Logicube F-FALCON-SA User Manual

Hard drive forensics tool
Forensic Falcon™ User's Manual
PART # F-FALCON-SA
Logicube, Inc.
Chatsworth, CA 91311
USA
Phone: 818 700 8488
Fax: 818 700 8466
Version: 3.1
Date: 01/31/17
MAN-FALCON
Logicube Forensic Falcon™ User Manual
Summary of Contents for Logicube F-FALCON-SA

  • Page 1 Forensic Falcon™ User’s Manual PART # F-FALCON-SA Logicube, Inc. Chatsworth, CA 91311 Phone: 818 700 8488 Fax: 818 700 8466 Version: 3.1 Date: 01/31/17 MAN-FALCON Logicube Forensic Falcon™ User Manual...
  • Page 2: Limitation Of Liability And Warranty Information

    LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF TIME OR DATA FROM USE OF A LOGICUBE PRODUCT, OR ANY OTHER DAMAGES RESULTING FROM PRODUCT MALFUNCTION OR FAILURE OF (INCLUDING WITHOUT...
  • Page 3: RoHS Certificate Of Compliance

    MUCH DETAIL AS POSSIBLE. AT LOGICUBE’S SOLE AND ABSOLUTE DISCRETION, REASONABLE TELEPHONE AND EMAIL SUPPORT MAY ALSO BE AVAILABLE FOR THE LIFE OF THE PRODUCT AS DEFINED BY LOGICUBE. EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED IN THIS AGREEMENT, LOGICUBE PRODUCTS ARE...
  • Page 4: Logicube Technical Support Contact Information

    HAZARDOUS SUBSTANCES SUCH AS MERCURY, LEAD, CADMIUM, HEXAVALENT CHROMIUM AND CERTAIN FLAME-RETARDANTS IN THE EUROPEAN UNION. THIS DIRECTIVE APPLIES TO ELECTRONIC PRODUCTS PLACED ON THE EU MARKET AFTER JULY 1, 2006. Logicube Technical Support Contact Information 1. By website: www.logicube.com 2. By email: techsupport@logicube.com 3.
  • Page 5: Table Of Contents

    Imaging; 3.1.1 Step-by-step instructions – Imaging; 3.1.1.1 Blank Disk Check; 3.1.1.2 Drive Spanning; 3.1.2 Imaging to or from a network; 3.2 Hash/Verify
  • Page 6 5.0.3.6 Filter Settings; 5.0.3.6.1 Path Filter Notes; 5.0.3.7 Root Directory; 5.0.3.8 Output Format; 5.0.3.9 Hash/Verification Method; 5.0.3.10 Verify Hash; 5.0.4 Destination / Image File
  • Page 7 6.0.11.4 Language/Time Zone; 6.0.11.4.1 Language; 6.0.11.4.2 Time Zone; 6.0.11.5 Display; 6.0.11.6 Notifications; 6.0.12 Network Settings; 6.0.12.1 Services; 6.0.12.2 HTTP Proxy; 6.0.12.2.1 Server
  • Page 8 Viewing Source or Destination drives over the network using SMB; 11.1.1 Step-by-step – Viewing Source or Destination drives; 11.2 Viewing Source drives over the network using iSCSI
  • Page 9 16.0 Changing the Default Passwords Introduction; 16.0.1 Changing both the logicube and it passwords; 16.0.2 Changing only the logicube password; 16.0.3 Changing only the it password; 17: Frequently Asked Questions; 17.0 FAQ...
  • Page 10: 1: Introduction

    1: Introduction 1.0 Introduction to the Logicube Falcon Welcome to the Logicube Forensic Falcon™. Falcon sets a new standard in digital forensic imaging. Without exception, the fastest and most technologically advanced forensic imaging solution available. Feature-packed, power-rich performance in a space-saving footprint that provides expandability to meet future technology advances.
  • Page 11 Network Push feature. Push evidence files from connected destination drives or from a Falcon repository to a network location. The Falcon performs an MD5 or SHA hash during the push process, and a log file is generated for each push process.
  • Page 12: In The Box

    4 6-pin SATA power plugs • 1 USB A female to USB mini-B 5 pin male adapter • 1 USB A female to micro B male converter coupler adapter • CD-ROM containing the user’s manual • Carrying case
  • Page 13: Options

    PCIe adapter kit includes adapters for M.2 PCIe, M.2 NVMe, mSATA SSDs, PCIe and mini-PCIe cards • Flash Media Reader for compact flash cards, SD cards and other flash media • Hard-sided carrying case 1.4 Specifications
  • Page 14 Avoid using soap or other cleaning agents, particularly those containing bleach, ammonia, alcohol or other harsh chemicals. • Do not attempt to service or open the Logicube Forensic Falcon. Doing so may void the warranty. If the unit requires service, please contact Logicube Technical Support for assistance.
  • Page 16: 2: Getting Started

    Special Icons – Two icons appear throughout this manual. Please pay close attention when either of these two icons is found. These icons highlight additional information or important warnings on specific topics.
  • Page 17 GETTING STARTED
  • Page 18: Turning The Falcon On And Off

