User’s Guide
Intelligent Computer Solutions
10030 Remmet Avenue
Chatsworth, CA 91311
Rev. 4.3
September 2015
Sales/Technical Support
Phone: 1-818-998-5805
Fax: 1-818-998-3190
E-Mail: sales@ics-iq.com
E-Mail: support@ics-iq.com
Copyright© 2009, Intelligent Computer Solutions. All rights reserved. The Image MASSter® and associated
software are copyrighted and registered in accordance with the laws and regulations of the State of California and
the United States of America. IBM® and OS/2® are registered trademarks of the International Business Machines
Corporation. DOS®, Windows®, Windows NT®, Windows 95/98/2000®, Windows ME®, Windows XP® and
Windows VISTA® are registered trademarks of the Microsoft Corporation. All other brand and product names are
trademarks of their respective owners.
Contents
Features
About this User Guide
Typical Conventions Used
Setup
System Specifications
WipeOut-DoD
WipeOut-Fast
WipeOut-Secure Erase
Partial Wipe with ICS Signature
Hash
Event Log Window
Navigation Bar
Operational Status Information
Station
Speed
Operational Mode
Load Size
Percent Completion
Elapsed Time
Estimated Time Left
Operation Control Functions
Start
Abort
Advanced Operation Settings Menu
Single Capture Settings
Read Back-Verify
Hash Targets
Hashing Methods
Wipe Remainder
Encrypt/Decrypt
WipeOut Settings
Mode
Iterations
Pattern (0-255)
Write ICS Signature
Read Back-Verify
Format Drives Settings
Linux DD Capture Settings
Capture File Size
Custom File Size (MB)
File Name
LinuxDD Hash Settings
LinuxDD or E01 Restore Settings
Hash Settings
Sectors to Hash
E01 Capture Settings
Capture File Size
Custom File Size (MB)
Ex01
File Name
Settings Main Menu
User Interface Culture
Additional Operational Mode Settings
Chapter 1: Introduction
Overview
Designed exclusively for Forensic applications, the ImageMASSter Solo-4 G3 Slim
Forensics system is a versatile, lightweight, portable, high-speed data acquisition
device. The IMSolo-4 G3 Slim Product Line offers a lower and slimmer profile design
than the IMSolo-4 G3 Product Line, with similar features and the same High Speed
support for 6Gb/s SAS-2 and SATA-3 drives. The Suspect’s data can be seized at speeds
exceeding 10GB per minute. Using the unit’s on-the-fly hashing capabilities, the
transferred data can be guaranteed to be an exact replica of the Suspect’s data, without
modification, re-arrangement or corruption. The unit provides Native interface support
for SAS, SATA, eSATA, USB 3.0 and Firewire [1] drives, in addition to supporting P-ATA [2],
including ATA-compatible solid state and flash devices. It provides flexible Capture mode
formats, including “Segmented File” and “Mirror” image formats, and is capable of capturing
two Suspect drives simultaneously. The unit’s advanced touch screen user interface
provides ease of use.
[1] Available only on some models.
[2] Optional P-ATA Adapters required.
Features
High-end Processing Power: The Image MASSter™ Solo-4 G3 Slim Pro Forensic units are
supplied with a powerful INTEL i7™ CPU to handle today’s most demanding Forensic
Acquisition and Analysis tasks. The Image MASSter™ Solo-4 G3 Slim Basic Forensic units are
supplied with a powerful INTEL i3™ CPU.
Advanced SATA-3 Technology: Implements support for 6Gb/s SAS-2 and SATA-3 drives
using 6Gb/s SATA-3 SAS Controller technology. The unit is designed to acquire today’s High
Performance drives and prepares the user with the hardware necessary to take advantage of
tomorrow’s hard drive speed improvements. The unit’s advanced Duplication Technology
provides the capability of performing multiple operations simultaneously. Capture and Wipe
drives with speeds exceeding 20GB/min with a potential of 32GB/min.
Hard Drive Support: Offers native support for SAS, SATA, Firewire and USB 3.0 drives.
Optional adapters are available to support IDE Drives*, Micro SATA*, e-SATA Drives*, 2.5”, 1.8”
IDE Notebook Drives*, ZIF drives*, and Flash media*. The unit ships with expansion ready
hardware to support the Optional PCIe expansion box which can be used to expand the unit’s
capability to support additional drive interfaces such as SCSI and Fiber Channel.
Multiple "Suspect" and Evidence Drive Interface Ports: Provides 2 Native SATA/SAS ports
and 2 USB 3.0 ports dedicated for the Suspect Drive Positions. Both SATA/SAS and USB
Suspect ports can be used simultaneously to capture 4 drives in one operation. Provides 2 Native
SATA/SAS ports and 2 USB 3.0 ports dedicated for the Evidence Drive Positions. The unit is
supplied with an IDE drive adapter for IDE drives. Optional drive adapters are available for 1.8",
2.5" ZIF, proprietary interface/Laptop drives, and Micro Media Cards including Compact Flash,
Memory Sticks, SD, Micro SD and MultiMedia cards. Mixed Drive Interface support allows seizing
data between different drive interface types (i.e., using an IDE "Suspect" drive with a SATA "Evidence"
drive). All "Suspect" Drive ports are permanently write-protected to prevent altering "Suspect"
Drive Data. The Write-Protect properties of the Suspect ports cannot be disabled.
* The IQCopy Option is purchased separately.
Multi-Op Mode: Allows LinuxDD and Single Capture operations to be performed in one
operation using the same Suspect drive.
Multiple Hash Verification Methods: The Image MASSter™ Solo-4 Forensic G3 supports
SHA-1 and SHA-2 Hash Acceleration and Software based MD5 Hashing.
External Storage: Images can be stored externally to a Shared Network folder, e-SATA drive,
USB drive or an ICS DFSS External Storage Module.
Upload and Download Images to Network Storage Area: Image files can be uploaded and
downloaded to a Network Storage Area, allowing the user to take advantage of large storage
platforms for the purpose of processing and archiving images. With the use of the Optional 10
Gigabit Ethernet connection, units can copy and upload at speeds exceeding 4GB/min.
Optional Expansion Box: The Image MASSter™ Solo-4 Forensic G3 is designed with built-in
support to connect the optional Expansion Box module, providing the capability to capture data
from additional devices which have interfaces not natively available on the Image MASSter
Solo-4 Forensic G3 unit. The Expansion Option includes the following hardware:
o SCSI Ultra320 PCI-Express card for connecting SCSI mass storage devices. Solo-4
Forensic G3 can capture 2 SCSI Suspect drives simultaneously.
o PCI-Express to Express Card 34 Reader for connecting a broad range of Express
Card compliant cards**.
* External Multi-Output Power Adapter (not supplied) is required to power the second SCSI drive when
capturing 2 SCSI drives to 2 Evidence drives simultaneously. It is also recommended to use the
External Multi-Output Power Adapter to power two or more external drives connected to the
Expansion Box.
“On the fly” Drive Image Encryption*: Utilizing the built-in AES 256 Encryption Technology,
the Image MASSter™ Solo-4 Forensic G3 encrypts all digital data during the Cloning Process,
with minimal speed degradation, for the purpose of safeguarding sensitive information. The
Image MASSter™ Solo-4 Forensic G3 creates a secure key with a user-chosen pass phrase. An
AES 256 encryption key is then generated by the unit and can be saved to any USB thumb
drive. The encrypted drive can be decrypted on the fly utilizing the Image MASSter™ Solo-4
Forensic G3 or with any PC loaded with the free ICS Decryption utility and the USB thumb drive
containing the saved key.
ICS Digital Forensic Storage Solutions (DFSS): The Image MASSter™ Solo-4 Forensic G3
supports the use of the Optional ICS DFSS Modules to provide additional Storage capacity.
Highlighted: This is a hyperlink, a shortcut link to a referred topic. Select it to jump to the topic.
Use the MS Word Back tool to jump back to the previous location.
Bold: Indicates a screen menu item or function, such as a setting or control button.
Setup
1. Carefully remove the IMSolo-4 G3 Slim Forensics unit from its shipping box.
System Specifications
Supply Voltage:          100 - 240V / 50 - 60 Hz, 400 Watt, Universal Auto-switching input voltage
Power Consumption:       9W
Operating Temperature:   5 degrees - 55 degrees C
Relative Humidity:       20% - 60% non-condensing
Net Weight:              5.35 lbs
Overall Dimensions:      10.5” x 4” x 7.6”
Chapter 2 – Quick Start
4. Attach the ICS supplied SATA/SAS drive data/power cables to the unit’s Suspect
and Evidence connectors (See Fig. 5 through Fig. 9) and to the SATA or SAS drives.
For PATA drives use the supplied ICS SATA-to-PATA Adapter and connect the
supplied PATA data cable’s “Unit Side” connector to the Adapter’s data connector
and the “HDD Side” connector to the drive.
Figure 3: Drive Positions
5. Select the Mode of Operation from the Operations pull down menu.
Figure 4: Drive Selection Panel
6. Select the drives to be used for the selected operation from the Drive Selection
Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using
the CASE INFO screen functions. It is recommended to enable the Hash Targets
function. Selecting Hash Targets will result in the Capture operation generating the
Hash value for the data read from the Suspect drive and the data written to the
Evidence drive. After all the data is written to the Evidence drive, the Capture
operation will generate the Hash value for the data read from the Evidence drive.
Hash values generated during the capture operation are generated for the data
read from the Suspect’s drive, not for the data read from the Evidence (target)
drive, unless the unit is instructed to hash the Evidence drive(s) by enabling the
Hash Targets function.
operation passes or RED if the operation fails. Log files will automatically be stored
internally and can be transferred to external media using the unit’s USB ports,
located on the back of the unit.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using
128-bit password encryption protection, so the Audit Trail contents cannot be
changed. The Company Logo can be added to the Audit Trail PDF by
selecting its location using the "SET AUDIT TRAIL LOGO" function, located in
the LOG menu screen.
The unit can be powered OFF by pressing and releasing the unit’s Power
button, located on the top corner of the unit’s back panel.
Chapter 3: Installation
Hardware Accessories
The following section provides a description of the Hardware Accessories that are
available for the IMSolo-4 G3 Slim Forensics unit.
Figure 5
Hardware Description
This section describes the hardware of the IMSolo-4 G3 Slim Forensics unit.
[3] Available only on some models.
Figure 6: Back View
Figure 7: Left View
Figure 8: Front View
Chapter 4: Operation
User Interface
The IMSolo-4 G3 Slim Forensics provides Windows-based Graphical User Interface
applications, which the user can use to set up and control the unit’s various functions.
All of the unit’s menus and functions are controlled through the unit’s Touch Screen
Display. Screen menu items can be selected by touch or with the included
Touch Screen Stylus Pen. An On-Screen Keyboard is available as an easy method of
entering text. Optionally, an external keyboard, mouse or display can
be connected. The IMSolo-4 G3 unit provides an Advanced Interface Control Console,
which runs at start up and can also be activated from the Windows START/PROGRAMS
menu or by selecting the IMSolo-4 G3 application’s Desktop Shortcut ICON. The
Advanced Interface screens are available to customize operations. Multiple instances
of the IMSolo-4 G3 application can be activated to allow multiple operations to be
performed simultaneously.
Figure 9 (callouts: Non-Active Drive Panel, Event Log Window, Operation Mode Select Menu,
Navigation Bar, Operational Status Information)
The IMSolo-4 G3 Slim Forensics Advanced Drive Detect Menu provides a list of the detected drives
and allows detected drives to be configured as active or inactive drives. The menu screen also allows
drives connected in Evidence positions to be configured as Suspect Drives. The menu is displayed by
selecting the Detection Tab from the Advanced Interface Control Console. The available
Advanced Drive Detect Menu functions are described in the following section.
NOTE: The Drive Select menu provides a power indicator for each drive position.
The indicator will be GREY prior to drive detection, GREEN if the drive is
detected or the operation passed, and RED if the drive is not detected or if
the operation was not successful.
Detect Drives
Select the Detect Drives Button to turn ON and detect the selected drive(s).
Remove Drives
Select Remove Drives to turn OFF and remove the selected drive(s).
Figure 10
Browse
Select Browse to select the Shared Folder Location.
[4] The Detect Remote Drives Option requires purchase.
NOTE: Drives can be manually transferred between Drive Panels by selecting and
“dragging” the listed drive using the Touch Screen or using an attached mouse.
Suspect’s Drives cannot be moved to Evidence locations.
Single Capture
The Single Capture operational mode will seize the entire contents of the Suspect’s
drive to the Evidence drive. The operation will create an exact duplicate of all of the
Suspect drive’s partitioned and un-partitioned areas, as well as all used and unused
sectors on the Suspect’s drive. The process of acquiring the data from the
Suspect’s drive is methodical and contiguous, beginning from the first byte of the
first sector on the drive, and ending on the last byte of the last sector of the drive.
The data is copied to the corresponding sector on the Evidence drive. Only one
seizure operation can be performed to the same Evidence drive. See Single
Capture Settings for more details.
LinuxDD Capture
The LinuxDD Capture Mode will copy the entire contents of the Suspect’s drive to
the Destination drives. The data will be written as individual segmented LinuxDD
files and stored in an individual subdirectory on the Destination drive(s). The size of
the individual LinuxDD files can be set by selecting a value within the Capture File
Size pull down menu. The default setting is 650MB (CD). The File Name
information entered by the user will be used as the name of the subdirectory where
the Suspect’s LinuxDD files will be stored. This File Name will also be used as the
filename of all LinuxDD files associated with this seizure. The Linux DD files will
begin with the extension 000, which is incremented by 1 for each additional file.
The Destination drive will be inspected prior to transferring data. The operation will
verify that the first partition on the Evidence drive is based on the exFAT or NTFS File
System and has “EVIDENCE” as the volume label. A Destination drive that
meets these criteria is a valid Destination drive: a new subdirectory will be
created, and the transfer will begin. A Destination drive that fails these criteria will
cause the user to be prompted with a message asking whether or not to overwrite
the current contents of the Destination drive in order to make it a valid LinuxDD
Destination drive. The operation will abort unless the user agrees to overwrite the
Destination drive.
Any number of “Loads” can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
LinuxDD Capture Settings for more details.
o The drive connected to the last Evidence drive position will be configured
using the Single Capture format. The remaining Evidence drive(s) will be
configured with the LinuxDD Capture format.
LinuxDD Restore
This function allows restoring the captured LinuxDD formatted Case to its original file
format. This function requires the LinuxDD drive, containing the LinuxDD Case files,
to be connected to one of the unit’s Suspect positions and the “Destination” drive to
be connected to the unit’s Evidence position.
LinuxDD Hash
This function will generate a Hash value for the selected LinuxDD Case. The
LinuxDD drive can be connected to either the Suspect or Evidence position.
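The following is an added example, not ICS code and not part of the original guide. It shows how a LinuxDD case can be re-hashed on an analysis workstation: it orders the .000, .001, ... segments described under LinuxDD Capture, refuses gaps or truncated segments, and hashes the concatenation so the result can be compared with the value the unit logged. The function names, the three-digit extension pattern and the equal-segment-size check are assumptions.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption: segments carry a three-digit numeric extension (.000, .001, ...).
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<index>\d{3})$")


def list_segments(case_dir, file_name):
    """Return the segment files of one case in capture order.

    Raises if no segment exists, if the numbering has gaps, or if a segment
    other than the last differs in size from the first (truncated copy).
    """
    found = {}
    for path in Path(case_dir).iterdir():
        match = SEGMENT_RE.match(path.name)
        if path.is_file() and match and match["stem"] == file_name:
            found[int(match["index"])] = path
    if not found:
        raise FileNotFoundError(f"no {file_name}.NNN segments in {case_dir}")
    missing = sorted(set(range(max(found) + 1)) - set(found))
    if missing:
        raise ValueError(f"missing segment numbers: {missing}")
    ordered = [found[i] for i in range(len(found))]
    # Assumption: every segment except the last has the configured file size.
    sizes = [p.stat().st_size for p in ordered]
    odd = [p.name for p, s in zip(ordered[:-1], sizes[:-1]) if s != sizes[0]]
    if odd:
        raise ValueError(f"segments with unexpected size: {odd}")
    return ordered


def hash_case(case_dir, file_name, algorithms=("md5", "sha1", "sha256"),
              chunk=1 << 20):
    """Hash the concatenation of all segments, i.e. the captured drive data.

    Returns (total_bytes, {algorithm: hex digest}). All digests are computed
    in a single read pass over the segments.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for segment in list_segments(case_dir, file_name):
        with open(segment, "rb") as handle:
            for block in iter(lambda: handle.read(chunk), b""):
                total += len(block)
                for digest in digests.values():
                    digest.update(block)
    return total, {name: d.hexdigest() for name, d in digests.items()}


def verify_case(case_dir, file_name, algorithm, expected_hex):
    """Compare the recomputed digest with the value recorded at acquisition."""
    _, digests = hash_case(case_dir, file_name, algorithms=(algorithm,))
    return hmac.compare_digest(digests[algorithm], expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample: a 2,560-byte "drive" split into 1,000-byte segments.
    drive = bytes(range(256)) * 10
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(0, len(drive), 1000):
            Path(tmp, f"CASE01.{i // 1000:03d}").write_bytes(drive[i:i + 1000])
        size, result = hash_case(tmp, "CASE01", algorithms=("sha256",))
        print(size, result["sha256"])
        print(verify_case(tmp, "CASE01", "sha256",
                          hashlib.sha256(drive).hexdigest()))
```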
E01 Capture
The E01 Capture Mode will capture the entire contents of the Suspect’s drive to the
Destination drives using Guidance Software’s EnCase® Forensic format. The data
will be written as individual segmented EnCase® formatted files and stored in an
individual subdirectory on the Destination drive(s). The size of the individual E01
files can be set by selecting a value within the Capture File Size pull down menu.
The default setting is 650MB (CD). The EnCase® format limits the File Size to 2GB.
The File Name information entered by the user will be used as the name of the
subdirectory where the Suspect’s files will be stored. This File Name will also be
used as the filename of all files associated with this seizure. The E01 files will begin
with the extension E01, which is incremented by 1 for each additional file. The
Compression Level can be set as “Disabled”, “Minimum” or “Maximum”.
The Destination drive will be inspected prior to transferring data. The operation will
verify if the first partition on the Evidence drive is based on the exFAT or NTFS File
System and will have “EVIDENCE” as the volume label. Otherwise, the operation
will prompt the User that the Evidence drive will be overwritten.
Any number of “Loads” can be placed on the same Destination drive provided there
is adequate space to save the transferred data on the Destination drive. See
E01 Capture Settings for more details.
NOTE: The E01 Capture Mode will result in reduced transfer rates when compared
with other Capture Modes.
o The drive connected to the last Evidence drive position will be configured
using the Single Capture format. The remaining Evidence drive(s) will be
configured with the E01 Capture format.
E01 Restore
This function allows restoring the captured E01 formatted Case to its original file
format. This function requires the E01 drive, containing the E01 Case files, to be
connected to one of the unit’s Suspect positions and the “Destination” drive to be
connected to the unit’s Evidence position.
E01 Hash [5]
This function will generate a Hash value for the selected E01 Case. The E01 drive
can be connected to either the Suspect or Evidence position.
Format Drives
This function can be used to quickly format drives as exFAT or NTFS drives, if
necessary.
[5] Pending development as of release of this document (11/09).
WipeOut-DoD
The WipeOut DoD Operational mode provides a method of sanitizing a drive that
meets the U.S. Department of Defense specification DoD 5220.22-M for sanitizing
drives. After ordinary “DELETE” and “ERASE” commands, data on a hard drive
remains accessible to a variety of intrusive procedures. The WipeOut DoD erasure
technique provides a solution to this problem using a series of null-coded overwrites
that completely remove all data from the hard drive. The process is performed in
three iterations followed by two individual passes, and completely overwrites the drive
connected to the internal drive position. Each iteration makes two write-passes over
the entire drive. The first pass writes ONEs (Hex 0xFF) over the entire drive
surface. The second pass writes ZEROes (Hex 0x00) over the entire drive surface.
After the third iteration, a seventh pass writes the government designated code “246”
(Hex 0xF6) across the entire drive surface, which is then followed by an eighth pass
that inspects the drive with a Read-Verify review.
WipeOut-Fast
The Wipeout Fast Operational mode provides a quick non-DoD method of sanitizing
a drive of all previously stored data. The process involves writing a user defined hex
pattern to the drive connected in the Target drive position, for a number of user
defined iterations. The process is methodical and contiguous, beginning from the
first byte of the first sector on the drive, and ending on the last byte of the last sector
of the drive.
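The following is an added example, not the unit's firmware and not part of the original guide. It reproduces the pass sequence described for WipeOut-DoD (three 0xFF/0x00 iterations, a 0xF6 pass, then a Read-Verify pass) and the single-pattern WipeOut-Fast variant against any seekable binary object, and reports the offset of the first byte that survived. Function names and the chunk size are assumptions; the sample "drive" is a constructed in-memory buffer.

```python
import io

DOD_FINAL = 0xF6  # the "246" code written by the seventh pass


def dod_pass_plan(iterations=3):
    """Byte patterns of the write passes: (0xFF, 0x00) per iteration, then 0xF6."""
    plan = []
    for _ in range(iterations):
        plan += [0xFF, 0x00]
    plan.append(DOD_FINAL)
    return plan


def write_pass(dev, size, pattern, chunk=1 << 20):
    """Overwrite bytes 0..size-1 of dev with one byte pattern, first to last."""
    if not 0 <= pattern <= 255:
        raise ValueError("pattern must be in the range 0-255")
    buf = bytes([pattern]) * chunk
    dev.seek(0)
    remaining = size
    while remaining:
        step = min(chunk, remaining)
        dev.write(buf[:step])
        remaining -= step
    dev.flush()


def read_verify(dev, size, pattern, chunk=1 << 20):
    """Return the offset of the first byte that is not `pattern`, or None.

    A short read (device smaller than `size`) is reported as a failure at
    the offset where the data ended.
    """
    dev.seek(0)
    offset = 0
    while offset < size:
        block = dev.read(min(chunk, size - offset))
        if not block:
            return offset
        if block.count(pattern) != len(block):
            # Leading bytes that match are stripped; what is left starts at
            # the first mismatching byte.
            return offset + len(block) - len(block.lstrip(bytes([pattern])))
        offset += len(block)
    return None


def wipeout_dod(dev, size):
    """Seven write passes followed by the eighth, read-verify pass."""
    for pattern in dod_pass_plan():
        write_pass(dev, size, pattern)
    return read_verify(dev, size, DOD_FINAL)


def wipeout_fast(dev, size, pattern, iterations):
    """User-defined pattern written for a user-defined number of iterations."""
    for _ in range(iterations):
        write_pass(dev, size, pattern)
    return read_verify(dev, size, pattern)


if __name__ == "__main__":
    # Constructed sample: an 11,000-byte buffer standing in for a drive.
    drive = io.BytesIO(b"secret data" * 1000)
    size = len(drive.getvalue())
    print("DoD verify:", wipeout_dod(drive, size))        # None means clean
    drive.seek(4321)
    drive.write(b"\x00")                                   # simulate a bad sector
    print("first bad offset:", read_verify(drive, size, DOD_FINAL))
```

The verify pass only covers sectors the host can address; it says nothing about remapped sectors or flash over-provisioning.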
Hash
The Hash operation provides a method of generating a hash value for either the
entire area of a drive or for a selected number of sectors of a drive. No data is
written to the selected drives during this operation. When hashing the entire drive
the process is methodical and contiguous, beginning with the first sector on the drive
and ending with the last sector of the drive. See Hash Settings for more details.
Navigation Bar
The Navigation Bar menu provides the user with functions to select the various User
Interfaces and IM support functions.
Advanced Screen
Provides access to the Advanced User Interface Screen functions. These functions include
access to advanced settings and advanced operational modes.
Operator Screen
Provides access to the Operator User Interface Screen functions. Allows the Operator to start or
abort common operations.
Keyboard
Selecting this function results in starting a new session of the IMSolo-4 G3 Slim Forensics Wizard
Interface Control Console. Multiple sessions allow more than one operation to be performed
simultaneously.
Explorer
Exit
Terminates the active visible session. The function automatically releases all detected drives before
exiting the session.
About
Selecting About, displays information about the IMSolo-4 G3 Slim Forensics unit,
such as serial number and software version in use.
Operational Status Information: Station, Speed, Operational Mode, Load Size,
Percent Completion, Elapsed Time, Estimated Time Left
Station
Displays the Computer Name of the IMSolo-4 G3 Slim Forensics unit.
Speed
The Speed field displays the average transfer rate in megabytes per minute.
Operational Mode
Displays the selected Operational Mode.
Load Size
The Load Size field displays the total data required to be transferred.
Percent Completion
Displays the percent of completion for the active operation.
Elapsed Time
Refers to the time elapsed during an operation. This field will also display the
total elapsed time at the end of an operation.
Operation Control Functions: Start, Abort
Start
Selecting Start will instruct the Control Console to turn ON the drives and begin
the selected operation.
Abort
Selecting Abort will instruct the Control Console to turn OFF the drives and
terminate the selected operation.
Figure 11 (callouts: Read Back-Verify, Hash Targets, Hashing Methods,
Encryption/Decryption, Wipe Remainder)
Read Back-Verify
Provides additional data integrity checks during data transfers. When Read Back-
Verify is selected, the operation verifies each block of data transferred during the
data transfer process: data written to the Evidence drive is read back and
compared to the data read from the Suspect’s drive. Enabling this option
reduces the transfer rate. When this option is disabled, the data transfer
process relies on the drive's own Ultra DMA Mode error-detection handling
mechanism, known as cyclical redundancy checking (CRC-16), to check for Data
Integrity. In most cases the CRC-16 error checking algorithm is sufficient. CRC is
an algorithm that calculates an order- and value-sensitive checksum used to detect
errors in a stream of data. Both the Suspect’s drive and the Evidence drives
calculate a CRC value for each Ultra DMA burst. After the Suspect’s data is sent,
the Evidence drive calculates a CRC value and this is compared to the original
Suspect’s CRC value. If a difference is reported, the unit may be required to select
a slower transfer mode and re-try the original request for data. The transfer rate is
not affected when using the drive’s CRC-16 mechanism for checking data
integrity.
Hash Targets
The Hash Targets function provides a method of generating Hash values for the
Source drive’s data and for the data written to the Target drives, in the same
operation. The data is read back and hashed from the target drive(s) after each
transferred block. Since data is read back during the operation the average transfer
rate will decrease and the total time of completion will increase when this function is
enabled.
Hashing Methods
The Hashing Methods menu selection provides the user with a list of different Hash
Algorithms to generate a Hash value for the Source drive’s data. Hashing is a
process that calculates a "unique signature" value for the contents of an entire drive.
CRC32
Selecting CRC32 will result in the operation generating the CRC32 32-bit hash
value for the data read from the source drive(s). Selecting the Hash
Targets function will result in the operation generating the CRC32 Hash values for
the data read from the Source drive and the data written to the Target drive.
MD5
Selecting MD5 will result in the operation generating the MD5 128-bit hash value
for the data read from the source drives. Selecting the Hash Targets function will
result in the operation generating the MD5 Hash values for the data read from the
Source drive and the data written to the Target drive.
SHA-1
Selecting SHA-1 will result in the operation generating the SHA-1 160-bit hash
value for the data read from the source drives. Selecting the Hash Targets
function will result in the operation generating the SHA-1 Hash values for the data
read from the Source drive and the data written to the Target drive.
NOTE: The SHA-1 Hash function uses Hardware Acceleration for calculations and
therefore effects on transfer rates are limited.
SHA-2 (224,384,256,512)
Selecting SHA-2 (224,384,256,512) will result in the operation generating the
SHA-2 (224,384,256,512)-bit hash value for the data read from the source drives.
Selecting the Hash Targets function will result in the operation generating the
Hash values for the data read from the Source drive and the data written to the
Target drive.
NOTE: The SHA-2(256) Hash function uses Hardware Acceleration for
calculations and therefore effects on transfer rates are limited.
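What Hash Targets adds over a source-only hash, shown as an added example that is not ICS code: a block-wise copy that always hashes the source and, when asked, also hashes the data read back from the target after each block. The `capture` function, the `FlakyTarget` fault injector, the SHA-256 default and the sample data are assumptions made for this illustration; the 1280-sector block is the figure the guide gives under Skip Block.

```python
import hashlib
import io
import zlib

SECTOR = 512
BLOCK = 1280 * SECTOR   # assumed transfer block: 1280 sectors, per the Skip Block text


class FlakyTarget:
    """Constructed stand-in for a target drive that flips one bit on write."""

    def __init__(self, corrupt_offset):
        self._buf = io.BytesIO()
        self.corrupt_offset = corrupt_offset

    def tell(self):
        return self._buf.tell()

    def seek(self, pos):
        return self._buf.seek(pos)

    def read(self, n):
        return self._buf.read(n)

    def write(self, data):
        start = self._buf.tell()
        if start <= self.corrupt_offset < start + len(data):
            damaged = bytearray(data)
            damaged[self.corrupt_offset - start] ^= 0x01   # silent single-bit error
            data = bytes(damaged)
        return self._buf.write(data)


def capture(source, target, algorithm="sha256", hash_targets=False):
    """Copy source to target one block at a time.

    The source hash (and a CRC32) is always computed from the data read.
    With hash_targets=True each block is read back from the target after it
    is written and fed to a second hash, as the Hash Targets text describes.
    """
    src_hash = hashlib.new(algorithm)
    tgt_hash = hashlib.new(algorithm) if hash_targets else None
    src_crc = 0
    first_bad_block = None
    index = 0
    while True:
        block = source.read(BLOCK)
        if not block:
            break
        src_hash.update(block)
        src_crc = zlib.crc32(block, src_crc)
        offset = target.tell()
        target.write(block)
        if hash_targets:
            target.seek(offset)
            readback = target.read(len(block))   # leaves position at end of block
            tgt_hash.update(readback)
            if readback != block and first_bad_block is None:
                first_bad_block = index
        index += 1
    return {
        "source": src_hash.hexdigest(),
        "source_crc32": format(src_crc, "08x"),
        "target": tgt_hash.hexdigest() if hash_targets else None,
        "first_bad_block": first_bad_block,
    }


def sample_image():
    """Constructed source data: three full blocks plus a short final block."""
    return bytes(range(256)) * (BLOCK // 256) * 3 + b"tail" * 100


if __name__ == "__main__":
    image = sample_image()
    for label, hash_targets in (("source hash only", False), ("Hash Targets on", True)):
        result = capture(io.BytesIO(image), FlakyTarget(BLOCK + 10),
                         hash_targets=hash_targets)
        print(label, result)
```

With the source-only run the reported hash is correct for the source even though the copy is damaged; only the read-back hash exposes the mismatch and the block where it occurred.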
Wipe Remainder
The Wipe Remainder function instructs the capture operation to wipe (erase)
remaining sectors after a capture operation is performed, if the Evidence drive is
larger than the Suspect’s drive.
Encrypt/Decrypt
The Encrypt/Decrypt menu selection provides the user with the functions and
settings necessary to configure an operation to Encrypt or Decrypt captured data.
Figure 12
Load Key
Provides the function to allow the User to select and load the Encryption Key which
can be used to Decrypt the Evidence drive’s Encrypted data.
NOTE: For compatibility with the IMSolo-III Encryption and ICS DiskCypher hardware, choose 192
as the AES Key Length and ECB as the AES Mode.
WipeOut Settings
The WipeOut Settings menu provides the Operator with a list of settings available for
the selected operation. The menu is selected when the Operational Mode is selected
from the Operational Mode Select Menu.
User
DoD
Secure Erase
Partial Wipe with ICS Signature
Iterations
Pattern (0-255)
Read Back-Verify
Write ICS Signature
Figure 13
Mode
The WipeOut Mode provides the Operator with two methods of sanitizing drives.
User
The Wipeout User option provides a quick non-DoD method of sanitizing a
drive of all previously stored data. The process involves writing a user
defined pattern to the drive connected in the Target drive position, for a
number of user defined drive passes (iterations). The process is methodical
and contiguous, beginning from the first byte of the first sector on the drive,
and ending on the last byte of the last sector of the drive.
Iterations
Allows the Operator to define the number of WipeOut-User iterations or
passes to perform. Selecting 0 instructs the operation to sanitize the drive in
one pass.
Pattern (0-255)
Allows the Operator to define the WipeOut-User Pattern to be used to sanitize
the Target drive(s). The available range is 0-255.
DoD
The Wipeout DoD function provides a method of sanitizing a drive that meets
the U.S. Department of Defense specification DOD 5220-22M for sanitizing
drives.
The operation is performed in three iterations and two individual passes that
completely overwrite the destination drives. Each iteration makes two write-
passes over the entire drive. The first pass writes ONEs (Hex 0xFF) over the
entire drive surface. The second pass writes ZEROes (Hex 0x00) over the
entire drive surface. After the third iteration, a seventh pass writes the
government designated code “246” (Hex 0xF6) across the entire drive
surface, which is then followed by an eighth pass that inspects the drive with
a Read-Verify review.
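The pass sequence described above, as an added example that is not ICS code: seven write passes followed by a read-verify pass, run against an in-memory device. The function names, the chunk size and the `StuckRegionDevice` fault injector (a region that silently drops writes) are assumptions made for the illustration.

```python
import io

# Passes 1-7 as the guide lists them: three iterations of 0xFF then 0x00,
# followed by the final 0xF6 ("246") pass.
DOD_WRITE_PASSES = [0xFF, 0x00] * 3 + [0xF6]
CHUNK = 64 * 1024   # assumed I/O size for the example


class StuckRegionDevice:
    """Constructed test device: writes landing in [start, end) are dropped."""

    def __init__(self, initial, start, end):
        self._data = bytearray(initial)
        self._pos = 0
        self._stuck = range(start, end)

    def seek(self, pos):
        self._pos = pos

    def write(self, data):
        for i, byte in enumerate(data):
            if self._pos + i not in self._stuck:
                self._data[self._pos + i] = byte
        self._pos += len(data)
        return len(data)

    def read(self, n):
        chunk = bytes(self._data[self._pos:self._pos + n])
        self._pos += len(chunk)
        return chunk


def write_pass(dev, size, value):
    """Overwrite the whole device, first byte to last, with one byte value."""
    dev.seek(0)
    pattern = bytes([value]) * CHUNK
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        dev.write(pattern[:n])
        done += n


def read_verify(dev, size, value):
    """Pass 8: return the offset of the first byte that is not `value`, else None."""
    dev.seek(0)
    done = 0
    while done < size:
        data = dev.read(min(CHUNK, size - done))
        if not data:
            return done   # short read: device ended before `size`
        if data.count(value) != len(data):
            return done + next(i for i, b in enumerate(data) if b != value)
        done += len(data)
    return None


def dod_wipe(dev, size):
    """Run the seven write passes, then verify the final pattern."""
    for value in DOD_WRITE_PASSES:
        write_pass(dev, size, value)
    return read_verify(dev, size, DOD_WRITE_PASSES[-1])


if __name__ == "__main__":
    old = b"CASE-DATA " * 15000          # constructed "previous contents"
    print("healthy device:", dod_wipe(io.BytesIO(old), len(old)))
    print("stuck region:  ", dod_wipe(StuckRegionDevice(old, 70000, 70512), len(old)))
```

The second run shows why the eighth pass matters: the write passes report no error, and only the read-back locates the bytes that still hold old data.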
Secure Erase
The WipeOut-Secure Erase option uses the drive’s own built-in firmware
“Secure Erase” function to erase data. The WipeOut-Secure Erase option
offers two modes, which are automatically selected if the drive supports
them: Normal Erase and Enhanced Erase. Normal Erase will erase drives
using the 0x00 pattern. The Enhanced Erase mode will erase drives with a
predetermined pattern and will clear Relocation List Sectors.
NOTE: Not all drives provide support for the Secure Erase command.
Secure erase is recognized by NIST 800-88 as an effective and
secure way to meet legal data sanitization requirements.
Partial Wipe with ICS Signature
Performs a partial Wipe of the Evidence drive and writes an ICS signature.
Read Back-Verify
Use Link for previous description.
Figure 14
Figure 15
File Name
The File Name entry will be used as the name for the LinuxDD subdirectory, where
the individual LinuxDD files will be stored. This File Name will also be used as the
name of all LinuxDD files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default LinuxDD
file name referenced as “CASE<DATE><TIME>.”
Hash Methods
File Name
Encryption/Decryption
Figure 16
Hash Methods
File Name
Read Back-Verify
Hash Targets
Encryption/Decryption
Figure 17
Figure 18
Hash Settings
The Hash Settings menu provides the Operator with a list of settings available for the
selected operation. The menu is selected when the Operational Mode is selected from the
Operational Mode Select Menu.
Sectors to Hash
Hash Methods
Encryption/Decryption
Figure 19
Sectors to Hash
Allows the Operator to define the number of sectors to hash. The default value of 0 will instruct the
Hash operation to hash the entire drive.
Figure 20
Ex01
Instructs the operation to use the Ex01 format instead of the E01 format.
File Name
The File Name will be used as the name for the E01 Case subdirectory, where the
individual E01 files will be stored. This File Name will also be used as the name of
all E01 files associated with the selected operation.
NOTE: If the File Name field is left blank, the operation will use a default E01 file
name referenced as “CASE<DATE><TIME>.”
Figure 21
Read Back-Verify
Skip Block
When enabled, the bad sector handling process time is reduced by skipping the
entire transferred block in which the bad sector was encountered. Each transferred
block is composed of 1280 sectors. When the block is skipped it results in writing
‘0’s to Evidence drive’s corresponding block. This process is significantly faster but
would not capture any data that may exist in any of the good sectors of the block(s)
containing bad sectors.
Skip Sector
The operation will log the location of the bad sector on the source drive and the bad
sector will be skipped.
Abort drive
The operation will abort when encountering a bad sector on the source drive.
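How the three bad-sector settings change what ends up in the image, as an added example that is not ICS code. The `SourceDrive` model, the `acquire` function and the policy names are assumptions made for the illustration, as is zero-filling a skipped sector (the guide only states zero fill for Skip Block); the 1280-sector block size is taken from the text above.

```python
SECTOR = 512
BLOCK_SECTORS = 1280   # sectors per transferred block, as stated in the guide


class BadSector(Exception):
    def __init__(self, lba):
        super().__init__(f"unreadable sector at LBA {lba}")
        self.lba = lba


class SourceDrive:
    """Constructed in-memory source drive with a fixed set of unreadable LBAs."""

    def __init__(self, total_sectors, bad_lbas):
        self.total = total_sectors
        self.bad = frozenset(bad_lbas)

    def sector(self, lba):
        # Non-zero, LBA-dependent content so zero fill is distinguishable.
        return (lba + 1).to_bytes(8, "little") * (SECTOR // 8)

    def read(self, lba, count):
        out = bytearray()
        for cur in range(lba, lba + count):
            if cur in self.bad:
                raise BadSector(cur)
            out += self.sector(cur)
        return bytes(out)


def acquire(drive, policy):
    """Image the drive block by block under one bad-sector policy."""
    if policy not in ("skip_block", "skip_sector", "abort"):
        raise ValueError(f"unknown policy: {policy}")
    image = bytearray()
    bad_log = []
    for start in range(0, drive.total, BLOCK_SECTORS):
        count = min(BLOCK_SECTORS, drive.total - start)
        try:
            image += drive.read(start, count)
        except BadSector as err:
            if policy == "abort":
                return {"completed": False, "image": bytes(image), "bad_log": [err.lba]}
            if policy == "skip_block":
                # Whole block becomes zeros; only the first failure is known.
                bad_log.append(err.lba)
                image += bytes(count * SECTOR)
            else:
                # skip_sector: retry the block one sector at a time.
                for lba in range(start, start + count):
                    try:
                        image += drive.read(lba, 1)
                    except BadSector:
                        bad_log.append(lba)
                        image += bytes(SECTOR)   # assumed zero fill
    return {"completed": True, "image": bytes(image), "bad_log": bad_log}


def readable_sectors_lost(drive, image):
    """Count sectors the drive could read but the image does not contain."""
    lost = 0
    for lba in range(len(image) // SECTOR):
        got = image[lba * SECTOR:(lba + 1) * SECTOR]
        if lba not in drive.bad and got != drive.sector(lba):
            lost += 1
    return lost


if __name__ == "__main__":
    drive = SourceDrive(5220, {1500, 1501, 4000})   # constructed sample drive
    for policy in ("skip_block", "skip_sector", "abort"):
        result = acquire(drive, policy)
        print(policy, result["completed"], result["bad_log"],
              readable_sectors_lost(drive, result["image"]))
```

On this sample, three bad sectors cost 2557 readable sectors under Skip Block and none under Skip Sector, and the Skip Block log never records LBA 1501 because the block is abandoned at the first failure.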
Start View
The Start View menu provides optional Start Up View options.
Operator Screen
Instructs the unit to Start Up using the Operator Interface Control Console. The
Operator Interface provides all the functions and controls necessary to start or stop
the operations pre-selected using the Wizard Interface or Advanced Interface. It
provides the user with a graphical view of the Source and Target drive positions and
the ability to change the active drive(s) for the selected operation.
Advanced Screen
Instructs the unit to Start Up using the Advanced Interface Control Console. The
Advanced Interface provides all the functions and controls necessary to setup,
customize and perform the unit’s common and advanced IT operations.
Figure 22
Auto
Automatically selects Drive Detection method based on the hardware detected. This
mode will automatically select Fast Detection for the IMSolo-4 G3 Slim Forensics
systems.
Fast Detection
Selects use of the Fast Detection method to detect drives. This method identifies
the drive by the SAS/S-ATA controller’s physical address location used by polling
the drive. It is the quickest method to detect drives.
Sequential Detection
Selects the Sequential Detection method to detect drives. This method identifies the
drive by sensing the drive’s “current load”. The selected drives are detected in turn
by powering Up the individual drive and then waiting for each individual drive to be
detected before powering Up the next selected drive. This method is slower than
the Fast Detection method to detect drives.
Wait Time Between Powering Up Each Drive and Starting Drive Detection
This is the time allocated after powering Up each drive, and before checking the
controller and O/S for detected drives. The default value is 20 seconds.
NOTE: Some drives may take longer to be discovered by the O/S. This setting
limits the wait time.
NOTE: Calibration would only be necessary if the unit can no longer detect
drives.
Figure 23
Hash Advisory
When enabled, this function will prompt the User if the Hash Method is not enabled.
Confirm Drives
When enabled, this function will prompt the User if the operation should proceed with
the detected drives.
NOTE: Exit all applications which may be using the drives prior to manually
powering OFF the drives.
Auto Run
Instructs the selected Operation to continuously run until the Operation is manually
aborted. This function can be used to test drives or the unit’s hardware.
Figure 24
Speed Threshold
Minimum transfer rate accepted before the drive is aborted. The decision to abort a
drive is based on the individual drive speed and not on the average speed of the
process.
Speed Optimization
Used to obtain optimal transfer rates.
Fan Control
Controls Drive Bay Fan Speeds.
Enable IMAccess
Provides function for proprietary 3rd Party applications to access USB drive volumes
connected in the unit’s general purpose USB ports.
Figure 25
Figure 26
Apply
Applies the selected Drive Property settings.
Refresh
Selecting Refresh displays the drive properties of the currently selected drive.
Advanced HPA/DCO Menu
The IMSolo-4 G3 Slim Forensics Advanced HPA Menu provides the functions to view
and modify the drive’s Host Protected Area (HPA) and Device Configuration Overlay
(DCO) Capacity feature set. The menu is displayed by selecting the HPA Tab from the
Advanced Interface Control Console. The descriptions of the available HPA Menu
Settings are discussed in the following section.
Protected Area Type
Protected Area Support
Set Capacity
Reset
New Capacity
Volatile
Figure 27
Protected Area Support
When selected, this function instructs the selected Operation to determine if a Suspect’s
drive is configured with an HPA or DCO Area. If an HPA or DCO area exists on a
Suspect’s drive, the Operation will seize all of the drive’s data, including the data stored in
the drive’s HPA or DCO area.
New Capacity
Value in sectors which will define the drive’s programmed HPA or DCO capacity.
Current Capacity
Displays drive’s current DCO or HPA programmed capacity in sectors.
Native Capacity
Displays drive’s Native capacity in sectors.
Set Capacity
Provides the function to program the Evidence drive’s capacity using the HPA or DCO
User Defined values.
Reset Capacity
Provides the function to reset the Evidence drive’s capacity to its Native Capacity.
Volatile
Instructs the Set Capacity function to modify the drive’s capacity only when the drive is
power cycled.
Advanced LOG Menu
The IMSolo-4 G3 Slim Forensics LOG Menu provides the functions for viewing, transferring and printing
Event Log and Audit information. The menu is displayed by selecting the LOG Tab from the Advanced
Interface Control Console. Event Log and Audit files are automatically stored in the unit’s local file
folder. Files are stored using a DATE_TIME.TXT naming convention. The Audit Trail file will be
referenced as such. The descriptions of the available LOG functions are discussed in the
following section.
Print Logs
Copy Logs
Open Log Folder
Set Audit Trail Logo
Figure 28
Print Logs
Provides the functions to print Event Log files and Audit Trail Log files to a connected
printer.
Copy Logs
Provides the function to copy Event Log files and Audit Trail Log files to an external
device.
Disable Password
Figure 29
Disable Password
Provides the function to Disable the drive’s User Password. It may be necessary to
Disable the “ics” password which is set on the drive during Secure Erase if the operation
is aborted prior to completion. If the User Password is not reset, the drive will block
Read and Write commands.
NOTE: It is not necessary to disable the drive’s User Password if Secure Erase is used
to erase the drive.
Chapter 5:
Operational Procedures
NOTE: To configure the Capture Operation to verify the location of the Suspect Drive,
refer to the section titled “Verify Location of Suspect Drive Configuration”
NOTE: By default, all ports including the dedicated Evidence drive ports are Write-
Protected. The Write-Protection feature of all Evidence drive ports will
automatically be disabled if the selected operational mode requires writing to the
Evidence drive(s).
Common Settings
Table 2
Menu Item Setting
5. Removing Drives
The Drive Select menu provides a power indicator for each drive position. The
indicator will be GREY prior to drive detection, GREEN if the drive is detected or
if the operation passed, and RED if the drive is not detected or if the operation
was not successful. Drives are powered OFF after an operation completes.
Drives can be physically removed after an operation completes and the drive is
removed from its assigned Active Drive Status Panel.
6. Follow the Operational Procedure instructions, in this chapter for the required
operation.
Capturing Drives using Single Capture Mode
The following section describes the procedure to use the Single Capture
mode for Capturing Suspect’s data from drive(s) that have been removed
from their PC or Notebook.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture”
sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The port’s Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
3. Select Single Capture from the Operation pull down menu, located in the Main Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 3 for recommended settings.
5. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
6. Select CASE INFO from the Main Screen and enter the required information.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels. The Suspect drive should be listed in the Source Drive panel’s
list, and the Evidence drive should be listed in the Destination Drives panel’s list.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-4 G3 Forensic
Capture application and follow steps 2 through 9.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
Capturing using LinuxDD Capture Mode
The following section describes the procedure to use the LinuxDD Capture
mode for Capturing Suspect’s data from a drive that has been removed from
its PC or Notebook.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture”
sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The port’s Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select LinuxDD Capture from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 4 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the operation for creating
the LinuxDD directory and segmented files.
5. Set the LinuxDD file fragment size by selecting the size from the Capture File
Size pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels. The Suspect drive should be listed in the Source Drive panel’s
list, and the Evidence drive should be listed in the Destination Drives panel’s list.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-4 G3 Forensic
Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2
through 9.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture”
sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The port’s Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select E01 Capture from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 5 for recommended settings.
4. Select File Name and enter the name of the file which will be used by the operation for creating
the E01 directory and segmented files.
5. Set the E01 file fragment size by selecting the size from the Capture File Size
pull down menu.
6. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
7. Select CASE INFO from the Main Screen and enter the required information.
8. Select the drives to be used for the selected operation from the Drive Selection
Panel.
9. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels. The Suspect drive should be listed in the Source Drive panel’s
list, and the Evidence drive should be listed in the Destination Drives panel’s list.
10. If capturing from two Suspect drives, start a second instance of the IMSolo-4 G3 Forensic
Capture application by selecting New Copy Session from the Navigation Bar and follow steps 2
through 10.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
1. Connect and configure the Evidence drives as outlined in the “Quick Start” and “Prepare to
Capture” sections of the manual.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The port’s Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
2. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.
3. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen.
4. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
5. Select DETECT REMOTE DRIVES from the Drive Selection Panel.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
6. Select the Evidence Drive(s) to be used for the selected operation from the Drive Selection Panel.
7. Verify all remaining applicable settings and optionally enter Case Information using the CASE
INFO screen functions.
NOTE: Hash values generated during the capture operation are generated for the data read from
the Suspect’s drive not from the data read from the Evidence (target) drive, unless the
unit is instructed to hash the Evidence drive(s) by enabling the Hash Targets function.
As an alternative, the Evidence Drives can also be hashed after the capture operation
using the Hash mode of operation.
8. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-4 G3 unit’s Ethernet port and
to the Notebook/PC Ethernet port. Alternately, connect the Gigabit USB-to-Ethernet Network
Adapter to the Notebook/PC USB port and the Ethernet Cable connector end to the IMSolo-4 G3
unit’s Ethernet port. See the instructions titled “USB-to-Ethernet Connection”, for additional
details.
9. Configure the Suspect’s PC or Notebook BIOS to boot from its CD-ROM or DVD drive. Most
BIOS have a section titled “Boot Order” to perform this function.
NOTE: Various PC or Notebook BIOS require different key combinations at boot up to change
the default Boot Order. It is the user’s responsibility to correctly set up the Suspect’s
PC or Notebook BIOS.
10. Insert the LinkMASSter Bootable CD and allow the Suspect’s PC or Notebook to boot from the
LinkMASSter CD.
11. After “Initializing the Environment”, the LinkMASSter application will display a prompt indicating
“Do you want to prepare a USB Flash?” Select “NO” to continue.
NOTE: To configure a USB device for LinkMASSter usage, see the instructions titled USB
LinkMASSter Setup and Usage, for additional details.
12. The LinkMASSter Network Capture Agent Screen is displayed with the computer’s detected drive
information.
13. Select Detect Drives from the IMSolo-4 G3 Slim Forensics Advanced Interface Control Console
screen. The Suspect drive, located in the Suspect’s computer, will be listed in the Source Drive
panel list and the Evidence drive will be listed in the Destination Drives panel list.
14. Select START to begin the operation. Operational status information will be displayed during an
operation.
15. After the operation completes, the Evidence drive will be powered OFF and can be safely
removed. Remove the LinkMASSter CD from the Suspect’s computer prior to powering OFF the
computer. The simulated drive status LEDs will be set to GREEN if the operation passes or RED
if the operation fails. Log files will automatically be stored internally and can be transferred to
external media using the unit’s USB ports, located on the back of the unit.
NOTE: Prior to saving logs to external media, disable the DETECT REMOTE DRIVES function
from the Drive Selection Panel.
1. Connect the Evidence drive(s) as outlined in the “Quick Start” and “Prepare to
Capture” sections of the Manual.
NOTE: The Evidence drive needs to be preformatted with NTFS or exFAT prior
to starting the capture operation. The Evidence drive can be formatted
on a PC or using the IMSolo-4. If using a PC Workstation to format the
drive, use “EVIDENCE” as the Volume label and skip to step 5.
2. Select the Evidence drive(s) which needs to be formatted, from the Drive
Selection Panel.
3. Select FORMAT from the Operation pull down menu, located in the Main Screen and choose
either NTFS or exFAT.
4. Select Start from the Main Screen to format the Evidence drive.
5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main
Screen.
6. Select the Evidence drive(s) from the Drive Selection Panel.
NOTE: Do not select any Suspect position from the Drive Selection Panel.
7. Select Detect Drives from the Console’s main menu.
8. Select the Mount Drive function Tab from the Advanced Interface Control Console.
9. Highlight and Select the detected Evidence drive from the Console’s Drive Status
Panel.
10. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.
11. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
12. Select APPLY.
NOTE: Repeat steps 9-12 for the second Evidence drive if applicable.
13. Select New Copy Session from the Navigation Bar to begin a new session of the IMSolo-4
G3 Forensic Capture application.
14. Connect the Suspect drive(s) as outlined in the “Quick Start” and “Prepare to
Capture” sections of the IMSolo-4 User’s Manual.
15. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main
Screen.
16. Select the Operational Mode Settings which are dynamically displayed in the Operation’s
Main Screen.
17. Select File Name and enter the name of the file which will be used by the operation for creating
the LinuxDD or E01 directory and segmented files.
18. Set the file fragment size by selecting the size from the Capture File Size pull
down menu.
19. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
20. Select the Suspect drive to be used for the selected Operation using the Drive
Selection Panel.
NOTE: Do not select any Evidence position from the Drive Selection Panel.
21. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu
screen is displayed.
22. Select Browse from the “Add Network Location” menu screen.
23. Select “D:\”. The Shared Drive Letter will be listed in the Evidence Drives Panel.
NOTE: Select “E:\” if “D:\” is in use by a previous session.
24. Select Detect Drives from the IMSolo-4 G3 Slim Forensics Advanced Interface Control Console
screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Drive
Letter will be listed in the Evidence Drives Panel.
25. Select CASE INFO from the Main Screen and enter the required information.
26. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
27. After the operation completes, the Suspect drive(s) will be powered-OFF and can
be safely removed, but the Evidence drives will remain powered-ON until they are
manually powered-OFF. Using the NEXT COPY SESSION function, select the
initial Session which was used to mount the physical Evidence drive(s) and
select REMOVE DRIVES to power-OFF and safely remove the Evidence drive(s).
NOTE: If more than one operation is running at the same time, do not select
REMOVE DRIVES until both operations have completed.
1. Connect and configure the Suspect drives as outlined in the “Quick Start” and “Prepare to
Capture” sections of the manual.
NOTE: Attach an Evidence drive if capturing to both a local Evidence drive and a Network
Shared Folder.
2. Configure a Shared Network Folder on the Network PC.
3. Connect the appropriate Ethernet Cable to the IMSolo-4 G3 unit and to the Network PC.
NOTE: It is the responsibility of the User to properly configure the Network for proper
connectivity and to properly configure the Shared Network Folder. The Shared
Network Folder requires write access. If properly configured, the Shared Network
Folder should be accessible from the IMSolo-4 G3.
5. Select LinuxDD or E01 Capture from the Operation pull down menu, located in the Main
Screen.
6. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen.
7. Select File Name and enter the name of the file which will be used by the operation for creating
the LinuxDD or E01 directory and segmented files.
8. Set the file fragment size by selecting the size from the Capture File Size pull
down menu.
9. Verify the Common Settings located in the Settings Screen. See Table 2 for recommended
settings.
10. Select the Suspect drive to be used for the selected Operation using the Drive
Selection Panel.
NOTE: Do not select any Evidence position from the Drive Selection Panel unless an Evidence
drive will also be used as a Destination drive.
11. Select Add Network Location from the Drive Selection Panel. The “Add Network Location” menu
screen is displayed.
12. Select Browse from the “Add Network Location” menu screen.
13. Select “My Network Places” to locate and select the Shared Network Folder. The Shared
Network Folder will be listed in the Evidence Drives Panel.
14. Select Detect Drives from the IMSolo-4 G3 Slim Forensics Advanced Interface Control Console
screen. The Suspect drive will be listed in the Source Drive Panel list and the Shared Network
Folder will be listed in the Evidence Drives Panel.
15. Select CASE INFO from the Main Screen and enter the required information.
16. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive, not from the data read from the Evidence (target) drive, unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture”
sections of the manual.
NOTE: E01 Capture Encryption Support was pending development at time of this
document’s (Rev 4.0) release. By default, all ports including the
dedicated Evidence drive ports are Write-Protected. The port’s Write-
Protection will automatically be disabled if the selected operational mode
requires writing to the Evidence drive(s).
2. Select the Capture Mode from the Operation pull down menu, located in the Main Screen.
NOTE: Sanitize (WipeOut) the Evidence drive(s) prior to Encrypting data. Do
not use LinuxDD Evidence drives which contain previously captured
cases which were not Encrypted.
3. Select On-Screen Keyboard from the Navigation Bar.
4. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.
5. Select the AES Key Length and AES Mode.
NOTE: For compatibility with the IMSolo-III Encryption and ICS Disk Cypher hardware, choose
192 as the AES Key Length and ECB as the AES Mode.
6. Select Encrypt.
7. Select Save Key. Select a name for the Encryption Key. which will be required
NOTE: In addition to unique password information, the saved Encryption Key will also contain
the selected AES Key Length and AES Mode settings.
8. Select Exit Encryption Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the Settings
Screen. See Table 2 and 6 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Capture is in use, select File Name and enter the name of the file which will be used
by the operation for creating the Case directory and segmented files. Set the File Fragment
Size by selecting the size from the Capture File Size pull down menu.
12. Select the drives to be used for the selected operation from the Drive Selection
Panel.
13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels. The Suspect drive should be listed in the Source Drive panel’s
list, and the Evidence drive should be listed in the Destination Drives panel’s list.
Drives panels are considered “active” drives and will be used during data
transfer operations. If necessary, also transfer “active” drives from the
Source Drive or Destination Drives panel to the Other Detected Drives
panel. If capturing from two Suspect’s drives start a second instance of the IMSolo-4
G3 Forensic Capture application and follow steps 1 through 13.
Hash values generated during the capture operation are generated for the data read from the
Suspect’s drive not from the data read from the Evidence (target) drive unless the operation is
instructed to hash the Evidence drive by enabling the Hash Targets function.
6 E01 Capture Encryption Support was pending development at time of this document’s release.
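An independent check after a LinuxDD Capture, as an added example that is not ICS software: re-hash the segmented files on the Evidence drive as one stream and compare the result with the hash recorded for the Suspect drive. The `<File Name>.NNN` segment naming, the `case42` name and the sample data are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

def ordered_segments(case_dir, file_name):
    """Return the segments of `file_name` in numeric order; refuse an internal gap."""
    pattern = re.compile(re.escape(file_name) + r"\.(\d+)")   # assumed naming scheme
    found = {}
    for path in Path(case_dir).iterdir():
        match = pattern.fullmatch(path.name)
        if match and path.is_file():
            found[int(match.group(1))] = path
    if not found:
        raise FileNotFoundError(f"no {file_name}.NNN segments in {case_dir}")
    numbers = sorted(found)                 # numeric sort: .1000 comes after .999
    missing = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))
    if missing:
        raise ValueError(f"missing segment(s): {missing}")
    # A missing first or last segment is not a gap; the hash comparison catches it.
    return [found[n] for n in numbers]

def hash_segments(paths, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    """Hash all segments as one continuous stream, reading in fixed-size chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in paths:
        with open(path, "rb") as handle:
            while chunk := handle.read(chunk_size):
                for hasher in hashers.values():
                    hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify_capture(case_dir, file_name, recorded_hex, algorithm="sha1"):
    """True when the re-computed digest equals the value recorded at capture time."""
    segments = ordered_segments(case_dir, file_name)
    digest = hash_segments(segments, (algorithm,))[algorithm]
    return hmac.compare_digest(digest, recorded_hex.strip().lower())

def run_demo():
    """Constructed data only: intact capture, altered segment, removed segment."""
    source = bytes(range(256)) * 40                  # stands in for the Suspect drive
    recorded = hashlib.sha1(source).hexdigest()      # stands in for the logged hash
    segment_size = 4096                              # stands in for File Fragment Size
    with tempfile.TemporaryDirectory() as case_dir:
        for n, start in enumerate(range(0, len(source), segment_size), 1):
            Path(case_dir, f"case42.{n:03d}").write_bytes(source[start:start + segment_size])
        intact = verify_capture(case_dir, "case42", recorded)

        second = Path(case_dir, "case42.002")
        data = bytearray(second.read_bytes())
        data[10] ^= 0x01                             # flip a single bit
        second.write_bytes(bytes(data))
        altered = verify_capture(case_dir, "case42", recorded)

        second.unlink()                              # leaves .001 and .003 only
        try:
            verify_capture(case_dir, "case42", recorded)
            gap_detected = False
        except ValueError:
            gap_detected = True
    return intact, altered, gap_detected

if __name__ == "__main__":
    print(run_demo())
```

Enabling Hash Targets makes the unit perform the equivalent re-read of the Evidence drive itself; a check like this one is useful when the segments have since been copied to other storage.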
1. Connect the Evidence drive with the Encrypted Case data to one of the unit’s Suspect positions.
2. Connect a blank Destination drive to one of the unit’s Evidence positions.
NOTE: By default, all ports including the dedicated Evidence drive ports are
Write-Protected. The port’s Write-Protection will automatically be
disabled if the selected operational mode requires writing to the
Evidence drive(s).
3. Select the Operational Mode from the Operation pull down menu, located in the Main Screen.
NOTE: The supported Operational modes for Decryption are Single Capture,
LinuxDD Restore and E01 Restore (see footnote 7). The “Hash Only” modes would also
be supported to generate hash values based on decrypted data.
4. Select On-Screen Keyboard from the Navigation Bar.
5. Select Encrypt/Decrypt from the Operation’s dynamically displayed settings menu.
6. Select Decrypt.
7. Select Load Key to select the saved Encryption Key which was used to Encrypt the Case data.
NOTE: Since the saved Encryption Key also contains the original AES Key Length and AES
Mode settings, it is not necessary to manually enter these settings.
8. Select Exit Encrypt/Decrypt Dialog.
9. Verify the Operational Mode Settings and Common Settings located in the Settings
Screen. See Table 2 and 8 for recommended settings.
10. Select CASE INFO from the Main Screen and enter the required information.
11. If LinuxDD Restore or E01 Restore is in use, select File Name and enter the name of the file
which will be used by the operation for selecting the Case directory and segmented files.
12. Select the drives to be used for the selected operation from the Drive Selection
Panel.
13. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels.
7 E01 Decryption Support was pending development at time of this document’s (Rev 2.1) release.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections
of the manual.
3. Select LinuxDD Restore or E01 Restore from the Operation pull down menu, located in the
Main Screen.
4. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 7 for recommended settings.
5. Select File Name and enter the name of the file which was used by the LinuxDD or E01 Capture
operation for creating the segmented Case files.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended
settings.
7. Select the drives to be used for the selected Operation using the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. A prompt will be displayed requesting
the Operator to verify that the detected drives are listed in the appropriate Drive
Status panels. The Source drive should be listed in the Source Drive panel’s list,
and the Target drive should be listed in the Destination Drives panel’s list.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections
of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select DoD as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 9 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended
settings.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive should be
listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed
in the Destination Drives panel’s list.
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections
of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select User as the Operational Mode setting.
5. Set the Operational Mode Settings which are dynamically displayed in the Operation’s Main
Screen. See Table 10 for recommended settings.
6. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended
settings.
7. Select the drives to be used for the selected operation from the Drive Selection
Panel.
8. Select Start from the Main Screen to begin the operation. The Suspect drive should be
listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed
in the Destination Drives panel’s list.
WipeOut-User SETTINGS
Table 10
1. The Advanced Interface Control Console will be displayed after the unit is powered ON.
2. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Copy” sections
of the manual.
3. Select WipeOut from the Operation pull down menu, located in the Main Screen.
4. Select Secure Erase as the Operational Mode setting.
5. Verify the Common Settings located in the Settings Screen. See Table 3 for recommended
settings.
6. Select the drives to be used for the selected operation from the Drive Selection
Panel.
7. Select Start from the Main Screen to begin the operation. The Suspect drive should be
listed in the Suspect Drive panel’s list, and the Evidence drive(s) should be listed
in the Destination Drives panel’s list.
NOTE: It may be necessary to Disable the “ics” password which is set on the drive
during Secure Erase if the operation is aborted prior to completion. If the
User Password is not reset, the drive will block Read and Write commands.
It is not necessary to disable the drive’s User Password if Secure Erase is
used to erase the drive after an aborted operation.
1. Select the LOG Tab function, located in the Advanced Interface Control Console.
2. Select “Copy Logs to a Removable Device”. A message will be displayed prompting the User to
insert a USB Storage Device.
3. Insert a USB Storage Device on one of the unit’s available USB general purpose ports, located
on the back of the unit. Select OK to continue.
4. The USB Storage Device Volume will be mounted and the Device will be listed in the Other
Detected Drives Panel. Disregard the Windows AutoPlay prompt and wait for the prompt
indicating Select Files to Copy. Select the Event Log and Audit file(s) to copy.
NOTE: If the USB Device is not properly detected, remove the USB Device and repeat steps 3-7.
5. Select OPEN from the Select Files to Copy prompt, to continue.
6. Select the destination folder on the USB Device to store the selected file(s) and select OK to
store the selected files.
7. The USB Storage Device can be removed after the Device is removed from the Other Detected
Drives Panel.
NOTE: Audit Trails are saved in both a standard text format and a PDF format using
128-bit password encryption protection, so the Audit Trail contents cannot
be changed. The Company Logo can be added to the Audit Trail PDF by
selecting its location using the "SET AUDIT TRAIL LOGO" function, located
in the LOG menu screen.
1. Connect and configure the drives as outlined in the “Quick Start” and “Prepare to Capture”
sections of the manual.
2. Select the required Operation from the Operation pull down menu, located in the Main Screen.
3. Select CASE INFO from the Main Screen and enter the required information.
4. Verify the Operational Mode Settings and Common Settings.
5. Select only the drives to be used for the selected operation from the Drive
Selection Panel.
6. Select Start from the Main Screen to begin the operation using the current active instance of
the IMSolo-4 G3 Forensic Capture application.
7. Verify that the detected drives are in their respective Drive Status Panels. The
drives listed in the Source Drive and Destination Drives Panels are considered
“Active” drives and will be used by the current instance of the IMSolo-4 G3 Forensic
Capture application.
8. Select New Copy Session from the Navigation Bar to begin a new instance of the IMSolo-4
G3 Forensic Capture application.
NOTE: The second instance of the IMSolo-4 G3 Forensic Capture application can be started
before or after beginning an operation using a prior instance of the application.
9. Repeat steps 1 to 7.
NOTE: The number of operations which can be performed in parallel is limited by the available ports
and unit’s available resources.
Previewing Write-Protected Drive Data
The following section describes the procedure to securely view data from
the drive(s) connected to the IMSolo-4 G3 ports.
1. Connect and configure the drive as outlined in the “Prepare for Operation” section of the manual.
2. Select the drives to be used for the selected operation from the Drive Selection
Panel.
3. Select Detect Drives from the Console’s main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control Console.
5. Highlight and Select the drive to be previewed from the Console’s Drive Status
Panel.
6. Verify that the Write-Protect function is Enabled (checked) in the Mount Drive
Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview access to the drive’s volume
using the unit’s O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to preview the drive’s volume.
10. To turn OFF the drive after previewing the drive’s volume, select the drive from
the Drive Selection Panel and select REMOVE DRIVES.
1. Connect and configure the Evidence drive as outlined in the “Prepare for Operation” section of
the manual.
2. Select the drives to be used for the selected operation from the Drive Selection
Panel.
3. Select Detect Drives from the Console’s main menu.
4. Select the Mount Drive function Tab from the Advanced Interface Control Console.
5. Highlight and Select the drive to be accessed from the Console’s Drive Status
Panel.
6. De-Select (uncheck) the Write-Protect setting in the Mount Drive Screen Menu.
7. Select (check) the Mount Volumes setting in the Mount Drive Screen Menu.
8. Select APPLY. This operation will allow preview and write access to the
Evidence drive’s volume using the unit’s O/S or 3rd party application.
9. Select DESKTOP from the Navigation Bar to access the drive’s volume.
10. To turn OFF the drive after accessing the drive’s volume, select the drive from
the Drive Selection Panel and select REMOVE DRIVES.
Appendix A:
Operational Notes
Image MASSter™ Solo-4 Internet/Network
Connection Disclaimer
Intelligent Computer Solutions, Inc. (ICS) assumes no liability for the security of the
customer’s computer/network systems. ICS assumes no liability for the security of the
Image MASSter™ Solo-4 when it is connected to either the Internet or another Network.
Utilizing the Image MASSter™ Solo-4 for data seizure from a network or uploading data
to a network requires the unit to be connected to the network and this may cause a risk
of the system being compromised. The user is responsible for taking the necessary
steps to ensure the safety of both the Image MASSter™ Solo-4 and the network in use
when the unit is utilized to either seize or upload data to/from a network.
The security of the Image MASSter Solo-4™ when connected to the Internet or a
network relies on the user’s discretion; however, ICS recommends that the user
take, at a minimum, the following steps:
1) The Image MASSter™ Solo-4 is set to have Internet Connection and Automatic
Windows Updates disabled as default. Users will need to enable Internet
Connection when seizing or uploading data from/to a network. It is highly
recommended that the user install anti-virus and firewall Hardware Device
protection prior to connecting the Image MASSter™ Solo-4 to either the Internet
or a network. A lesser protection can be achieved with personal firewall
software. Continuously running an updated version of anti-virus software with
the Image MASSter™ Solo-4 may help prevent an intrusion into the unit or
network. ICS recommends updating the anti-virus software program every time
the Image MASSter™ Solo-4 is connected to the Internet or a network.
2) Users should always utilize a clean (scanned for viruses) USB Thumb Drive
when updating the Image MASSter™ Solo-4 unit Software or Firmware.
3) Users should ONLY connect the Image MASSter™ Solo-4 to a network when
either seizing or uploading data. It is imperative for users to REMOVE the Image
MASSter™ Solo-4 connection when not actively performing these tasks.
These recommendations are provided to the user as a reference; however ICS cannot
assure that the Image MASSter™ Solo-4 will not become compromised when
connected to the Internet or a network. User assumes all responsibility for the data and
security of the Network.
Customers understand and agree that the use of the Image MASSter™ Solo-4 implies
acceptance to the terms and conditions specified in this disclaimer.
USB-to-Ethernet Connection
The IMSolo-4 G3 LinkMASSter Option will also include a Gigabit USB-to-Ethernet
Network Adapter (CSAR-0265-000A) to allow connecting to a Notebook or PC
which does not have an Ethernet port, or if drivers are unavailable for the
computer’s network interface. For improved performance, the Gigabit
USB-to-Ethernet Network Adapter would also be recommended when connecting to a
Notebook or PC which uses an Ethernet interface that offers less than a
1 Gigabit connection.
NOTE: When using the Gigabit USB-to-Ethernet Network Adapter, connect the
Ethernet connector to the IMSolo-4 G3 unit and connect the USB
connector to the computer.
1. Connect the ICS supplied Crossover Ethernet Cable to the IMSolo-4 G3 unit’s
Ethernet port.
2. Connect the Crossover Ethernet Cable to the Gigabit USB-to-Ethernet
Network Adapter.
3. Connect the ICS supplied USB 8” Cable to the Gigabit USB-to-Ethernet
Network Adapter.
4. Connect the USB 8” Cable to the Notebook/PC USB port.
[Figure 36: Gigabit USB-to-Ethernet Network Adapter connections, labeled “Connect to IMSolo-4 G3” and “Connect to PC”]
9 The USB Flash Drive is not supplied with the LinkMASSter Option.
The following are instructions to restore the unit’s System Drive contents.
1. Insert the IMSOLO-4 G3 Slim USB Restore drive to one of the available general
purpose USB ports, located on the back of the unit and connect a USB Keyboard.
2. Access the IMSOLO-4 G3 Slim Boot Device Selection menu by pressing <F12>
during Power ON when the POST Startup Screen is displayed.
3. Highlight and select the listed USB Device.
4. Type “Restore” after the unit boots from the USB Restore drive. Type ‘Y’ to start
the Restore process. The Restore process will take approximately 7 minutes.
When the message is displayed indicating “Success,” power off the unit and
reboot.
NOTE: The request to type “Y” is Case Sensitive. The operation will wait until the
proper key is entered.
5. After the unit reboots, Windows SETUP will run for approximately 7 minutes. Once
Windows SETUP completes check Device Manager by running devmgmt.msc from
the Desktop START function. If Device Manager lists “Unknown Device” in the
“Other Devices” Header, follow the Restore Addendum instructions listed below.
Otherwise complete the installation by installing the unit’s ImageMASSter
application by running s4v4.12.xx.x Setup_x64 located in the root directory of the
supplied USB Flash Drive.
IMSOLO-4 G3 Slim System Drive Removal
Instructions
The following are instructions to remove the IMSolo-4 G3 Slim unit’s System drive.
1. Remove the single Drive Bay Screw located on the bottom of the unit as shown
in the diagram below.
2. Slide out the drive as shown in the diagram below.
LinuxDD and E01 Capture exFAT Usage
The exFAT File System provides enhanced drive data security for LinuxDD and E01
Evidence drives. The following are the benefits of using the exFAT File System:
• Provides improved data security when transferring data between the Suspect
drive and Evidence drive during the LinuxDD Capture or E01 Capture operation.
The data is isolated from the unit's O/S environment.
• Provides for a quicker format of drives and uses less overhead.
• The exFAT file system uses 64 bits to define file size.
• Support for volumes that are larger than 32 GB when compared with FAT32. The
theoretical maximum volume size is 64 ZB.
• Support for files that are larger than 4 GB when compared with FAT32. The
theoretical maximum file size is 64 ZB.
• Support for more than 1000 files in a single directory.
NOTE: To preview exFAT LinuxDD or exFAT E01 Evidence drives using WIN-XP
Workstations or IMSolo-4 G3 units configured with S/W versions prior to
v4.2.54.0, it will be necessary to load the exFAT File System driver
(WindowsXP-KB955704-x86-ENU), which can be downloaded using the ICS
FTP Link IMSolo-4 G3 Support Files. The exFAT File System is currently
supported by Win-VISTA and Windows 7.
DEFINITIONS
HASHING
Hashing is a process that calculates a "unique signature" value for the contents of an
entire drive.
MD5 Hash
SHA-1
Secure Hash Algorithm is a 160-bit cryptographic hash function. Designed by the NSA.
SHA-2
CRC32
Sanitize
Sanitize refers to the process of clearing a drive of all previously stored data. The
WipeOut function can be used to sanitize a drive.
HPA is defined as a reserved area for data storage outside the normal operating file
system. This area is hidden from the operating system and file system and is normally
used for specialized applications. Systems may wish to store configuration data or save
memory to the hard disk drive device in a location that the operating systems cannot
change. If an HPA area exists on a Suspect’s drive, the IMSolo-4 G3 Slim Forensics
seizure operation will detect this area and capture all the contents of the drive’s sectors,
including all the HPA hidden sectors, to the Evidence drive.
Device Configuration Overlay (DCO)
DCO allows systems to modify the apparent features provided by a hard disk drive
device. DCO provides a set of commands that allows a utility or program to modify
some of the modes, commands and feature sets supported by the hard disk drive. DCO
can be used to hide and protect a portion of the drive’s area from the operating system
and file system. If DCO is detected on a Suspect’s drive, the IMSolo-4 G3 Slim
Forensics seizure operation will capture all the contents of the drive’s sectors, including
all the DCO hidden sectors, to the Evidence drive.
AES is a 128-bit block cipher Encryption Standard, which supports a choice of three key
sizes (128, 192 and 256-bits) according to the level of security required. AES has
become the encryption algorithm of choice for applications requiring a high degree of
data security.
AES Modes
AES Modes provide a method of implementing different AES properties. The AES
modes provided by the IMSolo-4 G3 Slim Forensics unit are described as follows:
Electronic Code Book (ECB)
The message is divided into blocks and each block is encrypted separately.
Cipher Block Chaining (CBC)
Each block of plaintext is XORed with the previous ciphertext block before being
encrypted.
Cipher FeedBack (CFB)
Makes a block cipher into a self-synchronizing stream cipher. A stream cipher is
a symmetric key cipher where plaintext bits are combined with a pseudorandom
cipher bit stream (keystream), typically by an XOR operation.
Output FeedBack (OFB)
Makes a block cipher into a synchronous stream cipher: it generates keystream
blocks, which are then XORed with the plaintext blocks to get the ciphertext.
Counter (CTR)
Counter mode turns a block cipher into a stream cipher. It generates the next
keystream block by encrypting successive values of a "counter".
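The ECB and CBC descriptions above have a practical consequence for the AES-192/ECB compatibility setting, because a drive image contains many identical 16-byte blocks. The following added example (not ICS code) is a self-contained pure-Python AES encryptor that encrypts a constructed buffer in both modes and counts the distinct ciphertext blocks. The key, IV and buffer are constructed, and how the unit itself derives keys or IVs is not stated in this manual.

```python
def _xtime(a):
    """Multiply by 0x02 in GF(2^8), reducing by the AES polynomial 0x11B."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8), then the FIPS-197 affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)                       # next power of the generator 0x03
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv ^ 0x63
        for k in range(1, 5):                # XOR in the four left-rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """FIPS-197 key schedule for 16/24/32-byte keys; returns 16-byte round keys."""
    nk = len(key) // 4
    words, rcon = [list(key[4 * i:4 * i + 4]) for i in range(nk)], 1
    for i in range(nk, 4 * (nk + 7)):
        t = words[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; state bytes are column-major as in FIPS-197."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for rnd in range(1, last + 1):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd != last:                                                      # MixColumns
            mixed = []
            for c in range(0, 16, 4):
                col = s[c:c + 4]
                t = col[0] ^ col[1] ^ col[2] ^ col[3]
                mixed += [col[i] ^ t ^ _xtime(col[i] ^ col[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def ecb_encrypt(key, data):
    """ECB: every block is encrypted separately under the same key."""
    rks = expand_key(key)
    return b"".join(encrypt_block(rks, data[i:i + 16]) for i in range(0, len(data), 16))

def cbc_encrypt(key, iv, data):
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    rks, prev, out = expand_key(key), iv, []
    for i in range(0, len(data), 16):
        prev = encrypt_block(rks, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(data):
    """Number of different 16-byte blocks in `data`."""
    return len({data[i:i + 16] for i in range(0, len(data), 16)})

# Constructed inputs: a 192-bit key, a fixed IV (fixed only so the run is
# reproducible) and a 40-block "image": 32 zero blocks, 4 repeats, 4 unique blocks.
KEY = bytes(range(24))
IV = bytes(range(16, 32))
IMAGE = bytes(512) + b"MBR-constructed-" * 4 + bytes(range(64))

if __name__ == "__main__":
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(KEY, IMAGE)))      # 6 of 40
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(KEY, IV, IMAGE)))  # 40 of 40
```

Under ECB the ciphertext has exactly as many distinct blocks as the plaintext, so zero-filled and repeated regions of an image stay recognizable as such; under CBC every block differs.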
Appendix B:
Product Information
Limited Warranty
Intelligent Computer Solutions, Inc. warrants that our products are free from defects in materials and
workmanship for a period of twelve (12) months from the date of purchase by the original buyer. If you
discover physical defects or malfunction, Intelligent Computer Solutions, Inc. will, at our discretion, repair
or replace the product. You must return the defective product to Intelligent Computer Solutions, Inc. within
the warranty period accompanied by an RMA number that has been issued by Intelligent Computer
Solutions, Inc.
All products purchased from Intelligent Computer Solutions, Inc. include a seven-day unconditional
money-back guarantee.
Intelligent Computer Solutions, Inc.’s products are shipped in cardboard boxes that have been designed
and tested to ensure that our products can endure standard commercial shipping methods and still arrive
in working order. We advise you to save your box and original packing materials in case you need to
return the product(s) for any reason. If product(s) are returned without proper protective packaging, the
warranty may be void.
-That the shipping box does not have dents or visible damage.
-What you have received conforms to the packing list.
-There is no apparent damage to the product(s) or accessories.
- Products which have been subjected to abuse, accident, alteration, modification, tampering,
negligence, misuse, faulty installation, lack of reasonable care, or if repaired or serviced by
anyone without prior authorization from Intelligent Computer Solutions, or if the model or serial
number has been altered, tampered with, defaced or removed.
- Normal maintenance.
- Damage that occurs in shipment due to act of God and/or cosmetic damage.
- Accessories
This Agreement also does not include service (whether parts or labor) necessitated by any natural cause
such as flood, tornado, earthquake or other acts of nature.
Limitation of Liability
The following limitations of ICS liability apply:
ICS is not liable for any incidental or consequential damages, including, but not limited to
property damage, loss of time, loss resulting from use of an ICS product, or any other damages
resulting from breakdown or failure of a serviced product or from delays in servicing or inability
to render service on ICS product. ICS will make every effort to ensure proper operation of its
product. It is, however, the Customer’s responsibility and obligation to verify that the output of
ICS product meets the Customer’s quality requirement. Customer acknowledges that improper
operation of ICS product and/or software, or hardware problems, can cause defective formatting
or data loading to target drive. It is the customer, not ICS, who is responsible for verifying that
the drive meets the Customer’s quality standards. ICS will make efforts to solve any problems
identified by Customer.
Technical Support
For help in resolving a problem, contact ICS Technical Support at: