Forensic Focus Podcast: Todd Bellows on Challenges and Opportunities for Forensic Imaging

Christa Miller: At a time when digital forensics tools and techniques seem dominated by the challenges of storage media like mobile devices, cloud storage, and the internet of things, hard drive forensics might not appear to be as captivating. Yet hard drives are still critically necessary to business and government functions, so demand for hard drive forensics remains strong.

Today the Forensic Focus podcast welcomes Todd Bellows, Director of National Sales at Logicube, one of the oldest manufacturers of hard drive duplication and forensic acquisition solutions in the industry. Having been a part of the company since its inception in 1999, Todd oversees and is responsible for all domestic and Canadian sales, including government and tier one corporate accounts. I’m your host, Christa Miller, and welcome, Todd.

Todd Bellows: Good morning. Thank you Christa for having me.

Christa Miller: Thank you for being here. So Todd, you’ve been with Logicube for more than 20 years at this point, so you’ve had a front row seat to so many of the changes that have impacted digital forensics. Encryption and storage capacities, as well as the shifts of mobile and cloud storage are a few of the most profound. What other significant changes have driven Logicube’s product strategy?

Todd Bellows: Well, Christa, I appreciate the question. You know, during my 20 plus year tenure at Logicube I’ve indeed seen a massive technological change, not only in the marketplace, but as an example on product evolution. So more importantly, how clients tackle the shifts in, say, methodology.

You mentioned storage capacities, which is directly linked to in-product scalability, like personal computers and servers and encryption or the requirement of clients to either actively support capturing encrypted sources, or maybe possibly encrypting their target media, you know, as a baseline for securing their data. So I’m proud to say really that Logicube has successfully supported both of these efforts, Logicube prides itself on tackling these challenges through kind of a multi-pronged approach. So we gather intelligence from a variety of sources, kind of with a vision towards offering future-proof products.

Input’s gathered from manufacturers of these targeted devices — in other words, we go to the companies that develop and embed this very media that forensic professionals seek to acquire. They tend to have the inside track on what types of media will next take hold in the market. So in addition we keep an open dialogue with our tier one clients, which operate in a multitude of sectors, and this is important dimension: banking, cyber security, federal and state governments, ediscovery clients, as well as global military assets.

You know, so in summary it’s difficult to ascertain what the next, say, big thing will be. But through the highlights I mentioned Logicube’s well-equipped to bring new clients on board and then also continuing to satisfy our base of customers.

Christa Miller: Have you encountered any surprises over the years? And if so, how did you and Logicube adapt to them?

Todd Bellows: Well, interestingly enough, there’s a couple of what I’ll call blindsides. I know you mentioned I’ve been here for 20 years, but let me just kind of recount them some that I remember. One that I vividly recall was a transition really of hard drive technology moving from what maybe many of the listeners might remember is called parallel ATA or PATA, or maybe some term terminology IDE drive [indecipherable] drive, switch recurrent, right? This simply means most hard drives that were manufactured with the old 40 to 44 pin connections and require this old ribbon style cable to interface between the computer motherboard and a hard drive, that quickly transformed into Serial ATA technologies. That’s doing away with the ribbon cable and kind of creating a more universal, durable SATA cable. The new cable offered this L connection and could be used in most three and a half inch, say, desktop internal drives and then two and a half inch laptop internal drives.

So Logicube, remember, quickly moved to manufacture this, you know, PATA or IDE to SATA adapter. It may sound simple by today’s technology standards, but you have to recall that this happened back in say the early 2000s. And at the time Logicube only offered PATA support on all of the hard drive duplication and forensic acquisition devices and moved swiftly to design, implement and manufacture a SATA adapter for all of its, at the time, existing hardware.

So we not only filled that gap in the support for all the existing clients, but made the support available months, and I would say in some cases a couple of years, prior to what our competition was able to do. So our clients were able to use that technology at the time without having to wait for a new design to come out. They were able to access that design for that adapter. It sounds simple, but it really wasn’t back then.

But I wanted to mention something else. The second big surprise that I wanted to mention was, again, it was kind of tied to the technological change in what I think computer manufacturers’ teams, like this massive shift in the industry. And Logicube engineering — have to give them a lot of credit — had the foresight to develop and embed an express card interface on the back of, at the time, our flagship forensic product called the Falcon, which was the predecessor to the Falcon-NEO that I might mention in this podcast today.

