Page 1 Falcon ® -NEO User’s Manual Logicube, Inc. Chatsworth, CA 91311 Phone: 818 700 8488 Fax: 818 700 8466 Version: 1.0 Date: 03/28/2018 MAN-FALCON-NEO Logicube Falcon ® -NEO User’s Manual...
Page 2: Limitation Of Liability And Warranty Information
Logicube Disclaimer LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF TIME OR DATA FROM USE OF A LOGICUBE PRODUCT, OR ANY OTHER DAMAGES RESULTING FROM PRODUCT MALFUNCTION OR FAILURE...
Page 3 EMAIL ADDRESS AND A DESCRIPTION OF THE PROBLEM WITH AS MUCH DETAIL AS POSSIBLE. AT LOGICUBE’S SOLE AND ABSOLUTE DISCRETION, REASONABLE TELEPHONE AND EMAIL SUPPORT MAY ALSO BE AVAILABLE FOR THE LIFE OF THE PRODUCT AS DEFINED BY LOGICUBE. EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED IN THIS AGREEMENT, LOGICUBE PRODUCTS...
Page 4: Rohs Certificate Of Compliance
YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. RoHS Certificate of Compliance LOGICUBE PRODUCTS COMPLY WITH THE EUROPEAN UNION RESTRICTION OF THE USE OF CERTAIN HAZARDOUS SUBSTANCES IN ELECTRONIC EQUIPMENT, ROHS DIRECTIVE (2002/95/EC).
Page 5: Table Of Contents
3.1 I ..........................14 MAGING 3.1.1 Step-by-step instructions – Imaging ................15 3.1.2 Imaging BitLocker encrypted drives ................17 3.1.3 Imaging Net Traffic ....................... 19 3.1.4 Imaging to or from a network ..................20 Logicube Falcon -NEO User’s Manual ®...
Page 6 4.3.8.3.2 Signature Based File Categories ....................46 4.3.8.3.3 Keywords ............................ 46 4.3.9 Special Settings in Net Traffic to File mode ..............46 4.4 D ......................47 ESTINATION MAGE 4.5 S ................... 48 TARTING THE MAGING PERATION Logicube Falcon -NEO User’s Manual ®...
Page 7 5.9.2 iSCSI ..........................75 5.9.3 Configuration ....................... 76 5.10 S ........................76 YSTEM ETTINGS 5.10.1 Profiles ........................76 5.10.2 Passwords ........................78 5.10.2.1 Setting Key Passwords ..................79 5.10.2.1.1 Config Lock Notes ........................80 Logicube Falcon -NEO User’s Manual ®...
Page 8 7.3.1 Which decryption software to use? ................98 7.3.2 Decrypting using VeraCrypt ..................98 7.3.3 Decrypting using TrueCrypt ..................100 7.3.4 Decrypting using FreeOTFE ..................102 8: UPDATING/LOADING/RE-LOADING THE FALCON-NEO SOFTWARE ....... 107 8.0 U – I ........... 107 PDATING...
Page 9 14.2.1 Step-by-step – Configuring a local or networked printer ........128 15: FREQUENTLY ASKED QUESTIONS ..............131 15.0 FAQ ..........................131 16: INDEX ....................... 134 ....................135 ECHNICAL UPPORT NFORMATION ........................ 135 OFTWARE TTRIBUTION Logicube Falcon -NEO User’s Manual ®...
Page 10: 1: Introduction
The next-generation of our ground-breaking Falcon® forensic imager, the Falcon®-NEO has been engineered specifically for digital forensic investigations. Delivering high performance and advanced features, the Falcon-NEO is designed to meet the challenges of digital investigations head-on. Efficient and secure digital evidence collection is accomplished with a feature-set that provides sophisticated functionality with a goal to shorten acquisition time.
Page 11 Two 10GbE network ports provide state-of-the-art connectivity for fast network • imaging performance. I/O card ports. Designed for the future, the Falcon-NEO includes 2 source I/O card ports • and 1 destination I/O port to support new interface technologies as they arrive on the market.
Page 12 Audit Trail/Log files provide detailed information on each operation. Log files can be • viewed on Falcon-NEO or via a web browser, exported to XML, HTML or PDF format to a USB enclosure. Users can print the log files directly from their PC when connected to Falcon-NEO via a web browser.
Page 13: In The Box
GETTING STARTED 1.2 In the Box The Falcon-NEO is shipped in a soft-sided carrying case that includes: The Logicube Falcon-NEO unit • AC adapter/Power supply and US power cord • QTY: 6 – SAS/SATA data & power cables • QTY: 2 – CAT7 6FT network cables •...
Page 14: Specifications
• Avoid dropping the Logicube device or subjecting it to sharp jolts. When in use, place it on a flat surface. • Keep the unit dry. If the Logicube device needs to be cleaned, use a lightly damp, lint free cloth. Avoid using soap or other cleaning agents particularly those containing bleach, ammonia, alcohol or other harsh chemicals.
Page 15: 2: Getting Started
2: Getting Started 2.0 Overview of the Falcon-NEO Special Icons – Throughout this manual, there are two icons that can be seen. Please pay close attention when any of these two icons are found. These icons highlight additional information or importa`nt warnings on specific topics.
Page 16 GETTING STARTED Logicube Falcon -Neo User’s Manual ®...
Page 17: Turning The Falcon-Neo On And Off
2.1 Turning the Falcon-NEO on and off The Falcon-NEO has two DC IN ports located in the back of the device. Any of these two ports can be used. The second DC IN port is available for possible future increases in power requirements.
Page 18: Connecting Destination Drives
Not labeled: Two 6-pin power ports for SAS_S1 and SAS_S2 that have • lines corresponding to the proper data port. The Falcon-NEO Source ports are hot swappable (including the PCIe ports). Some drives are not hot swappable. Please check with the drive manufacturer to find out if the drive being used does not support hot swapping.
