A Beginner’s Guide to do the Forensic Image — Logicube Forensic Falcon
To many beginners in forensic area, we have many tools to image. But how do I start with those tools? Which tool should I choose? I think it’s a big problem to a beginner.
This time I use a forensic machine which named“ Logicube Forensic Falcon ” as the role of this article. Hope it help~
We can find many introductions about Forensic Falcon. But the big problem is that we can’t find any simple user guide on the internet. How to use it? What should I do to the next step? All problems are annoying.
As a result, I will share some basic guidance about forensic image by Forensic Falcon and it can lead the beginner to start working.
The outline as following :
- What is Forensic Image ?
- What is Logicube Forensic Falcon?
- Basic preparation for image.
- Start to image !
What is Forensic Image?
Forensic imaging is one element of computer forensics, which is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law.
However not all imaging and backup software create forensic images. For example,Windows backup just creates image backups that are not complete copies of the physical device.
Forensic images can be created through specialized forensic software or machines. In addition, Some disk imaging utilities not marketed for forensic use also make complete disk images.
What is Logicube Forensic Falcon?
Forensic Falcon is one of the fastest and most technologically advanced forensic imaging machine. It’s the useful machine in forensic area, whenever you need to image or backup something from someone’s computer.
The basic feature of it as following:
- Imaging and verifying to multiple image formats. Such as native or mirror copy, dd image, e01, ex01 (e01 and ex01 with compression) and file-based copy.
- Supporting SHA1, SHA256 or MD5 and dual-hash (MD5+SHA-1) authentication.
- Supporting EXT4 or NTFS destination file format.
- Multiple imaging ports.
Write-protected source ports include 2 SAS/SATA, 1 USB 3.0, 1 Firewire, destination ports include 2 SAS/SATA, 2 USB 3.0 and 1 Firewire. Gigabit Ethernet port for network connectivity. USB source and destination can be converted to SATA using a USB to SATA adapter.
- Multiple imaging ports.Image Restore.
File to drive mode restores dd, e01, ex01 images created by the Falcon to another drive.
Basic preparation for image.
Before starting to image, we should know which types of hard drive (see Photo 1) will we image first. Second is know the each port of Falcon. In this article I just show the source port and target port.
Before we start to use it, we should know the left side of machine has “one” source port and right side has “two” target(destination) port.(see photo 2)
However if you mix up it, it will appear some interest things. Be careful!
Start to image !
First time you start up the Forensic Falcon, the most important thing is that you need to check the date of setting. If you didn’t set it first, the log of image will have error dates.
Then you should fill out all of settings. Each step I had wrote down in the attached.(see Photo 3)
A. Select mode.
There are three types of mode that you can select. Such as “Drive to Drive”, “Drive to File” and “File to File”. Each one has it’s own data type. If you want to image, you should select “Drive to File”. Otherwise, if you want to backup hard drive, you can select “Drive to Drive”.(see Photo 4)
B. Select the source of drive/file.
If you had connected the source port, then you can find the drive in the list.(see Photo 5)
C. Fill out the contents of settings .
As we try to image, we need to fill out the contents of settings. Such as Case information, Clone method settings, etc. (see Photo 6)
- In Case information, you can fill in what you want. For example, if we received the project named TAIPEI 101, then we can named it as TA101. Then we will set Case/File Name and Case ID as TA101, and set Evidence ID as TA101A.(It’s up to examiner~!!)
- In “Clone method”, “HPA/DCO/TRIM”, “Error handling” and “Hash/Verification” settings, all of them should use the method what the project need.
By the way, here are some basic information about format method(see the table below).
D. Select the destination of drive/file.
It’s the same as step B. By the way, if the project needs two same image, you can select two destination at the same time.
After you finished the steps as stated above, then another important thing is “Password” or “Encryption” setting. Otherwise, if the project don’t need to encrypt, you can press the start button. Then you just need to wait for it.
Password and Encryption Settings
If you need any password or encryption, you just need to enter the setting mode and set all of it.(see Photo 7)
In conclusion, if you finished all steps as stated above, you finished the first time of forensic imaging.
Thanks for your reading.
It’s my first published a technical article on Medium. Please have a look ! :)