrequireerasing

disks.TheavailablemodesareClearPartitionTable,QuickErase,LBA/OffsetPattern,Custom

Erase,SecureEraseNormal, SecureEraseEnhanced,DODClear,DODSanitize,NIST800-88

Clear,andNIST800-88Purge.

• Default Format: Thisisthedefaultfilesystemthatwillbeusedtoformatdestinationdiskswhen

theyareusedinactionsthattheDittoForensicFieldStationperforms.Theavailableformatsare

HFS+,FAT32,NTFS,EXT2,EXT3,EXT4,andXFS.

• HTML Logging: Logsarealwayssaved in .XMLformat.ThisoptioncausestheDittoForensic

FieldStationtosavelogsinHTMLformataswell.TheavailableoptionsareOffandOn.

• DiskView Logging: Logsanyactiontopreviewadiskoractionsperformedwhilepreviewinga

disk(i.e.startingorfinishingapreviewofadisk,startingorfinishingaHexViewaction).Theavail-

ableoptionsareOffandOn.

NOTE

34



• LCD/LED Brightness: SetstherelativebrightnessoftheLCDsandLEDsonthefaceoftheDitto

ForensicFieldStationonascaleof1to255.

• LCD Prompt Case: Fiveoptionsmaybe chosen tomodify the casenumber specified in the

“Investigation Info”sectionofthe“Home”screen inthebrowser interface.Thecasenumber

isincludedinthelogfortherequestedaction.“Disabled”leavesthecasenumberasitis.“Inc/

Dec”allowsyoutomanuallyincrementthecasenumberupordownusingthenavigationbut-

tonsonthefaceoftheDittoForensicFieldStation.“AutoInc”automaticallyincrementsthecase

number,and“AutoInc/Pause”automatically incrementsthecasenumber,butdisplaysaconfir-

mationprompttheLCDscreenbeforebeginningtherequestedaction.Theseoptionsrequirea

numbertobepresentontheendoftheCaseNumberspecifiedinthe“InvestigationInfo”section

ofthe“Home”screeninthebrowserinterface.

• LCD Prompt Evidence: Fiveoptionsmaybechosentomodifytheevidencenumberspecifiedin

the“InvestigationInfo”sectionofthe“Home”screen.Theevidencenumberisincludedinthe

logfortherequestedaction.“Disabled”leavestheevidencenumberasitis.“Inc/Dec”allows

youtomanuallyincrementtheevidencenumberupordownusingthenavigationbuttonsonthe

faceoftheDittoForensicFieldStation.“AutoInc”automaticallyincrementstheevidencenumber,

and“AutoInc/Pause”automaticallyincrementstheevidencenumber,butdisplaysaconfirmation

prompttheLCDscreenbeforebeginningtherequestedaction.Theseoptionsrequireanumber

tobepresentontheendoftheEvidenceNumberspecifiedinthe“InvestigationInfo”sectionof

the“Home”screeninthebrowserinterface.

• Quick Start: Enablesthe“QuickStart”screenontheLCDthatappearsafteryoubootorreboot

theDittoForensicFieldStation.Thesettingsforthismodemaybemodifiedinthe“QuickStart”

tabofthe“Configure”screenonthebrowserinterface.SeeSection5.9.

• Verify Single: Determineswhetherindividualdestinationdiskarehashedandcomparedtothe

hashvalueofthesourcedisk’shashvalue.TheavailableoptionsareYesandNo.

• Verify Mirror: Determineswhethermirroreddestinationdisksarehashedandcomparedtothe

hash valueof the sourcedisk’s hash value(s).You can choose to verify nodisks, eSATA-Aor

eSATA-Bindividually,ortoverifybothdisks.

• Verify Clone & Image: Determineswhetherclonedandimageddisksarehashedandcompared

tothehashvalueofthesourcedisk’shashvalueduringa“Clone&ImageSourceDisk”action.

Youcanchoosetoverifynodisks,theclone,theimage,orboth.

• Log Disk Info: DetermineswhetherS.M.A.R.T.andhdparmdisk information is loggedbefore

runninganaction,afterrunninganaction,both,ornotatall.

Src (Source) Network Settings

• Source Network: EnableordisablethesourcenetworkEthernetconnection.

• Source MAC Address: DisplaysthesourceEthernetport’sMACaddress.

• Source IP Assignment:DisplaysthesourceEthernetport’sIPassignmentmethod.Theavailable

optionsareDHCPorStatic.AnIPaddresscanbemanuallyconfiguringinthebrowserinterface

(seeSection5.2.2).

35



• Source Network Access: AllowsyoutochoosewhetherornottheDittoForensicFieldStation

respondstoanynetworktrafficviathesourceEthernetport.

• Source IP Address: DisplaystheIPaddressassignedtothesourceEthernetport.

Dst (Destination) Network Settings

• Destination Network: EnableordisablethedestinationnetworkEthernetconnection.

• Dest. MAC Address: DisplaysthedestinationEthernetport’sMACaddress.

• Dest. Network Mode: DisplaysthedestinationEthernetport’snetworkingmode.Theavailable

optionsareServer,Client (DHCP),orClient (Static IP).“Server”allowsyoutouseenable the

DittoForensicFieldStationforuseasaserver.Thenetworkmodecanbefurtherconfiguredinthe

browserinterface(seeSection5.2.3).

