Forensic FieldStation brings stealth to hard drive data capture
- By John Breeden II
- May 03, 2013
The GCN Lab has looked at a lot of security and computer forensics products over the years. Everything from password cracking tools to photo chip recovery software has been tested and analyzed. But the WiebeTech Ditto Forensic FieldStation from CRU may be the most robust tool yet for a government investigator's arsenal.
We've seen portable drive cloning and imaging tools in the past, but the Ditto FieldStation is the first that didn't require an extra device, such as a laptop, to work in the field; it doesn't even need a technician to be present during the raid or covert operation.
The Ditto FieldStation is 4.92 inches by 6.77 inches, and is only 1.72 inches wide. It's made of aluminum, both to make the unit more rugged and to help it dissipate heat during constant use. In fact, there are no fans in the Ditto at all, making its operation completely silent. As a stealthy bonus, a special mode turns off all the LCD lights on the front panel, making it both quiet and dark. On the front panel, the buttons are soft and big. They can easily be used while wearing gloves, and they don’t emit any clicking sounds when pressed.
The unit is designed to attach to any system and capture the contents of the hard drives. As such, there are many interfaces to choose from, including SATA, eSATA, PATA, USB 2.0, and Ethernet. As protection against some new technology coming out and rendering the Ditto FieldStation obsolete, there is a row of ports designated for expansion. All of the ports on the input side of the unit are write-blocked, so there’s no chance of the unit writing any data to the suspect drive.
On the other side of the unit, things get really interesting. Outputs include dual SATA, eSATA (single, dual and mirrored) and Ethernet (iSCSI, CIFS/SMB/SAMBA, NFS, FTP). The dual SATA drive ports give the FieldStation the unique ability to both clone a drive and image a drive at the same time. We tested this, adding two different drives to the SATA ports. In a single pass, the system was able to create both a full clone and a complete disk image, with each one going onto a different drive. That can save a lot of time, and it gives investigators extra protection and documentation if needed for legal reasons.
There is one extra port at the top of the unit that could come in handy for truly covert operations. The Ditto FieldStation keeps an XML log file, which is stored on an SD card. That way a complete record is kept of every person who accessed a suspect machine, what was done, what was looked at and what, if anything, was copied from it.
Another feature that separates the Ditto from other similar units is that the outgoing Ethernet port can be used for remote monitoring and total control of the unit. That way the technician trained to do the field forensics work doesn't have to suit up in combat gear and go in with the team. The tech can be waiting at a secure location for the operations team to attach the FieldStation to a host computer.
CRU was nice enough to set up several computers around the world for GCN to hack. All the computers already had Ditto Forensic FieldStations attached to them. As an added bonus, Web cameras were positioned facing the computers the lab team was test hacking, though they were hardly needed.
The Web interface looks just like the front panel of the Ditto. And in many ways, it’s a lot easier. For example, from the remote interface, we could triage the suspect drives. That included opening files, performing a hex edit for metadata review and using the hdparm command line to get information about a drive and change its parameters. This auditing ability can help an investigator zero in on the exact files he needs to copy. We realize that, depending on the type of warrant being served or operation being performed, this level of control might not be desirable, or always legal, but it's nice to have that ability, especially in any situation where the gloves have truly come off. We had no trouble working with Ditto FieldStations that were hundreds or thousands of miles away. They all performed just as well as the unit we used for all the local tests inside the lab.
An additional feature that the Ditto FieldStation can employ is wiping a drive. In fact, feds will be happy to find that the unit has several pre-set modes for sanitizing drives according to classified information handling standards. Otherwise, the user can configure a unique erasing pattern before going into the field.
Speed varies greatly depending on which inputs and outputs are being used, the size of the drive and whether the unit is imaging or cloning a device. We can say that the Ditto did not seem to add any noticeable time to any of these processes, which we also tested locally without a unit in the middle.
The Ditto FieldStation can be plugged into power or run off a battery, for which it also has a port. It seems to be fairly power efficient and lasted for over four hours running off a standard three-cell computer battery. And the unit didn't heat up very much at all during operations; the hard drives we attached to clone and image got much, much hotter.
The WiebeTech Ditto Forensic FieldStation sells for $1,499, which includes the unit and a box of cables for all the input and output ports. For $1,649, the price includes a waterproof Pelican case, which is certified for all airplane travel. It is available from several GSA schedules.
Overall, we were highly impressed with the Ditto FieldStation. The compact unit is an incredibly powerful tool that could easily find a home with military, police and covert operations teams. Investigators who look at computer misuse or potential crimes in their agency could also find it useful. Even with all its features, the unit was incredibly easy to use, requiring very little in the way of training, especially when working with the remote interface. For the price, we feel that any computer crime fighter would be happy to have a WiebeTech Ditto Forensic FieldStation in his tool belt.