Page 19: Using Usb/Esata Drives Or Enclosures
2.2.4 Connecting M.2/PCIe/mPCIe drives An optional PCIe adapter kit (part number F-ADP-PCI-FN-KT) is available for the Falcon-NEO which includes M.2 adapters, a mini PCIe adapter, and a PCIe extender cable. Logicube Falcon -Neo User’s Manual...
Page 20: Connecting An External Optical Drive (Cd/Dvd/Blu-Ray)
GETTING STARTED 2.2.5 Connecting an external Optical Drive (CD/DVD/Blu-ray) An optical drive can be connected to the Source USB port. The Falcon-NEO can then image the contents of the CD, DVD, or Blu-ray disc. Although most USB optical drives should work, Logicube...
Page 21: Front And Rear Ports
H – Start icon 2.4 Front and rear ports The Falcon-NEO has two USB host ports, two 10GbE ports, and two DC IN power ports. 2.4.1 Front ports The Falcon-NEO has two USB host ports. These ports are used to connect peripherals such as USB keyboards, mice, and printers.
Page 22: Touch Screen
2.5 Touch screen The Falcon-NEO features a 7” color LCD capacitive touch screen that allows the user to quickly input commands. The screen is bright, easy to read, and supports swipe gestures. Logicube Falcon -Neo User’s Manual...
Page 23: 3: Quick Start
Chapter 4: Imaging Chapter 5: Types of Operation. The Falcon-NEO can perform up to five (5) tasks per mode of operation (specifically Image, Hash, and/or Wipe). It is highly recommended to change the passwords for built-in accounts. Instructions on how to change the passwords to the...
Page 24: Step-By-Step Instructions - Imaging
Source drive. The Falcon-NEO uses a concurrent Image+Verify process. When Verify is set, the Falcon-NEO images and verifies concurrently and takes advantage of destination hard drives that may be faster than the source hard drive.
Page 25 Tap the Destination icon and select the destination(s) to be used then tap the OK icon. For DD, E01, Ex01, and DMG, the Falcon-NEO must be used to format drives. If the Destination drive is not formatted by the Falcon-NEO, the Location will appear as “(NOT_MOUNTED)”...
Page 26: Imaging Bitlocker Encrypted Drives
‘Locked’ icon showing in the LOCKED column. To unlock the encrypted volume, choose a partition that is encrypted with BitLocker to be imaged by tapping the LOCKED icon. The DECRYPT PARTITION screen will appear. Logicube Falcon -Neo User’s Manual ®...
Page 27 If the password is incorrect, a message will appear below the Password field showing ‘Unlock failed’. Once the partition is unlocked, select the partition to be imaged then tap the OK icon to continue. Logicube Falcon -Neo User’s Manual ®...
Page 28: Imaging Net Traffic
3.1.3 Imaging Net Traffic The Falcon-Neo can capture network traffic data using the Net Traffic to File imaging mode. Network traffic that can be captured can include local network activity, internet activity, and VOIP activity. The data is saved and stored to a *.pcanpg file format which can be analyzed by various software such as...
Page 29: Imaging To Or From A Network
3.1.4 Imaging to or from a network A network repository or location must be set for the Falcon-NEO to be able to image to or from a network repository/location. For details on how to add a network repository/location, please see Section 5.9...
Page 30: Drive Spanning
QUICK START 3.1.6 Drive Spanning The Falcon-NEO can automatically span to two (or more) Destination drives when using Drive to File, File to File, Partition to File, or Net Traffic to File mode (DD, E01, EX01, or DMG). When the task is started, and there may not be enough...
Page 31: Blank Disk Check
QUICK START 3.1.7 Blank Disk Check The Falcon-NEO can check a drive to see if it has been wiped by the Falcon-NEO. This check will not be accurate if Secure Erase or Pattern Buffers was used to wipe the drive. To perform a blank disk check: Connect a drive to the Falcon-NEO.
Page 32: Step-By-Step Instructions - Drive Hash Or Case Verify
NEO will hash up to the LBA value of the smallest capacity drive. If drives with different capacities need to be hashed, it is recommended to start one task per drive. CASE VERIFY – This mode will hash cases/images created by the Falcon-NEO (DD, E01, •...
Page 33: Wipe/Format
In addition, a 7-pass DoD wipe can be set with pre-selected pass values. The Falcon-NEO can verify each pass value through a setting. Format – Instructs the Falcon-NEO to format a drive (with or without encryption). The •...
Page 34: Push
Falcon-NEO repository or network location. The Push feature provides a more secure method than simply copying files through a computer by allowing the ability to verify the data that is pushed. The Falcon-NEO will generate a log file for each push process.
Page 35: Step-By-Step Instructions - Push
Verify the settings then tap the OK icon to continue. Tap the Destination icon and select the destination or repository to push the images to. Tap the OK icon to continue. Tap the Start icon to start the push task. Logicube Falcon -Neo User’s Manual ®...
Page 36: Task Macro
Tap the Task icon to select up to nine (9) operations. Set up to 9 operations by tapping on each operation in order (Operation 1, Operation 2, etc.) When all the operations have been set, tap the OK icon. Logicube Falcon -Neo User’s Manual ®...
Page 37: File Browser