• Dest. IP Address: DisplaystheIPaddressassignedtothedestinationEthernetport.

• Dest. Subnet Mask: Displays thesubnetmaskaddressassigned to thedestinationEthernet

port.

9.2.5 Disk Info

The“Disk Info” screen shows all available disks attached to either the source or

destinationports.Ports are shownonly if a disk is connected there.PressEnter

(View)andthenUporDowntoscrollthroughthefollowinginformationabouteach

connecteddisk:

• Modelnumber

• Diskcapacity

• Filesystem

9.3 FACTORY RESET

ToresettheDittoForensicFieldStation’ssettingsbacktotheirfactorydefaults,pressand

holdtheUp,Enter,andDownnavigationbuttonswhilepoweringtheuniton.TheDitto

ForensicFieldStationwillstartupandthendisplaythetext,“PreparingFactoryReset”

(seeFigure31).

YouwillthenbepromptedtoconfirmyourchoicetoresettheDitto.PressEntertocon-

tinueorBacktocancel.

Youcanalsousethebrowserinterfacetoperformafactoryreset.SeeSection8.1.3.

10 STEALTH MODEStealthModeturnsoffallLEDsandLCDsontheDittoForensicFieldStation.YoucanenableStealthModebyflip-

pingthephysical“StealthMode”switchontheDestinationOutputssideoftheDittoForensicFieldStation(see

Section1.2).

Youcanalsoenableitfromthebrowserinterface.ClickontheConfigure tab,andthenunderthe“System”tab

changethe“StealthMode”drop-downboxto“Enabled.”ThenclickCommit Changes.

IfStealthModeisenabledfromthebrowserinterface,thephysicalswitchcannotoverrideit.

****DITTO****Initializing...

PreparingFactoryReset

Figure 29. The“Preparing Factory Reset” screen ontheFrontPanelLCD.

SourceeSATA:HTS5410806XXXXX79.8GB

Nofilesystem

Figure 28. The“Disk Info”screenon theFrontPanelLCD.

NOTE

36



11 ADVANCED FEATURES AND FUNCTIONS

11.1 NETVIEW SCAN

Thistypeofnetworkprobingisvery noisyandmaytriggeranyITrelatedIntrusionDetectionDevices(IDSs)on

thenetwork.Pleasebesuretorunthisactioninaverycontrolledandisolatedenvironment.

a. SelectNetview Scan fromthe“ActiontoPerform”drop-downbox.

b. Configuretheavailableoptions,whicharedetailedbelowinSection11.1.1.

c. Whenyouarefinished,presstheStart button.Youshouldseeupdateseveryfewsecondsthatdescribe

thecurrentscanbeingexecuted,thenumberofhostsdiscovered,andtheprogressofthecurrentscan.

Pleasenotethatprogressestimatesarecrudeandarestillbeingdeveloped.A“Completed”messagebox

willpopupwhentheactionhasfinished.Clickonthemessagetocontinue.

YoucanviewtheresultsoftheNetviewScanactionbyscrollingdowntothe“SystemLog”panelonthe

“Home”screen.Findandclickonthelatestlink,whichwillbedenotedbyafilenamewithadate/timestamp

format:“S_yyyymmddhhmmss”.Alternatively,youcanclickonthe Logs buttonfromthetopmenubar.

The“NetviewReport”sectioncontainssummariesofthediscoveredhosts,includingtheIPaddress,MAC

address,andthemanufacturerassociatedwiththeMACaddressifthatinformationcanbedetermined.The

“Hostname”willbeblankifaDNSlookupcouldnotassociatethehost’sIPaddresstoaname.

11.1.1 Netview Scan Configuration Options

ThefollowingoptionscanbeconfiguredbeforerunningaNetviewScan:

Interface Selection

The“Interface”drop-downboxallowsyoutotelltheDittoForensicFieldStationwhichEthernetcon-

nectiontouseduringtheNetviewScan.YoucanchooseeithertheSourceorDestinationEthernet

ports.

Theselectedinterfacewillbeusedwhenthescanisstarted.Thismaycreateaheavynetworktrafficloadanddependingonthe“Timing”settinginthe“DiscoveryOptions”subsection,mayalertyourITdepartmentthatthenetworkisundersomesortofthreat.Ensurethattheselectedinterfaceisattachedtoacontrolledandisolatednetwork.

Figure 30. The“Action”sectiononthe“Home”screen,showingtheoptionsavailableforthe“NetviewScan”action.

STOP!

37



IP Scan Range

BydefaultthelastoctetoftheIPaddressoftheselectedinterfacewillbescanned.Youmaychange

thisvalueandenteralistofIPaddress,arangeofIPaddresses,oracombinationofboth.Clickthe

“Reset”icontoresettheIPScanRangebacktoitsdefaultvalue.

Examples:

1. Range:10.10.10.0-255

• Scanstheaddresses10.10.10.0through10.10.10.255.

2. Range2:10.10.10-12.0-255

• Scansaddresses10.10.10.0-255,10.10.11.0-255,and10.10.12.0-255.