And by adding that express card interface, Logicube was able to address the big, or I should say massive, shift that I just mentioned, which took computers from say using a hard drive to a PCIE type hard drive. So PCIE drives were extremely fast and provide the user optimal performance to meet today’s demands, both for applications, programs and the like.

Again, Logicube was agile enough to give hundreds, literally hundreds of clients who previously purchased the Forensic Falcon the ability to now support the latest hard drive and hardware. So I think this is an amazing feat as the competitive landscape took several years to really catch up to them. So I’m very proud of our engineering team for tackling that at the time.

Christa Miller: I was thinking that 20 years ago I was working in tech support at a university. So I remember that shift from IDE to SATA. So that was an interesting insight into that period of time.

So today, what are the elements of an efficient forensic imaging tool, in terms of those changes that you were just talking about and how they’ve sort of shaped the products that you’re offering now: how has this changed over the years, and how has Logicube defined or shaped the market? I think you went into a little bit of detail about that in your previous response. And then what do you anticipate? Sorry, go ahead.

Todd Bellows: Sure. No, no. I was going to say, these are great questions. They kind of all mesh together. So let me… I think this is kind of has a lot of meat around it. I want to make sure for our listeners that would kind of cover what I think is important. I think it would be best if I address this by explaining to the listeners kind of where the market’s changed, why it changed and what Logicube has done, more importantly, as you put it, to shape the market.

So two decades ago, forensic examiners typically would use a computer say with an external write block device in order to capture forensically sound data. That’s just how they did it. They would run a forensic backend software tool, primarily used for case building, to also acquire data.

So most of these software tools offered some sort of acquisition feature and that’s just what people used back then, even though hard drive sizes were very small. The speeds also were small and scale was, I like to say that they crawled like snails, right? So this says, well, how fast does a snail go? Well, it goes extremely slow. So even though the drives were slow and they were small, the capturing software was extremely slow. So by scale, it was extremely slow as I’ve put it, right?

Then you kind of enter Logicube and its standalone hardware solution. That’s really almost two decades ago it was born. And standalone by nature typically means a dedicated appliance that allows the user to maximize performance, which then translates into a big pickup in speed, which everybody always talks about how fast, right? Which minimizes the collection time. So let me address the key advantages of hardware based forensic imagers in general. I think it’s important that we cover that.

First, speed. Like I mentioned, hardware based imaging is faster than software based imaging just by nature because it’s standalone. It’s portable. So unlike say a workstation or laptop, the device is easily transported to the field in, say, a backpack or suitcase. You look at costs, there’s no recurring software licensing fees like associated with operating you know, say a software tool compared to hardware. And then dependability. In other words, reproducible results that are immune from say, Windows-based computers that might have declining performance or even have a virus, right? Would want to use something like that.

You have, I think I mentioned earlier, a dedicated appliance, so it frees up your forensic computer to do other tasks. You can have a dedicated piece of equipment that’s only doing the capturing of that media. And then lastly, it provides a forensically sound write blocking environment. So where you’re write blocking all source content, that’s connected to our imager. Nobody has to worry about any writes to the drive or changing the evidence, which is great.

So after mentioning that, I want to be maybe more specific on how Logicube has defined, changed, and as you said, shaped the market itself. So I asked if one were able to build the perfect hardware based forensic imager, what factors might they use in the selection process, right? What products might they purchase in their final determination? So these are all questions that are easy for me to answer, as I represent what I believe is the industry leading hardware imaging product, the Forensic Falcon-NEO. So let me highlight kind of the core elements and factors beyond what I previously noted was important, you know, when you’re selecting just a general imager, and talk a little bit more about these pieces.

So I mentioned speed. So we look at max throughput. So what is the top rated speed this hardware platform can obtain? So if you look at something like the Falcon-NEO, it can obtain speeds up to, and sometimes exceeding, 50 gigabytes per minute, capturing from a solid state drive media in a forensic E01 format, which is unbelievably fast by… even say in the last few years. I mean, lightning fast, if you look back just say three to five years of what can be achieved now.

Furthermore, the power of the platform allows a high-performing say PCIE drive, which is now in the market to run at speeds approaching sometimes and sometimes surpassing 90 gigabytes a minute, say just in a straight mirror mode. So unbelievably fast.