Falcon-NEO’s file browser. The Falcon-NEO will show the partitions and the contents of each partition. Note that only some files can be opened by the Falcon-NEO. Files opened by the file browser will not alter the drive in any way.
Page 38: Step-By-Step Instructions - Viewing Or Exporting Logs
The log files in the Destination drive are available in PDF, HTML, and XML formats. The log files may contain a “partial hash”. This hash is for Falcon-NEO’s internal purposes only and cannot be validated by any other means. The partial hash is a snapshot of the hash engine at the end of each segment file which the Falcon-NEO can use to catch transfer errors and re-try if needed.
Page 39: Deleting Log Files
3.7.3 Accessing the logs over a network The log files can also be accessed through a network on a computer if the Falcon-NEO is connected on the same network. Open File Explorer or a similar window and browse to the hostname or the IP address found in the Statistics screen.
Page 40 QUICK START A Windows security screen will appear prompting to enter a User name and Password to connect to the Falcon-NEO. Login with the following credentials: User name: it • Password it • Once connected, an auditlog folder will appear. Open the auditlog folder.
Page 41: Statistics
Details on the different Statistics screens can be found in Section 5.8: Statistics. About – This screen will show information about the Falcon-NEO including the current software installed. Adv. Drive Statistics – Displays S.M.A.R.T. information taken directly from what the drive is reporting.
Page 42: System Settings
• setting a static IP address and allows certain network services to be enabled or disabled. HTTP Proxy – For the Falcon-NEO to be able to update software from a network (over the • internet), proxy settings may need to be set. Networks that have a proxy server for internet access will require proxy settings for devices like the Falcon-NEO to connect to the Internet.
Page 43: Power Off
Section 5.13: Power Off. POWER OFF – The Falcon-NEO can be remotely turned off or restarted by going to this tab. Additionally the Falcon-NEO screen can be refreshed. DRIVE POWER – Inactive drives connected to the Falcon-NEO can be set to go to standby mode in this tab.
Page 44: 4: Imaging
Drive to File – Images the Source to any of the following image output file formats: DD, • E01, EX01, or DMG. File to File (Targeted Imaging feature) – Create logical images by using preset filters, • custom filters, files signatures filter, and/or keywords search function to select and Logicube Falcon -NEO User’s Manual ®...
Page 45: Bitlocker Encrypted Drives
BitLocker encrypted volume requires going through the Partition to File mode. Net Traffic to File – Falcon-Neo can capture network traffic data using the Net Traffic to • File imaging mode. Network traffic that can be captured can include local network activity, internet activity, and VOIP activity.
Page 46: Settings
This is optional and is not required to start an imaging operation. Information entered here will appear in the logs. In addition, some forensic analysis software can import the information when the image files are opened. Logicube Falcon -Neo User’s Manual ®...
Page 47: Hpa/Dco/Trim
4.3.2.1 DRIVE TRIM Destination Drive Trim is available only in Drive to Drive mode and is a user selectable function that allows the Falcon-NEO to manipulate the Device Configuration Overlay (DCO) and Host Protected Area (HPA) of the destination drive using the Device Configuration Set command for DCO and Set Max Address command for HPA so that the Destination drive’s total native...
Page 48 IMAGING the Falcon-NEO will limit the Destination drive’s capacity to 128 GB to match the Source drive exactly. SAMPLE SOURCE DRIVE: SAMPLE DESTINATION DRIVE PRIOR TO DRIVE TRIM: SAMPLE DESTINATION DRIVE AFTER DRIVE TRIM: Drive Trim is only available in Drive to Drive mode and by default is set to NO.
Page 49 1 Start the wipe task. The task should finish quickly as it is just wiping the HPA/DCO and 1 LBA. When the wipe task finishes, the drive should be back to its original capacity. Logicube Falcon -Neo User’s Manual ®...
Page 50: Error Handling
4096 Bytes. As an example, if 4096 Bytes is chosen, and one of the 8 sectors in that cluster size contains a bad sector, the Falcon-NEO will skip the entire cluster (or 4096 bytes or 8 sectors).
Page 51: File Image Method Settings
DMG – Raw disk image files commonly used in Mac OS X. • SEGMENT SIZE – Allows the user to set the output segment size (file size). Choose from 2 GB, 4 GB, 8 GB, 16 GB, or Whole Disk. Logicube Falcon -Neo User’s Manual ®...
Page 52: Clone Method Settings
For example, the fourth partition of the drive on SAS_S1 can be selected by tapping the folder icon. The folder icon is only selectable after a Source is selected. Logicube Falcon -Neo User’s Manual ®...
Page 53: Output Format
The Custom Filter uses the POSIX Extended Regular Expressions standard for syntax. There are several websites with articles explaining the different expressions than can be used. Simply search the Internet for “POSIX Extended Regular Expressions“. Logicube Falcon -Neo User’s Manual ®...
Page 54 (in example 3), you can use the following syntax: .*\.(pic)$ This will find all files with the “pic” extension and nothing afterwards. Using the examples above, it will find “filename.pic” but not “filename.pict”. Logicube Falcon -Neo User’s Manual ®...
Page 55: Signature Based File Categories
