Forensic Tower User’s Guide Forensic Computers, Inc. 110 Forensic Lane Glen Lyn, VA 24093 www.forensic-computers.com © 2009 Forensic Computers, Inc. All rights reserved. © 2008-2009 Tableau, LLC. All rights reserved. Tableau is a registered trademark of Tableau, LLC.


Forensic Tower User’s Guide 2 Copyright © 2009 Forensic Computers, Inc

Table of Contents

1. Forensic Tower ........ 3
2. How to Use This Manual ........ 3
3. Quick Start ........ 3
3.1 Unpacking Your Forensic Tower ........ 3
3.1.1 Turning the Forensic Tower ON ........ 5
3.1.2 Using the T35i Forensic SATA/IDE Bridge ........ 5
3.1.3 Using the CRU DataPort V SATA READ/WRITE Unit ........ 6
4. Useful Information ........ 7
4.1 Tableau T35i Forensic SATA/IDE Bridge ........ 7
4.1.1 T35i Bridge Overview ........ 7
4.1.2 Configuring Switches ........ 10
4.2 Imaging ........ 11
4.2.1 Re-Installing the OS Image ........ 11
4.2.2 Re-Imaging the OS Drive ........ 12
5. Glossary ........ 13


1. Forensic Tower

The Forensic Tower is an updated version of our first forensic system. There are five 5.25” external bays, two 3.5” external bays and six 3.5” internal drive bays, which allow for easy upgrades and the flexibility to configure a forensic lab system to meet your needs.

2. How to Use This Manual

This manual has two main sections: Quick Start and Useful Information. The Quick Start section gives the user enough information about the Forensic Tower and its accessories to get started, with an overview of the additional components that come with the Forensic Tower and their use. The Useful Information section goes into more detail about specific components of the Forensic Tower.

3. Quick Start

3.1 Unpacking Your Forensic Tower

The Forensic Tower includes the following items: the Forensic Tower, the 17” LCD Panel, the Keyboard and Mouse combo, a Manual Bag, a CD Wallet, a 10-in-1 Screwdriver, a 30-piece Security Screwdriver Set, a Forensic Computers mouse pad, a surge protector, a flashlight, and the T35i cable and adapter set.

Photo descriptions (photos not reproduced here):

Forensic Tower

17” LCD Panel with Speakers

Microsoft Keyboard and Mouse Combo.


Manual Bag: The Manual Bag includes miscellaneous documentation and CD-ROMs.

CD Wallet: In this wallet are all the device drivers and CD ROM's pertinent to your Forensic Tower system. The following is a list of the CD’s included in your CD Wallet: Windows XP Professional, Hard Drive Image, Device Drivers, Norton Anti-Virus, Ahead Nero, and Quick View.

There are two different screwdriver sets included with the Forensic Tower system: the 30-piece Security Screwdriver Set and the Craftsman 10-in-1 Screwdriver. The 30-piece Security Screwdriver Set comes with 30 different security bits for items such as IBM PS/2 monitors, CATV and telephone equipment, and many other items, plus a screwdriver and a case to hold them in. There is a compartment in the handle of the screwdriver in which one may store other bits. The Craftsman 10-in-1 screwdriver has four dual-headed bits in a “quick-change” bit system, in-shaft bit storage and a cushioned handle grip. One can use the Craftsman screwdriver as a Phillips (1 or 2), slotted (3/16 or ¼ inch), Torx® (10 or 15), square recess (1 or 2) and also as a nut driver (1/4 or 5/16 inch).

TC2-8 Power Cable: Molex power cable to connect IDE hard drives to the T35i.

TC5-8 SATA Power Cable: SATA power cable to connect the 15-pin SATA power connector to the T35i.

TC3-8 SATA Signal Cable: SATA signal cable to connect ATA hard drives to the T35i.


TC6-8 IDE Signal Cable: IDE signal cable to connect IDE hard drives to the T35i.

TDA5-25 2.5" IDE Notebook Adapter: Adapter for 2.5" notebook hard drives.

TDA5-18 1.8" IDE Notebook Adapter: Adapter for 1.8" notebook hard drives.

3.1.1 Turning the Forensic Tower ON

The Forensic Tower ships in a “ready to use” state. After attaching the power cord, the monitor, the keyboard and the mouse, turn the Forensic Tower ON. The following programs have been added to aid in your investigations: Adobe Acrobat Reader, Quick View Plus, Open Office, Tableau Updater, Ahead Nero, Image for Windows, Norton Anti-Virus and FTK Imager. Any other specific forensic software tools must be purchased separately.

There is a copy of your system as you received it in your CD Wallet, labeled Forensic Tower image. If you need to re-install your operating system or restore the machine to the state it was in when you first received it, use this disk. If you do not have a copy of this disk, you may call and we will send one to you.

3.1.2 Using the T35i Forensic SATA/IDE Bridge

Step-by-step instructions for connecting hard drives to the T35i:

1. Confirm that the T35i power button is in the OFF position. The Power LED will be OFF.
2. Connect the hard drive to the appropriate signal cable (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
3. Connect the hard drive to the appropriate power cable (either the TC2-8 Molex cable or the TC5-8 SATA power cable).
4. Connect the appropriate signal cable to the T35i (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
5. Connect the appropriate power cable to the T35i (either the TC2-8 Molex cable or the TC5-8 SATA power cable).
6. Turn the T35i power button ON. The Power LED, the Host Det LED, and either the SATA Det or the IDE Det LED will light up. The Activity LED will also light up as communication occurs between the computer and the suspect hard drive.

3.1.3 Using the CRU DataPort V SATA READ/WRITE Unit

The second bay in the Forensic Tower is a CRU DataPort V SATA unit, which is configured as READ/WRITE. The unit is NOT hot-swappable and is NOT connected to the Tableau T35i Forensic SATA/IDE Bridge.

Step-by-step instructions for inserting hard drives in the CRU DataPort V SATA READ/WRITE unit:

1. Unlock the CRU DataPort V SATA READ/WRITE unit.
2. Pull the CRU DataPort V SATA READ/WRITE hard drive tray from the CRU DataPort V SATA READ/WRITE rail.
3. Open the CRU DataPort V SATA READ/WRITE hard drive tray with the CRU Opener.
4. Insert the suspect SATA hard drive into the CRU DataPort V SATA READ/WRITE hard drive tray, aligning the power and signal connectors of the hard drive with those of the tray.
5. Place the lid of the tray back on the CRU DataPort V SATA READ/WRITE tray.
6. Insert the CRU DataPort V SATA READ/WRITE tray into the CRU DataPort V SATA READ/WRITE rail.
7. Power down the computer.
8. Turn the CRU DataPort V SATA READ/WRITE unit ON.
9. Turn the computer ON.

Once the computer has booted, the host computer should see the secondary suspect hard drive as another hard drive available to “READ or WRITE” to.


4. Useful Information

4.1 Tableau T35i Forensic SATA/IDE Bridge

Tableau's newest OEM product, the T35i, continues Tableau's heritage of industry leading innovation. The T35i offers an economical, high-performance alternative to the T345 for forensics professionals whose acquisition needs focus on IDE and SATA subject drives.

The T35i is designed to mount directly in a forensic workstation. Internally the T35i connects to the workstation through a high-performance FireWire800 connection. Externally, the T35i can be connected to SATA or IDE hard disks (one at a time) for write-blocked forensic acquisitions.

The T35i bundle price includes the T35i and one each of the following: TC2-8 (traditional power cable), TC5-8 (SATA style power cable), TC3-8 (SATA signal cable), TC6-8 (IDE signal cable), TDA5-25 and TDA5-18 (2.5" and 1.8" IDE notebook hard disk adapters, respectively).

4.1.1 T35i Bridge Overview

The Table below describes each of the elements visible on the front of the T35i.

Front Element: Description

Power Switch/LED: The Power switch controls power to the T35i as well as to the DC OUT connector used for powering the connected hard disk. The Power LED will be illuminated when there is power to the T35i and the power switch is in the "ON" position.

SATA Det LED: The SATA Det LED (SATA Detect) illuminates when a hard disk attached to the SATA interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time.

IDE Det LED: The IDE Det LED (IDE Detect) illuminates when a hard disk attached to the IDE interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time.

Host Det LED: The Host Det LED (Host Detect) indicates when the connected hard disk has been recognized by the host computer. The Host Detect LED will illuminate only after the T35i has successfully identified a hard disk connected to the front of the T35i and after the host computer has "logged in" to the corresponding T35i channel using the FireWire/1394 SBP-2 protocol.

Wrt Blk LED: The Wrt Blk LED (Write Block) is illuminated whenever the Tableau bridge is in READ-ONLY mode. This LED provides a positive indication that the bridge may be used to capture a forensically sound image from a subject hard disk.

Activity LED: The Activity LED indicates that the host is performing some kind of I/O to the connected hard disk.

DC OUT Connector: The DC Out connector may be used to provide power from the Tableau bridge to the subject hard disk. The DC Out output is controlled by the power switch, so using the DC Out connector guarantees that the drive will be powered ON/OFF simultaneously with the T35i bridge.

Disk Interface Connectors (SATA and IDE): The disk interface connectors attach the subject hard disk to the T35i. Tableau recommends the following cables:

Interface: Cable
SATA: TC3-8
IDE: TC6-8 or TC6-2

The next image is a rear view of the T35i. Captions identify each internal T35i connector and the location of the configuration switches.


The following table describes each of the elements shown in the above picture.

Internal Element: Description

1394B (FireWire 800): The T35i must be connected to the host computer via a FireWire800/1394B connection. This is the interface through which each of the T35i's two I/O channels will communicate with the host computer. It is acceptable to use FireWire400/1394A instead (with an appropriate cable adapter), but performance will be reduced.

DIP Switch Bank: The T35i has one DIP switch bank with four switches. The next section in this document, Configuring Switches, describes the function of these switches in detail.

Power: Power should be provided to the T35i through the standard 4-pin "Molex"-style power connector shown in the picture. The T35i requires approximately 450mA @ +5VDC for its internal operation. This figure does not include the power requirements of the hard disk connected to the DC OUT connector on the T35i. IMPORTANT: Tableau strongly recommends that the T35i be on a dedicated power supply lead. Switching the T35i on/off can lead to large current/voltage surges which can interrupt the operation of other devices which share a power supply connection with the T35i.

4.1.2 Configuring Switches

The following table summarizes the function of the four-position DIP switch.

Switch 1
  Switch OFF: Bridge operates in forced READ-ONLY mode and may be used to capture forensically sound images from subject hard disks.
  Switch ON: Bridge operates in READ-WRITE mode.

Switch 2
  Switch OFF: Bridge reports errors if the host computer attempts to write when the bridge is in READ-ONLY mode.
  Switch ON: Bridge does not report write errors when in READ-ONLY mode. (The bridge discards write data without returning an error.)

Switch 3
  Switch OFF: Bridge reports that it is WRITE-PROTECTED to the host computer when in READ-ONLY mode.
  Switch ON: Bridge does not report that it is WRITE-PROTECTED when in READ-ONLY mode.

Switch 4
  This switch is RESERVED and must remain in the OFF position for correct operation.

The following table summarizes the recommended Tableau bridge configuration depending on the operating system you are using. These recommendations apply only when using the Tableau bridge in READ-ONLY mode to capture forensic images from subject hard drives (i.e., when the Write Block LED is illuminated).

O/S (SW2-1, SW2-2): Comments

Windows XP (OFF, OFF): In most situations, Windows XP handles READ-ONLY bridges correctly and will work optimally when leaving switches 2 and 3 in the OFF (default) state. However, Tableau has seen cases where Windows XP will not allow a user to access a READ-ONLY partition. If you encounter a situation in which Windows XP reports that a volume is "write protected" and will not allow you to access the partition, then try the switch setting recommended for Windows 2000, below.

Windows 2000 (ON, ON): Windows 2000 does not mount NTFS volumes correctly when the bridge declares that it is READ-ONLY. These settings make Windows 2000 believe the bridge is in READ-WRITE mode (even though it is not), and Windows 2000 will successfully mount NTFS volumes.

Windows ME/98se (ON, OFF): Windows ME/98se may not recognize that a bridge is READ-ONLY and may attempt to write to the bridge anyway. If this happens, Windows ME/98se will generate a "blue screen" error. The recommended settings eliminate the "blue screen" error. NOTE: Some forensic users prefer to see the Windows "blue screen" error if a write is attempted. Users with these preferences should use the recommended settings for Windows XP instead.

Other (OFF, OFF): Most other modern operating systems handle READ-ONLY forensic bridges correctly, so the default OFF settings are best for users of these operating systems.

IMPORTANT: As long as the Write Block LED is illuminated, the Tableau bridge will never permit writes or other modifications to the subject hard disk. Switches 2 and 3 only affect the way the bridge appears to behave from the perspective of the host computer.

NOTE: Switches 2 and 3 are ignored when the Tableau bridge is in READ-WRITE mode (i.e., when the Write Block LED is off).
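The switch table and the IMPORTANT and NOTE paragraphs above amount to a small contract: switch 1 alone decides whether a host write can ever reach the subject disk, while switches 2 and 3 only change how a refused write is presented to the host. The Python model below is an added example, not Tableau's or Forensic Computers' code. The names `Switches`, `HostView`, `SubjectDisk`, `evaluate`, `recommended_switches` and `write_blocked_for_all_host_views` are hypothetical, the "subject disk" is a constructed byte buffer rather than real hardware, and the recommended-settings lookup assumes the two switch columns of the O/S table are switches 2 and 3, as that table's comments state.

```python
import hashlib
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Switches:
    """State of the four-position DIP switch bank (True = ON), per section 4.1.2."""
    sw1: bool = False  # OFF = forced READ-ONLY, ON = READ-WRITE
    sw2: bool = False  # OFF = report write errors, ON = discard writes without an error
    sw3: bool = False  # OFF = report WRITE-PROTECTED to the host, ON = do not report it
    sw4: bool = False  # RESERVED, must remain OFF


@dataclass(frozen=True)
class HostView:
    """What the host computer observes, plus whether a write can reach the disk."""
    write_block_led: bool
    reports_write_protected: bool
    write_attempt_errors: bool
    data_reaches_disk: bool


def evaluate(sw: Switches) -> HostView:
    """Map a switch setting to the bridge behaviour the manual describes (hypothetical model)."""
    if sw.sw4:
        raise ValueError("switch 4 is RESERVED and must remain OFF")
    if sw.sw1:
        # READ-WRITE mode: Write Block LED off; switches 2 and 3 are ignored.
        return HostView(write_block_led=False, reports_write_protected=False,
                        write_attempt_errors=False, data_reaches_disk=True)
    # Forced READ-ONLY: the LED is lit and no write ever reaches the disk.
    # Switches 2 and 3 change only how the refusal appears to the host.
    return HostView(write_block_led=True, reports_write_protected=not sw.sw3,
                    write_attempt_errors=not sw.sw2, data_reaches_disk=False)


# Recommended switch 2 / switch 3 settings for READ-ONLY acquisitions, taken
# from the per-operating-system table in section 4.1.2 (switch 1 stays OFF).
RECOMMENDED = {
    "Windows XP": Switches(sw2=False, sw3=False),
    "Windows 2000": Switches(sw2=True, sw3=True),
    "Windows ME/98se": Switches(sw2=True, sw3=False),
    "Other": Switches(sw2=False, sw3=False),
}


def recommended_switches(os_name: str) -> Switches:
    """Look up the table; anything not listed falls under 'Other' (both OFF)."""
    return RECOMMENDED.get(os_name, RECOMMENDED["Other"])


class SubjectDisk:
    """Constructed stand-in for a subject hard disk sitting behind the bridge."""

    def __init__(self, image: bytes):
        self._image = bytearray(image)

    def sha256(self) -> str:
        return hashlib.sha256(self._image).hexdigest()

    def host_write(self, sw: Switches, offset: int, data: bytes) -> str:
        """Attempt a host write through the bridge; return what the host sees."""
        if offset < 0 or offset + len(data) > len(self._image):
            raise ValueError("write outside the constructed image")
        view = evaluate(sw)
        if view.data_reaches_disk:
            self._image[offset:offset + len(data)] = data
            return "written"
        return "error" if view.write_attempt_errors else "silently discarded"


def write_blocked_for_all_host_views(image: bytes) -> bool:
    """Attempt a write under every switch 2/3 combination with switch 1 OFF.

    Returns True when the image hash is unchanged in every case, i.e. the
    host-facing switches never weaken the write block itself.
    """
    before = hashlib.sha256(image).hexdigest()
    for sw2, sw3 in product((False, True), repeat=2):
        disk = SubjectDisk(image)
        disk.host_write(Switches(sw1=False, sw2=sw2, sw3=sw3), 0, b"TAMPER")
        if disk.sha256() != before:
            return False
    return True


if __name__ == "__main__":
    # Constructed 4 KiB "subject disk" with a recognisable header.
    image = b"SUBJECT-DISK" + bytes(4096 - len("SUBJECT-DISK"))
    original_hash = hashlib.sha256(image).hexdigest()
    for os_name in ("Windows XP", "Windows 2000", "Windows ME/98se", "Linux"):
        sw = recommended_switches(os_name)
        disk = SubjectDisk(image)
        result = disk.host_write(sw, 0, b"TAMPER")
        sw2 = "ON" if sw.sw2 else "OFF"
        sw3 = "ON" if sw.sw3 else "OFF"
        unchanged = disk.sha256() == original_hash
        print(f"{os_name:16} sw2={sw2:3} sw3={sw3:3} write -> {result}; image unchanged: {unchanged}")
    print("write blocked under every host view:", write_blocked_for_all_host_views(image))
```

Running the script shows that the Windows 2000 setting (both ON) makes a write come back as "silently discarded" with nothing reported as write-protected, while the Windows XP setting returns an error, yet the image hash is identical in both cases; only `Switches(sw1=True)` ever changes the buffer. That hash comparison is the check a practitioner would keep: whatever the host reports, the evidence of a sound acquisition is that the subject image hashes the same before and after the session.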

4.2 Imaging Over time, an investigator will need to image and re-image their OS hard drive. As of December 2007 three types of software have been used to create the initial OS hard drive images sent out with Forensic Computers’ line of systems: Norton Ghost, Acronis TrueImage version 10 and Image for Windows. Image for Windows is the current imaging software and the directions are here. If the directions for the other imaging software are needed, please refer to our documentation list online or email us.

4.2.1 Re-Installing the OS Image (Your username and SN for IMAGE FOR WINDOWS will be located in your CD wallet. If it is not, call us with the serial number of your system and we will locate your IMAGE FOR WINDOWS serial number.)

• Enter the BIOS and ensure that the DVD_RW is set to boot before the hard drive

• Insert the DVD into the DVDRW

• The program will automatically start up and ask you to "press <space> for menu or wait for the restore to start"

• Wait for the restore to start as it will select the first hard disk (HD0) which is your OS drive

• The program will then ask if you want to continue with the restore on HD0 (this will erase everything on the drive and restore it to factory defaults.)

• Once the restore has completed and has been rebooted, the machine will be ready for use.

• For more advanced and detailed instructions please refer to the PDF included on your Image for Windows CD


4.2.2 Re-Imaging the OS Drive

• Start Image for Windows from desktop shortcut/start menu

• Choose operation to perform: Backup (next)

• Select Partition: HD0 / specific hard drive (next)

• Select Destination: DVDRW (next)

• Backup Options (default settings) (Finish)

Image for Windows will burn an image of the drive to the disk and then proceed to automatically validate the disk. If errors occur during validation, one must start completely over with a fresh DVDRW.


5. Glossary

ATA – AT Attachment is a standard interface for connecting storage devices such as hard disks and CD-ROM drives inside of personal computers.

DIN – the abbreviated name of the German Institute for Standardization (Deutsches Institut für Normung), used in the names of its standards. There are a variety of DIN connectors in existence today. The one mentioned in this text is a 5-pin DIN connector.

DIP – as in DIP switch, an electric switch packaged in a standard dual in-line package, designed to be used on a printed circuit board along with other electronic components and commonly used to customize the behavior of an electronic device for specific situations.

eSATA – external Serial Advanced Technology Attachment: an external interface for SATA technologies.

FireWire Symbols – two symbols, (a) and (b), represent the IEEE1394 standard (the symbol images are not reproduced here). These symbols will help you identify products that are compatible with computers and cameras that use this standard. The FireWire symbol on the left (a) is a trademark of Apple Corporation. The i.LINK symbol on the right (b) is a trademark of Sony Corporation.

Hot swapping – or hot plugging is the ability to remove and replace components of a machine, usually a computer, while it is operating.

IDE – Integrated Drive Electronics, a synonym for an ATA storage device.

iPod – a brand of portable media players designed and marketed by Apple Computer.


Molex® – A type of power connection used in the computer industry, which has a plastic end attached to four wires: one yellow (12V), one red (5V) and two black (ground). There are female and male Molex® connectors.

SAS – Serial Attached SCSI, a data transfer interface designed to move data to and from computer storage devices.

SATA – is a traditional dish from the Malaysian state of Terengganu, consisting of spiced fish meat wrapped in banana leaves and cooked on a grill. NO REALLY: Serial ATA, a computer bus technology primarily designed for the transfer of data from a hard disk.

SCSI – Small Computer System Interface (pronounced "skuzzy") is a standard interface and command set for transferring data between devices on both internal and external computer buses.

USB – Universal Serial Bus is a serial bus standard to interface devices. It was designed for computers such as PCs and the Apple Macintosh, but its popularity has prompted it to also become commonplace on video game consoles, PDAs, cell phones and even devices such as televisions and home stereo equipment (mp3 players) and portable memory devices.