So you also want to consider things like bandwidth is critical, right? So you would consider how many sources and how many destination points does the device you’re using support, right? And you say, well, how many pieces of media can I plug in at one time? Most are limited to one. Falcon-NEO can run up to five tasks and sources at one time. It can, believe this, copy it to nine targets or destination drives, where the industry norm is one or two connection points. To me, that’s an unbelievable achievement in that product.

And then we think of things like, we don’t want to forget about network connectivity. If your network infrastructure say supports a 10 gigabit backbone, you’re in luck as the Falcon-NEO offers two connection points, which would allow a user set up to a 30 gigabyte per minute throughput. Again, amazing speeds here.

We talk about now tools that have remote operability as being crucial. So if we look at, say, the Falcon-NEO, it supports accessing its GUI remotely for easy monitoring by the say the user and actual user inputs, meaning the user can truly instruct the unit to run operations without sitting on top of that unit. Obviously, Christa, the unit would have to have hard drives connected to it, to be able to instruct it what to do, but it just shows you how far we’ve come with, say a tool like this.

You know, and then something that might get overlooked is the availability of using advanced software features. So now you start to ask yourself, well, what does a platform like this offer? Well, the NEO is, I would say, the most robust and feature packed device in the market. There’s so many goodies that the users get far beyond what was available, say, just a couple of years ago.

So, Christa, I’d like to consider the purchase of the Falcon-NEO. I like to tell my clients, this is an investment, right? That’s an investment when you’re looking at these tools now, so one should ask, you know, what special hardware add on capabilities, you know, might be offered in something like this. And is there upside potential beyond what you see at first glance? So the answer is yes, with the NEO. It offers an array of hardware adds that a user can purchase, you know, when they need them. So it’s not like they have to buy everything upfront, but they say, well, hold on, what else is supported on this platform? And can I add to it after I make this initial purchase?

So some of the key ones that we offer Christa, and I’m proud to say, we’re the first in industry that offers a Thunderbolt 3 USB-C I/O card. So along with the ability to add things like FireWire, and even say legacy SCSI and fiber channel support. So these are very unique to this box and there are users, believe it or not, that are still using that type of technology. I also wanted to, you know, for the listeners to consider scalability, right?

What other software options might be available, right? To add to that unit, right? So you have your features, but what options? So the Falcon-NEO offers the users, believe it or not, the ability to capture cloud storage. Also mobile phone capture support. These are optional software packages on the device, but it kind of opens up the platform to doing more than what we set out for it to do. And we say, well, wait a minute. The core of it is to collect data. Why not open it up to what users are already doing, using other tools, and now they can accomplish it in addition to the core on the Falcon-NEO. So it just enhances the platform, you know, and providing key support where, you know, kind of where it’s required.

And lastly, we kind of mentioned the future. So it’s, you know, it’s hard to pinpoint exactly what our superior engineering group at Logicube here will bring next, but suffice it to say, they’ll continue to strive to future-proof its technology to the best of our ability. That’s really what we’re here to do.

Christa Miller: So tell us a little bit more about your digital forensics product line. So you’ve talked a little bit about the Falcon-NEO in particular. Could you walk us through the different features and capabilities that are common to all Logicube products that sort of are your brand, really, as well as those that are unique to each imaging tool?

Todd Bellows: Sure. You know, well, I think our forensic line kind of follows an easy flow. So we offer… first thing is we offer write block. We call it the write block trio. There’s three of them. This begins with the small footprint, single mount device, meaning you can mount one drive at a time and it’s called the write protect portable. So the write protect portable supports SATA, USB and PCIE interface devices.

And then we have two devices that offer the same support, but in two different footprints, one’s called the write protect desktop. The other one is the write protect bay. So both are similar to say the Falcon-NEO, which I’ve covered in depth, which allows up to say, as we recall, five simultaneous device connection threads, it’s the same on these write protect devices, which there’s no other company that offers these. Again, not on the entry-level, we’ll call it write protect portable, but on the desktop and the bay.