    PWR – power port for either Source 1 (S1) or Source 2 (S2) position. • USBS1 – USB 3.0 Source port. • FW S1 – FireWire Source port. • PCIe – Located in the back panel.
  • Page 19: Connecting Destination Drives

    Any combination of drives can be connected, up to 5 Destination drives. For example, one SAS drive, one SATA drive, two USB drives, and one FireWire drive can all be connected at the same time.
  • Page 20: Connecting USB 3.0 Drives

    2.2.5 Connecting SATA Drives using a USB-to-SATA adapter Logicube has qualified a USB 3.0 to SATA adapter for use with the Falcon. This adapter provides the capability to connect SATA drives to the USB 3.0 ports on the Falcon and uses a USB 3.0 to SATA converter.
  • Page 21: Connecting PCIe/mPCIe/M.2 Drives

    With software release 3.1 and above, an optical drive can be connected to the Source USB port. Falcon can then image the contents of the CD, DVD, or Blu-ray disc. Although most USB optical drives should work, Logicube has tested and qualified the following optical drive: - Pioneer BDR-XS06 Multisession support: The Falcon supports imaging from a multisession CD (as a Source).
  • Page 22: Touch Screen

    To change the display resolution on the external display: 1. Connect a wired USB keyboard to one of the front USB host ports. 2. Press ALT+R. An on-screen display should appear on the external display that allows the display resolution to be changed.
  • Page 23: 3: Quick Start

    (if present) that can potentially be restored or recovered. • File to Drive (Image Restore) – Restores DD, E01, EX01 images created by the Falcon to another drive.
  • Page 24 For example, a 2 TB drive with 64MB of cache produced by the manufacturer 2 years ago is most likely slower than a 2 TB drive that the same manufacturer just released this year, even though they are both 7200RPM with 64MB of cache, and are both SATA III.
  • Page 25: Step-By-Step Instructions - Imaging

    Case/File Name field to underscores “_” when creating the log or file names. POSIX portable characters are: Uppercase A to Z, Lowercase a to z, Numbers 0 to 9, Period (.), Underscore (_), Hyphen/Dash (-)
  • Page 26 Destination ports and any added repository. Encrypted drives will have the following symbol in the Format column: When formatting the drive from this screen, a prompt will appear to format the drive.
  • Page 27: Blank Disk Check

    To perform a blank disk check: 1. Connect a drive to the Falcon. 2. Choose Imaging, Hash, or Wipe/Format. 3. Choose Source, Destination, or Drives to list the connected drives.
  • Page 28: Drive Spanning

    Destination drive, the following prompt will appear warning that there might not be sufficient space on the Destination drive: When the Destination drive is full and the remaining data to be imaged will not fit, Falcon will prompt for another drive.
  • Page 29 Case/File name and the next DD, E01, or EX01 file. For example, if the last file on the first Destination used is *.E23, the next Destination/Repository used will start with file *.E24.
  • Page 30: Imaging To Or From A Network

    Primary – This will verify the primary hash of the image. • Both – This will verify both primary and second hash of the image. 3.2.1 Step-by-step instructions – Drive Hash or Case Verify
  • Page 31: Wipe/Format

    Allows the user to set a specific pattern to use for wiping the drive. The number of passes is customizable (up to 7 passes) along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set with pre-selected pass values.
  • Page 32: Step-By-Step Instructions - Wipe/Format

    4. If the drive has an HPA or DCO area that needs to be wiped, tap the HPA/DCO icon and select Yes to wipe the HPA/DCO area of the drive. 5. Tap the Passes icon to edit the number of passes and what gets written on each pass.
  • Page 33 Reset Task to reset the task, and also to delete the task in order for the drive bays to be properly reset and not show as being used or assigned for other tasks to be configured.
  • Page 34: Push

    4. Tap the Settings icon then tap the Verification icon to change the verification setting to Yes or No. Tap the OK icon to continue. 5. Optional: Tap Case Info to set the Case/File Name, Case ID, Examiner, Evidence ID, or Case Notes.
  • Page 35: Task Macros

    1. Select Task Macro from the types of operation on the left side. 2. Select a macro (Macro 1 through Macro 5). 3. Tap the Task icon to select up to nine (9) operations.
  • Page 36: USB Device (Viewing Drive Contents In Windows)

    4. Windows will automatically detect the drive, install the drive’s drivers (if necessary), and should assign it a drive letter. 5. The new drive letter will contain the contents of the selected drive and is write-protected.
  • Page 37: File Browser

    The Falcon keeps logs of all imaging, hash, wipe, format, and push operations. Logs can be viewed directly on the Falcon or from a computer’s browser (if the Falcon is connected to a network). In addition to viewing, the logs can be...
  • Page 38: Step-By-Step Instructions - Viewing Or Exporting Logs

    Falcon can use to catch transfer errors and re-try if needed. Sample Log File (viewed on-screen): 3.8.1 Step-by-step instructions – Viewing or exporting logs
  • Page 39: Deleting Log Files