Segment Ring Buffer – This setting determines what the Falcon-NEO will • do when it reaches the total number of segments. ON – When this is set to ON, the Falcon-NEO will continuously ▪ capture network traffic until the task is aborted. For example, if...
Page 56: Destination/Image File
1 segment, then continue capturing network traffic, and create a new first segment file. OFF – When this is set to OFF, once the Falcon-NEO reaches the ▪ number of segments set, it will stop the task. 4.4 Destination/Image File...
Page 57: Starting The Imaging Operation
Destination drives when using Drive to File mode (DD, E01, EX01, or DMG). When the Destination drive is full and the remaining data to be imaged will not fit, Falcon-NEO will prompt for another drive. Information on Drive Spanning can be found in Section 3.1.6.
Page 58: 5: Types Of Operations
5: Types of Operations 5.0 Types of Operations - Introduction There are thirteen (13) types of operation available on the Falcon-NEO. The left side of the screen shows the different operation types that can be set. Detailed information on all the different operations and their screens can be found in this section.
Page 59 Additionally, users can select to verify the file transfer to ensure data integrity. Network users can then quickly preview data or copy data to a local drive or to any other directory on the network. The Falcon-NEO will create a log file for each push process.
Page 60 Profiles – Allows the user to create, save, apply, or delete user • profiles/configurations. Passwords – Allows the user to set a password to lock the Falcon-NEO from any • configuration changes. Encryption – Sets the cipher mode (VCRPYT, TC-XTS, CBC, or ECB), Cipher, IV •...
Page 61: Imaging
TYPES OF OPERATIONS Power Off – The Falcon-NEO can be turned off on this screen. This can be useful • when using the web interface. The User Interface can also be refreshed in this screen. Drive Power – Drives can be powered down automatically when not in use.
Page 62: Mode
Tap this icon to choose the drive to be hashed or the drive that contains the case (image) files to be verified. When Drive Hash mode is selected, all connected drives will be shown. Logicube Falcon -Neo User’s Manual ®...
Page 63: Settings
Tap the Hash Values icon to set the hash method (SHA-1, SHA- 256, or MD5) and to set the expected hash value (if desired). Setting the expected hash value instructs the Falcon-NEO to hash the drive then verify the hash with the expected value set.
Page 64: Hash Method
By default, this value will have 0s (zeros). If this is not changed, or no value is entered, this will instruct the Falcon-NEO to hash the drive using the selected algorithm in the previous step. If a value is entered, the Falcon-NEO will hash the selected drive and verify hash with the value entered/edited.
Page 65: Case Verify
Section 4.3.1. 5.3 Wipe / Format This type of operation allows the user to erase, wipe, and/or format one or more Destination drives. There are three main settings: Secure Erase, Wipe Mode, and Format. Logicube Falcon -Neo User’s Manual ®...
Page 66: Destination
(up to 7 passes) along with the type of data written for each pass. In addition, a 7-pass DoD wipe can be set with pre-selected pass values. The Falcon-NEO can verify each pass value through a setting. Format – Formats the Destination drive with one of the following user selectable file •...
Page 67: Settings
The Falcon-NEO will perform each of the settings sequentially. For example, if Secure Erase is set to ON, a Wipe Pattern mode is specified, and Format is set to On, the Falcon-NEO will first secure erase the drive, then wipe the drive according to the mode specified, then format the drive.
Page 68: Wipe Patterns
Selecting Mode will open the Wipe Mode screen showing 3 options: NONE – Choosing this will instruct the • Falcon-NEO not to perform a wipe using Wipe Mode. DOD – Choosing this will instruct the • Falcon-NEO to perform a 7-pass wipe conforming to the DoD M-5220-22M standards.
Page 69: Passes
The default value for a custom pass is 00. Editing one or more of the passes in DOD or CUSTOM mode will bring up this screen: SKIP – Instructs the Falcon-NEO to skip • the pass. RANDOM – Writes one random •...
Page 70: Format
Falcon-NEO prior to being used as a Destination for Imaging using either mode above. Tap this icon to set the Falcon-NEO to format the drive (with or without encryption). The following settings are available: • Format – When set to ON, the Falcon-NEO will format the Destination drive with or without encryption.
Page 71: Case Info
MD5 or SHA hash during the push process. Users can also select to verify the file transfer to ensure data integrity. The Falcon-NEO will create a log file for each push process.
Page 72: Source
• 5.4.3 Destination Tap this icon to select the drive or repository where the DD, E01, EX01, or DMG images will be pushed to (where the files to push will be pushed/copied to). This Logicube Falcon -Neo User’s Manual ®...
Page 73: Task Macro
Once the wipe (for example, Wipe 1) and image (for example, Image 1) has been set up, the Task Macro can be set. 5.5.1 Tasks Tapping this icon allows the user to set specific tasks for each macro. The following window will appear: Logicube Falcon -Neo User’s Manual ®...
Page 74 Continue adding operations desired. Each operation added will appear on the list. To delete an operation, tap the X to the right of the operation. When finished, tap the OK icon. A summary of the macro will be seen: Logicube Falcon -Neo User’s Manual ®...