So the desktop model is simple. It’s just a plug and play, has a USB host connection. And then the bay version of course, would be something that would be mounted inside, say a forensic PC chassis no different than, you know, the CD-rom say, you know, interface that they plug it in. And now they have that ability in their forensic workstation. So I didn’t mention, say, older type technologies, but I wanted to make sure everybody knew that when we said like the Falcon-NEO, that we know that these write protect devices, get this, support SAS, SATA, USB, PCIE, and FireWire, and the key to all this, they can do it all at the same time. Right? In other words, not limited again to that single connection point.

So they would mount these drives. Some people have asked, well, how do I do three? Can I just mount them all at once? Well, you mount one, and you mount the second and on and on, but they’re different threads. So if they have a forensic workstation, let’s say that’s high performance, they can take advantage of, you know, processing more drives at one time with the singular device from Logicube, rather than having multiple devices to get the same output. So I think that’s really important.

And then I didn’t mention, like I was just about to say about the older technology. We mentioned IDE kind of with some of the older terms, but we do offer conversion adapters for older IDE technology. I know you said you remember it. It doesn’t mean we’re old, but it was a long time ago, as you can recall, you know, that IDE was a commonplace. So I think most people are glad that that’s in the rear view, you know, not having to deal with pins and all those things.

So, you know, secondly what we have is our forensic imager, so we have a write block trio, but then we have our image [inaudible]. We offer three key standalone kind of hardware imaging devices. The first one is the Talon Ultimate. We call it the Talon-U. The Falcon-NEO, which we kind of covered in depth. And then there’s, what’s called the desktop kind of flatbed model, which we call the ZXI Forensic.

So the Talon-U sits in kind of a unique market niche as we consider it kind of the mid tier forensic imager. So with that said, it’s like the only scalable mid tier unit of its kind. What I mean by that is, the Talon comes as a single source device, but allows for multiple outputs.

So it has a small footprint and small footprint device that gives users the ability to add items like [indecipherable] support, logical imaging, which we call file-based collection. And more importantly, the ability to open up that single source, as I was saying, that limitation to actually do say two or three sources. Now all of those I just mentioned that are options in that box, from a scalability perspective, are standard in that Falcon-NEO, you probably remember, I already covered, those are all standards out of the box in the NEO, but this gives users the ability to look at something mid tier and say, well I may not need all that stuff up front, but I might need it down the road. Instead of having to buy a whole new unit, they say, oh, I’ll just go, I want to be able to do SAS drives. I’m going to buy a license key for that.

So as with like the write block devices, the Talon Imager offers all of the interfaces that we found in those models. So all of those that I just mentioned are also supported in the Talon Ultimate. I know that I covered the Falcon-NEO extensively, but this device sits kind of on the top shelf of our offerings. Again, to reiterate, the Falcon-NEO’s the fastest platform that we offer. It gives the user a variety of interface connection options, and even allows for great scalability. You know, we talked about some of the features, but also scalability, not just the software options that are available, but also the hardware add-ons. And to me that gives somebody a great scalability or runway for what is an outstanding tool.

So kind of rounding out the forensic imager line is the device I called the ZXI Forensic. It is… I call it a work bench model, you could pick it up and kind of walk around with if you need to, but people buy it and say, I’m just going to kind of sit it on this work bench or in my lab. It’s not something I’m going to move around. I’m just going to have it connected to my network. I’m going to do whatever work I need to do, whether it’s imaging, those collections, wiping, sanitizing, all of that stuff that can do on the box.

And a majority of the Falcon-NEO connections that we discussed, and features, are available in the ZXI forensic platform, which offers further flexibility as the users can use that tool and operate in a lab only environment, and then not tie up things like a Falcon-NEO, because we have plenty of users that buy the NEO that use it in the lab, but they’re also using it remotely. They’ll take it to client sites, site collections, things of that nature. And they may very well use it for doing things in the lab, but something like the ZXI Forensic is nice because they can have just that as a separate, say, dedicated tool.

Christa Miller: So we’ve talked about — or you’ve talked at length about — all of these different features that you offer and the investment that customers are making when they purchase. Having said that, tight budgets and competing needs affect a great many digital forensics labs globally. How do you and Logicube’s human sales team help to counsel them on evaluating their needs and making the choices that are the best fit?

