*** Read me first ***

Forensic Recovery of Evidence Device (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

This document contains important information about the configuration and operation of your FRED system. FAILURE TO FOLLOW THESE GUIDELINES MAY RESULT IN PHYSICAL DAMAGE TO YOUR EQUIPMENT WHICH IS NOT COVERED UNDER WARRANTY. Do not attempt to operate your equipment prior to reading and understanding this document. Please call Digital Intelligence if you have any questions regarding this information: (866) DIGINTEL

1. Individual Device Documentation, Drivers, and Software

Complete documentation for each of the individual devices, components, and software programs provided with this system is included in separate packaging. This document is not intended to discuss the characteristics, functionality, or operation of the individual components in the system but rather the manner in which these components have been configured and integrated in order to function as a complete system. If you need information on the individual components, please refer to the OEM documentation and software included separately from this document.

2. Operating System Information

Your system includes a pre-installed dual boot Operating System consisting of Windows 98SE-Standalone DOS and Windows 7 Ultimate 64 Bit Operating System with XP mode. The choice of Operating System can be selected at Boot Time and will default to a Windows Operating System if no selection is made. Windows 98 DOS is installed to provide the ability to run the unit in Operating Environments that do not inherently attempt to make changes to attached drives during operation. A fully configured SUSE Linux (complete with NTFS read-only mount support) is also provided as an image which may be installed from a bootable DVD. It should be noted that any installation (or reinstallation) using the Bootable Restoration DVDs (Linux or Dual Boot) will completely overwrite the contents of the target drive.

3. System Identification

Several areas of this documentation provide information or guidelines that are specific to a particular FRED configuration. It is important that you identify your particular FRED Configuration to interpret this document properly:

• µFRED: (Micro FRED) The small portable 2 bay case FRED Configuration
• FRED: The standard “single-wide” tower FRED Configuration with i7 motherboard
• FRED DX: The standard “single-wide” tower FRED Configuration with dual Xeon motherboard
• FRED-SR: The larger “double-wide” tower FRED Configuration with dual Xeon motherboard
• FREDDIE: The smaller portable FRED system with integrated LCD Panel and Keyboard
• FRED-RM: The rack mount FRED module (in a FREDC or FREDM rackmount chassis)

4. Physical Set Up (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

The unit requires several cables and adapters to be connected prior to operation. Here is some information that may require special attention:

1. Removable Drive Bays:
• To prevent damage the system is shipped with all Drive Trays locked.
• Before starting the system, all Drive Trays that do not contain hard drives should be unlocked and slid out of the rack far enough to disengage the connector on the back of the tray.
• Only those bays specifically labeled as HOT SWAP are hot-swappable. Inserting/removing or unlocking/locking a drive bay which is not specifically identified as Hot Swappable is not supported by the Motherboard, Chipset, or Operating System and may result in permanent damage to the associated drive rack.

5. Initial System Start-Up (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

Operating System License: The installed Windows Operating System will require a license or product key at the first boot. The OEM Windows License key certificate is applied to the back of the unit on most systems. For FREDDIE units, the OEM Windows License key certificate is applied to the side of the unit near the ATX I/O Panel. For the FRED-RM rack mount unit, the OEM Windows License key certificate is applied to the left or right side of the unit (you will have to open the side panel door if installed in a rack mount cabinet).

Windows Set Up: Systems are shipped with Windows 7 pre-installed. The first time the system is started, you will be asked a series of questions as part of the Windows Mini Set Up.

Default Password - RAID Controller: If your system contains a RAID Storage Array, the array is pre-configured as a RAID5 Array. This storage can be viewed in Disk Management (formatted or unformatted) or Windows Explorer (formatted only). Status checks of the array or configuration changes are made via the RAID utility. This utility can be accessed via a text based interface or a web interface. The text based interface is accessed by use of the "TAB" or "F6" key at the on screen prompt during system boot. The web based access requires a network cable to be connected to the network port on the RAID controller card. The card can either be assigned a static IP address or use DHCP. If using DHCP you may wish to create a reservation for the MAC address of the card. This will ensure the card always receives the same IP address via DHCP. For more information regarding RAID configuration, please consult the included controller manual or contact Digital Intelligence. The default password for the controller card has been set to "secret". The manufacturer default password for the controller card is "0000".

Digital Intelligence Software Licensing: A registration card was included with your new system. Point your browser to http://www.digitalintelligence.com/productregistration.php and complete the form to register for warranty service, technical support, software license activation and notification of software updates. After successful registration, and if applicable, the license initialization files for your Digital Intelligence software (DRIVESPY, PDWIPE, IMAGE, PDBLOCK, and PART) will be emailed to you. These files should be placed in the same directory as the associated programs in order for them to function. DRIVESPY, PDWIPE, IMAGE, PDBLOCK, and PART can be found in the \DIGINTEL directories of the DOS and WINDOWS 98 partitions. These license initialization files are generated on an individual basis.

6. Hard Drive Contents (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

The unit is typically shipped with two hard drives. The first hard drive is pre-installed and configured with the dual boot Windows 98SE DOS / Windows 7 Ultimate 64 bit. The second drive may already be partitioned and formatted as "DATA Drive". You may partition and format the second hard drive to meet your personal requirements.

7. Removable Drive Bays (SATA/HOTSWAP) - (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

a. A couple of definitions will be helpful to maintain consistency:
• “Drive Bays” are the positions in the chassis provided to facilitate insertion, removal, and reconfiguration of hard drives. A Drive Bay consists of two pieces, the Drive Rack and the Drive Tray.
• “Drive Trays” are the removable portion of the drive bay which holds the hard drive.
• “Drive Racks” are the part of the drive bay that mounts permanently inside the system chassis.

b. With the exception of the OS and "DATA" drive, all remaining drive bays are categorized and labeled as “Hot Swap”. The DATA drives on µFRED, FREDDIE and dual RAID (2R) systems are "Hot Swap". There are two system interface types for the Hot Swap drive bays.
• SATA Interface - connected directly to an onboard disk controller (SATA) - FREDDIE
• USB 3.0 Interface - connected to a USB 3.0 controller - All other system types

c. Notes on Bridge Trays (IDE / SATA): Bridge trays may be used to attach an IDE drive onto a SATA channel. Bridge Trays may be inserted into any Hot Swap bay. Any IDE drive inserted into a Bridge Tray must be jumpered as a master (or single-master) device.

d. Working with “Hot Swap” Removable Drive Bays:
• Only those drive bays specifically labeled as “HOT SWAP” drive bays can be treated as such.
• Hot Swap bays are particularly useful to mount hard drives which are intended to receive evidence or images. Using a Hot Swap drive bay to mount your evidence or casework drive allows these drives to be changed without turning off the system.
• You may insert either a SATA drive into a Hot Swap bay using a SATA tray or an IDE drive into a Hot Swap bay using a Bridge tray (IDE/SATA).
• Drives must be locked into the bays for proper operation. An LED will illuminate when the drive is locked into place and power is being provided to the unit. The Operating System will physically detect the drive once it is locked into the “Hot Swap” drive bay. If the OS does not detect the drive, use the “Rescan Disks” command from the Actions Menu in Disk Management or the “Scan for Hardware Changes” command in Device Manager (right click on “FRED” in Device Manager for the menu option).
• Always notify the Operating System before unlocking a “Hot Swap” drive bay. This will give the O/S a chance to flush any pending disk writes in the cache before the drive is removed. This can be done using the “Add/Remove” Icon on the taskbar in the Windows Operating System. Failure to “Safely Remove” or “Stop” the drive before it is removed from the system can lead to data loss and file system corruption.
• After a drive tray is unlocked, slide the tray out to disengage the internal connector or completely remove it from the drive rack.

e. Working with Non-Hot Swap Removable Drive Bays (OS)
• Inserting/removing or locking/unlocking the OS drive bay while the system is powered on can result in damage to the drive bay and is not covered under warranty. All removable drive bays should be treated as “Native” drive bays unless they are specifically labeled and identified as a “HOT SWAP” bay.
• Drives must be locked into the bays for proper operation. An LED will illuminate when the drive is locked into place and power is being provided to the unit.

8. SATA Drives (Operating System, Data Drives, CD/DVD Drive) - (µFRED, FRED, FREDDIE, FRED DX, FRED-SR, FRED-RM)

1. The primary hard drive shipped in the uppermost SATA removable drive bay is pre-configured with your dual boot Operating System Image (see note below on switching operating systems). The OS Drive in µFRED is mounted inside the case and is not accessible without opening the case.

2. The secondary hard drive shipped in the SATA removable drive bay immediately below the Operating System drive will not have been prepared in any way. It is anticipated that the user will allocate the space on the drive as desired. If the user does not wish to install the Linux Operating system image on the second drive, it may be desirable to use the entire second drive for restoration and processing of suspect images.

3. The CD/DVD Drive connects to the motherboard via a SATA interface. (The CD/DVD drive for the µFRED is optional and connects externally via USB)

4. If your system includes additional SATA bays, they will be shipped empty and may be used as desired.

9. UltraBay 3d™ and UltraBay 3 Hardware Write Blockers

UltraBay 3d™ is utilized in FRED, FRED DX, FRED-SR, and FRED-RM systems
UltraBay 3™ is utilized in µFRED and FREDDIE systems

The UltraBay 3d™ and UltraBay 3™ are hardware based write blockers with the following features and capabilities.
- Integrated Write Blocked (Read-Only) Ports
  • SATA
  • IDE
  • SAS
  • USB 3.0 / 2.0 / 1.1
  • FireWire 800 / 400
- Integrated touch screen with a graphical user interface (GUI) for acquisition process monitoring. (UltraBay 3d™ Only)
- Full multi-LUN FireWire acquisition support is provided for Write Protected imaging of Apple Mac systems booted to FireWire device mode.

The UltraBay 3d™, in addition to IDE, SATA, or SAS hard drives, will allow USB 3.0 / 2.0 / 1.1 and FireWire 800 / 400 devices to be connected for secure forensic imaging. Although the UltraBay 3d™ has multiple write blocked connectors, only one device may be attached at a time. A “pull-out” imaging shelf is located directly below the UltraBay providing a location to rest the connected drive. Before connecting any device, ensure that the power LED near the power switch is not illuminated.

The "U" button is utilized to set the UltraBay device into "update mode". The unit must be in update mode to apply a firmware update. To enter "update mode":
1. UltraBay Power should be off.
2. Press and hold the "U" button.
3. While pressing the "U" button, press the "Power" button.
4. Release the "U" button after the lights have flashed.
UltraBay is now in update mode. Firmware updates are made available as necessary and can be found at www.tableau.com.

10. Connecting Drives to the UltraBay 3d™ or UltraBay 3™ (µFRED, FREDDIE, FRED, FRED-SR, FRED-RM)

For simplicity “UltraBay” is used below in place of “UltraBay 3d™ / UltraBay 3™”.

Connecting an IDE Drive: The IDE Drive MUST be configured as a Master Device. If the drive has multiple master configurations (i.e. Western Digital drives), it MUST be configured as a Single Master Device. Connect the short IDE data cable and power cable (from the toolbox) between the drive and the UltraBay.

Connecting a SATA Drive: Connect the short SATA data cable and the power cable (from the toolbox) between the drive and the UltraBay.

Connecting a SAS Drive: Connect the short unified SAS / SATA data and power cable (from the toolbox) between the drive and the UltraBay.

Connecting a USB 3.0 / 2.0 / 1.1 Device: USB flash drives may be plugged directly into the USB port. USB enclosures containing a hard drive may also be connected to this port using a USB cable. Improved imaging speeds may be achieved by removing the hard drive from the enclosure and imaging it using the hard drive's "native" interface. A USB 3.0 cable is provided in the toolbox.

Connecting a FireWire 800 / 400 Device: FireWire enclosures may be connected to this port as well as devices designed to operate in "Target Mode" (i.e. some Apple devices). Improved imaging speeds may be achieved by removing the hard drive from the enclosure and imaging it using the hard drive's "native" interface. FireWire adapters and cable are provided in the toolbox.

11. Retractable Ventilated Imaging Shelf (FRED, FRED DX, FRED-SR, FRED-RM)

A custom retractable imaging work shelf is provided with the unit. The shelf is located immediately below the UltraBay. You may pull out this work shelf and use it as a platform to place drives being imaged with the UltraBay. The shelf also incorporates cooling fans which switch on when pulled out.

12. Accessing USB Storage Devices under DOS (µFRED, FREDDIE, FRED, FRED-SR, FRED-RM)

If you wish to make a forensic image of a USB Mass Storage device, you may do so by booting the system to the DOS prompt and loading PDBLOCK. The system BIOS is capable of providing native support (Interrupt 13) to USB storage devices. Here are the steps which will need to be accomplished:

a. FRED should be shut down and powered off
b. Attach the USB Mass Storage device to the system. You may connect the device to the onboard USB connections located on the ATX backplane of the system (µFRED, FREDDIE), the USB / FireWire Combo Hub (FRED, FRED-SR, FRED-RM), or the case front (µFRED)
c. Boot FRED
d. Enter the CMOS setup menu by pressing the [DEL] key as the system boots
e. Locate the setting for boot priority and select the USB device as the 1st device. (Please note that the USB device will not be available unless a USB storage device is attached to the system when booted – Do NOT use the “AUTO” Option)
f. In some instances, it may be necessary to adjust the USB emulation configuration type to HARD DISK. (Please note that this menu option will not be available unless a USB storage device is attached to the system when booted – Do NOT use the “AUTO” Option)
g. Boot to Windows 98 Standalone DOS
h. Select the boot option to load PDBLOCK
i. Image the USB Device (En.exe, SafeBack, DriveSpy, etc)

Once this CMOS option is set, USB Mass Storage Devices can be accessed from a forensically sound operating environment (DOS w/PDBLOCK loaded). DOS based imaging tools will be required in this environment.

13. Power Guidelines (µFRED, FREDDIE, FRED, FRED DX, FRED-SR, FRED-RM)

µFRED: The µFRED system has a standard power supply. A single switch on the front of the case controls all power to the system.

FREDDIE: The FREDDIE system has a fully modular power supply. A single switch on the upper right side of the case controls all power to the system.

FRED, FRED DX, FRED-RM, FRED-SR: The FRED, FRED DX, FRED-RM and FRED-SR systems have a fully modular power supply. A single switch on the top front of the case controls all power to the system.

14. Switching Operating Systems (µFRED, FREDDIE, FRED, FRED DX, FRED-SR, FRED-RM)

Your system is pre-configured to assist you in switching between the bootable partitions during system start up.

15. System Boot Time (µFRED, FREDDIE, FRED, FRED-SR, FRED-RM)

The system is prepared for use on a TCP/IP network. The network card is configured to retrieve its TCP/IP address from a DHCP server on the local network. If the machine is connected to a TCP/IP network without DHCP services, the system may take a longer time to boot (as it looks for DHCP services). If you find this unacceptable in your environment, simply assign a static IP address to the network card or disable TCP/IP services altogether.

16. Reinstallation of the Factory Baseline Windows or Linux System Images (µFRED, FREDDIE, FRED, FRED-SR, FRED-RM)

Your system includes a bootable DVD that will restore the original factory Dual Boot Windows system image as well as the included Linux operating system. The operating system may be reinstalled to the factory baseline by booting to the “Factory Image Restoration DVD”. WIN PE (a bootable Windows environment) will load. Instructions will appear on the Windows Desktop. Read and follow the instructions. This will automatically execute a copy of Ghost from the GHOST directory on this DVD. It is important that you accept the verification prompted by GHOST to keep the partition sizes as displayed.

Note: Any USB storage devices and the Multi Media Card Reader should be removed before booting the Image Restoration DVD. The Drive Bay containing the hard drive to receive the Restore Image should be the ONLY Drive Bay turned on. All other Drive Bays should be turned OFF. On systems with RAID arrays, hard drives should also be removed from the RAID chassis. This prevents restoring the image to the wrong location.

In order for the Operating System partitions to be bootable, they must all start within the first 1023 Cylinders of the drive. GHOST, by default, will attempt to adjust the partition sizes in the image to fill the entire hard drive. The automated DVD installation procedure uses GHOST command line arguments to keep all but the last partition size fixed. The last partition on the drive will be resized to fill the remainder of the drive.

Please refer to the section above titled “Initial System Start-Up” for operations that must be performed after a fresh reinstall of the system.

17. Linux Notes

System Password: The password for the “root” account is “secret”.

Windows and Linux File System Compatibility: Although both Linux and Windows can coexist in the system simultaneously, it should be noted that Windows will experience drive letter assignment problems if the Linux drive is installed in the system at the same time. (Specifically, Windows will inappropriately try to assign a drive letter to the first primary Linux Partition it sees on other drive(s)). This is due to a bug in Windows and you should not try to “prepare” or Format the erroneous drive if the Linux disk is installed in the system at the same time. In order to minimize confusion, consider installing only one drive at a time if you wish to maintain these Operating Systems on separate hard drives.
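The reinstallation notes in section 16 require every Operating System partition to start within the first 1023 cylinders; after a restore this can be confirmed by reading the drive's MBR. The following is an added example, not part of the original document or of Digital Intelligence's tooling. It assumes the common BIOS-translated geometry of 255 heads and 63 sectors per track, and the sample partition table is constructed for illustration, not taken from the factory image.

```python
import struct

SECTOR = 512
HEADS, SPT = 255, 63      # assumption: common BIOS-translated geometry
CYL_LIMIT = 1023          # "first 1023 cylinders" from the restore notes
CYL = HEADS * SPT         # sectors per cylinder (16065)

def parse_mbr(sector: bytes):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": ptype, "start_lba": start_lba, "sectors": count})
    return parts

def start_cylinder(lba, heads=HEADS, spt=SPT):
    """Cylinder number (0-based) that contains the given LBA."""
    return lba // (heads * spt)

def check_boot_limit(sector, heads=HEADS, spt=SPT, limit=CYL_LIMIT):
    """Return (index, type, start cylinder, ok) for each partition.

    ok is True when the partition starts inside the first `limit` cylinders,
    i.e. on cylinder 0 .. limit-1.
    """
    report = []
    for p in parse_mbr(sector):
        cyl = start_cylinder(p["start_lba"], heads, spt)
        report.append((p["index"], p["type"], cyl, cyl < limit))
    return report

def build_sample_mbr(layout):
    """Constructed test data: layout is a list of (type, start_lba, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(layout):
        # CHS fields carry the 0xFE 0xFF 0xFF filler used with LBA addressing
        mbr[446 + 16 * i: 462 + 16 * i] = struct.pack(
            "<B3sB3sII", 0x80 if i == 0 else 0x00, b"\xfe\xff\xff",
            ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed layout: the third partition deliberately starts past the limit.
SAMPLE = build_sample_mbr([
    (0x06, 63, 130 * CYL - 63),       # FAT16, starts on cylinder 0
    (0x07, 130 * CYL, 900 * CYL),     # NTFS, starts on cylinder 130
    (0x83, 1030 * CYL, 2000 * CYL),   # Linux, starts on cylinder 1030
])

if __name__ == "__main__":
    for idx, ptype, cyl, ok in check_boot_limit(SAMPLE):
        verdict = "OK" if ok else "starts beyond the cylinder limit"
        print(f"partition {idx} (type 0x{ptype:02x}) cylinder {cyl}: {verdict}")
```

To check a real drive, pass the first 512 bytes of the disk (or of its forensic image) to `check_boot_limit` in place of `SAMPLE`.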