Logicube F-FALCON-SA User Manual page 165

Q. Does imaging performance slow down when multiple drives are imaged at the same time?
A. Performance is limited by the slowest drive in the configuration. However, there should not be any
significant speed penalty when imaging multiple drives.
Q. How many separate tasks can you have running concurrently?
A. You can have up to five separate tasks running concurrently.
Q. Can I schedule or automate tasks?
A. Falcon features the ability to create up to 5 separate "Tasks Macros". Each macro allows you to set
up to 9 operations to be performed sequentially. For example, if your routine procedure is to wipe a
drive before you begin imaging, then image a drive using e01 mode (S1 to D1), then hash (S1), you
can add these operations to a Macro and from the Falcon GUI select the Macro and the Falcon will
perform the specified tasks/operations in the sequence you have defined. The user can save the
Macro to use in future imaging sessions. Administrators can set up Macros to provide an easier
method for novice users or first responders to image suspect drives in the field.
Q. Can I encrypt my evidence drives using the Falcon? How do I decrypt drives encrypted with Falcon?
A. The Falcon provides AES 256 whole drive encryption. Users can choose between three different
cipher modes and can set their own password/key for the encrypted drive. Users can decrypt a drive
that was encrypted with Falcon by using the Falcon to decrypt or by using TrueCrypt or FreeOTFE.
Q. Can the Falcon image to or from a network destination?
A. Yes. The Falcon includes a gigabit network connection. Users can designate a network share as a
source or destination repository using CIFS (Common Internet File System) or iSCSI (Internet Small
Computer System Interface) protocols.
Q. What is "Parallel Imaging"?
A. Parallel Imaging allows you to image from the same source drive to multiple destinations using
different formats, image to a network location using e01, image to one destination drive using dd
format, and image to a 2nd destination drive using native (mirror format). This is useful when there
are multiple teams of investigators (one in a lab and one at another location but connected to a
network) and you also need to provide a copy of the suspect hard drive to those that require an exact
mirror image (for example to an attorney).
Q. What is a "filter-based file copy"?
A. In many cases, investigators want to image only specific file types on a suspect's hard drive, this can
be useful to shorten the imaging process. The Falcon's "file" mode allows users to specify by
extension type e.g. .jpeg, .pdf, .mov, .xls etc. which files they want to image. The files will be sorted
by path (based on where the file is located on the Source). If a hash method is selected, each file will
be hashed.
Q. Does the Falcon provide log files?
A. Yes, each operation/task produces a log file. The log file is viewable on the Falcon screen (or remotely
on a PC) in an HTML format. The log files can be exported to a thumb drive (the Falcon will export in
XML, HTML and PDF). XML log files can be customized using XML editors. The log files are stored on
the internal hard drive within Falcon and are accessible by pressing the log file icon from the left-side
navigation bar on the Falcon screen.
Logicube Forensic Falcon™ User's Manual
FAQs
156