LOGICUBE FORENSIC FALCON®-NEO: A PRACTITIONER'S EXPERIENCE AND REASSESSMENT

By John (Zeke) Thackray, Churchill Fellow, FSS Dip


Copyright Notice: Material contained in this paper is the copyright property of Thackray Forensics Ltd and accredited authorities as stated throughout the publication. It may not be copied or used as part of any other presentation or document, electronic or hardcopy without the express permission of the relevant copyright holder.

First Published Friday, 12th July 2018 / Revised Friday 12th March 2021

BACKGROUND AND INTRODUCTION

ASSESSMENT OVERVIEW AND OBJECTIVES

Relevance and Necessity

Authentication, Reliability and Accuracy

Complies with Global Standards and Guidelines

Compatibility

Case Investigators – First Responders (CSI/SOCO’s)

Digital Forensic Examiners

FALCON®-NEO, “OUT OF THE BOX” USER FUNCTIONALITY

Appearance and Packaging

Physical Construction

Touch Screen – HDMI – USB 3.0 Host Ports

Network (Dual 10GbE ports)

Source and Destination Devices

Network Push Option

Configuration – System Settings

Non-Technical First Impression

KEY PRODUCT FEATURES

Performance and Speed

Wipe / Format

Multiple Image Formats and Imaging Ports

Destination Drive Encryption and Source Encrypted Drive Support

Destination Storage Drives – Encryption

Source Encrypted Drives

Source Write-Protected Capability

Destination Read/Write Capability

Source and Destination Flexibility

Network Analysis/Capture

Imaging Surface Pro 4+ / MacIntosh Systems

Multi-task

Multi-task Macro Management

Targeted and Logical Imaging

Audit Trail / Log Files

OPTIONAL FUNCTIONALITY AND ENHANCEMENTS

Mobile Device Capture

Cloud Storage Acquisition

PCIe Adapter Kit

2.5” / 3.5” IDE, 1.8” to SATA, 1.8” ZIF adaptors, flash media reader

USB 3 to SATA Adapters and power supply cables

Thunderbolt 3/USB-C IO Card

Fibre Channel Module

FireWire Module

SCSI Module

CONCLUSION

Relevance and Necessity

Authentication, Reliability and Accuracy

Complies with Global Standards and Guidelines

Compatibility

BACKGROUND AND INTRODUCTION

The first review of the Logicube Falcon®-NEO was performed in July 2018. Having successfully used the same unit in both an IT and a forensic investigative environment since then, it is time to update that assessment to include the many changes and enhancements that have been made to it. The objective of this paper is therefore to share the years of experience, knowledge, and hands-on testing, in both controlled and field environments, with organizations or individuals considering or using the Logicube Falcon®-NEO.

Some things will never change, and the most important phase of any digital investigation is the initial preservation and verification of potential evidence. If this is not achieved in a safe and reliable manner any future analysis may be jeopardized and considered inadmissible.

 

This updated review replaces the July 2018 assessment and is designed to assist organizations or individuals to streamline the quality assurance process when considering the use of the Logicube Falcon®-NEO without the influence of the manufacturer or other third-party competitors. The assessment and testing were performed in a controlled laboratory QA process. After the concepts were proven and the manufacturer's claims were validated, an extensive evaluation was then performed in a live environment across real evidence.

ASSESSMENT OVERVIEW AND OBJECTIVES

Prior to using any new or updated forensic hardware or software live within any digital forensic investigations, it is standard practice to conduct a quality assurance process, independent of a manufacturer’s statements of facts or claims to assess the following elements:

Relevance and Necessity

Any forensic product or its enhancements must be relevant and necessary to complement the objectives of an organization and the environment it is designated to operate in.

Authentication, Reliability and Accuracy

Assess its reliability and accuracy. (Authenticating the manufacturer’s statement of fact, ability, and functionality).

Complies with Global Standards and Guidelines

Complies with global guidelines, procedures, and unique local judicial regulations.

Compatibility

Compatibility with third party tools used within a unique forensic, IT security or legal operational environment.

Using these guidelines, the Falcon®-NEO was vigorously tested in both a controlled and live corporate and criminal investigative environment. The level of operators using the Falcon®-NEO varied between highly trained digital forensic examiners, case investigators and first responders with little or no in-depth technical background.

Case Investigators – First Responders (CSI/SOCO’s)

The CSI/SOCO’s were given the Falcon®-NEO user manual and extremely basic hands-on instruction. Their lack of scientific and technical knowledge and understanding of the concepts of digital evidence was more of an obstacle than the actual use of the Falcon®-NEO. They quickly grasped the basic evidence gathering concepts. However, the more advanced networking techniques were well beyond their ability and highlighted the need for more in-depth training, not only on the product but also on the theory of digital forensics and evidence gathering.

 

These investigators were provided with competing products, similar in operating concepts and abilities, as a comparison to the Falcon®-NEO. All investigators considered the touch screen interface of the Falcon®-NEO, and the ease with which a keyboard, mouse and HDMI monitor can be added, a useful feature that made the actual hands-on experience considerably more user friendly.

Digital Forensic Examiners

The digital forensic examiners were all familiar with the various hardware imaging solutions available in the marketplace comparable to the Falcon®-NEO. They all quickly became competent with the basic interface and navigated themselves around the Falcon®-NEO with ease. Some forensic examiners were less confident with the more advanced network functionality. Their understanding of the concept and need for a network functionality was limited until they were provided with specific scenarios. This once again highlighted that even highly trained digital examiners lacked basic knowledge and practical skills on the most important aspect of the forensic process, “the acquisition and preservation of data”.

One feature that was embraced by the digital forensic examiners was the multi-tasking feature and the versatility of combining different processes to run simultaneously. They were also impressed with the exceptional speed with which the forensic evidence imaging process and verification was performed. The Thunderbolt, Mobile Device Capture and Network Traffic and Cloud collation were some of the key features that raised eyebrows, interest, and enthusiasm.

FALCON®-NEO, “OUT OF THE BOX” USER FUNCTIONALITY

The overall look and feel of the newly improved Falcon NEO™ and optional modules are very impressive, particularly when comparing them to other competing and similar products in the marketplace. Its appearance and functionality have not only improved but exceed the expectations for modern day high-tech digital investigations compared to other products. Its design maintains the high quality of a product associated with Logicube.

The Falcon®-NEO host name can now be customized to a user’s requirements. This is useful if the unit is being used on a corporate network to acquire data during covert operations.

Appearance and Packaging

The standard carry case is made of heavy-duty luggage fabric and although compact, the contents may be vulnerable if used in some adverse environments such as a military field environment or criminal crime scene. It is strongly recommended to add the Pelican case, which is optional, and more appropriate if it is intended to be used in these types of environments. A nice aspect in the design is the size and weight, which conforms to the restrictions of handheld luggage if travelling by commercial air transportation. Both case options have plenty of storage area for both the cables and spare destination storage hard drives.

Physical Construction

The physical construction of the Falcon®-NEO is not “soldier proof”; the plastic outer case would not withstand excessive heavy handling in a battlefield or some crime scenes. This is also true for the majority of Logicube’s competitors, some of which have additional bulky hardware add-on accessories, where the standard Falcon®-NEO does not.

The availability of two DC in power ports is a nice touch for extra power when fully loading the unit with multiple source and destination drives to run various tasks. It also future proofs the system if new technology requires additional power supply to maintain stability when processing them. Only one power supply is provided out of the box. During the evaluation, every port was utilized, and a variety of simultaneous processes were executed. Only one power supply was used during the evaluation and there was no hint of any degradation to the power requirements.

 

Touch Screen – HDMI – USB 3.0 Host Ports

 

The 7” color LCD touch screen interface of the Falcon®-NEO is extremely user friendly, sensitive to the touch and simple to navigate through the various on-screen options. The brightness of the screen can be modified as desired and even turned off for “stealth mode” during covert operations.

 

The unit supports two USB 3.0 host ports at the front, which can be used for a mouse and keyboard. These two USB ports can also be utilized as Destination storage ports if required to save evidence to. An external monitor can also be added for better viewing using the HDMI port at the rear of the unit. This is extremely useful when working within a laboratory environment, particularly when used in combination with a mouse and keyboard.

 

Network (Dual 10GbE ports)

 

The Falcon®-NEO can be connected to an existing network and controlled through a web browser interface. It has two 10GbE ports at the rear of the unit. This is also immensely powerful and allows the connection of large NAS storage devices to the unit or a combination of both NAS storage and network connectivity.

 

The network ports can also be utilized to capture network traffic, which can then be examined within an array of third-party software tools.

 

Basic users accessing the remote operation with no network experience or limited knowledge had some difficulty, which was quickly overcome when following the remote operation instructions within the Falcon®-NEO User’s Manual. The fully illustrated guidelines are also provided with the Falcon®-NEO digitally and are simple to follow and easy to use.

 

Source and Destination Devices

 

The Falcon®-NEO has a variety of available ports for both source and destination devices. The ability and ease to control devices externally helps the user to process them with confidence and speed. The ease and access to connect both source and destination devices keeps the acquisition phase of the investigation simple and efficient, while maintaining integrity and continuity to the process.

 

The only negative comment that could be made about the unit is that some investigators did become confused about which side was the write-protected source and which the read/write destination. Although each side is clearly marked with its function, it would be less confusing if the label was on the top of the unit as well as the side. Regardless of the external labels, once the desired processing options are selected there are on-screen warnings to prevent any human errors connecting devices to the wrong area.

 

Network Push Option

 

The Push feature allows the transfer of data from the Falcon®-NEO to a network location, storage drive or a repository attached to the unit. The verification option at the end of the transfer is essential when archiving old cases or creating backups to maintain data integrity.

 

Configuration – System Settings

The Falcon®-NEO is simple to set up and, once settings are applied, the selections become persistent: they are retained in memory even if the unit is turned off and restarted.

 

There are eight different settings where a user can configure the Falcon®-NEO to their own unique operational protocols and requirements:

 

Setting | Overview
User Profiles | Configures a profile of the user’s choice such as how the Falcon®-NEO boots with their imaging preferences
Passwords | Added security for system functionality and user accounts
Encryption | Advanced security and protection of destination drives
Language/Time Zone | Language and time zone settings
Display | Brightness or Stealth/Covert mode
Notifications | Extremely useful. Once a task is completed, or an error occurs, a notification by sound or email/SMS/MMS or both is sent to the user
Advanced | APFS file to file imaging can be switched on or off
Debug | Used for technical support and it is recommended that it is only used when instructed to do so by Logicube Technical Support

The user manual that accompanies the Falcon®-NEO is in a .pdf digital format and is written in non-technical language with simple to follow photographic illustrations that cover the various functionalities. For the more advanced aspects and particularly the network preview, capture and acquisition modes the user must have some sound technical networking knowledge. The frequently asked questions and index at the end of the User’s Manual is most useful for nontechnical users. A glossary of terms and definitions for commonly used abbreviations would be a useful addition for field operators who are not familiar with technical computer or forensic jargon.

Non-Technical First Impression

Logicube have maintained a good visual appearance of the Falcon®-NEO, which continues to project a “geek” factor and scientific approach to digital forensics when observed by the average person. The Falcon®-NEO is without doubt good value for money when comparing the enhancement of features and the dramatic increases in speeds when processing evidence. This is particularly evidenced when running multiple processes simultaneously on one unit. The Falcon®-NEO is compact and packaged in a very professional way, which enhances the expert appearance of a forensic examiner to those not familiar with digital investigations or the process.

KEY PRODUCT FEATURES

This section covers the key features of the Falcon®-NEO and how it performed during the assessments conducted.

Performance and Speed

It is difficult to accurately judge the precise performance of any imaging tool when estimating the process speed. There are far too many variables to consider such as the make, model and type of drives, the volume and type of data contained within them, their format and ultimately the age and conditions of both source and destination drives. Equally, the format of the evidence files and the use of compression and verification will affect the speed in which evidence is gathered and secured. Some manufacturers do not consider the time to verify the image files created as part of the acquisition speed. As a forensic investigator this is a major factor and critical consideration when gathering potential evidence to ensure it is admissible in a court of law or legal hearing.

The verification of any potential evidence is an absolute requirement to ensure that continuity and integrity are maintained. However, when harvesting intelligence, in a civil matter where the law of probability is accepted, or when time is an issue, verification may not be viable. Therefore, having the ability to turn this feature on and off is valuable. Logicube have taken the image and verification process to another level and reduced the time for the entire process dramatically. This is achieved by running the verification process concurrently, commencing shortly after imaging starts. This is a very efficient feature compared to the traditional process used by many acquisition tools, in which verification runs sequentially after the imaging phase has completed. If quality destination drives are utilized the Falcon®-NEO can reduce the image and verify process significantly.
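The concurrent image-and-verify approach described above can be sketched as follows. This is an added example, not Logicube's implementation or code from the original paper; it assumes verification means re-reading the destination and comparing its hash with the hash of the data read from the source, and the function names, the corrupt_at hook and the 1 MiB sample source are constructed for illustration. SHA-1 is used only because it is the hash the assessment used.

```python
import hashlib
import os
import queue
import tempfile
import threading

CHUNK = 64 * 1024  # read/write unit; real imagers use much larger transfers


def image_with_concurrent_verify(src_path, dst_path, algo="sha1",
                                 chunk=CHUNK, corrupt_at=None):
    """Image src_path to dst_path while a second thread re-reads the
    destination behind the writer and hashes what actually landed there.

    corrupt_at (hypothetical test hook): byte offset to flip on its way to
    the destination, simulating a failing destination drive.
    Returns (source_digest, readback_digest, verified).
    """
    src_hash = hashlib.new(algo)
    dst_hash = hashlib.new(algo)
    committed = queue.Queue()      # lengths of chunks already flushed to disk
    errors = []

    def verifier():
        try:
            with open(dst_path, "rb", buffering=0) as rd:
                while True:
                    n = committed.get()
                    if n is None:              # writer has finished
                        return
                    while n:
                        data = rd.read(n)
                        if not data:
                            raise IOError("short read-back from destination")
                        dst_hash.update(data)
                        n -= len(data)
        except Exception as exc:               # surface thread errors to caller
            errors.append(exc)

    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        worker = threading.Thread(target=verifier)
        worker.start()
        offset = 0
        try:
            while True:
                block = src.read(chunk)
                if not block:
                    break
                src_hash.update(block)         # hash of what the source returned
                out = block
                if corrupt_at is not None and offset <= corrupt_at < offset + len(block):
                    i = corrupt_at - offset
                    out = block[:i] + bytes([block[i] ^ 0xFF]) + block[i + 1:]
                dst.write(out)
                dst.flush()
                os.fsync(dst.fileno())         # commit the chunk first...
                committed.put(len(out))        # ...then release it for read-back
                offset += len(block)
        finally:
            committed.put(None)
            worker.join()
    if errors:
        raise errors[0]
    s, d = src_hash.hexdigest(), dst_hash.hexdigest()
    return s, d, s == d


def verify_sequential(path, algo="sha1", chunk=CHUNK):
    """Traditional approach: a second full pass over the finished image."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def demo():
    data = bytes(range(256)) * 4096            # constructed 1 MiB "source drive"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.dd")
        with open(src, "wb") as f:
            f.write(data)
        good_path = os.path.join(tmp, "good.dd")
        good = image_with_concurrent_verify(src, good_path)
        bad = image_with_concurrent_verify(src, os.path.join(tmp, "bad.dd"),
                                           corrupt_at=700_000)
        second_pass = verify_sequential(good_path)
    return {"expected": hashlib.sha1(data).hexdigest(),
            "good": good, "bad": bad, "second_pass": second_pass}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both approaches arrive at the same digest for an intact image; the concurrent one has almost finished verifying by the time the last chunk is written, whereas the second pass costs another full read of the destination.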

 

It is important that the destination drives used to hold any potential evidence are fast and in good condition without any bad sectors etc. Ultimately, the speed data can be read and written to a drive will determine the actual time it takes to collect any potential evidence regardless of the forensic tool performing the task.

 

To maximize the performance in speed, high-quality and new destination drives should be used. Even then, if the source drives are of an inferior brand or aging, possess bad sectors, etc. the speeds will vary considerably.

 

Logicube state the Falcon®-NEO performs as described below:

“It achieves imaging speeds surpassing 50GB/min and can clone PCIe to PCIe at speeds of 90GB/min”

 

and

 

“Wipe at speeds of 30 GB/min for SATA drives and 72 GB/min for PCIe drives”

 

To establish the accuracy of this statement, a variety of different old and new types of hard drives, USBs, and mobile devices were used during this recent assessment, together with real life experience over recent years using the Falcon®-NEO. Throughout the evaluation and the years using it in digital investigations and an IT administrative environment, the Logicube statements were found to be accurate and reliable for both imaging and wiping processes. To further assess the Falcon®-NEO, it was compared against various competing forensic acquisition hardware and software tools with like for like functionality. The exact same source and destination drives were used on each forensic product. An .e01 evidence file was created using a SHA-1 verification with no compression. The Falcon®-NEO continued to consistently exceed the speed in acquisition and verification of all other products. Some products only acquired the data at the same speed without verification.

 

The Falcon®-NEO is particularly impressive in speed when running the Wipe/Format feature using all available destination ports. The only disappointment experienced in this feature is the default naming convention of the drives to the title “Repository” when formatting. It would be nice to uniquely customize the drive title at the time it is formatted.

Wipe / Format

Sterilization of recycled storage devices between cases has always been an important phase of any digital investigation to prevent cross contamination between investigations, particularly if they are of a similar nature. The Falcon®-NEO now supports the ATA sanitize command and Secure Erase for supported nonvolatile memory express (NVMe) drives. Destination drives and repositories, as the names suggest, are typically where evidence files are stored. Additional support to format a destination drive has been added for HFS+, EXT2 and EXT3, which once again enhances the flexibility of the Falcon®-NEO.

Multiple Image Formats and Imaging Ports

 

The Falcon®-NEO complements every computer forensic analysis tool and e-Discovery platform used in the marketplace. The evidence file formats it creates can now be read using the inbuilt file browser to perform a quality assurance check. They can also be added and examined by any of the leading analytical forensic tools globally available today.

 

There are seven available imaging modes within the Falcon®-NEO:

 

Mode | Process
Drive to File | Images the source to a DD, E01, EX01 or DMG file format
File to File | Creates logical files to a LX01, L01, Zip or directory tree. An MFT report can also be generated to identify deleted files, which is extremely useful
Partition to File | Creates a logical image in a DD, E01, EX01 file format. Bitlocker is also supported but requires the password
Net Traffic to File | Captures network traffic and can include network, internet and VOIP activity
Drive to Drive | Creates a bit for bit copy from source to destination drives
File to Drive | Restores a DD, E01, EX01 and DMG images providing they were originally created by the Falcon®-NEO
*Mobile to File | Extracts data from iOS (up to iOS 13.3) and Android (4.0 to 10) devices.

*This is an additional annual subscription option

The Falcon®-NEO can “reverse read” any bad sectors encountered. Over the years this technique has found data missed by many products that do not have this ability. Reverse read simply skips the bad sector and reads it backwards, potentially capturing data that otherwise would have been marked with zeros, which is a great feature.

Another enhancement that was very impressive is the ability of the Falcon®-NEO to now resume an imaging process for drive to drive, drive to file or partition to file if the power to the unit is interrupted or a task is aborted. This feature can also be set to automatically resume once power is reconnected.

A user can create, rename, or delete folders on a destination drive or repository using the Falcon®-NEO, which provides much more flexibility in the data management process.

The Falcon®-NEO now supports Apple File System (APFS) format, which can also be viewed using the inbuilt file browser. However, this option is not switched on by default and must be turned on in the system settings screen, advanced tab before commencing this process.

Destination Drive Encryption and Source Encrypted Drive Support

The Falcon®-NEO can encrypt the storage drives, which improves the security of harvested evidence. It can also identify any potential encrypted drives and if the password is known for some types can open the containers to expose the data within them.

Destination Storage Drives – Encryption

The Falcon®-NEO supports the ability to encrypt the destination drive where the evidence files are created and saved. This is particularly useful if transporting potential evidence using public courier services or protecting sensitive case information.

Source Encrypted Drives

If the source drive is encrypted with ATA security, OPAL, VeraCrypt, TrueCrypt, Filevault or Bitlocker, a padlock icon will appear next to its details. Selecting the padlock icon allows the password to be applied to unlock the drive. If the encryption type is not known, a message will be presented warning the user that the drive or any available partitions may potentially be encrypted. As users become more security aware, particularly in a corporate environment, this is a nice touch and potentially saves many hours acquiring data only to discover it is encrypted at the analysis phase.

Even without the array and flexibility of additional options available for the Falcon®-NEO, the out of the box system is adequately equipped to handle most scenarios with the diversity and broad range of technologies a digital forensic examiner will encounter. Significantly important are the availability of a variety of different ports and robust cables, which are easily accessed for speed. These can also be utilized in combination with each other.

 

 

Source Write-Protected Capability

 

A maximum of six write-protected source devices can be connected at a single time: two SAS/SATA, one USB 3.0 and one PCIe. Two optional write protected Thunderbolt 3/USB-C I/O cards can also be added if required.

 

Destination Read/Write Capability

 

A maximum of nine destination devices can be connected at one time: two SAS/SATA, two SATA, three USB 3.0 (one on the destination side and two at the front of the unit if not used for a mouse or keyboard) and one PCIe. One optional write protected Thunderbolt 3/USB-C I/O card can also be added if required.

 

There are also two 10GbE network ports, which can also be utilized for super-fast NAS destination storage or network imaging/storage and cloud collection.

 

Source and Destination Flexibility

 

Using a powered USB hub on either the source or destination sides can also significantly increase the flexibility of options, particularly if used in conjunction with the optional USB 3 to SATA adapters available from Logicube. Adding the Thunderbolt, FireWire, SCSI, and Fibre Channel modules to either the source or destination sides makes the Falcon®-NEO the most versatile and flexible all-encompassing digital imaging solution available by any manufacturer.

 

Network Analysis/Capture

 

Logicube have significantly improved the ability to perform network analysis and capture in the following areas:

 

  • Capture network traffic, internet activity and
  • Sniff data on a network and store captured packets on a destination drive connected to the Falcon®-NEO.
  • Span the Net Traffic to File images over two or more Destination drives. The captured data is saved to a .pcapng file format, which can be examined by many third-party analysis tools.

 

The contents of a mounted network repository can also be viewed with the inbuilt file browser.

 

GUI support has also been added for multiple iSCSI connections, which is important if multiple NAS units are available across a network for data to be written to.

 

Imaging Surface Pro 4+ / MacIntosh Systems

 

As technology develops and devices become more sophisticated in their architecture the ability to recover potential evidence quickly and safely from within them is equally challenging and complicated. The Falcon®-NEO meets these challenges head on and can acquire data from such devices as a Surface Pro 4+, and MacIntosh systems in the following ways:

 

  • The ability to image a laptop without removing the internal hard
  • Create a forensic bootable USB flash drive to image a source drive from a computer on the same network without booting the computers in their native O/S
  • Supports Surface Pro 4+
  • Supports Macintosh systems target disk mode

 

Multi-task

The collection of large volumes of time sensitive information is critical in modern day digital investigations. Forensic examiners are often required to quickly assess if data can be eliminated, preserved in its entirety or a selective harvest of relevant information is to be collected. With the increasing high capacity of devices available to the average person, the task of harvesting and processing data from them is growing out of control. The Falcon®-NEO has taken the speed and functionality of the harvesting process to a completely new level.

Multi-task Macro Management

The Falcon®-NEO has been developed to eliminate both time and effort and can be configured to run a maximum of five multi-task macro processes, each of which can run nine tasks sequentially.

 

To validate this functionality and replicate a live scenario, the unit was configured to run a series of tasks as follows:

 

Macro | Task | Process | Destination / Source Port | Media
Macro 1 | Task 1 | Wipe Drive (Custom) | Destination Port 1 (D 1) | 250 GB SSD
Macro 1 | Task 2 | Image 1 (L01) | Network Port 1 (LAN 1) | Cloud Storage – Dropbox
Macro 2 | Task 1 | Wipe Drive (Custom) | Destination Port 2 (D 2) | 250 GB SSD
Macro 2 | Task 2 | Image 2 (Mobile Device Capture) | Source Port (USB 1) | iPhone 8, iOS 12.5
Macro 3 | Task 1 | Wipe Drive (Custom) | Destination Port 3 (D 3) | 250 GB SSD
Macro 3 | Task 2 | Image 3 (E01) | Source Port (S 1) | 100 GB
Macro 4 | Task 1 | Wipe Drive (Custom) | Destination Port Thunderbolt Drive (TBT D 1) | 2 TB SanDisk Removable Drive
Macro 4 | Task 2 | Image 4 (EX01) | Source Port Thunderbolt Drive (TBT S 1) | 1 TB SanDisk Removable Drive
Macro 4 | Task 3 | Hash Device | Destination Port Thunderbolt Drive (TBT D 1) | 1 TB SanDisk Removable Drive
Macro 5 | Task 1 | Wipe Drive (Custom) | Destination Port (D 4) | 250 GB SSD
Macro 5 | Task 2 | Image PCIe | Source Port (PCIe SCSI Module S 1) | 100 GB SCSI

The slowest device in the configuration controls the performance of the multi-task processing. The key advantage of multi-task macro management is the significant saving in time and man hours. Large volumes and a variety of data can be processed out of normal hours, such as over a weekend.

Using the notifications in conjunction with multi-task macro processing an email or the new SMS option can be sent when the process has finished or even if an error occurs. Setting up each macro and its associated tasks was extremely simple and there appeared to be no significant difference in speed of each process between single or multi-task processing.

The multi-task management feature allows investigators to configure the Falcon®-NEO for a variety of scenarios and save each processing session for use later. Building a library of sessions allows multiple users who do not have daily hands-on experience to confidently process and manage evidence. This also ensures that first responders and forensic examiners replicate best practice when gathering digital evidence.

Targeted and Logical Imaging

An extremely useful feature of the Falcon®-NEO is the Targeted/Logical Imaging feature. There are four key filtering options, which not only reduce the acquisition time but also ensure that quality and appropriate data is recovered.

 

Path Filter. An investigator can navigate through a device of interest using the simple browser interface and select the files or directory structure relevant to the investigation. The preset filter option allows more permanent automated filtering options, such as include all users’ directories or exclude Windows directories. A custom file path filter can also be added if required.

 

Date Filter. Often in a civil litigation a court will restrict the data being harvested by a date range. The Falcon®-NEO now has a date filter option to include or exclude a date range of the information being harvested.

 

Signature Filter. This is another useful feature that specifically targets documents, audio, images, videos, or archive type data and is run after a path or date filter.

 

Keyword Filter. A list of keywords relevant to the investigation can also be run after any previous filters have been applied. This will naturally reduce the data being harvested further.

 

When filters are used collectively with keyword searches only specific and relevant files are harvested. The Falcon®-NEO allows a very versatile output format, which can be either L01, LX01, ZIP or a directory tree structure. The L01 or LX01 formats now have the option to change the segment size and compression, again a useful enhancement to manage the final output. The ability to generate an MFT audit log is also extremely useful to quickly identify the presence of deleted files.
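The four filters, applied in the order described above (path, date, signature, keyword), can be sketched as a small collection script. This is an added example, not the Falcon®-NEO's implementation or code from the original paper; it assumes the date filter uses the file modification time and the signature filter matches leading magic bytes, and the function names, signature list and sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Magic numbers for the classes the signature filter targets (small subset).
SIGNATURES = {
    "document": [b"%PDF-"],
    "image": [b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n"],
    "archive": [b"PK\x03\x04"],
}


def classify(head):
    """Return the signature class for the first bytes of a file, or None."""
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None


def has_keyword(data, keywords):
    """Case-insensitive match on the UTF-8 and UTF-16LE forms of each keyword."""
    low = data.lower()
    return any(k.lower().encode(enc) in low
               for k in keywords for enc in ("utf-8", "utf-16-le"))


def targeted_collect(root, include, exclude, start, end, kinds, keywords):
    """Apply path -> date -> signature -> keyword filters and return a sorted
    manifest of (relative_path, kind, sha256) for files passing all four."""
    manifest = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # 1. Path filter: keep included prefixes, drop excluded ones.
            if include and not rel.startswith(tuple(include)):
                continue
            if rel.startswith(tuple(exclude)):
                continue
            # 2. Date filter (assumption: modification time, in UTC).
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            if not start <= mtime <= end:
                continue
            with open(full, "rb") as f:
                data = f.read()            # fine for a demo; stream large files
            # 3. Signature filter: judge by content, never by extension.
            kind = classify(data[:16])
            if kind not in kinds:
                continue
            # 4. Keyword filter, run last on what is left.
            if keywords and not has_keyword(data, keywords):
                continue
            manifest.append((rel, kind, hashlib.sha256(data).hexdigest()))
    return sorted(manifest)


def demo():
    """Build a constructed evidence tree and run the four filters over it."""
    in_range = datetime(2020, 6, 15, tzinfo=timezone.utc).timestamp()
    too_old = datetime(2018, 1, 1, tzinfo=timezone.utc).timestamp()
    sample = {  # path: (content, mtime); every entry is constructed
        "Users/alice/report.pdf": (b"%PDF-1.4\nQuarterly invoice summary", in_range),
        "Users/alice/notes.txt": (b"\xff\xd8\xff\xe0 exif: INVOICE scan", in_range),
        "Users/alice/old.pdf": (b"%PDF-1.4\ninvoice 2017", too_old),
        "Users/alice/fake.pdf": (b"plain text about an invoice", in_range),
        "Users/bob/memo.pdf": (b"%PDF-1.4\n" + "Invoice".encode("utf-16-le"), in_range),
        "Users/bob/holiday.pdf": (b"%PDF-1.4\nbeach photos", in_range),
        "Windows/System32/help.pdf": (b"%PDF-1.4\ninvoice help", in_range),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, ts) in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
            os.utime(full, (ts, ts))
        return targeted_collect(
            root, include=["Users/"], exclude=["Windows/"],
            start=datetime(2020, 1, 1, tzinfo=timezone.utc),
            end=datetime(2020, 12, 31, tzinfo=timezone.utc),
            kinds={"document", "image"}, keywords=["invoice"])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The sample shows why signature matching matters: the JPEG named notes.txt is collected and the text file named fake.pdf is not. A raw keyword search like this one will not see text inside compressed containers, so a missed hit does not prove absence.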

The data collected can be either reviewed directly on the Falcon-NEO display, or managed over a network from a forensic workstation using a web interface to access the unit remotely.

Targeted and logical imaging allows investigators and organizations to perform sensitive evidence gathering over large network environments or individual devices, while maintaining an efficient, accurate and reliable evidence collection to ensure the integrity and continuity of the process.
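The filter order described in this section (path and date first, then signature, then keyword) can be illustrated with a short Python sketch. This is an added example, not Logicube's implementation and not part of the original paper; the function names, the sample tree, the keyword "kestrel" and the reading of "signature" as leading magic bytes are all assumptions made for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: "signature" means leading magic bytes, not the file extension.
SIGNATURES = {
    "documents": (b"%PDF-",),
    "images": (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n"),
    "archives": (b"PK\x03\x04",),
}

def category_of(header):
    return next((c for c, m in SIGNATURES.items() if header.startswith(m)), None)

def collect(root, include, exclude, start, end, categories, keywords):
    """Apply path -> date -> signature -> keyword; return (manifest, audit)."""
    manifest, audit = {}, {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if not rel.startswith(tuple(include)) or rel.startswith(tuple(exclude)):
            audit[rel] = "excluded: path"
        elif not start <= mtime <= end:
            audit[rel] = "excluded: date"
        else:
            # Content is read only after the cheap metadata filters pass.
            data = p.read_bytes()
            if category_of(data[:8]) not in categories:
                audit[rel] = "excluded: signature"
            # Raw byte search: misses text inside compressed containers.
            elif keywords and not any(k.lower().encode() in data.lower() for k in keywords):
                audit[rel] = "excluded: keyword"
            else:
                manifest[rel] = hashlib.sha256(data).hexdigest()
                audit[rel] = "collected"
    return manifest, audit

def demo():
    """Run the filter chain over a constructed sample tree."""
    day = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    samples = {  # constructed sample data: path -> (content, modified time)
        "Users/alice/invoice.pdf": (b"%PDF-1.4 Project Kestrel invoice", day(2020, 6, 1)),
        "Users/alice/old.pdf": (b"%PDF-1.4 Project Kestrel draft", day(2017, 1, 1)),
        "Users/alice/holiday.pdf": (b"\xff\xd8\xff\xe0 JPEG renamed .pdf", day(2020, 6, 2)),
        "Users/bob/notes.pdf": (b"%PDF-1.4 shopping list", day(2020, 7, 1)),
        "Windows/system.pdf": (b"%PDF-1.4 Project Kestrel", day(2020, 6, 1)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (content, when) in samples.items():
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
            os.utime(f, (when.timestamp(), when.timestamp()))
        return collect(tmp, ["Users/"], ["Windows/"], day(2020, 1, 1),
                       day(2020, 12, 31), {"documents"}, ["kestrel"])

if __name__ == "__main__":
    print(demo()[1])
```

The per-file audit dictionary records why each file was left out, which is what lets a reduced collection still be explained and defended afterwards.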

 

Audit Trail / Log Files

The audit trail/log files provide detailed information on each operation conducted. The log file can be reviewed directly on the display of the Falcon®-NEO or via a web browser. Logs can also be exported in an XML, HTML or PDF format to a destination device connected to the unit. In addition to the audit logs, S.M.A.R.T. data logs pre and post capture are generated and can be exported together with the audit log files from the LOGS screen.

OPTIONAL FUNCTIONALITY AND ENHANCEMENTS

The Falcon®-NEO encompasses an array of options compared to other products available in the marketplace and although the main unit itself is more than adequate for most cases, there are often occasions when unique scenarios and drive types play an integral part in a digital investigation. With foresight and experience in the digital extraction and preservation field, Logicube has designed a wide range of additional solutions that complement and enhance the functionality of the Falcon®-NEO. If these are not purchased at the time they can always be added as and when required. The optional functionality and equipment to complement the Falcon®-NEO, as listed below, were also vigorously tested as outlined throughout the various sections of this assessment:

Mobile Device Capture

The mobile device capture option is an annual renewable software subscription solution. It currently supports iOS and Android v4.0 and above devices. An iTunes backup is performed for unlocked iOS devices. A physical extraction is performed for rooted Android devices and a logical extraction for non-rooted devices. The Falcon®-NEO does not have the ability to decrypt a device and the user’s password must be known. However, this is also the case with most mobile forensic acquisition solutions. Some do have the ability to decrypt the log on credentials but often at a substantial additional cost to an already expensive solution.

There are two particularly important advantages with the mobile device capture:

  • It is extremely easy to use with a simple interface that replicates the same sequence of options used when acquiring physical drives. Even non-technical operators can safely and quickly perform an extraction of an iOS or Android device using the Falcon®-
  • It is exceptionally more cost effective than other available solutions in the

 

Mobile device capture extracts the key elements typically required during most digital investigations, such as messages, call logs, website history, contacts, wi-fi settings, photographs, and videos etc. Obviously much more data can be harvested if a physical extraction is performed on an Android device.

This is an exceptionally good additional option and a must have feature, particularly for small organizations or individuals with no mobile forensic capability and minimal budgets. The use of mobile device capture will extend their investigative skillset and ability when budgets do not allow the more expensive solutions. Although limited to iOS and Android devices, from a practical perspective these types of mobile phones account for the majority that are typically encountered in a criminal enquiry or used in a corporate environment. Therefore, having this option available in a single piece of equipment, together with the variety of data capture options the Falcon®-NEO possesses, is both an efficient and extremely cost-effective way to add a mobile device capture capability to any organization.

Cloud Storage Acquisition

The cloud storage acquisition option is also an annual renewable software subscription solution in the same way as the mobile device capture feature. It currently supports Microsoft OneDrive, Google Drive and Dropbox. The log on credentials for the respective storage area are required to successfully perform an extraction of data from it. The data from the cloud storage can be saved locally in an L01, LX01, ZIP file or as a directory tree structure replicating the respective storage area.

Using the File-to-File functionality the process to harvest the information is a simple step by step operation that even non-technical users can perform. With the growth of offsite storage being used by most users, this feature is again a must have solution to ensure a full investigative capability can be exploited leaving no data behind or unavailable for examination.

PCIe Adapter Kit

The PCIe adapter kit is another must have option as drives become more compact across the variety of systems available. The PCIe adapter kit includes cards for the M.2 PCIe, M.2 SATA, M.2 NVMe, mSATA, PCIe and mini-PCIe drives. These are easy to use and attach to the PCIe slots on the Falcon®-NEO.

2.5” / 3.5” IDE, 1.8” to SATA, 1.8” ZIF adaptors, flash media reader

These adaptors and flash media reader are useful additions if encountering devices of this type. Often, it is the absence of the simplest of things such as the availability of a flash media reader that halts the investigation in its tracks.

USB 3 to SATA Adapters and power supply cables

The USB 3 to SATA adapters with power supply cables are extremely useful additions and allow much more versatility to the Falcon®-NEO, adding additional source or destination drives to the USB ports for increased processing and efficiency. This is a must add feature for large investigations and eDiscovery type acquisitions involving many physical drives to be preserved in a limited amount of time. The additional power slot at the back of the unit is used to power the adapters and ultimately power the additional drives.

Thunderbolt 3/USB-C IO Card

One of the distinguishing features of the Falcon®-NEO is its scalability and being future-proof. The Falcon®-NEO has the capability to integrate new technologies and interfaces that may appear through the deployment of IO cards, the first and current instance of which is the TBT card. The Falcon®-NEO is the only forensic imager in its class (high-end, portable, and field-ready) to offer support for Thunderbolt.

There are currently three available Thunderbolt 3/USB-C IO card slots on the Falcon®-NEO, two on the source side, which are write protected ports, and one on the destination side, which is a read/write port. These are excellent when encountering removable drives such as the Samsung and SanDisk portable external drives, which were used during the test as both a source and repository drive. The processing speeds were again consistent with Logicube’s claims.

The installation of the IO card is easy and straightforward and does not require any significant technical expertise. Logicube even provide a screwdriver with picture step guidelines to install it.

It is highly recommended that at least one Thunderbolt 3/USB-C IO card is added to each side of the Falcon®-NEO to take advantage of the enhanced functionality, capability, and flexibility.

Fibre Channel / FireWire / SCSI Modules – General

The Fibre Channel, FireWire and SCSI modules can all be connected to either the source, write protected or destination read/write PCIe ports. They are exceptionally durable add on modules and the cable ribbon, which is permanently connected and held firmly in place by a unique storage mount, can be quickly and simply attached to the desired PCIe port on the Falcon®-NEO.

All the features and functionality of the standard Falcon®-NEO are also available for the three optional modules, such as evidence file formats, drive to drive, encryption, task macro and concurrent image with verification processing etc. The speed, performance and stability were again consistent with the general functionality of the Falcon®-NEO and Logicube claims.

Each solution is delivered in a standard heavy duty cardboard box, 13” x 9” x 4”, and all three together weigh approximately 9 lbs. Although these boxes have more than adequate protected packaging, they were further inserted into a Pelican box for security and ease of transportation. It would be nice to have the option for a purpose cutout Pelican case to host all three modules and accessories.

Fibre Channel Module

The Fibre Channel module is a hardware solution that attaches to the Falcon®-NEO and supports drives using a 40-pin SCA-2 connector and enclosures with a small form-factor pluggable (SFP) connector. The out of the box solution allows the creation of evidence files from or to a fibre channel drive and/or enclosures. It can also capture data from one 40-pin fibre channel drive to one SFP drive or vice versa. If the Fibre Channel module is added, a must have is the optional kit (Part# F-DP-FC-KIT), which allows the cloning of a 40-pin drive to another 40-pin drive.

FireWire Module

The FireWire module is extremely useful: it supports not only FireWire enclosures but also the imaging of a Mac system when it is in target disk mode. It comes standard with a 6-pin FireWire 400 6ft cable and a FireWire 800 to 400 converter connector. A Mac system with a Thunderbolt port can also be connected to the module using any off-the-shelf Thunderbolt to FireWire adapter. The FireWire module was vigorously tested on several Mac systems that were booted in target disk mode and once the connection was authenticated the simple Falcon®-NEO processes were successfully applied even by the less experienced forensic examiners and investigators.

SCSI Module

The SCSI module provides a 68-pin SCSI port as standard, with 50 and/or 80 pin adapters available if required. The adapters are a must have if adding the SCSI option to complement the Falcon®-NEO. The SCSI module can be added to the PCIe port as either a source, write protected or a destination, read/write device. Some forensic hardware manufacturers have ended the life for SCSI support for their digital forensic solutions, but surprisingly these types of drives are still around and often appearing in both criminal and civil investigations.

CONCLUSION

Logicube forensic imaging solutions have been for many years a leading forensic component used around the world by leading government, law enforcement, military, and corporate organizations. The Falcon®-NEO was vigorously tested initially in 2018 and has been used extensively in both a laboratory and field operational environment ever since. With the introduction of innovative new and enhanced features, which include cloud storage acquisition, mobile device capture and Thunderbolt, Fibre Channel, FireWire and SCSI hardware accessories, a review and further vigorous testing was performed.

In accordance with best practice the following is a review of the manufacturer’s statements of facts and claims together with an independent physical hands-on assessment:

Relevance and Necessity

It is globally accepted that the most important phase of any digital investigation is the initial harvesting and preservation of potential evidence, while maintaining the continuity and integrity of it. The average size of data now encountered on even basic digital investigations can be measured in high volume terabytes. Logicube have once again exceeded all expectations with the enhancements and new optional modules available for the Falcon®-NEO. They have clearly maintained pace with technology, listen to their users’ requirements and always look ahead to new initiatives and developments. For the first time investigators have the ability and benefit of high-speed computer media imaging, network traffic and cloud collections together with a mobile forensic capability using the same hardware.

The increased enhancements in functionality and capability of the Falcon®-NEO with a variety of devices supported, encryption, mobile device capture, network traffic and cloud collections, with remote operating, once again demonstrates that Logicube remains a global leader in the field of data imaging and ahead of its competitors with the all-encompassing new features and options available in the Falcon®-NEO.

Authentication, Reliability and Accuracy

The enhanced touch-screen interface and variety of options available continue to give the Falcon®-NEO a very professional and feel-good factor, leading the way in digital forensic imaging. Statements by any manufacturer professing speeds in processing are always ambiguous but again in reality, the Falcon®-NEO performed admirably against its main competitors and always exceeded any software acquisition solution tested with today’s technology available. The speeds in acquisition of between 50GB to 90GB per minute and wiping at 30GB to 70GB per minute as validated are simply phenomenal. The concurrent verification enhances the efficiency of data acquisitions and the speed at which they can be performed to ensure the continuity and integrity of data collected. The speeds achieved both in a laboratory and field environment not only meet the requirements when handling high volume sophisticated business systems but also the extremely large capacities of standard home computers now being encountered even in small digital investigations.

The ability to automate and selectively harvest information is critical for investigations involving privacy or e-Discovery requirements. The increased capability of date range, file type and keyword filtering further increases the efficiency and quality of data collected. Many of the features of the Falcon®-NEO are considered standard and are expected from such a product but the combination of the macro-task, network, cloud, and mobile device capture functionality allows greater diversity in the use of such a tool and simplifies the process for non-technical first responders.

The Falcon®-NEO should not be considered just as a forensic, criminal, or civil litigation solution. It should also be considered by IT security consultants, system administrators and system auditors when identifying and harvesting information during routine non-criminal investigations. It also has many features that are necessary for generic IT maintenance and management, such as the capturing of network traffic for analysis and the wiping functionality that will remove information beyond recovery when recycling systems within an organization or releasing them for sale to a third party.

As a user of other competitive products that are similar, Logicube have surpassed all expectations with the new enhancements and optional modules now available for the Falcon®-NEO. This is particularly evidenced when considering not just the speed at which it processes but the additional advanced features, functionality and support it now provides with mobile device capture, cloud storage acquisition, Fibre Channel, FireWire, SCSI and Thunderbolt options.

In comparison to other digital forensic imaging solutions in the marketplace today, from a hands-on comparison and vigorous testing, Logicube has once again produced the most complete, state of the art, extremely user-friendly solution for digital forensic investigations and IT management with the Falcon®-NEO. The many features and functionality of the Falcon®-NEO continue to exceed those of its competitors and as such the consistent advancements in functionality, processing and reliability are not only superior but critical for today’s highly developing digital investigative and IT management world.

Complies with Global Standards and Guidelines

The simple and automated functionality, which includes remote access as required, provides a fail-safe solution for first responders and investigators to ensure consistency and best practice guidelines are not only adopted but adhered to and guaranteed. This is a must have tool in any forensic or IT security/management department, which complies with global standards and guidelines.

Compatibility

The Falcon®-NEO produces evidence files and data that are compatible with all major computer, mobile forensic, IT security and eDiscovery analysis and processing tools. The time saved with this all-in-one solution with its simple but secure data analysis and harvesting is a financial investment and will save many person hours in the long term.

Having conducted an assessment and reassessment of the Falcon®-NEO together with the years of using it in an operational environment, it is without doubt the “Best in Class” solution among the digital forensic imagers in its tier. It is also the “premier” portable forensic imager in the marketplace at the present time and a must have solution for all digital forensic, cyber security or specialist information technology practitioners.