3. List:10.10.10.1

• WillonlyscanIPaddress10.10.10.1

4. List2:10.10.10.2,10.10.10.3

• Willscanonlyhosts10.10.10.2and10.10.10.3

5. Combo:10.10.10.1,10.10.10.2,10.10.10.50-100

• Willscanhosts10.10.10.1,10.10.10.2andhosts10.10.10.50through10.10.10.100.

Discovery Options

Therearethreeoptionalhost(machine)discoveryoptionsandone“NoPing”portscanoptionavail-

able.Bydefault,the“PingEcho”optionisenabledandwillsufficeformostusecases.Somemachines

maybeconfiguredtoignorepingsandnotrespond,sotherearetwootherspecializedPingoptions

whichmaybeuseful.Clickthe“Reset”icontoreloadthedefaultsettings.

• Ping Echo: SendsastandardICMPechorequesttoeachIPaddress.

• Ping Timestamp: SendsarequestforatimestampedICMPpacket.

• Ping Netmask: Sendsarequestforthedestination’ssubnetmaskusinganICMPpacket.

• No Ping: Skipshostdiscoveryandforcesaportscan,whichisusefulwhenthehostsappear

tobedown.

• Timing: Selects a timing interval for scanning a network.“3” is the default setting. Lower

numbersareslowerandwillhelpyouavoidtriggeringanintrusiondetectionalert,andhigher

numbersarefasterbutmaybelessaccurate,andmaycauseintrusiondetectionalerts.

TCP Options

NetViewcanoptionallyscan thespecifiedhosts foropenTCPports.Bydefault, this feature isnot

enabled.Checktheboxnextto“TCPOptions”toenablethisfeatureandexpandmoreoptions.Click

the“Reset”icontoresetallTCPOptionsbacktotheirdefaultvalues.

• Ports: Bydefault,TCPportsforcommonlyusedservicesaswellasservicestowhichtheDitto

ForensicFieldStationmaybeable toconnect areentered into this textbox, includingports

forNFS,iSCSI,andSamba.Onlyportsenteredintothistextboxwillbescanned.NetViewIP

portrangesmaybespecifiedasanycombinationof listsandranges.Validportnumbersare

between1and65535(inclusive).Alistisintheform:80,22,23.Arangeisintheform:1-40.

Bothmaybecombinedtoform:22,23,40-50,80,90-91.

38



• Syn Scan: SynScan isselectedbydefaultand isappropriate formostusecases.TheDitto

ForensicFieldStationgeneratesrawIPpacketsandmonitorsforresponses.Thistypeofscanis

alsoknownas“half-openscanning”sinceitdoesnotopenafullTCPconnection.

• Connect Scan: TheDittoForensicFieldStationusesafullsystem-levelTCPconnectioninorder

todeterminewhatportsareavailableonthehostnetwork.Thisscanshouldonlybeperformed

byadvancedusers.

Themoreportsbeingscanned,thelongerthescanwilltake.

UDP Options

NetViewcanoptionallyscanthespecifiedhostsforopenUDPports.Bydefault,thisfeature isnot

enabled.Checktheboxnextto“UDPOptions”toenablethisfeature.Clickthe“Reset”icontoreset

theUDPoptionbacktoitsdefaultvalues.

Ports: By default, UDP ports for commonly used services aswell as services towhich theDitto

ForensicFieldStationmaybeabletoconnectareenteredintothistextbox,includingNFS,iSCSI,and

Samba.Onlyportsenteredintothistextboxwillbescanned.NetViewIPportrangesmaybespeci-

fiedasanycombinationoflistsandranges.Validportnumbersarebetween1and65535(inclusive).

Alistisintheform:80,22,23.Arangeisintheform:1-40.Bothmaybecombinedtoform:22,23,40-

50,80,90-91.

UDPportscanningtakesmuchlongerthanTCPportscanningduetothefactthatopenandfilteredportsdonot typically respond toqueries.Therefore,anyUDPportscannerwill spend time retrans-mittingitsqueryincasethequeryorresponsewaslost.Furthermore,whileclosedportsdousuallyrespondwith ICMPportunreachablemessages,hoststendto limit thenumberofthosemessagessentpersecond,resultinginfurtherdelay.

Netview Tips

1. SeeNmap.orgforgeneralinformationaboutnetworkscanning.

2. KeepyourIPaddresslists/rangesshort.Thiswillmeanfasterscansandlessnetworktraffic.

3. Keepyourportlists/rangesshort.Thiswillalsomeanfasterscansandlessnetworktraffic.

4. StartbydeselectingtheTCPandUDPscans.Justscanningforthepresenceofhostsismuch

quickerthanrunningTCPandUDPscansonanetworkwithanunknownnumberofmachines.

Onceyouhavealistofdiscoveredmachines,thenyoucandecidewhethertoTCPand/orUDP

scanthemallorscanonlyasubsetatatime.