    To delete a single log file, tap the log file to highlight the log file to be deleted. Tap the Delete icon to delete the selected log file. • To delete all the log files, tap the Delete All icon.
  • Page 40: Accessing The Logs Over A Network

    2. A Windows security screen will appear prompting to enter a User name and Password to connect to the Falcon. Log in with the following credentials: • User name: it • Password: it Once connected, an auditlog folder will appear. Open the auditlog folder.
  • Page 41: Statistics

    For more information on how to manage repositories, see Section 6.0.10 of this manual. 3.11 System Settings The System Settings screen allows users to configure six different settings for the Falcon:
  • Page 42: Network Settings

    DRIVE POWER – Inactive drives connected to the Falcon can be set to go to standby mode in this tab. The default is set to 0 minutes (OFF). For more detailed screen shots, see Section 6.0.14 of this manual.
  • Page 43: 4: Previewing Drives

    Analysis Drives Connection Drive Drive Drives Access Tools or Software File Browser Computer Very + File Limited Browser iSCSI One file at a time must be downloaded to the computer before it can be analyzed
  • Page 44: File Browser

    Using the Falcon’s 7” touch screen, one drive at a time can be viewed. See Section 6.0.7 for details on how to use the File Browser.
  • Page 45: Computer + File Browser

    Falcon cannot open using the file browser alone. See Section 6.0.7.1 for details on how to use the File Browser using the web interface.
  • Page 46: USB

    Some advantages of using this method are: • The contents of the drive are searchable using the Operating System’s search functions. • Third party analysis tools and software can be used with the logical partition.
  • Page 47: iSCSI

    The contents of the drive are searchable using the Operating System’s search functions. • Third party analysis tools and software can be used with the logical partition. See Section 11.2 for details on how to view Source drives over the network using iSCSI.
  • Page 48: 5: Imaging

    Source drive. • Drive to File – Images the Source to any of the following image output file formats: DD, E01, or EX01. Compression is available for E01 and EX01 modes.
  • Page 49: Source Or Case

    Falcon will list all the drives connected to the Source position(s). When File to File mode is selected, the Source window will show all drives connected to the Source positions and any repository added with the Source...
  • Page 50 (Source or Both Source and Destination). When File to Drive mode is selected, the Case window will show all drives (connected to Source or Destination) that have DD, E01, or EX01 images created by the Falcon.
  • Page 51: Settings

    This is optional and is not required to start an imaging operation. Information entered here will appear in the logs. In addition, some forensic analysis software can import the information...
  • Page 52 TestCase-2, etc. The Falcon will convert any non-POSIX portable characters used in Case/File Name field to underscores “_” when creating the log or file names. POSIX portable characters are: Uppercase A to Z, Period (.)...
  • Page 53: HPA/DCO/Trim

    Configuration Overlay (DCO) and Host Protected Area (HPA) of the destination drive using the Device Configuration Set command for DCO and Set Max Address command for HPA so that the Destination drive’s total native capacity...
  • Page 54 Drive to Drive mode and by default is set to NO. Drive Trim only works with ATA drives and will not work with USB external drives (or drives connected via USB), SAS or SCSI drives.
  • Page 55 1 Start the wipe task. The task should finish quickly as it is just wiping the HPA/DCO and 1 LBA. When the wipe task finishes, the drive should be back to its original capacity.
  • Page 56: Error Handling

    As an example, if 4096 Bytes is chosen, and one of the 8 sectors in that cluster size contains a bad sector, the Falcon will skip the entire cluster (or 4096 bytes or 8 sectors).
  • Page 57: Clone Method Settings

    5.0.3.5 File Image Method Settings When Drive to File mode is selected, File Image Method Settings will appear on the top-right of the Settings screen. Tap File Image Method Settings and the following screen will...
  • Page 58 (file size). Choose from 2 GB, 4 GB, 8 GB, 16 GB, or Whole Disk. COMPRESSION – Available for E01 and EX01 only. Sets the compression level for E01 or EX01 imaging. When selecting Compression, the following screen will appear. Use the slider...
  • Page 59: Filter Settings

    Path Filter – Allows the user to set preset filters or specify one or more custom filters. This is the first level...
  • Page 60: Path Filter Notes

    If all filenames containing “pic” are desired, the custom filter would be (similar to *pic* where * are wildcards): .*(pic) This will find any file with “pic” in the name, such as: mypic.jpg, picture.jpg, baby.pic. Example 2: Multiple keywords...
  • Page 61 Signature Based File Categories – Allows the user to set signature based file categories. This is the second level of filtering and will narrow down the results of the first filter to only the selected file categories, if selected.
  • Page 62: Root Directory

    For example, the entire first partition of the drive on SAS_S1 can be selected by tapping the folder icon. The folder icon is only selectable after a Source is selected.
  • Page 63: Output Format

    None – No hash of the Source will be performed. This is available only when using the following mode: Drive to Drive • SHA-1 – Uses the SHA-1 algorithm to hash the Source. This is available in the following modes: Drive to Drive...
  • Page 64: Verify Hash