Page 75 TYPES OF OPERATIONS To start the macro and have the Falcon-NEO perform all the operations on the task list, tap the Start icon. Example: Setting up a Macro for a Wipe to Secure Erase then perform a Drive to Drive Image...
Page 76: File Browser
This method can be very useful when the Falcon-NEO is out on the field and there are no computers to analyze or triage the contents of drives. Using the Falcon-NEO’s touch screen, one drive at a time can be viewed.
Page 77 B – Up One Level – Tap this icon to go up one level (one folder/directory). C – Path – Displays the current path to the folder/directory being viewed. The Falcon-NEO can open and preview certain files. Some of the files it can preview are: *.jpg, *.gif, *.png, *.txt, *.pdf, *.html Logicube Falcon -Neo User’s Manual...
Page 78: Viewing Files From The Web Interface
5.6.1 Viewing files from the web interface The Falcon-NEO’s File Browser can also be used from the web interface. Using the web interface gives the ability to open files that the Falcon-NEO cannot preview by downloading the file to a computer (where the Falcon-NEO is being browsed from).
Page 79: Important Notes About Using The File Browser
• The Falcon-NEO file browser is not able to open every file to preview. When a file cannot be opened directly on the Falcon-NEO, the file can be saved on a computer by connecting to the Falcon-NEO’s web interface. 5.7 Logs The Falcon-NEO keeps logs of all imaging, hash, wipe, format, and push operations.
Page 80: Statistics
This will display the following tabs: About, Adv. Drive Statistics, Network Interface Stats, Debug Logs, and Help. 5.8.1 About Screen The About screen will show information about the Falcon-NEO including the current software installed, host name, and IP address. Logicube Falcon -Neo User’s Manual...
Page 81: Adv. Drive Statistics
The help tab contains a QR code that links to the user’s manual online. There are several ways to view the manual through the QR code such as: From the touch screen (if the Falcon-NEO is connected to a network with •...
Page 82: Add/Remove
5.9.1 Add/Remove A list of repositories will be shown. The user has the option of adding or deleting a repository. This will include all drives attached to the Falcon-NEO (Destination ports) and any networked repository. If a repository location shows (NOT MOUNTED), it is because the drive attached is not formatted by the Falcon-NEO or the Falcon-NEO cannot connect to the shared network resource.
Page 83 Tap Drive to select network share to set as a repository. Tap the OK icon when finished. Tap Network Settings to enter the network settings. See the example below. Tap the OK icon when finished. Logicube Falcon -Neo User’s Manual ®...
Page 84: Iscsi
To add a repository using the iSCSI protocol, an iSCSI Target must be setup on the remote system. Since networks are configured differently, a Systems Administrator or Network Administrator may be needed to set up the iSCSI protocol. Once the iSCSI Target has been setup, click Settings. Logicube Falcon -Neo User’s Manual ®...
Page 85: Configuration
• Notifications • 5.10.1 Profiles Do not highlight and save over the INITIAL.DB profile. This is the default profile of the Falcon-NEO and is used to reset the Falcon-NEO to the factory default settings. Logicube Falcon -Neo User’s Manual ®...
Page 86 Falcon-NEO will load that profile during its boot process. For example, if the user wants the Falcon-NEO to always boot up with the default imaging mode to Drive to File with the setting of E01 with a segment size of 2GB: Turn the Falcon-NEO off then back on.
Page 87: Passwords
(in this case, E01-2GB.DB) and tap the Load icon. A confirmation screen will appear. Tap the Yes icon to confirm. The profile is now loaded. Also, the next time the Falcon-NEO is turned on it will load the E01-2GB.DB profile.
Page 88: Setting Key Passwords
(through a web browser). If this password is set, the Falcon-NEO will prompt for a password before allowing access through a web browser. Key: Config Lock – The Falcon-NEO can be configured to lock out any • configuration changes. When this is enabled, changes to the different types of operations cannot be made without entering the correct key or password.
Page 89: Config Lock Notes
Tech Support assistance. 5.10.2.1.1 Config Lock Notes A shortcut (and indicator) to the config lock can always be seen on the Falcon-NEO’s screen. It is located on the top-right of the screen, next to the Falcon-NEO logo. While in a locked state, the following operations will be affected as follows: Imaging –...
Page 90: Forgotten Password For Any Keys
Falcon-NEO. 5.10.2.1.2 Forgotten password for any keys If any of the keys is forgotten, the INITIAL.DB profile will need to be loaded using the Command Line Interface (CLI).
Page 91: User Account Passwords
Telnet/SSH application. 8. Turn the Falcon-NEO on. When the Falcon-NEO boots up, it will load the default configuration (INITIAL.DB). 5.10.2.2 User Account Passwords The Falcon-NEO comes with two built-in user accounts: logicube • Logicube Falcon -Neo User’s Manual ®...
Page 92: Encryption
Tech Support assistance. 5.10.3 Encryption The Falcon-NEO allows imaging drives onto a Destination where the data on the Destination drive is encrypted. Destination drives that are encrypted by the Falcon-NEO can be decrypted by using the Falcon-NEO or third-party software (VeraCrypt, TrueCrypt, or FreeOTFE).