5. TCPscanningmustbeenabledinordertodetectthetarget’soperatingsystem.

11.2 TARGET MODE: REMOTELY ACCESS DISKS ATTACHED TO THE DITTO FORENSIC FIELDSTATION WITH THIRD PARTY SOFTWARE

DisksattachedtoDittoForensicFieldStationmaybemountedonyourcomputerasiSCSIdevicesforusewith

thirdpartydataacquisitiontools.Themachinethissoftwareisinstalledondoesnothavetobephysicallycon-

nectedtotheDittoForensicFieldStation,butratherthesoftwaremayberunremotelyfromaseparateloca-

tionwithinthesamenetwork.Todoso,youwillneedtoputtheDittoForensicFieldStationintoTargetMode.

a. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panelandselecttheTarget Mode

button.

NOTE

NOTE

www.nmap.org

39



b. ChecktheboxesintheiSCSIcolumnnexttothedisk(s)thatyouwishtomountonyourcomputerasiSCSI

device(s).

c. CheckEnable iSCSI and SMB authentication ifyouwishtorequireauthentication inorderfor iSCSI

initiatorsoftwaretoconnecttotheselecteddisk(s).Theninputyourdesiredcredentials.

d. Pressthe OK button.

Youcannowmountthedisk(s)youselectedinthestepsabovetoyourcomputer.UsetheDittoForensic

FieldStation’sIPaddressinyouriSCSIinitiatorsoftwareinordertoattachtoit.Initiatorscanvary,buttypi-

callyyou’lladdtheIPaddresstothe“Discovery”sectionofyourinitiator.

11.3 USING ISCSI DEVICES

11.3.1 Remotely Access an iSCSI Device

ToconnecttoaniSCSIdevicethatexistsonyournetwork,followthesedirections.

a. Ensure that theEthernetport throughwhich theDittoForensicFieldStation is

connectedtoyournetworkisproperlyconfiguredforusewithyournetwork(see

Section5.2).UnlessyouhavemanuallyconfiguredtheDittoForensicFieldSta-

tion’snetworksettingsbefore,youmostlikelydonothavetochangeanything.

IfyouaredirectlyconnectingtheiSCSIdevicetotheDittoForensicFieldStation,

thenseeSection11.3.2.

b. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

c. ClicktheSource Network buttonifyouwanttoattachtheiSCSIdevicetothe

DittoForensicFieldStationasawrite-blockedsourcedevice,orclickthe Desti-

nation Network buttonifyouwanttoattachtheiSCSIdeviceasaread/write-

enableddestination.

d. Clickonthe iSCSI tabifitisnotalreadyselected.

e. TypetheiSCSIdevice’sIPaddressintothe“TargetHost”textfield.

f. TypeintheportnumberofthetargetiSCSIvolumeintothe“Port”textfieldifthenumberisdifferent

thanthedefaultvalueof‘3260’.Ifyoudon’tknowtheportnumber,leaveitasthedefaultvalue.

g. ClicktheDiscover button.TheDittoForensicFieldStationwilldetectanyIQNs(iSCSIQualifiedNames)

attachedtotheIPaddress.

h. SelecttheIQNyouwishtoattachtotheDittoForensicFieldStationfromthedrop-downbox.

i. IfauthenticationisrequiredtoconnecttotheIQN,clicktheAdvanced... buttonandinputtheappro-

priatecredentials,includingtheusername,password,anddomain.Otherwise,continuetoStepJ.

j. ClicktheAdd button.TheIQNwillnowappearinthelistbelow.

k. RepeatstepsEthroughJtoaddmoreIQNs.Whenyouarefinished,click Close.

TheiSCSIdisk(s)havenowbeenaddedtothelistofDisks,allowingyoutoperformactionsonthemlike

youwouldanyotherdisk.

Figure 31. The“TargetMode”windowisusedtoallowcomputers and third party software to remotely con-nectviaiSCSItodisksconnectedtoDitto.

40



11.3.2 Directly Connect an iSCSI Device to the Ditto Forensic FieldStation

IfyoudonotwishtoconnectaniSCSIdevicetoyournetwork(forexample,itmaybeasuspectdevice

withunknownproperties),youcandirectlyconnectthedevicetotheDittoForensicFieldStationandiso-

lateitfromtherestofyournetwork.Therearetwomethodsfordoingso.Onceyouhaveconnectedthe

device,continuedowntothethirdsubsection,“AddinganiSCSIDisktothe‘Disks’Panel”.

Connect via the Source Ethernet Port

FollowtheseinstructionsiftheiSCSIdeviceyouareattachingtotheDittoForensicFieldStationisa

suspectdevice.You’llneedtoconnecttheiSCSIdevicetothesourceEthernetportandmanuallycon-

figuretheIPaddressofboththeDittoForensicFieldStationandtheiSCSIdevice.

ManuallysettheDittoForensicFieldStation’sIPaddress.

a. ClickontheConfigure tab atthetopofthepage,andthenselecttheNet-

work tab.

b. Inthe“SourceNetwork”section,selectStatic IP fromthedrop-downbox

underneaththeMACaddress.

c. TypeinthedesiredIPaddressandsubnetmaskintotheappropriatefields.

Donotfill in theGateway,PrimaryDNSServer,orSecondaryDNSServer

unlessdirectedtodosobyyournetworkadministrator.

d. ClickCommit Changes.