    (using Drive to File). Only images created by the Logicube Forensic Falcon can be used with this setting.
  • Page 65: Destination / Image File

    NT file system (NTFS) to format drives. If the Destination drive is not formatted properly, the Location will appear as “(NOT_MOUNTED)” and a format icon will appear in the Format column. Tap the (Format) icon to format the Destination drive.
  • Page 66: Starting The Imaging Operation

    A confirmation screen will appear. Tap the Yes icon to continue. A progress bar will appear at the bottom of the screen showing the bytes processed, the rate (speed), elapsed time, and time remaining.
  • Page 67 Drive to File mode (DD, E01, EX01). When the Destination drive is full and the remaining data to be imaged will not fit, Falcon will prompt for another drive. Information on Drive Spanning can be found in Section 3.1.1.2.
  • Page 68: 6: Types Of Operations

    Output formats available are: LX01, ZIP or directory tree. Optionally an MFT report can be generated, which contains a list of deleted files (if present) that can potentially be restored or recovered.
  • Page 69 Destination for imaging or pushing images (or a Source when using the File to File mode). 11. SYSTEM SETTINGS – This mode allows changes to the system settings on the Falcon which include the following:
  • Page 70: Imaging

    6.0.2 Hash / Verify This type of operation allows the hashing of any connected drive using one of the following algorithms: SHA-1, SHA-256, MD5, and SHA-1+MD5. Case (Image) files created by the Falcon can also be verified.
  • Page 71: Mode

    Settings, and Case Info. 6.0.2.1 Mode Tap this icon to choose the mode. Drive Hash will hash a drive (based on Logical Block Addresses (LBA) or Sectors). Case Verify will verify the hash of a case (image) file.
  • Page 72: Drives

    Falcon will hash up to the LBA value of the smallest capacity drive. If drives with different capacities need to be hashed, it is recommended to start one task per drive.
  • Page 73 The LBA icon will bring up the LBA settings screen. On this screen the user can adjust the percentage or the number of blocks of the drive to hash and...
  • Page 74: Case Verify Settings

    6.0.2.3.2 Case Verify Settings If Drive Hash mode was chosen, the Hash Settings screen will appear: Tap this icon to set which hash to verify (Primary or Both).
  • Page 75: Case Info

    Case/File Name field to underscores “_” when creating the log or file names. POSIX portable characters are: Uppercase A to Z, Lowercase a to z, Numbers 0 to 9, Period (.), Underscore (_), Hyphen/Dash (-)
  • Page 76: Wipe / Format

    Case Info. 6.0.3.1 Destination Tap this icon to choose a drive to erase, wipe, and/or format. A screen will appear, allowing the selection of one or more destinations. Tap the drive(s) to be erased, wiped, and/or...
  • Page 77: Settings

    On, the Falcon will first secure erase the drive, then wipe the drive according to the mode specified, then format the drive. 6.0.3.2.1 Secure Erase Choose ON to Secure Erase the selected Destination drive(s). Most drives support this function.
  • Page 78: Wipe Patterns

    In addition, a 7-pass DoD wipe can be set with pre-selected pass values. There are 4 selections when setting a wipe pattern: • MODE • HPA/DCO • LBAS • PASSES
  • Page 79 This will open the HPA/DCO option for wiping. If the drive to be wiped has HPA and/or DCO that needs to be wiped, select Yes for the corresponding...
  • Page 80 Editing one or more of the passes in DOD or CUSTOM mode will bring up this screen: • SKIP – Instructs the Falcon to skip the pass.
  • Page 81: Format

    NT file system (NTFS), depending on which file system is chosen. When set to OFF, the Falcon will not format or encrypt the selected drive. • File System – Select EXT4 to format the Destination using the EXT4 file system.
  • Page 82: Case Info

    Information entered here will appear in the logs. More information on the Case Info screen can be found in Section 5.0.3.1. Tap any of the boxes and an on-screen keyboard will appear allowing information to be entered. After entering the...
  • Page 83: Push

    The Falcon will create a log file for each push process. There are three selections when performing a push: • Source • Settings • Destination
  • Page 84: Source

    (where the files to push will be pushed/copied to). This will only show drives connected to the Destination ports or locations set up as a repository where the DD, E01, or EX01 images will be pushed...
  • Page 85: Task Macro

    Tapping this icon allows the user to set specific tasks for each macro. The following window will appear: Tap Operation 1 to set the first operation in the macro. The following screen will appear allowing the user to choose the...
  • Page 86 To start the macro and have the Falcon perform all the operations on the task list, tap the Start icon. Example: Setting up a Macro for a Wipe using Secure Erase then perform a Drive to Drive Image
  • Page 87 Since the second task to be run is the Drive to Drive Imaging task, select Image 1 then tap OK. 7. The screen should now show Wipe 1, Image 1 as the Tasks for Macro 1.
  • Page 88: USB Device

    Choose the drive to view then tap the ENGAGE icon. The ‘DRIVE STATUS’ for the selected drive will change to “ENGAGED” and the ENGAGE icon will change to DISENGAGE. At this point, connect a USB cable between the computer and the...
  • Page 89: Settings

