Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell™, the DELL™ logo, PowerEdge™, EqualLogic™, and PowerConnect™ are trademarks of Dell Inc. and/or its affiliates. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
Citrix® is a registered trademark of Citrix Systems, Inc. in the United States and/or other countries. Oracle® is a registered trademark of Oracle Corporation.
In recent years there has been an exponential increase in the volume, velocity,
variety, and sophistication of digital activity by criminals and terrorist groups
around the world. Today, most crimes have a digital component. Some have
called it a digital tsunami. This growth has been augmented by dramatic
advances in electronic hardware. The expanding diversity of consumer
electronic devices and their increasing memory and storage capacity offer
criminals and terrorists a wealth of opportunity to hide harmful information.
It is not uncommon for PCs and laptops to come with hard drives that measure
in the hundreds of gigabytes. The latest drives offer 1 TB or 4 TB of
capacity. Consider that a single terabyte can store the content of roughly
two hundred DVDs: a vast amount of storage, and a problem that will only
continue to grow.
From PCs to laptops, mobile phones to thumb drives and even game consoles,
digital forensics professionals are being pushed to the limit to clone, ingest,
index, analyze, and store growing amounts of suspect data while preserving the
digital chain of custody and continuing to protect citizens.
Table 1-1. How Big is a Zettabyte?

Unit             Size in bytes                       Example
Kilobyte (KB)    1,000                               2 KB: a typewritten page
Megabyte (MB)    1,000,000                           5 MB: the complete works of Shakespeare
Gigabyte (GB)    1,000,000,000                       20 GB: a good collection of the works of Beethoven
Terabyte (TB)    1,000,000,000,000                   10 TB: an academic research library
Petabyte (PB)    1,000,000,000,000,000               20 PB: annual production of hard-disk drives
Exabyte (EB)     1,000,000,000,000,000,000           5 EB: all words ever spoken by human beings
Zettabyte (ZB)   1,000,000,000,000,000,000,000       2 ZB: expected data created globally during 2010*

* Roger E. Bohn et al., How Much Information? 2009, Global Information Industry Center, University of California, San Diego (January 2010).
When suspected criminals have been charged and computer and other digital
assets seized, digital forensics professionals are put under enormous pressure to
process and analyze potential evidence in a very short space of time, often in
environments poorly suited to meeting evidentiary requirements. Where
whole organizations are suspected of criminal or terrorist activity, the number of
devices to be analyzed can escalate dramatically.
Digital forensics provides a means for acquiring data retrieved from computers
or other digital devices (mobile phones, games consoles, flash drives, GPSs,
etc.), and the scientific examination and analysis of that data in a manner that
ensures the information can be used in a court of law. The Dell Digital Forensics
Solution comprises the first end-to-end, true enterprise-level solution for law
enforcement, corporate and government security agencies, and e-discovery
organizations, providing all the hardware, software, and service and support
necessary to collect, triage, ingest or image, store, analyze, report, and archive
digital evidence.
Using Dell’s scalable and affordable enterprise server and storage hardware
and—depending on the requirements of your software environment—Oracle
database systems on the back end, a combination of Dell’s ruggedized laptops
and SPEKTOR software in the field, and full service and support from Dell,
investigative personnel can conduct digital forensics data triage and collection
quickly and simply, ensuring chain-of-custody from the field to the datacenter,
and into the courtroom.
The Dell Digital Forensics Lifecycle
The Dell Digital Forensics Solution assists the forensics investigator across the
six stages of the forensics lifecycle: Triage, Ingest, Store, Analyze, Present, and
Archive.
Figure 1-1. The Dell Digital Forensics Lifecycle
Triage
The triage process allows the digital forensics investigator the opportunity to
quickly view the contents of target devices to determine whether or not the
device should be removed to the lab for further analysis and preparation for
presentation in court.
Ingest
Ingest is the stage of the digital forensics process in which the target data is
imaged (unless it has been imaged in the field as part of the Triage stage): an
exact, bit-for-bit copy of the suspect storage device is created, and the
integrity of the duplicate is established by computing a cryptographic hash of
the original and of the copy and confirming that the two values match. Any
difference between the hashes means the image is not a faithful copy and must
not be relied on as evidence.
In common with existing practices, suspect data is imaged in the Dell Digital
Forensics Solution. Instead of imaging data onto a single workstation, however,
the imaged data is ingested into a central evidence repository. By ingesting data
immediately into the datacenter, data is available to multiple analysts, transfer
from one device to another is minimized, and productivity and efficiency is
dramatically improved. Ingestion can, however, take place in the field if the
target storage capacity is small enough. The Dell Digital Forensics Solution
provides onsite ingestion through the use of an optional SPEKTOR Imager
module.
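The hash comparison that the Ingest stage depends on, written out as an added example (this is not Dell or SPEKTOR code). It hashes a source device and its image in fixed-size chunks, compares digests and byte counts, and returns the kind of record an acquisition log needs. The examiner and evidence identifiers and the sample device contents are constructed for the illustration.

```python
"""Verify that a forensic image is a bit-for-bit duplicate of its source.

Added example, not Dell or SPEKTOR code. Both inputs are hashed in fixed-size
chunks so a multi-terabyte device is never read into memory, and the result is
returned as a chain-of-custody style record (digests, sizes, UTC timestamp).
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # 1 MiB reads; raise to match the device's I/O sweet spot
ALGORITHMS = ("md5", "sha256")  # two digests, computed in a single pass over the data


def hash_stream(stream):
    """Hash a file-like object once, feeding every configured digest.

    Returns ({algorithm: hexdigest}, bytes_read).
    """
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        total += len(block)
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}, total


def hash_bytes(data: bytes):
    """Hash in-memory data; useful for small artefacts such as a boot ISO."""
    return hash_stream(io.BytesIO(data))[0]


def verify_image(source, image, examiner, evidence_id):
    """Hash source and image streams; return (verified, record).

    Byte counts are compared as well as digests so a truncated image is
    reported with its actual size instead of as an unexplained hash mismatch.
    """
    src_hashes, src_len = hash_stream(source)
    img_hashes, img_len = hash_stream(image)
    verified = src_hashes == img_hashes and src_len == img_len
    record = {
        "evidence_id": evidence_id,   # hypothetical identifiers, not a Dell scheme
        "examiner": examiner,
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_bytes": src_len,
        "image_bytes": img_len,
        "source": src_hashes,
        "image": img_hashes,
        "verified": verified,
    }
    return verified, record


def verify_bytes(source: bytes, image: bytes) -> bool:
    """Convenience wrapper for in-memory data; returns only the verified flag."""
    ok, _ = verify_image(io.BytesIO(source), io.BytesIO(image), "EX-01", "ITEM-0001")
    return ok


# Constructed sample data standing in for a suspect drive and candidate images.
DEVICE = bytes(range(256)) * 4096      # 1 MiB of deterministic content
GOOD_IMAGE = DEVICE                     # exact duplicate
BAD_IMAGE = DEVICE[:-1] + b"\x00"       # one byte altered
SHORT_IMAGE = DEVICE[:-1]               # truncated copy


def demo():
    """Run the three comparisons, print the log records, return the outcomes."""
    outcomes = {}
    for label, img in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE), ("short", SHORT_IMAGE)):
        ok, record = verify_image(io.BytesIO(DEVICE), io.BytesIO(img),
                                  examiner="EX-01", evidence_id="ITEM-0001")
        outcomes[label] = ok
        print(label, json.dumps(record, indent=2))
    return outcomes


if __name__ == "__main__":
    demo()
```

In practice the source digest is taken at acquisition time through a write-blocker and the image digest is recomputed at ingest; a mismatch at that point tells you the copy, the transport medium or the repository altered the data. MD5 is kept only for interoperability with older tools and reports; its collision weaknesses mean the SHA-256 value is the one the integrity claim should rest on.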
Store
The Dell Digital Forensics Solution provides a wide range of possible storage
and network access options to suit the individual customer. High-speed storage
and retrieval across an enterprise-level network environment allow for a
multiuser configuration that increases efficiency and productivity. Analysts will
no longer have to allocate their individual computing assets to complete
evidence analysis, as all this will happen on the server dedicated for that
purpose.
Analyze
The parallel processing capability provided by the Dell Digital Forensics
Solution allows the analyst to index and triage data on high-performance servers
rather than on far less powerful individual PCs. Additionally, multiple analyst
sessions may be run concurrently on single or multiple workstations using the
back-end configurations that comprise the Solution. This capability helps
protect both system and evidence integrity, helps preserve chain of custody, and
removes the need to rebuild analyst workstations, whether because malicious
code from the evidence was mistakenly executed or because the analyst is moving
from one case to the next. In the Digital Forensics environment, Chain
of Custody may be defined as maintaining the integrity of digital data as
evidence from the time it is collected, through the time findings are reported,
and until the time it may be presented in a court of law.
Present
Using the Dell Digital Forensics Solution, viewing teams and investigators can
access potential case evidence securely and in real time, thus mitigating the need
to release evidence on DVDs or to require experts to travel to the lab for file
access purposes.
Archive
The Dell Solution offers formalized backup, recovery, and archiving
infrastructure to help optimize cooperation between agencies and security
divisions and even across borders, free up administrative overhead, provide
consistency between labs, and minimize risks to the digital chain of custody.
Additionally, Dell’s Digital Forensics Solution blueprint includes an optional
search component that allows for information correlation between ingested data
sets.
Dell’s Solution Eases Industry Pain Points
Using the Dell Digital Forensics Solution can make the process of bringing
digital evidence from the crime scene to the courtroom considerably simpler for
investigative professionals by providing:
• State-of-the-art datacenter networking that speeds ingestion, analysis, and
sharing of digital information
• Information assurance by further automating the digital forensics process,
thereby lowering the risk of error and data compromise
• Additional data integrity assurance, currently through the use of strong
cryptographic hash algorithms, and soon through the implementation of an auditing
feature that will help automate chain-of-custody records
• An end-to-end solution that significantly lowers the complexity of planning,
implementing and managing an enterprise-level digital forensics process
• An affordable and flexible solution that is modular and scalable, expandable
and pay-as-you-go
NOTE: Any conclusions or recommendations in this document that may resemble
legal advice should be vetted through legal counsel. Always check with your local
jurisdiction, local prosecutors, and local forensics laboratory regarding their
preferred method(s) of digital evidence collection.
Solution Components
In the Field
The mobile portion of the solution fits into one hardshell case designed to fit
into the overhead bin of an aircraft. The rugged case carries all the tools and
software required for onsite triage of suspect storage devices, and it includes a
Dell E6400 XFR Ruggedized Laptop with SPEKTOR forensics software preinstalled, Tableau Forensics Write-Blockers with accessories, an optional
number of external USB hard drives that are licensed to work with the
SPEKTOR software as triage image collectors, a 50:1 card reader, and the
adaptors and cables listed in Figure 1-2.
Figure 1-2. Dell Digital Forensics Solution: Mobile Components
1  50:1 card reader
2  USB DVD ROM
3  Collector USB cables
4  Phone cables option for SPEKTOR PI (optional)
5  External hard drive Collectors (5)
6  Image restore disk
7  SPEKTOR boot disk
8  Dell ruggedized laptop
9  Dell ruggedized laptop power supply
10 Pelican Case
In the Datacenter
In the datacenter, the Dell Digital Forensics Solution includes a customized
configuration comprising the following components:
The Dell PowerEdge Rack and Blade Servers can fulfill a variety of roles: file
server, evidence server , archive server , database server , EnCase and FTK license
servers, backup server, or domain controller. They support Microsoft Active
Directory and all the security and forensics software that make up the Dell
Digital Forensics Solution.
Figure 1-3. Dell Digital Forensics Solution: Datacenter
1  PowerEdge R410 server or R610 server (optional)
2  Dell PowerConnect switch
3  Dell Precision or OptiPlex workstation
4  Dell PowerConnect switch
5  1 GB data stream
6  Dell PowerEdge M1000E and M610 Blade servers
7  10 GB data stream
8  Dell EqualLogic PS4000 or PS6000 series storage systems
9  Dell PowerVault ML class storage
About This Document
This document covers each stage of the digital forensics process in its own
chapter, with additional chapters on troubleshooting, hardware and software
supported by the Solution. Each of the process chapters begins with a discussion
of best practices and specific issues that you may encounter as you implement
and manage the Solution, and then moves to a walk-through of the various tools
and components relevant to that stage of the Solution.
Related Documentation and Resources
You can access additional information at support.dell.com/manuals.
Triage
(Lifecycle graphic: Triage, Ingest, Store, Analyze, Present, Archive.)
What is Triage?
Triage allows the digital forensics investigator to browse the data contained on
suspect devices and to make decisions as to which devices are actually
evidentiary and worth seizing for immediate imaging on site (if the data
comprises a small volume) or for later imaging in the datacenter. This ability to
preview and seize only select target devices can substantially reduce the delays
that affect investigators’ ability to present evidence in a timely fashion. Triage
can curtail the backlog of storage devices awaiting imaging back at the forensics
lab, using fewer resources, avoiding adding to an already overloaded ingestion
queue, and dramatically reducing operating costs.
Dell’s Triage Solution Advantage
Mobile
Dell’s Digital Forensics Solution can be at the crime scene with the investigator;
all components have been thoroughly pre-tested to work together, and they
cover a broad range of target device ports and connectors that you might expect
to find in the field.
Fast
Existing forensic triage solutions can be slow and may even miss data because
they perform tasks such as keyword searches or hash matching during data
collection. Dell’s Digital Forensics Solution avoids this by using the
computing power of the Dell ruggedized laptop, rather than the target PC, to
analyze the collected data. In some cases, you may be able to bypass
imaging and indexing processes in the forensics lab altogether.
Easy to Use
The Triage components of the Solution are ready to use right out of the hardshell
case. The preinstalled software offers an intuitive touch screen interface.
User-defined, reusable collection profiles for different scenarios may be created
for standard deployment.
Forensically Acceptable
Triage software enforces an efficient and forensically acceptable process,
ensuring any potential evidence is captured, reviewed, and stored without
compromise.
Flexible
The Triage components can be used to examine the most common digital storage
devices and platforms, including devices running under both Windows and
Apple’s Mac OS X operating systems, as well as a wide array of digital storage
device types, such as MP3 players, external hard drives, memory cards, mobile
and satellite phones, GPS units, iPads and iPhones, and flash drives.
Furthermore, triage results using the Dell Digital Forensics Solution are
exportable to other programs.
Powerful
The Dell ruggedized laptop controls the entire process from performing an
automated analysis of targeted data to delivering detailed results in easy-to-use
report format within a few minutes of data capture. Using the Dell Solution, the
investigator will be able to run multiple triage scans in parallel with a single
license key.
Collecting Digital Forensics Evidence
Figure 2-1. Collection Workflow (flowchart; decision points and actions recovered from the graphic): secure scene; Are trained personnel available? / request assistance; Is the device on?; Is the device a networked environment?; Are destructive processes running?; Is evidence visible on the screen? / document and photograph information; do not turn the device on; do not turn the device off; remove power cord from device(s); label all connections on device(s); locate and secure evidence; process all devices; secure evidence.
Standard vs. Live Acquisition
The Dell Digital Forensics Solution offers two types of acquisition: Standard
and Live. During a standard acquisition procedure, the Dell ruggedized laptop
uses the SPEKTOR boot disk to capture triage data from an already powered-down
target storage device. A live acquisition triage procedure, on the other
hand, aims to capture triage data from a still powered-up target storage device,
obtaining evidence that would not otherwise be available.
Previously, industry standards required that the investigator unplug and seize a
digital device for transport and examination back at the lab. This practice meant
the loss of potentially valuable evidence in the form of volatile data: the
clipboard, currently open files, the contents of RAM, cached passwords, and so on.
Additionally, the contents of encrypted volumes that are mounted, and therefore
readable, on a running system may become inaccessible once the computer is shut
down, because the decryption keys held in memory are lost. Furthermore, many
computers have user-set BIOS and hard drive passwords, and removing power from
a live system protected by such a password can cause loss of access to the
entire content of the device.
Industry best practices require the investigator to approach a suspect data
storage device with the following guidelines in mind:
• If the device is powered on, keep it on where possible until a thorough
investigation can be performed.
• If the device is powered off, leave it off.
The reason for these guidelines is that the investigator must preserve the
storage device as it is found at the scene, introducing as little change as
possible to the device and its contents.
How to Perform Triage Using the Dell Digital Forensics Solution
Turn on Your Dell Ruggedized Laptop
1 Press the power button to log on to the Dell ruggedized laptop. The laptop automatically loads the SPEKTOR software.
2 Tap or click Accept EULA. The Home screen opens.
Figure 2-2. Home Screen
Burn a Boot CD for Standard Acquisition Procedures
1 At the Home screen, tap or click Admin. Then tap or click Burn Boot CD.
Figure 2-3. Burn Boot CD Button on the Home Screen
2 Follow the instructions on the screen, and then click Finish.
Register a Collector or Store Disk
NOTE: Collectors must be licensed and configured by SPEKTOR before they can be used with your Dell Digital Forensics Solution. Contact your systems administrator if you need additional Collectors or licenses.
1 Plug in a new Collector or store disk to one of the USB ports on the left hand side of the Dell ruggedized laptop. The device appears on the screen as an unrecognized device.
Figure 2-4. Unknown Collector or Store Disk Status Indicator
2 Tap or click the Status Indicator icon that corresponds to the Collector or store disk you plugged into the Dell ruggedized laptop. The icon for the device that has been registered will turn green (for a Collector) or orange (for a store disk).
3 The Unknown Device Menu will display.
Figure 2-5. Unknown Device Menu
4 Tap or click Register this device as a Collector or Register this device as a Store Disk.
5 Tap or click Yes. The status indicator will show the new Collector or store disk number, and its status will change to Dirty.
Figure 2-6. Dirty Collector and Store Disk Icons
NOTE: Collectors and store disks, whether newly registered or previously used on other data collections, must be cleaned before they can be deployed against a target.
6 For a store disk only, enter the serial number of the store disk.
Clean a Collector or Store Disk
NOTE: Allow approximately two hours per 100 GB of Collector volume.
1 Select the Status Indicator representing the Collector you want to clean.
2 On the Collector Menu, tap or click Clean Collector.
3 Tap or click Yes to confirm your selection. Cleaning begins, and the Status Indicator will confirm the cleaning progress.
When cleaning has completed, the software will run a verification program to confirm that the only characters on the Collector drive are zeros.
Figure 2-7. Registered, Clean Collector and Store Disk Status Indicators
NOTE: If the cleaning process has not been successful, the status indicator will indicate that the Collector remains dirty. You will need to re-initiate the cleaning process. If cleaning is unsuccessful a second time, try another Collector or store disk.
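The verification step above, confirming that a cleaned Collector holds nothing but zeros, as an added example that is not SPEKTOR's verification program. It reads the device in large chunks, stops at the first non-zero byte and reports its offset, and treats a device that returned no data at all as unverified rather than clean. The sample volumes are constructed in memory; `verify_wiped_path` shows how the same check would be pointed at a real device node.

```python
"""Confirm that a wiped Collector or store disk contains nothing but zeros.

Added example, not SPEKTOR's verification program. The device is read in large
chunks and the scan stops at the first non-zero byte, reporting its offset; a
zero-length read is treated as a failure too, because a device that could not
be read has not been verified.
"""
import io

CHUNK = 4 * 1024 * 1024  # 4 MiB; a whole-device pass is I/O bound, so read big


def scan_for_nonzero(stream):
    """Return (bytes_scanned, offset_of_first_nonzero_byte or None)."""
    offset = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            return offset, None
        # bytes.count(0) runs in C; only walk the block byte-by-byte when it fails.
        if block.count(0) != len(block):
            first_bad = next(i for i, b in enumerate(block) if b)
            return offset + len(block), offset + first_bad
        offset += len(block)


def verify_wiped(stream):
    """Summarise the scan; 'clean' requires all zeros AND at least one byte read."""
    scanned, bad = scan_for_nonzero(stream)
    return {
        "clean": bad is None and scanned > 0,
        "first_nonzero_offset": bad,
        "bytes_scanned": scanned,
    }


def verify_wiped_bytes(data: bytes):
    """In-memory variant used for the constructed samples below."""
    return verify_wiped(io.BytesIO(data))


def verify_wiped_path(path):
    """Real use: path is the raw device node of a Collector attached read-only."""
    with open(path, "rb", buffering=0) as dev:
        return verify_wiped(dev)


# Constructed samples: a 10 MiB zeroed volume and one with a single stray byte.
CLEAN_VOLUME = bytes(10 * 1024 * 1024)
_dirty = bytearray(CLEAN_VOLUME)
_dirty[6_000_001] = 0xFF
DIRTY_VOLUME = bytes(_dirty)

if __name__ == "__main__":
    print(verify_wiped_bytes(CLEAN_VOLUME))
    print(verify_wiped_bytes(DIRTY_VOLUME))
```

Reporting the offset matters for the NOTE above: a non-zero byte that reappears at the same offset after a second wipe points at a failing or remapped sector, which is the case for retiring the Collector rather than wiping it a third time.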
Configure a Collector Profile
NOTE: By default, configuration settings in the triage software are set to collect no
files. Specify a restricted subset of all files on the target device to lower collection
time and avoid exceeding the capacity of the Collector.
Configuring a Collector allows the user to determine a series of specific
filetypes or files created between a specific set of dates that the Collector will
pull from the suspect storage device for triage. The more you are able to restrict
your collection parameters, the more quickly the target data can be acquired for
review.
Dell recommends establishing a set of standard configuration profiles that you
or your agency encounter repeatedly. Examples of such standard configuration
profiles are as follows:
• Photos and Videos would capture filetypes such as *.jpg, *.png, *.swf,
*.vob, and *.wmv, which are associated with photographs, video, or other
types of visual media
• Documents would specifically collect filetypes such as *.pdf, *.doc,
*.docx, and *.txt
• Audio_Files would gather *.mp3, *.mp4, *.wav, and other audio files
Configuring a Collector for Acquisition
NOTE: For an explanation of the differences between standard and live acquisition, see "Standard vs. Live Acquisition" on page 20.
NOTE: When a Collector is configured for standard or live acquisition, it must be cleaned before it can be reconfigured for use in the other type of acquisition.
1 From the Collector Menu, tap or click Configure Collector.
Figure 2-8. Collector Menu
2 If you have previously created a configuration profile that you want to use, select the profile and tap or click Configure using selected profile to initiate configuration of the Collector; otherwise, tap or click New to create a new profile.
NOTE: Figure 2-9 shows the Selected Profile screen at first use of the software before any profiles have been defined and saved. When you have begun creating configuration profiles, they will appear in this screen for your use.
NOTE: Navigation from one of the Collector Configuration screens to the next is accomplished by tapping or clicking the left- and right-arrow buttons at the top and to one side of the screen.
Figure 2-9. Select Profile
3 Determine the type of acquisition you want to perform, Live or Standard (see "Standard vs. Live Acquisition" on page 20 for further information on the difference between Live and Standard Acquisition types), then tap or click either Live Acquisition or Standard Acquisition.
Figure 2-10. Profile Configuration Step 1: Acquisition Type
4 Determine the timestamp settings for your new profile. The more specific you can be, the shorter time it will take to process the captured files.
... Not Selected to the Currently Selected list box. Click the right arrow in the upper-right corner of the screen when you have finished selecting filetypes and extensions.
NOTE: Unless specifically required, it is suggested that you leave Quick Mode off.
8 In the Quick Mode screen, select the number of megabytes (1 MB, 5 MB, 10 MB, or Entire File) of the first part of files that you want to capture. By collecting only the first part of very large files (usually multimedia files), you will be able to review enough of the files to determine the subject matter while minimizing the amount of processing time required.
NOTE: If you did not select file extensions in step 6, no files will be collected and no filetypes will be displayed for selection in this screen. Return to step 6 to activate the required filetypes for step 8.
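The collection profile described under "Configure a Collector Profile" and the Quick Mode prefix capture described in step 8, worked through together as an added example (not SPEKTOR's implementation). A profile here is a set of extensions, an optional modified-time window and an optional Quick Mode cap; matching files are copied into a Collector directory, hashed as they are written, and recorded in a manifest that states whether each copy is complete or a Quick Mode prefix. The target tree, file names and the 5 MB cap are constructed for the illustration; the extension list mirrors the "Photos and Videos" profile suggested above.

```python
"""Apply a triage collection profile to a target filesystem tree.

Added example, not SPEKTOR's implementation. A profile is a set of file
extensions, an optional modified-time window and an optional Quick Mode cap.
Matching files are copied into a Collector directory; with Quick Mode set, only
the first N MB of each file is copied. Every copy is hashed as it is written and
the manifest records whether it is complete or a Quick Mode prefix, so a partial
copy can never be mistaken for a full one later in the case.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class Profile:
    name: str
    extensions: frozenset                  # lower-case, with the leading dot
    modified_after: Optional[datetime] = None
    modified_before: Optional[datetime] = None
    quick_mode_mb: Optional[int] = None    # None means "Entire File"

    def matches(self, path: Path) -> bool:
        """Extension filter first (cheap), then the mtime window."""
        if path.suffix.lower() not in self.extensions:
            return False
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if self.modified_after is not None and mtime < self.modified_after:
            return False
        if self.modified_before is not None and mtime > self.modified_before:
            return False
        return True


def collect(target: Path, collector: Path, profile: Profile):
    """Copy files matching profile from target into collector; return a manifest."""
    cap = None if profile.quick_mode_mb is None else profile.quick_mode_mb * MB
    manifest = []
    for root, _dirs, files in os.walk(target):
        for name in files:
            src = Path(root) / name
            if not profile.matches(src):
                continue
            rel = src.relative_to(target)
            dst = collector / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            sha = hashlib.sha256()
            copied = 0
            with open(src, "rb") as fin, open(dst, "wb") as fout:
                while True:
                    want = MB if cap is None else min(MB, cap - copied)
                    if want <= 0:           # Quick Mode cap reached
                        break
                    block = fin.read(want)
                    if not block:           # end of file
                        break
                    fout.write(block)
                    sha.update(block)
                    copied += len(block)
            size = src.stat().st_size
            manifest.append({
                "path": rel.as_posix(),
                "source_size": size,
                "collected_bytes": copied,
                "partial": copied < size,   # True only for Quick Mode prefixes
                "sha256_of_collected": sha.hexdigest(),
            })
    manifest.sort(key=lambda entry: entry["path"])
    return manifest


def demo():
    """Constructed target tree: two recent media files, one text file, one old photo."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "suspect_volume"
        collector = Path(tmp) / "collector01"
        target.mkdir()
        (target / "photo.jpg").write_bytes(b"J" * (3 * MB))
        (target / "clip.wmv").write_bytes(b"W" * (12 * MB))
        (target / "notes.txt").write_bytes(b"not a media file")
        old = target / "old.jpg"
        old.write_bytes(b"O" * MB)
        stamp = datetime(2008, 1, 1, tzinfo=timezone.utc).timestamp()
        os.utime(old, (stamp, stamp))     # backdate: falls outside the window
        # Mirrors the "Photos and Videos" profile suggested above, Quick Mode 5 MB.
        profile = Profile(
            name="Photos and Videos",
            extensions=frozenset({".jpg", ".png", ".swf", ".vob", ".wmv"}),
            modified_after=datetime(2009, 1, 1, tzinfo=timezone.utc),
            quick_mode_mb=5,
        )
        return collect(target, collector, profile)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two caveats follow from the design. The date window relies on filesystem modification times, which a suspect can set to anything, so a narrow window speeds triage but is not a guarantee that older material is absent. And the hash recorded for a Quick Mode copy is the hash of the prefix actually collected, not of the source file; the `partial` flag exists so nobody later compares that value against a full image and concludes the file changed.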