Page 93: Language/Time Zone
AES-256 encryption and the different modes and settings that come with encryption. 5.10.4 Language/Time Zone The Falcon-NEO’s menu system’s language can be changed. The available languages are English, Chinese (中文), Korean (한국어), and Japanese (日本語). This screen also allows the time zone to be set.
Page 94: Time Zone
NTP and adjust the time as needed. The Falcon-NEO also has a time zone setting. Tap Time Zone to select the time zone region. Tap the OK icon to continue. After selecting the region, select the time zone where the Falcon- NEO is located.
Page 95: Display
NEO boots, the brightness will be reset to 80%. Stealth Mode – Stealth mode turns the Falcon-NEO’s screen off, allowing privacy so no one can see what the Falcon-NEO is doing. When Stealth mode is activated, currently running operations continue to run.
Page 96: Network Settings
TYPES OF OPERATIONS 2. Select None or Sound for when the Falcon-NEO has a successful task or if the task has an error. 3. Tap the OK icon when finished. End of Task notifications can be saved into a user profile and loaded each time the Falcon- NEO is turned on.
Page 97: Enabling/Disabling Network Services
3. Tap the IP SETTINGS box to manually set the IP address, NetMask, Gateway, and DNS Server. When finished, tap the OK icon. To save the settings so that the Falcon-NEO boots up with the static IP address, see Section 5.10.1 for more information on saving and loading a user profile.
Page 98: Http Proxy
If the network the Falcon-NEO is connected to uses an HTTP proxy server to access the Internet, proxy settings may need to be set for the Falcon-NEO to be able to update software from a network (over the internet). This typically includes a server (or IP address), a host port, a username and password.
Page 99: Software Update
5.13 Power Off There are two tabs in the Power Off screen: POWER OFF – The Falcon-NEO can be remotely turned off by going to this tab. Additionally, the Graphical User Interface (GUI) can be refreshed. DRIVE POWER – Inactive drives connected to the Falcon-NEO can be set to go to standby mode in this tab.
Page 100: 6: Previewing Drives
6: Previewing Drives 6.0 Previewing Drives - Introduction Contents of drives connected to both Source and Destination ports can be previewed. There are 4 different methods available to preview drive contents with the Falcon-NEO: Falcon-NEO’s native File Browser • A computer + Falcon-NEO’s File Browser •...
Page 101: File Browser
The Falcon-NEO can be accessed from a computer (through a direct network cable connection or through a network). Using a computer with the Falcon-NEO’s file browser allows more files to be previewed by using the computer’s Operating System and installed software. Connecting the two devices directly together with a network cable or onto a network and using the Falcon-NEO’s web...
Page 102: Iscsi
To use the iSCSI protocol, an iSCSI initiator must be installed and configured to view the contents of drives connected to the Falcon-NEO over a network. Like using SMB, some advantages of using this method are: The contents of the drive are searchable using the Operating System’s search functions.
Page 103: 7: Drive Encryption And Decryption
This is only supported when using the Drive to File mode. Falcon-NEO can also decrypt drives that were encrypted using the Falcon-NEO. Alternatively, third party utilities can be used to decrypt a drive encrypted by the Falcon-NEO such as VeraCrypt, TrueCrypt, and FreeOTFE.
Page 104: Step-By-Step Instructions
Select the desired File System (EXT4, NTFS, exFAT, or FAT32). Set Encryption to ON. When finished, tap the OK icon. Tap the Start icon to start the wipe task. The Falcon-NEO will format the selected drive(s) with encryption. 7.1.2 Using previously encrypted Destination drives...
Page 105: Decrypting A Falcon-Neo Encrypted Drive With A Falcon-Neo
2 through 9. 7.2 Decrypting a Falcon-NEO encrypted drive with a Falcon-NEO Falcon-NEO can decrypt a Destination drive encrypted by the Falcon-NEO. To decrypt the drive using a Falcon-NEO, follow these steps: Make sure the previously encrypted Destination drive is not connected, then turn the Falcon-NEO on.
Page 106: Decrypting The Drive Without A Falcon-Neo
SMB. 7.3 Decrypting the drive without a Falcon-NEO To mount and read an encrypted Destination drive in Windows, without using a Falcon-NEO, the following third-party utilities can be used depending on how the Destination drive was encrypted: VeraCrypt, TrueCrypt or FreeOTFE. Other utilities may work but are not supported or tested by Logicube.
Page 107: Which Decryption Software To Use
NEO must be used to decrypt the drive. 7.3.2 Decrypting using VeraCrypt Requirements: VeraCrypt installed. • A drive encrypted by the Falcon-NEO using the VCRYPT cipher mode • connected to the computer with VeraCrypt. Once the drive is connected to the computer, Open VeraCrypt. Logicube Falcon -Neo User’s Manual...
Page 108 DRIVE ENCRYPTION & DECRYPTION Click Select Device and choose the partition of the connected drive then click OK. Click Mount. Logicube Falcon -Neo User’s Manual ®...
Page 109: Decrypting Using Truecrypt
The drive should now be accessible in Windows. 7.3.3 Decrypting using TrueCrypt Requirements: TrueCrypt properly installed. • A drive encrypted by the Falcon-NEO using the TC-XTS cipher mode • connected to the computer with TrueCrypt. Logicube Falcon -Neo User’s Manual...
Page 110 DRIVE ENCRYPTION & DECRYPTION Once the drive is connected to the computer, open TrueCrypt. Click Select Device and choose the partition of the connected drive then click OK. Click Mount. Logicube Falcon -Neo User’s Manual ®...
Page 111: Decrypting Using Freeotfe
7.3.4 Decrypting using FreeOTFE Requirements: FreeOTFE properly installed. • A drive encrypted by the Falcon-NEO using the CBC cipher mode • connected to the computer with FreeOTFE. Open FreeOTFE. In the main window, click File then Linux volume then Mount partition…...
Page 112 In the Encryption tab, set the Cipher to AES (256 bit CBC). Set the Initialization Vector (IV) generation method to match what was used in the IV Generation on the Falcon-NEO. In this example, “plain64’ was used. In the ‘Sector zero location’, choose Start of encrypted data.
Page 113 To do so, make sure the Mount readonly option is checked. Windows may not mount the drive if this option is checked. If this is the case, use a write-protect device and uncheck the Mount readonly option. Logicube Falcon -Neo User’s Manual ®...
Page 114 Click the OK button. The following warning screen may appear. Click the Yes button to continue. FreeOTFE will mount the drive and assign a drive letter. Click the OK button to continue. The drive should appear in the FreeOTFE window. Logicube Falcon -Neo User’s Manual ®...
Page 115 DRIVE ENCRYPTION & DECRYPTION The Destination drive should now be accessible in Windows. Logicube Falcon -Neo User’s Manual ®...
Page 116: 8: Updating/Loading/Re-Loading The Falcon-Neo Software
The Falcon-NEO software can be updated/re-installed by connecting the Falcon- NEO to a network with internet access. Connect the Falcon-NEO to a network with internet access and turn the Falcon-NEO on. From the main menu on the Falcon-NEO, locate and tap the Software Updates icon on the left side.
Page 117: From Usb Drive (Through A Software File Download)
Once completed, a screen will appear stating the update is complete and will prompt you to turn the unit off then back on. Turn the Falcon-NEO off. Wait at least 5 seconds then turn the Falcon- NEO back on.
Page 118: Firmware Loading Instructions
Some software releases may contain a firmware upgrade. The steps below outline how to check if the Falcon-NEO requires a firmware upgrade: 1. After the software is updated on the Falcon-NEO, tap the Software Updates icon. 2. Tap the “Firmware Update” page. One of two screens will appear: FIRMWARE UPGRADE AVAILABE –...
Page 119: 9: Remote Operation
9.1 Web Interface Using a web browser, go to the IP address or the name of the Falcon-NEO with its serial number. Both IP address and serial number can be found by going to the Statistics screen on the Falcon- NEO.
Page 120: Command Line Interface (Cli)
REMOTE OPERATION 9.2 Command Line Interface (CLI) The Falcon-NEO also has a CLI, or Command Line Interface. This interface has no graphical content and is all command line (text) based and is for advanced users who have knowledge of command line functions. This type of connection requires a Telnet or SSH client from a connected computer (over a network).
Page 121: Connecting Via Ssh
Internet Protocol Suite (TCP/IP). For example, when the Falcon-NEO is connected (using a network cable) directly to a Windows based computer that is DHCP enabled, both the Falcon-NEO and the Windows based computer will automatically configure themselves to be seen by each other using TCP/IP with a 169.254.x.x IP address configuration.
Page 122: 10: Viewing Source And Destination Drives Over A Network
10: Viewing Source and Destination Drives over a Network 10.0 Viewing drives over a network – Overview The contents of drives connected to any Source or Destination position on the Falcon-NEO can be viewed over a network. Contents of Source and Destination drives viewed over a network are write-protected.
Page 123 VIEWING DRIVES A window may appear asking you to enter password to connect to the Falcon-NEO. Enter the following information: a. User name: it b. Password: it A folder called bays will be shown in Windows Explorer. Go into the bays folder and select the connected Destination drive. For example, SAS_D1.
Page 124: Viewing Source Drives Over The Network Using Iscsi
Using an iSCSI initiator may require additional assistance from your IT administrator. 10.2.1 Configuring the iSCSI initiator Open the iSCSI initiator. In the Target tab, enter the Falcon-NEO’s host name or IP address in the Target field. Click the Quick Connect button to continue.
Page 125 VIEWING DRIVES The Quick Connect window will appear and any drives connected to the Source ports of the Falcon-NEO will appear on the list of discovered targets. Highlight the drive to view, then click Connect. The selected drive status will change to Connected.
Page 126: 11: Net Traffic Imaging
11: Net Traffic Imaging 11.0 Net Traffic Introduction The Falcon-Neo can capture network traffic data using the Net Traffic to File imaging mode. Network traffic that can be captured can include local network activity, internet activity, and VOIP activity. The data is saved and stored to a *.pcanpg file format.
Page 127: Net Traffic Imaging Notes
The Number of Segments determines how many segment files (how many pcapng files) will be written. When the Ring Buffer setting is set to ON, the Falcon-NEO will complete the Number of Segments set, then delete the first segment and continue capturing network traffic.