ManuallysettheiSCSIdevice’sIPaddress,subnetmask,andgateway.Thefirst

threeoctetsoftheIPaddressmustbeidenticaltothefirstthreeoctetsoftheDittoForensicFieldSta-

tion’sIPaddress.Thefourthoctetmustbedifferent,andmustbeanyothernumberbetween1and

255.ThesubnetmaskmustbeidenticaltotheDittoForensicFieldStation’ssubnetmask.Thegateway

mustalsobesetastheDittoForensicFieldStation’sIPaddress.

BasedontheIPaddressconfigurationofaDittoForensicFieldStationthat’sdisplayedinFigure32,a

validconfigurationforaniSCSIdevicewouldbeasfollows:

IPaddress:10.10.10.100

Subnetmask:255.255.255.0

Gateway:10.10.10.1

AfterthesesettingsareconfiguredfortheDittoForensicFieldStationandtheiSCSIdevice,ensure

thattheiSCSIdeviceisconnectedtothesourceEthernetPort.Thencontinuetothe“AddinganiSCSI

Volumetothe‘Disks’Panel”subsectionbelow.

Connect via the Destination Ethernet Port

FollowtheseinstructionsifyouwillbetransferringevidenceorotherdatatotheiSCSIdevice.First,

ensurethatthedestinationEthernetportisconfiguredtoactasaserver.

a. ClickontheConfigure tab atthetopofthepage,andthenselecttheNetwork tab.

b. Inthe“DestinationNetwork”section,selectServerfromthedrop-downboxunderneaththe

MACaddress.Donotcustomizethedefaultserverconfigurationunlessdirectedtodosoby

yournetworkadministrator.

c. Click Commit Changes.

Figure 32. The“SourceNetwork”sectiononthe“Con-figure”screen’s“Network”tab.

41



NowconnecttheiSCSIDevicetothedestinationEthernetport.TheiSCSIdevicewillbeassigneda

newIPaddressiftheiSCSIdeviceisconfiguredtoobtainanewIPaddressfromDHCP,whichwillthe

caseformostdevices.IfnoIPaddressisassigned,youwillneedtoconfiguretheiSCSIdevicetouse

DHCP.Ifthatisnotpossible,contactyournetworkadministrator.

Once the iSCSIdevice isassignedan IPaddress,continue to the“Addingan iSCSIVolumeto the

‘Disks’Panel”subsectionbelow.

Adding an iSCSI Disk to the “Disks” Panel

Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

a. ClicktheSource Network buttonifyouwanttoattachtheiSCSIdeviceto

theDittoForensicFieldStationasawrite-blockedsourcedevice,orclickthe

Destination Network buttonifyouwanttoattachtheiSCSIdeviceasaread/

write-enableddestination.

b. Clickonthe iSCSI tabifitisnotalreadyselected.

c. TypetheiSCSIdevice’sIPaddressintothe“TargetHost”textfield.

d. TypeintheportnumberofthetargetiSCSIvolumeintothe“Port”textfield

ifthenumberisdifferentthanthedefaultvalueof‘3260’.Ifyoudon’tknowtheportnumber,leave

itasthedefaultvalue.

e. ClicktheDiscover button.TheDittoForensicFieldStationwilldetectanyIQNs(iSCSIQualified

Names)attachedtotheIPaddress.

f. SelecttheIQNyouwishtoattachtotheDittoForensicFieldStationfromthedrop-downbox.

g. Ifauthentication is requiredtoconnect to the IQN,click theAdvanced... button and input the

appropriatecredentials,includingtheusername,password,anddomain.Otherwise,continueto

thenextstep.

h. ClicktheAdd button.TheIQNwillnowappearinthelistbelow.

i. RepeatstepsCthroughHtoaddmoreIQNs.Whenyouarefinished,clickClose.

The iSCSIdisk(s)havenowbeenaddedtothe listofDisks,allowingyoutousetheDittoForensic

Fieldstationtoperformactionsonthemlikeyouwouldanyotherdisk.

11.3.3 Properly Remove an iSCSI Device

Thisprocesspreventstimeout issueswheretheDittoForensicFieldStationwillattempttoconnect to

iSCSIvolumesthatnolongerareconnectedtoit.Onthe“Home”Screen,navigatedowntothebottom

ofthe“Disks”panel.

a. Clickthe Source Network buttonifyouriSCSIdeviceisconnectedviathesourceEthernetPort,or

clicktheDestination Network buttonifyouriSCSIdeviceisconnectedviathedestinationEthernet

Port.

b. ClickontheiSCSI tab ifitisnotalreadyselected.

c. Under the“iSCSISourceConnections”or the“iSCSIDestinationConnections”section,check the

boxesnexttotheIQN(s)youwanttoremoveandclicktheRemove button.

d. PhysicallydisconnecttheiSCSIdevicefromtheDittoForensicFieldStation.

Figure 33. The“SourceNetwork”window’siSCSItaballows you to connect iSCSI devices to the Ditto viathe source Ethernet port.The“DestinationNetwork”tablookssimilaranddoesthesameviathedestinationEthernetport.