    If the drive is not detected by the Operating System, change the Export Mode and/or the Export type. These settings will not change anything on the drive. It will simply change how the...
  • Page 90: File Browser

    Drives connected to the Source ports (SAS_S1, SAS_S2, USB_S1, and FW_S1) – Drives connected to the Source ports are always write-protected. Using the File Browser function will not alter the drive or its contents in any way.
  • Page 91 The only change to the contents of the destination drive will be the file’s accessed date and time. In the File Browser screen, select the drive to view: Select the partition to view:
  • Page 92 Falcon can open and preview certain files. Some of the files it can preview are: *.jpg, *.gif, *.png, *.txt, *.pdf, *.html. If the Falcon cannot preview a file, a message will appear stating “File viewer cannot view file type:”
  • Page 93: Viewing Files From The Web Interface

    Word document. 6.0.7.2 Important notes about using the File Browser When using the Falcon’s File Browser, there are several things to take note of: • Drives connected to the Source positions are write-protected.
  • Page 94: Logs

    In addition to viewing, the logs can be exported to an external USB location such as a USB flash drive. Logs are exported in PDF, HTML and XML format. From this screen, log files can also be deleted one at a time or all at once.
  • Page 95: Statistics

    6.0.10 Manage Repositories Repositories can be added to the Falcon in this operation. Repositories can act as a Source or Destination.
  • Page 96: Add/Remove

    A list of repositories will be shown including local Destination drives and networked repositories. The user has the option of adding or deleting a repository. Tap Add Repository to add a repository. The Add Repository window will appear.
  • Page 97 Tap Drive to select a drive or network share to set as a repository. Tap the OK icon when finished. Tap Network Settings to enter the network settings. See the example below. Tap the OK icon when finished.
  • Page 98 (edit) icon. This will allow changes to the path, domain, username, or password. To delete a repository, tap the (delete) icon. A confirmation screen will appear. Tap Yes to permanently delete the repository from the list.
  • Page 99: iSCSI

    Systems Administrator or Network Administrator may be needed to set up the iSCSI protocol. Once the iSCSI Target has been set up, tap Settings. Input the iSCSI target portal, username and password. Tap the OK icon when finished.
  • Page 100: System Settings

    This screen shows all user profiles/configurations for the Falcon. There are three options in this screen: • New – Allows the user to create a new profile/configuration name. • Save – Saves the selected profile/configuration.
  • Page 101 4. In the System Settings, go to User Profiles/Configurations and tap the New icon. 5. Type a name for this profile. For example, E01-2GB and tap the OK icon. The profile name should appear on the screen.
  • Page 102: Passwords

    INITIAL.DB configuration. This is the default configuration of the Falcon and is used to reset the Falcon to the factory default settings. 6.0.11.2 Passwords There are two sets of passwords that can be entered on the Falcon.
  • Page 103: Additional Information For Config Lock

    Tap the Enable icon to enter a password or key. The available characters are 0 through 9 and A through F. 6.0.11.2.1 Additional information for Config Lock Tap the Auto Lock icon to set the time to automatically lock the configuration and require...
  • Page 104 Lock. • File Browser – The file browser cannot be accessed without the unlock key. • Logs – Since there are no settings or configurations for this operation, it is not affected by Config Lock.
  • Page 105 Remember the Config Lock Key! If the Falcon is configured to load with the Config Lock set (enabled), the only way to delete the Config Lock is to reset the Falcon using the Command Line Interface (CLI).
  • Page 106: Forgotten Password Or Config Lock Key

    Telnet/SSH application. 8. Wait for the Falcon to completely turn off then turn it back on. When the Falcon boots up, it will load the default configuration. The default configuration...
  • Page 107: Encryption Settings

    • File to File – Image specific files (by filename, extension, etc.). The files will be sorted by path (based on where the file is located on the Source and each file will be...
  • Page 108: Language/Time Zone

    NTP and adjust the time as needed. The Falcon also has a time zone setting. Tap Time Zone to select the time zone region. Tap...
  • Page 109: Display

    Each time the Falcon boots, the brightness will be reset to 80%. Stealth Mode – Stealth mode turns the Falcon’s screen off, allowing privacy so no one can see what the Falcon is doing.
  • Page 110: Notifications

    6.0.12 Network Settings The Network settings screen allows certain services to be enabled or disabled in the Services tab. There is also an HTTP Proxy tab where proxy server information can be entered.
  • Page 111: Services

    Internet, proxy settings may need to be set in order for the Falcon to be able to update software from a network (over the internet). This typically includes a server (or...
  • Page 112: Server

    Username/Password icon to set this information. 6.0.13 Software Update New and improved software will be released from time to time. There are two ways to update the software on the...
  • Page 113: Power Off

    Additionally, the Graphical User Interface (GUI) can be refreshed. DRIVE POWER – Inactive drives connected to the Falcon can be set to go to standby mode in this tab. The default is set to 0 minutes (OFF).
  • Page 114: 7: Viewing EXT4 Formatted Destination Drives In Windows