Page 128 NET TRAFFIC switch with port mirroring can be used to mirror a specific port so the Falcon-NEO can capture the network traffic coming from that single port. To find out if your network switch supports port mirroring, and for support on how to setup port mirroring, please contact the manufacturer of your specific switch.
Page 129: 12: Viewing Ext4 Formatted Destination Drives In Windows
12: Viewing EXT4 formatted Destination drives in Windows 12.0 Viewing EXT4 formatted Destination drives - Introduction The Falcon-NEO can format Destination drives using the EXT4 file system. Linux Operating Systems have native support for EXT4 file systems. Windows, however, does not have native support for viewing the EXT4 file system.
Page 130 Click the Apply button. Do not uncheck the “Mount volume in readonly mode” unless it is absolutely certain that the mounted drive needs to be over-written or erased (whether partially or fully). Logicube Falcon -Neo User’s Manual ®...
Page 131 VIEWING EXT4 IN WINDOWS Windows should now see the drive and assign it a drive letter with the volume name “REPOSITORY”. Logicube Falcon -Neo User’s Manual ®...
Page 132: 13: Usb Boot Client
13.2 Creating the USB Boot Client Here are the steps to create the USB Boot Client with the software necessary to be bootable, and when used to boot a computer, will allow the Falcon-NEO to use the computer’s drive as a Source drive.
Page 133 6. Click the folder icon to select a disk image. 7. In the folder where the files were downloaded (in step 2), select the USB Boot Client *.img file and click the Open icon. Logicube Falcon -Neo User’s Manual ®...
Page 134 No. This will take you back to the previous screen where you can select the correct drive letter (back to step 9). 11. The USB flash drive is now being prepared and the progress bar should be advancing. Logicube Falcon -Neo User’s Manual ®...
Page 135: Using The Usb Boot Client
13.3 Using the USB Boot Client Drives connected to the computer can be used by the Falcon-NEO as a Source drive over a network connection if the USB Boot Client is used to boot computer. The USB Boot Client is set to DHCP.
Page 136 SDB, SDC, etc. For example, if there is one drive connected, it will show as: I:9.118/SDA. From here you can image using the Falcon-NEO using the normal imaging steps. When using the USB Boot Client, imaging speeds may vary depending on network performance.
Page 137: 14: Printing
Operating System to print. 14.2 Configuring a local or networked printer The Falcon-NEO can also print to a local (through USB) or networked printer. The printer must be configured using the Command Line Interface (CLI, see Section 9.2 for instructions on how to connect to the CLI using a Telnet or SSH client).
Page 138 PRINTING Statistics screen on the Falcon-NEO and look at the hostname and IPAddress. Using Telnet or SSH, connect to the Falcon-NEO. Instructions on how to connect via Telnet or SSH can be found in Section 9.2. Once logged in to the Falcon-NEO via CLI, type command, then press the enter key.
Page 139 PRINTING Type db load printer.db to load the profile. Each time the Falcon-NEO is turned on, the local or networked printer should be available on the Falcon-NEO’s touch screen. Logicube Falcon -Neo User’s Manual ®...
Page 140: 15: Frequently Asked Questions
Q. Do Destination drives need to be wiped or formatted using the Falcon? A. For Drive to File, File to File, Partition to File, and Net Traffic to File mode, the Falcon-NEO must be used to format Destination drives. This helps ensure that the images and data are written properly to the Destination drive(s).
Page 141 Falcon- NEO screen. Q. If I am imaging to or from USB enclosures, will the Falcon-NEO’s USB ports power my devices, or will an additional power source be required? A.
Page 142 Q. Does the Falcon-NEO provide log files? A. Yes, each operation/task produces a log file. The log file is viewable on the Falcon-NEO screen (or remotely on a PC) in an HTML format. The log files can be exported to a thumb drive (the Falcon-NEO will export in XML, HTML and PDF).
Page 143: 16: Index
Error Handling, 41 Remote operation, CLI, 111 EU, EUROPEAN UNION, III Remote Operation, Web Interface, 110 Ext2fsd, 120 Repositories, 32 Falcon-NEO, 1 RoHS Directive (2002/95/EC), III FAQs, 131 S.M.A.R.T. (Self-Monitoring, Analysis and Features, 1 Reporting Technology), 72 File Browser, 28, 67, 92...
Page 144: I Nformation
Targeted Imaging, 14, 35, 49 User interface (UI), 11 Technical Support, Logicube, III, 135 VeraCrypt, 98 Time Zone, 84 Warranty, Parts and Labor, I, III Touch Screen, 13 Website, Logicube, III TrueCrypt, 100 Wipe, 24, 56 Types of Operation, 49...

Logicube Falcon-NEO User Manual

Limitation of Liability and Warranty Information

Table of Contents

1: Introduction

2: Getting Started

3: Quick Start

4: Imaging

5: Types of Operations

6: Previewing Drives

7: Drive Encryption and Decryption

8: Updating/Loading/Re-Loading the Falcon-Neo Software

9: Remote Operation

10: Viewing Source and Destination Drives over a Network

11: Net Traffic Imaging

12: Viewing Ext4 Formatted Destination Drives in Windows

13: Usb Boot Client

14: Printing

15: Frequently Asked Questions

16: Index

Quick Links

Need help?

Questions and answers

Related Manuals for Logicube Falcon-NEO

Summary of Contents for Logicube Falcon-NEO

Table of Contents