42



11.4 USING NFS AND SMB (SAMBA) SHARES

11.4.1 Connect to NFS and SMB Shares

a. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

b. ClicktheSource Network buttoniftheDittoForensicFieldStationisconnectedtoyournetworkvia

thesourceEthernetPort,orclicktheDestination Network buttonifitisconnectedviathedestina-

tionEthernetPort.

c. ClickontheNFS tab orthe SMB tab,dependingonwhichtypeofshareyouareconnectingto.

d. TypetheservernameintotheServertextfield.

e. IfyouareconnectingtoanSMBshare,selecttheappropriateprotocolfromthe“Protocol”drop-down

box.Ifyoudon’tknowthecorrectprotocol,leaveitasthedefaultvalueof‘SMBv1’.

f. ClicktheShow Shares button.TheDittoForensicFieldStationwilldetectanysharesattachedtothe

server.

g. SelecttheshareyouwishtoattachtotheDittoForensicFieldStationfromthedrop-downbox.

h. IfyouareconnectingtoanSMBshareandauthenticationisrequired,clicktheAdvanced... button

and inputtheappropriatecredentials, includingtheusername,password,anddomain. If theSMB

sharedoesnotrequireauthenticationoryouareconnectingtoanNFSshare,continuetothenext

step.

i. ClicktheAdd button.Thesharewillnowappearinthelistbelow.

j. RepeatstepsCthroughItoaddmoreshares.Whenyouarefinished,clickClose.

Theshare(s)havenowbeenaddedtothelistofDisks,allowingyoutoperformactionsonthemlikeyou

wouldanyotherdisk.

11.4.2 Remove an NFS or SMB (Samba) Share

a. Onthe“Home”Screen,navigatedowntothebottomofthe“Disks”panel.

b. ClicktheSource Network button iftheDittoForensicFieldStationisconnectedtoyournetworkvia

thesourceEthernetPort,orclicktheDestination Network buttonifitisconnectedviathedestina-

tionEthernetPort.

c. ClickontheNFS taborSMB tab,dependingonthewhichtypeofshareyouareremoving.

d. Under the“iSCSISourceConnections”or the“iSCSIDestinationConnections”section,check the

boxesnexttotheshare(s)youwanttoremoveandthenclicktheRemove button.

11.5 ADDING A NEW LOGICAL IMAGE MODE

IfyouwanttoaddyourownLogicalImageModeselection,youmustcreateaDittoAutoSelectdirectoryon

yourSDCardfirst.ThenyoucanaddoneormoreautoselectXMLfilestothatdirectory.Youmayalsoadd

subdirectoriesthatcontainoneormoreautoselectXMLfilestotheDittoAutoSelectdirectory.InserttheSD

CardintotheDittoForensicFieldStationandyourcustomLogicalImageModeswillthenbeselectablewhen

configuringa“LogicalImageSourceDisk”action.

43



11.5.1 DittoAutoSelect XML File Structure<?xml version=”1.0” encoding=”UTF-8”?>



<dittoAutoSelect

xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”

xsi:noNamespaceSchemaLocation=”autoSelect.xsd”

>

<select title=”Example Title”>

<include path=”*”>

<name>*.jpeg</name>

<name>*.jpg</name>

<name>*.m4*</name> 

</include>

<exclude path=”Windows”/>

</select>

</dittoAutoSelect>

ThenameoftheautoselectXMLfilecanbeany legalfilenamewitha .xmlfileextension.Eachauto

selectXMLfilemaycontainoneormore<selecttitle=”...”>blocks.Theselectblock’stitlewillappearat

thebottomoftheLogicalImageModeselectionlistprependedwith“SDCard/”followedbythesubdirec-

tory’sname,ifany.

Eachselectblockmaycontainoneormore<includepath=”...”>and/or<excludepath=”...”>blocks.The

include/excludeblock’spath(case-insensitive)maycontainwildcardcharactersandwillbeincludedinor

excludedfromtheautoselection,respectively.

Eachincludeblockmaycontainzeroormore<name>...</name>blocks,whichspecifyafilenametobe

included in theautoselection.Filenamesarecase-insensitiveandmaycontainwildcardcharacters to

specifyasetoffilenames.Excludeblockscannotcontainnameblocks.

YoucannotremoveexistingselectionsfromtheLogicalImageModelist.

TodownloadanXMLSchemathatcanbeusedtovalidateyourautoselectXMLfile,typethefollowing

intotheaddressbarofanInternetbrowser,where<IPAddress>istheIPaddressofyourDittoForensic

FieldStation:http://<IPAddress>/data/DittoAutoSelect/autoSelect.xsd

12 UPGRADING FIRMWAREFirmwareupgradesaremadeavailableonCRU’swebsiteatwww.cru-inc.com/support/software-downloads/ditto-

firmware-updates/.TherearethreemethodstoupgradeyourDittoForensicFieldStation’sfirmware.

METHOD 1: COPY AND PASTE A LINK

a. EnsurethattheDittoForensicFieldStationisconnectedtoanetworkwithInternetaccess.

b. Gotothefirmwareupdateswebpageandscrolldowntothe“DittoFirmwareLinks”section.Copythe

URLofthefirmwareyouwishtousetoupgrade.

c. LogintoyourDittoForensicFieldStation’sbrowserinterfaceandnavigatetothe“Utilities”screen.