    EXT3 and EXT4 partitions to be viewable in Windows. The Falcon labels the formatted Destination drive as “REPOSITORY”. Logicube does not provide full support for Ext2fsd. We provide basic instructions on how to make this utility work in our scenario. For Ext2fsd support, please visit their website above.
  • Page 115 The following screen will appear. Make sure that there is a check mark next to “Automatically mount via Ext2Mgr”. Also, make sure there is a drive letter assigned (to the right of this option). If not, assign an available drive letter. Click the Apply button.
  • Page 116 5. The following confirmation screen will appear. Click OK to continue. 6. Close the Ext2fsd Volume Manager program. Windows should now see the drive and assign it a drive letter with the volume name “REPOSITORY”.
  • Page 117: 8: Drive Encryption And Decryption

    • Cipher – At this time, only the AES-256 cipher is supported.
    • IV Generation – Initialization Vector. Unavailable when TC-XTS cipher mode is selected. If CBC or ECB cipher mode is selected, users can choose between PLAIN64 and ESSIV:SHA256.
  • Page 118: Encrypting A Destination

    Set Encryption to ON. When finished, tap the OK icon. 8. Tap the Start icon to start the wipe task. The Falcon will perform a Secure Erase first (if selected), then a Wipe Pattern (if selected), then finally a Format with encryption.
  • Page 119: Using Previously Encrypted Destination Drives

    If the values are incorrect, the drive will not be decrypted properly and the data will be unrecognizable. 5. Connect the previously encrypted Destination drive to one of the Destination ports...
  • Page 120 USB mode. The USB cable can now be disconnected from the computer and the Falcon. If the data on the drive is unrecognizable, disconnect the drive, then double-check the encryption settings (steps 2 through 4), then re-connect the drive...
  • Page 121: Decrypting The Drive Without A Falcon

    In order to mount and read an encrypted Destination drive in Windows, without using a Forensic Falcon, Logicube recommends one of three third-party utilities called VeraCrypt, TrueCrypt or FreeOTFE. Other utilities may work, but are not supported or tested by Logicube. VeraCrypt can be downloaded from: https://veracrypt.codeplex.com/...
  • Page 122 1. Once the drive is connected to the computer, open VeraCrypt. 2. Click Select Device and choose the partition of the connected drive then click OK.
  • Page 123 3. Click Mount. 4. Type the encryption password in the Password field then click OK. 5. The drive should now be mounted and assigned a drive letter.
  • Page 124: Decrypting Using Truecrypt

    1. Open TrueCrypt and select Volumes from the menu system, then click Select Device… 2. The ‘Select a Partition or Device’ window will appear. Select the partition of the drive. Do not select the actual drive itself. Click OK to continue.
  • Page 125 This setting can be found by clicking Mount Options… A hardware write-block device may be used instead, if needed. 5. TrueCrypt will mount the drive and assign it a drive letter.
  • Page 126: Decrypting Using Freeotfe

    • FreeOTFE properly installed
    • A drive encrypted by the Falcon using the CBC cipher mode connected to the computer with FreeOTFE.
    1. Open FreeOTFE. In the main window, click File then Linux volume then Mount partition…
  • Page 127 4. In the Encryption tab, set the Cipher to AES (256 bit CBC). Set the Initialization Vector (IV) generation method to match what was used in the IV Generation on the Falcon. In this example, “plain64” was used. In the ‘Sector zero location’, choose Start of encrypted data.
  • Page 128 Windows may not mount the drive if this option is checked. If this is the case, use a write-protect device and uncheck the Mount readonly option. 6. Click the OK button. The following warning screen may appear. Click the Yes button to continue.
  • Page 129 7. FreeOTFE will mount the drive and assign a drive letter. 8. Click the OK button to continue. The drive should appear in the FreeOTFE window. 9. The Destination drive should now be accessible in Windows.
  • Page 130: 9: Updating The Falcon Software

    If one is found, it will display the version on the screen and the Update icon will be selectable. 4. Tap the Update icon to begin the update. A confirmation screen will appear. Tap Yes to continue the update.
  • Page 131: From Usb Drive - Via Software Download

    7. Verify the software version at the top of the ‘Software Updates’ screen. 9.1.2 From USB Drive – Via software download The latest software can also be downloaded from Logicube’s website and be placed onto a USB flash drive. It is recommended to use an empty USB flash drive.
  • Page 132: Extracting The Software Download On A Computer With Winzip (Or Other Third Party Zip Software)

    Windows Explorer will open the zip file and the files can be extracted using the Extract all files function to the USB flash drive. This will bypass WinZip and use the built in utility in Windows.
  • Page 133: Firmware Loading Instructions

    Falcon will reboot automatically. b. FIRMWARE UPGRADE NOT AVAILABLE – This message will appear if the device does not require a firmware update. No further action is necessary if this message appears.
  • Page 134: 10: Remote Operation