Todd Bellows: Well, you know, it’s always difficult with budgets. Anytime we talk about budget questions and, you know, with an array of different clients in different sectors, budgets work in different ways, you know, when you talk about public companies comparative to say local government, or federal government, or international clients, I mean, there’s a lot to have to consider, but budgeting issues, I think have long plagued both private and public sectors, but also the US and global governments just in general.

And we’re always trying to help clients navigate that, not just from a perspective of, you know, when would they have money to spend, but when will we have what products, what type of upgrade paths, et cetera, et cetera, so that they can make the best choice. So at Logicube we understand, you know, what processes in a forensic digital media collection need to be followed, right? And what tools assist in accomplishing these goals. I think that’s key.

And as I mentioned earlier, Logicube I think is proud to offer the most comprehensive solutions on the market. So we understand that there’s other tools required in this process of digital forensic, we’ll say, collections. And we’re not, it’s not about, okay, if you have one of our tools, what else do you need or not need, right? There’s other things you’re going to absolutely need. But what we’re trying to do is help clients eliminate some of those pieces that might be at the front and at the back end of the collection process, where they might not have to invest as many tools, but they’ll definitely need others.

So what I think about is we evaluate kind of their overall needs versus what their available spend might be. And one must understand that tools like the Falcon-NEO not only cut down on the variety of solutions, like I just mentioned, you know, that investor might require, but combine and help streamline different facets of that collection process. Right? So they might be able to save a little money on buying X because they already have it in the Falcon-NEO. So it reduces the number of tools and also extra money they might have to spend there.

So Logicube also continues to educate their clients. You know, we do that on, I think on a daily basis, on how they can kind of force multiply both the inputs and outputs, right? Like we talked about, okay, I could get five connection points so I can get three connection points versus maybe the typical might think, well, every tool they’re buying they might connect one device. Well, if I have three users, I need three devices. Well, hold on a second, maybe I can buy a Falcon-NEO. And that satisfies that entire piece. So by, you know, kind of looking at force multiplying, like I said, with our tools, at the same time, it saves them money over the life span of their investment.

So that’s really kind of our goal here, we work on it all the time, daily. We always talk to all of our partners and all of our clients and how can we best help them. But like I said, I always go back to the fact that we can offer more than our, we call them peers, but competitors within our space, it is kind of a niche space, right? So we want to make sure that, when we’re talking to everybody, that they understand the capabilities and they don’t overlook some of that, right?

Some of those capabilities in their own can help folks cut down on the longer term costs. So we may not sell as many longer term, but we’re selling a far more robust solution. And from an investment perspective, it’s better for the clients, right? And in the end, you know, if they’re happy, if they hire more people and they have more needs, then that’s automatically going to mean more business.

So it’s not just about, can we have a client buy a product from us and every two years, which kind of used to be the old mainstay 10, 15 years ago. Now people are starting to ask the right questions. Okay, what if I buy this today? What’s the life expectancy like? How long — not just how long will it last, and not how long will Logicube support it, but all the different criteria that you’ve put in, if I grow with this tool, how many years can I get out of it? And that’s a very, very good question. So we try to educate from that perspective.

And I think that kind of rounds out what I really wanted to say today, because these are things that, like I said, that I think that when people are just looking at dollars and cents, they overlook really what the tool can do, we’ll say two, three, four, and then we start talking five, six years out. That’s kind of unheard of with technology. You know, folks who are looking to say, Hey, I’m going to buy this. And every couple of years I’m going to replace, just because it doesn’t have the right interface. It doesn’t support X. The new drive came out, right? And all of these, et cetera, et cetera, we kind of approach that.

I can’t say that we’ve nailed everything, Christa, as far as the Falcon-NEO platform. But I think with our array of offerings, as you see, I didn’t give you a laundry list of, you know, 10 or 15 devices we sell, because people don’t need that many. These are feature packed and you know, great investments. That’s really kind of how I want to round today’s podcast out.

But I also did want to mention, you know, in conclusion, [if anyone] has any questions for Logicube? I mean, simple URL is at logicube.com. That’s L-O-G-I-C-U-B-E.com. And if anybody has questions specifically regarding sales, even support, you know, pre-sales questions, doesn’t have to be specific to that. They could email sales@logicube.com, and we’d be more than happy to help them with any questions.

Christa Miller: Great. Well, Todd, thank you again. Thank you for that information and thank you again for joining us on the Forensic Focus podcast. Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.