NOTE

www.cru-inc.com/support/software-downloads/ditto-firmware-updates/

www.cru-inc.com/support/software-downloads/ditto-firmware-updates/

44



d. PastethelinkintothetoptextfieldandclicktheFirmware Upgrade button.

e. Whenitasksyoutoconfirmtheretrievaloftheupgradefile,clickContinue.

f. TheDittoForensicFieldStationwilldownloadthefiletoitself.Oncedownloaded,itwillaskyoutoconfirm

theupgrade.ClickContinue.Aftertheupgradeisfinished,cickOK.

g. TheLCDpaneloftheDittoForensicFieldStationwillaskyoutoreboot.PresstheEnterbuttonontheface

oftheunittoreboot,orclickontheReboot button onthe“Utilities”screen.

METHOD 2: DOWNLOAD TO YOUR COMPUTER

a. Gotothefirmwareupdateswebspageandscrolldowntothe“DittoFirmwareLinks”section.

b. Clickonthefirmwareyouwishtousetoupgradetodownloadthefile.Savethefileinaconvenientloca-

tion.

c. LogintoyourDittoForensicFieldStation’sbrowserinterface,navigatetothe“Utilities”screen,andclick

onthetopUpload... button.

d. Locatethefirmwarefileyoujustdownloaded,selectit,andclick Open.

e. ClickontheFirmware Upgrade button.

f. TheDittoForensicFieldStationwilluploadthefiletoitself.Onceuploaded,itwillaskyoutoconfirmthe

upgrade.Click Continue.Aftertheupgradeisfinished,cickOK.

g. TheLCDpaneloftheDittoForensicFieldStationwillaskyoutoreboot.PresstheEnter buttonontheface

oftheunittoreboot,orclickontheReboot button onthe“Utilities”screen.

METHOD 3: UPLOAD VIA A USB THUMB DRIVE

a. Gotothefirmwareupdateswebspageandscrolldowntothe“DittoFirmwareLinks”section.

b. Clickonthefirmwareyouwishtousetoupgradetodownloadthefile.SavethefiletoaUSBthumbdrive.

c. InsertthethumbdriveintothesourcesideUSBportoftheDittoForensicFieldStation.

d. TheDittoForensicFieldStationwillimmediatelyscanthethumbdriveanddisplayalistontheLCDscreen

ofallfirmwarefilesfoundonthedrive.Usethenavigationbuttonsonthefaceoftheunittomovethe

blinkingcursortothefirmwarethatyouwishtousetoupgrade,andthenpressEnter.

e. TheDittoForensicFieldStation’sfirmwarewillbeupgraded.TheLCDpaneloftheDittoForensicFieldSta-

tionwillaskyoutoreboot.Press Enter toreboot.

45



13 TECHNICAL SPECIFICATIONSProductName DittoForensicFieldStation

DataInterfaceTypes&Speeds

• eSATA:upto3Gbps• 1000BASE-TEtherNet:upto1Gbps• PATA/IDE:upto133MB/s• USB2.0:upto480Mbps

SupportedDiskTypes 2.5”and3.5”rotationalorsolidstateharddisks

SDCardSlotSupport SD,SDHC(MMC,mini-SD,andmicroSDarecompatiblewithadapters)

WifiUSBAdapterSupport • WifiadapterswithAtheroschipsets,andsomeRealtekchipsets

DataConnectors

• Three(3)eSATAports• Two(2)1000BASE-TEthernetconnectors• One(1)PATA/IDEconnector• One(1)USB2.0connector• One(1)SDCardslot• One(1)DittoExpansionModuleconnector

Write-BlockedDataInputs eSATA,PATA/IDE,USB2.0.Source-sideEthernetport.OtherinputtypessupportedwithDittoExpansionModulesordriveadapters.

DataOutputs Two(2)eSATAoperableassingle,dual,ormirrored.Both1000BASE-TEthernetports.

SupportedFileSystems ext2,ext3,ext4,FAT32,HFS+,NTFS,XFS

UserInterface• Four-lineLCDcontrolledwithfoursoft-touchmenunavigationbuttonsorUSBkeyboard• Browser-basedDittointerfaceallowsfordirectoperation,remoteoperation,andadministra-

tion

LEDIndicators Powerin5V/12V,USB,SourceNetwork,IDE,eSATA,Expansion,HPA/DCO,DestinationNetwork,eSATAA,eSATAB

StealthMode Turnsoffalllights(LEDs/LCD)

BrowserCompatibility InternetExplorer,Firefox,Safari,Chrome,Opera

PhysicalImageTypes DD,E01

LogicalImageTypes L01,LIST,TAR,ZIP

Image/CloneOutputModes

Singlediskimage,singlediskclone,imageandclone,imagetomirroreddisks,clonetomirroreddisks,logicalimagetosingledisk,logicalimagetomirroreddisks

HashModes None,MD5,SHA-1,MD5+SHA-1,enabledduringimagingandcloningoperations.HashingwhileusingbothMD5+SHA-1significantlyreducesperformance.