    Falcon will be available on the browser. On some browsers or Operating Systems, the Falcon will need to be accessed by browsing to http://Falcon-XXXXXX.local/. The Falcon can be controlled by clicking on the icons appearing on the browser window.
  • Page 135: Command Line Interface (Cli)

    Type open followed by the IP address or name of the Falcon. For example open 192.168.1.100 or open Falcon-XXXXXX where XXXXXX is the 6 digit serial number of the Falcon, then press Enter. The Falcon login screen should appear.
  • Page 136: Connecting Via Ssh

    On some Operating Systems, the Falcon will need to be accessed by opening Falcon-XXXXXX.local. Login with the username “it” (without the quotes) and the password “it” (without the quotes). The following prompt should appear in the SSH window:
  • Page 137: Zero Configuration Networking (Zeroconf)

    Type net del -n eth0 to delete the current network configuration. d. The following information is required: a static IP, the netmask, network gateway, the network nameserver, the domain. For example: i. IP Address: 192.168.1.123 ii. Netmask: 255.255.255.0 iii. Gateway: 192.168.1.10...
  • Page 138: Copying User Profiles/Configurations From One Falcon To Another

    Falcons connected should be the one with the profiles/configurations already set up. 3. Using Telnet or SSH to the Falcon with the profiles/configurations already set up, connect to the Falcon’s Command Line Interface (CLI) via...
  • Page 139 9. Repeat step 8 to copy the profiles/configurations to other Falcon units. 10. When finished, reboot all the Falcons where the profiles/configurations were copied to. They should boot up with the same profiles/configuration set to load and all other saved profiles/configurations.
  • Page 140: 11: Viewing Source And Destination Drives Over A Network

    Both IP address and serial number can be found by going to the Statistics screen on the Falcon. For example, browse to \\192.168.1.100 or \\falcon-XXXXXX where XXXXXX is the 6 digit serial number of the Falcon.
  • Page 141 Password: it 4. A folder called bays will be shown in Windows Explorer. 5. Go into the bays folder and select the connected Destination drive. For example, SAS_D2. The contents of the drive will be shown.
  • Page 142: Viewing Source Drives Over The Network Using Iscsi

    2. The Quick Connect window will appear and any drives connected to the Source ports of the Falcon will appear on the list of discovered targets. Highlight the drive to view, then click Connect.
  • Page 143 For more information, please see Microsoft KB Article ID: 2581408: Windows support for hard disks that are larger than 2 TB. This can also be searched with the keyword: KB2581408
  • Page 144: 12: Optional Adapters

    12: Optional Adapters 12.0 Optional Adapters - Introduction Logicube has many different adapters that allow the imaging of almost any drive. This chapter lists the available optional adapters that can be used with the Falcon. 12.1 mSATA (mini-SATA) Drives mSATA (mini-SATA) drives can be connected using the adapter shown above. This mSATA adapter has a standard SATA connector that can connect to the Falcon using the standard SATA cables included.
  • Page 145: Pcie Adapter Kit (For M.2 And Pcie)

    M.2 PCIe AHCI or NVMe based SSDs require the M.2 to PCIe Adapter (F-ADP-M.2-PCIE) and the PCI Express Card Adapter (F-ADP-PCI-EXP). Any time the PCI Express Card Adapter is used, the SSD will only appear as a Source drive. 1. Turn the Falcon off.
  • Page 146: Sata Based Ssds

    4. Connect the M.2 to PCIe Adapter (F-ADP-M.2-PCIE) to the PCI Express Card Adapter (F-ADP-PCI-EXP). 12.3.2 M.2 SATA based SSDs M.2 SATA based SSDs require the M.2 to SATA Adapter (F-ADP-M.2-SATA) which connects directly to any of the SAS/SATA cables supplied with the...
  • Page 147: Mini Pcie (Mpcie) Ssds

    Express Card Adapter is used, the SSD will only appear as a Source drive. 1. Connect the PCI Express Card Adapter (F-ADP-PCI-EXP) to the PCIe port located in the back of the Falcon. 2. Connect the SSD to the Mini PCIe to PCIe Adapter (F-ADP-MINI-PCIE).
  • Page 148: Msata Ssds

    1. Connect the SSD to the mSATA to SATA Adapter (F-ADP-Z-MSATA). 2. Connect the mSATA to SATA Adapter (F-ADP-Z-MSATA) to the desired SAS/SATA port on the Falcon. The following ports can be used: SAS_S1, SAS_S2, SAS_D1, or SAS_D2.
  • Page 149: Usb 3.0 To Sata Adapter

    12.4 USB 3.0 to SATA Adapter Logicube has qualified a USB 3.0 to SATA Adapter for use with the Falcon. This adapter provides the capability to connect SATA drives to the USB 3.0 ports on the Falcon and uses a USB 3.0 to SATA converter.
  • Page 150 The multi-card reader supports the following formats:
    • CF (CompactFlash)
    • SD/SDXC/MMC
    • Micro SD
    • Memory Stick (MS)
    • Memory Stick Duo (M2)
    • X-Card
    Attach only one flash memory card to the multi-card reader at a time.
  • Page 151: 13: Scsi Module

