CRU WiebeTech Ditto Shark User Manual

CRU® WiebeTech® Ditto® Shark
User Manual
Features
Standalone product—operates without a PC or a Ditto Forensic FieldStation
Captures Internet and VOIP traffic with virtually no packet loss*
Captures sustained 10/100 Mbps network traffic and short burst gigabit network traffic*
Filter and capture network traffic to a tcpdump/Wireshark-compatible PCAP file
Optional live capture stream (rpcap) interface for Wireshark
Removable drive carrier for data storage
Fail-safe design continues passing through network traffic if power is lost
Free firmware updates for registered users
*Packet loss is a function of the type and saturation level of traffic on the tapped network
CRU Ditto Shark User Manual
TABLE OF CONTENTS
1 General Information 3
1.1 Package Contents 3
1.2 Identifying Parts 3
1.3 LED Behavior 3
1.4 Thermal Cooling 3
1.5 How to Use the Ditto Shark 4
2 Setup 4
3 Browser Interface 6
3.1 Accessing the Browser Interface 6
3.2 Icons Used in the Browser Interface 6
3.3 User Accounts 6
4 Home Screen 7
4.1 Action 7
4.1.1 Network Capture 7
PCAP Network Capture 7
Live Network Capture 8
Simultaneous PCAP and Live Network Capture
4.1.2 Erase Destination Disk 9
4.2 Investigation Info 10
4.3 System Settings 11
4.4 Current Status 11
4.5 Disks 11
4.5.1 View Hexadecimal Data 11
4.5.2 View Snapshot Data 11
4.6 System Log 12
5 Configure Screen 12
5.1 System 12
5.2 Network 14
5.3 Erase 17
5.4 Network Capture 17
5.5 Naming 19
5.6 Quick Start 19
6 Admin Screen 20
6.1 User Accounts 20
6.2 Permissions 20
6.3 Adding a New User 21
6.4 Editing an Existing User 21
6.5 Deleting a User 21
7 Logs Screen 21
8 Utilities Screen 22
8.1 System Maintenance 22
8.1.1 Firmware Upgrade 22
8.1.2 Configuration 22
8.1.3 Other Buttons 22
8.2 Upgrade Log Messages 23
8.3 Import Log Messages 23
9 Using the Front Panel Interface in Standalone Mode 23
9.1 How to Navigate 23
9.2 Menu Screens 23
9.2.1 Status 23
9.2.2 Perform Action 24
9.2.3 Investigation Info 24
9.2.4 Settings 25
9.2.5 Disk Info 28
9.3 Factory Reset 28
10 Stealth Mode 28
11 Advanced Features and Functions 28
11.1 Using iSCSI Devices 28
11.2 Using NFS and SMB (Samba) Shares 30
11.3 Using and Configuring Network Capture Filters 31
12 Upgrading Firmware 32
13 Technical Specifications 34
Protecting Your Digital Assets
TM
1 GENERAL INFORMATION
1.1 PACKAGE CONTENTS
The following list contains the items that are included in the
complete configuration for this device. Please contact CRU if
any items are missing or damaged:
Item Quantity
Ditto Shark 1
40W 12V AC adapter 1
Power cord 1
Unitized SATA-to-eSATA + Mini-Fit power cable 2
Ethernet cable (RJ45) 2
4GB SD card (pre-installed) 1
User Manual 1
1.2 IDENTIFYING PARTS
Take a moment to familiarize yourself with the parts of the
product. This will help you to better understand the following
instructions.
FRONT PANEL: LCD Display; Navigation Buttons; Hanging Hook.
NETTAP INTERFACE: two RJ45 Gigabit Ethernet Connections; USB 2.0 Port.
DESTINATION INTERFACE: DP20 Carrier; DP20 Keylock/Eject Button; DP20 Status Lights; eSATA Ports & Power Connectors; RJ45 Ethernet Connection; Stealth Mode Switch.
REAR OF THE UNIT: Power Switch; SD Card Slot; Power Input for AC Adapter.
1.3 LED BEHAVIOR
LED, COLOR, STATE, DESCRIPTION
DP20 Power: Green, Solid. The DP20 is powered on.
DP20 Drive Activity: Amber, Solid or Blinking. The drive inside the DP20 is being accessed.
1.4 THERMAL COOLING
The Ditto Shark is a passively cooled system that pulls heat
out of the processor and other electronics into the all-metal
housing where it dissipates. The heat generated by the Ditto
Shark is an intended design feature that eliminates the need
of a noisy internal cooling fan and drastically reduces the
amount of particulates that are pulled through the system.
1.5 HOW TO USE THE DITTO SHARK
The Rear Interface side of the Ditto Shark has a power switch, a 12V input for the included power supply
and an SD card slot from which to store configuration data.
Use the NetTap Interface side of the Ditto Shark to insert the Ditto Shark in between the target computer
and the network it is connected to. The available connections include two RJ45 gigabit Ethernet ports and a
USB 2.0 port for use with USB storage devices, a keyboard, or a wifi adapter. Both RJ45 ports are direction
agnostic, so it doesn’t matter which port is used to connect to the network and which is used to connect to
the target computer.
Use the Destination Interface side of the Ditto Shark to store acquired data. The destination output
connections include a CRU DataPort DP20 and two eSATA ports for SATA disks or eSATA devices. It also
includes an RJ45 gigabit Ethernet port to allow network access to the Ditto Shark’s Browser Interface (see
Section 3) and a stealth switch that will turn off all external lights and enable nightvision display via Stealth
Mode (see Section 10).
NOTE
CRU recommends that you switch the power off to the Ditto Shark when you add or remove a device from it in order to avoid disk damage and data corruption.
2 SETUP
a. Leave the Ditto Shark disconnected from the network until you have configured it
properly using the steps below.
b. Connect the power cable to the rear of the Ditto Shark and turn the Ditto Shark on with
the power switch located on the rear of the unit.
c. Press the Down navigation button on the Ditto Shark until you reach the “Settings”
menu (see Figure 1) on the Front Panel. Then press Enter to view the Settings.
d. Press Up or Down until you reach the “Dst Network Settings” screen shown in Figure
2 and press Enter.
e. Press Up or Down until you reach the “Dst Network” screen shown in Figure 3.
f. If the text on the second line says “Disabled”, press the Enter button to edit the
setting. Press Up once and then Enter to commit the change. If the text says “Enabled”,
continue to the next step.
g. Press Up or Down until you reach the “Dst Network Mode” screen shown in Figure 4
and then press Enter to edit the setting.
Figure 1. A depiction of the “Settings” menu on the Ditto Shark (the LCD shows “Settings / View/Edit >”).
Figure 2. A depiction of the “Dst Network Settings” screen on the Ditto Shark (the LCD shows “Dst Network Settings / View/Edit >”).
h. The Ditto Shark has three connection modes. Press Up or Down to choose which way
you would like to use the Ditto Shark and press Enter to select it.
Client (DHCP): The Ditto Shark acts as a client on the network and automatically
detects network parameters (e.g. IP address, gateway, etc.) from a DHCP server
on the network. DHCP is the protocol used by most network environments today.
Unless your network administrator directs otherwise, you should probably use this
mode.
Figure 3. A depiction of the “Dst Network” screen on the Ditto Shark (the LCD shows “Dst Network: / Disabled / Edit >”).
Client (Static IP): The Ditto Shark acts as a client on the network and you manually
input all network parameters (e.g. IP address, gateway, etc.).
Server: The Ditto Shark acts as the master DHCP server on the network and you
manually input all network parameters. The server mode is also used to directly
connect Ditto Shark to a computer.
STOP!
After your first-time setup, always ensure that the Ditto Shark is properly configured to use the proper connection mode before you connect your Ditto Shark to a different computer or network. An improperly configured Ditto Shark can cause networking conflicts on the host network.
NOTE
The Ditto Shark is configured by default to use “Network Client (DHCP)” mode so that it will not conflict with the most common types of networks.
i. If you selected Client (Static IP) or Server, then follow the additional steps in Section 2.1
below.
If you selected Client (DHCP), you are ready to start using the Ditto Shark. You may
access its settings via the Browser Interface (see Sections 3-8) or via the Front Panel
(see Section 9).
2.1 ADDITIONAL STEPS FOR “CLIENT (STATIC IP)” AND “SERVER”
a. Press Up or Down until you reach the “Dst IP Address” screen shown in Figure 5.
b. Press Enter to edit the IP address. You can use a keyboard that you’ve attached
to the USB 2.0 port on the “NetTap Interface” side of the Ditto Shark to enter the
static IP address your network administrator gave you.
If you do not have a keyboard, press Back and Enter to scroll the cursor right and
left, and press Up or Down to increase or decrease the number highlighted by the
cursor.
Figure 4. A depiction of the “Dst Network Mode” screen on the Ditto Shark (the LCD shows “Dst Network Mode: / Client (Static IP) / Edit >”).
Figure 5. A depiction of the “Dst IP Address” screen on the Ditto Shark (the LCD shows “Dst IP Address: / 10.10.0.1 / Edit >”).
Figure 6. A depiction of the “Dst Subnet Mask” screen on the Ditto Shark (the LCD shows “Dst Subnet Mask: / 255.0.0.0 / Edit >”).
c. When you have finished, press Enter until the cursor has moved all the way to the right, and then press
Enter once more to commit the changes.
d. Press Up or Down until you reach the “Dst Subnet Mask” screen shown in Figure 6 and press Enter to
edit the subnet mask.
e. Use the keys on the Front Panel or your USB keyboard to enter the subnet mask your network
administrator gave you. If your administrator did not give you a subnet mask, the default setting will usually
suffice.
f. When you have finished, press Enter until the cursor has moved all the way to the right, and then press
Enter once more to commit the changes.
NOTE
Additional network parameters can be input using the Browser Interface’s Configure screen (see Section 5.2).
You are ready to start using the Ditto Shark. You may access its settings via the Browser Interface (see
Section 3) or via the Front Panel (see Section 9).
3 BROWSER INTERFACE
The Ditto Shark can be configured and operated either from the Front Panel (see Section 9) or through a web
browser.
3.1 ACCESSING THE BROWSER INTERFACE
a. Using the Front Panel, navigate to “Dst Network Settings”, then to “Dst IP Address”.
b. Type the IP address shown into your web browser.
c. Log into the Browser Interface (the default user name and password for the administrator account are
both “admin”).
NOTE
CRU recommends that you change the admin account password and create user accounts for individual users as best data management practices.
You are now ready to use the Browser Interface to configure settings and preview, image, or clone attached
disks.
3.2 ICONS USED IN THE BROWSER INTERFACE
The Browser Interface uses several icons that may be clicked on to perform certain actions.
ICON, ACTION
Information: Opens a window with a brief description of the setting that the Information icon appears next to.
Refresh: Refreshes the field that the icon appears next to in order to give updated information.
Reset: Loads the defaults for the setting that the Reset icon appears next to.
Add: Adds a user defined field to a list of items.
Remove: Removes a user defined field from a list of items.
3.3 USER ACCOUNTS
The Ditto Shark employs a user account system to control access to its features. The “Login” screen
presents you with the ability to log in through http, or you can click the Secure Login (HTTPS) link to log
in securely. Accept the certificate and/or continue to the website, even if your browser tells you it does not
recognize it.
The default user name and password for the Administrator account are both “admin”. CRU recommends
that you change the admin account password and create user accounts for individual users as best data
management practices.
Click on the Log Out button at the top right of the Browser Interface to log out.
Figure 7. The “Home” screen.
4 HOME SCREEN
The “Home” screen is where you will perform most of your operations with the Ditto Shark, and is the default
screen to load upon logging into the Browser Interface. Click on the Home tab to access the “Home” screen
from any other area of the Browser Interface.
4.1 ACTION
The “Action” panel lets you start, abort, and document the following actions. The “Start” button begins the
action. The “Abort” button stops the action in progress. Click the Comment button to write a note that will
be appended to the log. Click the Configure button to modify the default settings for each action, which
can also be modified on the “Configure” screen (See Section 5).
4.1.1 Network Capture
The Ditto Shark provides two methods of capturing network traffic that can be combined and used
simultaneously if you wish. The first method captures network traffic and stores it in a series of
incremented PCAP files on the local target destination. The second method captures network traffic in
real-time and outputs it to a remote monitor that uses a third-party Wireshark network protocol analyzer.
Instructions for both methods as well as instructions for using them simultaneously can be found below.
PCAP Network Capture
a. Using the Browser Interface, select Network Capture from the “Action to Perform” drop-down
box.
b. Select the network capture filter from the “Network Capture Filter” drop-down box or type in
the ports you wish to capture in the text box directly below that using the syntax “port ## or ##”
without quotes (e.g. port 80 or 81 or 443).
c. Select “NetTap” from the “Interface” drop-down box.
d. Select the media from the “Destination” drop-down box that you want Ditto Shark to save your
captured data.
e. Select the partition on the destination media you want to capture to from the “Partition” drop-
down box.
f. Bypass “Live Network Capture” and leave it disabled.
g. Click the Start button to begin capturing network data. When you are finished, click the Stop
button.
You can view the log of the network capture action by scrolling down to the “System Log” panel
on the “Home” screen. Find and click on the latest link, which will be denoted by a filename with a
date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs button
from the top menu bar.
You can view the data retrieved from the network capture action by examining the destination
media, which will contain a folder named with the same date/timestamp format: “S_yyyymmddhhmmss”,
which includes the PCAP files containing the captured data, an XML file containing the
log information of the network capture, and—if hashing is enabled—a TXT file that contains each of
the generated PCAP files’ MD5 or SHA-1 hash value (see Section 5.1.2 to enable hashing).
Live Network Capture
a. Using the Browser Interface, select Network Capture from the “Action to Perform” drop-down
box.
b. Select the network capture filter from the “Network Capture Filter” drop-down box or type in
the ports you wish to capture in the text box directly below that using the syntax “port ## or ##”
without quotes (e.g. port 80 or 81 or 443).
c. Disregard the “Interface” and “Destination” drop-down boxes.
d. Ensure your third party Wireshark network protocol analyzer is standing by to receive data. If you
need help in configuring Wireshark itself, click the Information icon next to “Live Network
Capture” for a link to Wireshark’s remote capture documentation.
e. Click the Enable button next to “Live Network Capture” to turn live network capture on. When
you are finished capturing network traffic, click the Disable button.
STOP!
Do NOT click the Start button! This button actually enables the PCAP network capture function that captures network traffic to your local destination media. It does NOT enable live network capture.
Figure 8. The “Action” section on the “Home” screen, showing
the options available for the “Network Capture” action.
Simultaneous PCAP and Live Network Capture
a. Using the Browser Interface, select Network Capture from the “Action to Perform” drop-down
box.
b. Select the network capture filter from the “Network Capture Filter” drop-down box or type in
the ports you wish to capture in the text box directly below that using the syntax “port ## or ##”
without quotes (e.g. port 80 or 81 or 443).
c. Select “NetTap” from the “Interface” drop-down box.
d. Select the local media from the “Destination” drop-down box that you want Ditto Shark to save
your captured data to as a series of incremented PCAP files.
e. Select the partition on the local destination media you want to capture to from the “Partition”
drop-down box.
f. Ensure your third party Wireshark network protocol analyzer is standing by to receive data. If you
need help in configuring Wireshark itself, click the Information icon next to “Live Network
Capture” for a link to Wireshark’s remote capture documentation.
g. Click the Enable button next to “Live Network Capture” to turn live network capture on. When
you are finished capturing network traffic, click the Disable button.
h. Click the Start button to begin capturing network data to your local destination media. When
you are finished, click the Stop button.
You can view the log of the PCAP network capture action by scrolling down to the “System Log”
panel on the “Home” screen. Find and click on the latest link, which will be denoted by a filename
with a date/timestamp format: “S_yyyymmddhhmmss”. Alternatively, you can click on the Logs
button from the top menu bar.
You can view the data retrieved from the PCAP network capture action by examining the
destination media, which will contain a folder named with the same date/timestamp format:
“S_yyyymmddhhmmss”, which includes the PCAP files containing the captured data, an XML file
containing the log information of the network capture, and—if hashing is enabled—a TXT file that
contains each of the generated PCAP files’ MD5 or SHA-1 hash value (see Section 5.1.2 to enable hashing).
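The “S_yyyymmddhhmmss” folder described here, and under “PCAP Network Capture” above, holds the incremented PCAP files and, when hashing is enabled, a TXT file of their MD5 or SHA-1 values. The Python script below is an added example for this manual, not CRU firmware or any tool shipped with the Ditto Shark: it checks each PCAP file's global header and packet records (so a capture cut short by a power loss or a full disk shows up as truncated) and recomputes each file's hash against the recorded value. The layout of the hash TXT file (one “<hex digest>  <filename>” line per PCAP, md5sum/sha1sum style) and the sample capture bytes are assumptions constructed for the example.

```python
"""Offline check of a Ditto Shark style capture folder: validate each PCAP file's
structure and verify its recorded MD5/SHA-1 value.

Added example for this manual, not CRU firmware or tooling. Assumptions: the
hash TXT file holds one "<hex digest>  <filename>" line per PCAP (md5sum/sha1sum
style); SAMPLE_PCAP is constructed here and is not a real capture.
"""
import hashlib
import struct

# pcap magic as read with "<I": the value tells us the file's byte order and
# whether timestamps carry microseconds or nanoseconds.
MAGICS = {
    0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),
    0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns"),
}
GLOBAL_HDR = 24   # bytes: magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # bytes: ts_sec, ts_frac, incl_len, orig_len


def is_pcap(data: bytes) -> bool:
    """True when the file starts with a recognised pcap global header."""
    return len(data) >= GLOBAL_HDR and struct.unpack("<I", data[:4])[0] in MAGICS


def parse_pcap(data: bytes) -> dict:
    """Walk every packet record; report link type, packet count and truncation.

    A capture that ended when power was lost or the disk filled up typically
    has a partial last record, which shows up here as truncated=True.
    """
    if not is_pcap(data):
        raise ValueError("not a pcap file (bad or missing global header)")
    order, resolution = MAGICS[struct.unpack("<I", data[:4])[0]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR])
    offset, packets, truncated = GLOBAL_HDR, 0, False
    while offset < len(data):
        if offset + RECORD_HDR > len(data):
            truncated = True          # record header itself is cut off
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record {packets} has an implausible length field")
        if offset + RECORD_HDR + incl_len > len(data):
            truncated = True          # packet bytes are cut off
            break
        offset += RECORD_HDR + incl_len
        packets += 1
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "resolution": resolution, "packets": packets, "truncated": truncated}


def file_digest(data: bytes, algo: str) -> str:
    """Hex digest with one of the two algorithms the Ditto Shark offers."""
    if algo.lower() not in ("md5", "sha1"):
        raise ValueError("Ditto Shark hashing is MD5 or SHA-1")
    return hashlib.new(algo.lower(), data).hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse the assumed '<hex digest>  <filename>' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            expected[parts[1]] = parts[0].lower()
    return expected


def verify_capture(files: dict, hash_text: str, algo: str) -> dict:
    """files maps PCAP filename -> file bytes; returns a per-file verdict."""
    expected = parse_hash_list(hash_text)
    report = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "no hash recorded"
        elif file_digest(data, algo) != expected[name]:
            report[name] = "HASH MISMATCH"
        else:
            report[name] = "ok"
    return report


def build_sample_pcap() -> bytes:
    """Constructed two-packet little-endian pcap, linktype 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 60, b"\xff" * 42]          # dummy frame payloads
    records = b"".join(
        struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    # Constructed hash list, as the TXT file in the S_yyyymmddhhmmss folder might look.
    hash_txt = f"{file_digest(SAMPLE_PCAP, 'sha1')}  capture_0001.pcap\n"
    print(parse_pcap(SAMPLE_PCAP))
    print(verify_capture({"capture_0001.pcap": SAMPLE_PCAP}, hash_txt, "sha1"))
    print(parse_pcap(SAMPLE_PCAP[:-5]))   # simulate a cut-off last record
```

To use it on a real capture folder, read each PCAP with `open(path, "rb").read()` and the TXT file as text, then pass them to `verify_capture`; a “HASH MISMATCH” or `truncated=True` result is the cue to document the discrepancy in the case notes before relying on that file.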
4.1.2 Erase Destination Disk
The Ditto Shark erases your preferred destination media. The available Erase Modes are Clear Partition
Table and Quick Erase.
To erase a disk, follow these steps:
a. Select Erase Destination Disk from the “Action to Perform” drop-down box.
Figure 10. The “Action” section on the “Home” screen, showing
the options available for the “Erase Destination Disk” action.
b. Select the Erase Mode to use from the “Erase Mode” drop-down box. (You
can modify which erase mode appears by default in the drop-down box on the
“Configure” screen’s “System” tab. See Section 5.1.)
c. Select the target destination media from the “Target” drop-down box.
d. Click the Start button. A “Completed” message box will pop up when the
action has finished. Click on the message to continue.
You can view the results of the erasure action by scrolling down to the “System
Log” panel on the “Home” screen. Find and click on the latest link, which will be
denoted by a filename with a date/timestamp format: “S_yyyymmddhhmmss”.
Alternatively, you can click on the Logs button from the top menu bar.
Format After Erase
You can configure the Ditto Shark to automatically format a disk after you erase
it. Make sure that Erase Destination Disk is selected from the “Action to
Perform” drop-down box. Then click on the Configure button. Make sure that
“Format After Erase” is checked for each of the erase modes on which you’d
like to enable this setting. Finally, click OK.
4.2 INVESTIGATION INFO
The Investigation Info panel groups related information that may also be used in
creating custom directories and file names (see Section 5.9). The “Hide” button allows
you to minimize the panel.
Click the Edit button to enter information about the Investigator, Case Number,
Evidence Number, Description, Notes, Base directory prefix, and a Base filename prefix
for a PCAP file.
Each field is filtered to block non-printable ASCII characters. Any characters at the file
system level that may not be safe for a directory name or file name will be filtered out
and replaced with an underscore. Only printable ASCII characters are currently allowed
for directory and filenames. Multiple underscores will also be reduced to a single
underscore per naming item.
The Ditto Shark will generate an error message if you enter a non-printable ASCII
character or if your message exceeds the 58 character limit. Additionally, when the final
directory or filename that uses any of these fields is created, another level of filtering is
applied.
STOP!
Using apostrophes (‘) in the name fields will cause an error when the file or folder name is created. They should not be used in the Investigation Info fields.
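A model of the naming rules just described, written as an added example rather than CRU's firmware code. The 58 character limit, the printable-ASCII rule, the underscore replacement and collapsing, and the apostrophe error are taken from this section; the exact set of characters the device treats as unsafe for a file or directory name is not given in the manual, so the set used here is an assumption, and the sample field values are constructed.

```python
"""Model of the Investigation Info naming rules in Section 4.2 of this manual.

Added example, not CRU firmware code. The UNSAFE set is an assumption (the
manual does not list the characters it replaces); the other rules follow the
text: reject non-printable ASCII and entries over 58 characters, reject
apostrophes (they cause an error when the name is created), replace unsafe
characters with an underscore, and collapse runs of underscores.
"""
import re
import string

MAX_FIELD_LEN = 58                                        # limit stated in the manual
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # printable ASCII incl. space
UNSAFE = set('/\\:*?"<>|')   # ASSUMED set of characters a file system rejects


class InvestigationFieldError(ValueError):
    """Raised where the manual says the Ditto Shark shows an error message."""


def validate_field(value: str) -> str:
    """First-level filter applied when a field is entered."""
    if len(value) > MAX_FIELD_LEN:
        raise InvestigationFieldError(
            f"field exceeds the {MAX_FIELD_LEN} character limit")
    bad = [c for c in value if c not in PRINTABLE]
    if bad:
        raise InvestigationFieldError(
            f"non-printable ASCII character {bad[0]!r} is not allowed")
    if "'" in value:
        raise InvestigationFieldError(
            "apostrophes cause an error when the file or folder name is created")
    return value


def to_name_item(value: str) -> str:
    """Second-level filter applied when the directory or file name is built:
    unsafe characters become underscores and runs of underscores collapse."""
    validate_field(value)
    cleaned = "".join("_" if c in UNSAFE else c for c in value)
    return re.sub(r"_+", "_", cleaned)


def check_fields(fields: dict) -> dict:
    """Run every Investigation Info field through both filters and return, per
    field, either ("ok", sanitized value) or ("error", message)."""
    results = {}
    for title, value in fields.items():
        try:
            results[title] = ("ok", to_name_item(value))
        except InvestigationFieldError as exc:
            results[title] = ("error", str(exc))
    return results


# Constructed sample entries covering the edge cases the manual calls out.
SAMPLE_FIELDS = {
    "Investigator": "J. Doe",
    "Case Number": "2024/HR:017??",        # path separator, colon, two unsafe chars
    "Evidence Number": "EV-1\x07",         # contains a BEL control character
    "Description": "Bob's laptop",         # apostrophe
    "Notes": "x" * 59,                     # one character over the limit
}

if __name__ == "__main__":
    for title, verdict in check_fields(SAMPLE_FIELDS).items():
        print(f"{title:16} {verdict[0]:5} {verdict[1]}")
```

Running the sample shows why the manual warns about apostrophes and control characters: both are rejected before a name is ever built, whereas a value such as “2024/HR:017??” is accepted and silently becomes “2024_HR_017_”, which is worth knowing when you later search the destination media for a case folder.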
4.2.1 User Defined Fields
Click on the green plus sign icon to open the “Add User Defined Field” window
(see Figure 11). You may add as many user defined fields as you wish. Each user
defined field must have a title, XML tag, and value.
Figure 9. The “Investigation Info” section.
Figure 11. The “Add User Defi ned Field” window.
The title identifies the value in the Ditto Shark’s browser and LCD interfaces, and
the XML tag only appears in the configuration and log files.
To remove a user defined field, click on the green minus sign icon.
4.3 SYSTEM SETTINGS
Displays the most commonly used configuration settings of the Ditto Shark. These
settings are loaded as the default settings for the actions you perform in the “Action”
panel. The “Hide” button allows you to minimize the panel. Click the Configure
button to customize these settings as well as additional advanced settings. See
Section 5.1 for details on each option.
4.4 CURRENT STATUS
Reports either as “Idle” or displays info about the action that the Ditto Shark is
currently performing.
4.5 DISKS
Displays information about the attached media that are currently connected to the Ditto
Shark. The “Hide” button allows you to minimize the panel. To see the available space
a disk has, click the green double arrow icon next to the “Used” column header (see
Figure 14). The disk usage will refresh and give an updated amount.
The “Destination Network” button allows you to mount an iSCSI, NFS, or SMB share
to the Ditto Shark so that you can capture network data to it. For more information, see
Section 11.
4.5.1 View Hexadecimal Data
To view a disk’s hexadecimal data, click on the disk name under the “Port” column
and then select HexView. To view a disk partition’s hexadecimal data, click on the
partition’s number under the disk’s “Partition” column and then select HexView
(see Figure 15).
Figure 12. The “System Settings” section.
Figure 13. The “Current Status” section, displaying the status of a Physical Image action.
Figure 14. Clicking the green double arrow icon
displays and updates amount of space currently used and available.
Figure 15. Drop-down menus for a disk (left) and a
disk’s partition (right).
4.5.2 View Snapshot Data
To view a disk’s snapshot information, click on the disk name under the “Port”
column and then select Snapshot.
Figure 16. The “System Logs” section on the “Home” screen.