EraseModes ClearPartitionTable,QuickErase,CustomErase,SecureEraseNormal,SecureEraseEnhanced,DoDClear,DoDSanitize,NIST800-88Clear,NIST800-88Purge

Externalmaterial All-aluminumconstruction

OperatingHumidity 5%to95%,non-condensing

PowerSwitch 2position:On/Off

PowerInputs 40W12V3.33ADCbarrelconnector(centerpinpositive),15-pinstandardSATApower


For more information, visit the CRU web site.

www.cru-inc.com

Compliance

• EMIStandard:FCCPart15ClassA• CE• EMCStandard:EN55022,EN55024• C-Tick

ShippingWeight 5lbs(2.3kg)

ProductDimensions 4.92inx6.77inx1.72in(125mmx172mmx43.7mm)

TechnicalSupportYourinvestmentinCRUproductsisbackedupbyourfreetechnicalsupportforthelifetimeoftheproduct.Contactusthroughourwebsite,www.cru-inc.com/supportorcallusat1-800-260-9800or+1-360-816-1800.

©2012-2014CRUAcquisitionGroup,LLC.ALLRIGHTSRESERVED.

ThisUserManualcontainsproprietarycontentofCRUAcquisitionGroup,LLC(“CRU”)whichisprotectedbycopyright,trademark,andotherintellectualpropertyrights.

UseofthisUserManualisgovernedbyalicensegrantedexclusivelybyCRU(the“License”).Thus,exceptasotherwiseexpresslypermittedbythatLicense,nopartofthisUserManualmaybereproduced(byphotocopyingorotherwise),transmitted,stored(inadatabase,retrievalsystem,orotherwise),orotherwiseusedthroughanymeanswithoutthepriorexpresswrittenpermissionofCRU.

UseofthefullDittoForensicFieldStationproduct,including,withoutlimitation,itswebinterface,issubjecttoallofthetemrsandconditionsofthisUserManualandtheabovereferencedLicense.

ThisDittoForensicFieldStationproductandUserManualareprovidedonaRESTRICTEDbasis.Use,duplication,ordisclosurebytheUSGovernmentissubjecttorestrictionssetforthinParagraph(b)oftheCommercialComputerSoftwareLicenseclauseat48CFR42.227-19,asapplicable.

CRU®,Ditto®,andWiebeTech®(collectively,the“Trademarks”)aretrademarksownedbyCRUandareprotectedundertrademarklaw.NmapisaregisteredtrademarkofInsecure.Com,LLCintheUnitedStatesand/orothercountries.ExcelisaregisteredtrademarkofMicrosoftintheUnitedStatesand/orothercountries.EnCaseisaregisteredtrademarkofGuidanceSoftwareintheUnitedStatesand/orothercountries.ThisUserManualdoesnotgrantanyuserofthisdocumentanyrighttouseanyoftheTrademarks.

Product WarrantyCRUwarrantsthisproducttobefreeofsignificantdefectsinmaterialandworkmanshipforaperiodofthreeyearsfromtheoriginaldateofpurchase.CRU’swarrantyisnontransferableandislimitedtotheoriginalpurchaser.

Limitation of LiabilityThewarrantiessetforthinthisagreementreplaceallotherwarranties.CRUexpresslydisclaimsallotherwarranties,includingbutnotlimitedto,theimpliedwarrantiesofmerchantabilityandfitnessforaparticularpurposeandnon-infringementofthird-partyrightswithrespecttothedocumentationandhardware.NoCRUdealer,agent,oremployeeisauthorizedtomakeanymodification,extension,oradditiontothiswarranty.InnoeventwillCRUoritssuppliersbeliableforanycostsofprocurementofsubstituteproductsorservices,lostprofits,lossofinformationordata,computermalfunction,oranyotherspecial,indirect,consequential,orincidentaldamagesarisinginanywayoutofthesaleof,useof,orinabilitytouseanyCRUproductorservice,evenifCRUhasbeenadvisedofthepossibilityofsuchdamages.InnocaseshallCRU’sliabilityexceedtheactualmoneypaidfortheproductsatissue.CRUreservestherighttomakemodificationsandadditionstothisproductwithoutnoticeortakingonadditionalliability.

FCC Compliance Statement: “ThisdevicecomplieswithPart15oftheFCCrules.Operationissubjecttothefollowingtwoconditions:(1)Thisdevicemaynotcauseharmfulinterference,and(2)thisdevicemustacceptanyinterferencereceived,includinginterferencethatmaycauseundesiredoperation.”

ThisequipmenthasbeentestedandfoundtocomplywiththelimitsforaClassAdigitaldevice,pursuanttoPart15oftheFCCRules.Theselimitsaredesignedtoprovidereasonableprotectionagainstharmfulinterferencewhentheequipmentisoperatedinacommercialenvironment.Thisequipmentgenerates,uses,andcanradiateradiofrequencyenergyand,ifnotinstalledandusedinaccordancewiththeinstructionmanual,maycauseharmfulinterferenceinwhichtheuserwillberequiredtocorrecttheinterferenceattheirownexpense.

IntheeventthatyouexperienceRadioFrequencyInterference,youshouldtakethefollowingstepstoresolvetheproblem:1) Ensurethatthecaseofyourattacheddiskisgrounded.2) UseadatacablewithRFIreducingferritesoneachend.3) UseapowersupplywithanRFIreducingferriteapproximately5inchesfromtheDCplug.4) Reorientorrelocatethereceivingantenna.

FOROFFICEORCOMMERCIALUSE

PartNumber:A9-000-0028Rev3.2

www.cru-inc.com/support

Documents

Ditto Forensic FieldStation