    In the box:
    • Power supply & power cord
    • 2 SCSI drive data cables (CBL-031A)
    • 2 SCSI drive power cables (CBL-EXT-PWR-04)
    • Optional 50-pin and 80-pin SCSI adapters are available.
  • Page 152 SCSI MODULE
  • Page 153: Instructions - How To Attach The Scsi Module

    1. Turn the Falcon upside-down and locate the expansion cover to the right of the sticker. 2. Insert a small, sturdy tool (for example, an eyeglass screwdriver) as seen below. Pry the expansion cover off as shown below.
  • Page 154: Turning The Falcon With Scsi Module On And Off

    Attach one of the included power supplies to the left side of the SCSI module. The power supply has a ‘notch’ to guide the connection. The notch should be guided to face the top side of the power port.
  • Page 155: Connecting Drives

    This section shows how to connect SCSI drives to the Falcon’s SCSI module. For information on how to connect other types of drives directly to the Falcon and not through the SCSI module, please see Section 2.2: Connecting Various Drive Types.
  • Page 156: Connecting Scsi Source And Destination Drives

    Simply connect the two cables to the SCSI module and connect the other side of the cables to the SCSI drive. 50-pin and 80-pin adapters are available. Please contact Logicube Sales to purchase these adapters. For 50-pin drives, connect the 50-pin adapter between the 68-pin data cable and the drive.
  • Page 157: 14: Usb Boot Client

    Operating System on the computer and can be imaged without having to remove the drive from the computer. Details on how to create the USB boot client can be found on the Forensic Falcon’s support page at http://www.logicube.com/knowledge/forensic-falcon.
  • Page 158: 15: Printing Log Files

    Once the printers are set up and configured, the configuration must be saved to a profile. 15.2.1 Step-by-step – Configuring a local or networked printer 1. Connect the Falcon to a network with DHCP. For networked printers, make sure the Falcon is connected to the same network. For local...
  • Page 159 : Brother HL-4150CDN series : lpd://BRN001BA9A8F7EA/BINARY_P1 7. Add the printer using the following syntax (case sensitive): printer add -n <name_for_the_printer> -N -u <uri> -m <make_model> printer add -n <name_for_the_printer> -D -u <uri> -m <make_model>
  • Page 160 A “Successful” message should appear. 9. Type db load printer.db to load the database configuration. Each time the Falcon is turned on, the local or networked printer should be available on the Falcon’s touch screen.
  • Page 161: 16: Security - Changing The Default Passwords

    Changing password for logicube. (current) UNIX password: 4. Type the current password for the “logicube” account (the default password for this account is “logicube”) then press the Enter key. The following prompt will appear: Enter new UNIX password: 5. Type a new password then press the Enter key. The following prompt...
  • Page 162: Changing Only The Logicube Password

    1. Connect a USB keyboard to one of the two USB ports in front of the Falcon then use the following key combinations: Alt+2 then Alt+Shift+Enter. 2. Once the logicube prompt appears, type the following commands, one line at a time (Press the Enter key after each command/line):...
  • Page 163: Changing Only The It Password

    13. Connect a USB keyboard to one of the two USB ports in front of the Falcon then use the following key combinations: Alt+2 then Alt+Shift+Enter. 14. Once the logicube prompt appears, type the following commands, one line at a time (Press the Enter key after each command/line):...
  • Page 164: 17: Frequently Asked Questions

    A. Falcon uses a Linux-based operating system. A Linux-based operating system provides increased stability and security over Windows-based systems. Q. What file format does Falcon use when formatting destination drives? A. Falcon can format destination drives using the NT File System (NTFS) or EXT4 file system.
  • Page 165 XML, HTML and PDF). XML log files can be customized using XML editors. The log files are stored on the internal hard drive within Falcon and are accessible by pressing the log file icon from the left-side navigation bar on the Falcon screen.
  • Page 166 Gigabit Ethernet or via the destination ports (USB 3.0 or the SAS/SATA) built into Falcon. If the external storage device has a RAID configuration it will require that it be configured as a single drive. Any source drive connected to Falcon can be imaged directly to the external storage device.
  • Page 167: 19: Index

    System Settings, 91 Flash memory cards, 140 Task Macro, 76 Format, 72 Task Macros, 26 Hash, 21, 22, 61 Technical Support, Logicube, III, 159 Hash/Verification Method, 54 Telnet, 126 Host Protected Area (HPA), 44 Time Zone, 99 HPA/DCO, 47 Touch Screen, 13...
  • Page 168: Technical Support Information

    Technical Support Information For further assistance please contact Logicube Technical Support at: (001) 818 700 8488 7am-5pm PST, M-F (excluding US legal holidays) or by email to techsupport@logicube.com Software Attribution Ubuntu 12.04 LTS (http://www.ubuntu.com) Linux Kernel (3.2.48) (GPL v2) (http://www.kernel.org) (modified) libcli (1.9.5) (LGPL v2.1)

This manual is also suitable for:

Forensic falcon
