Note

The document outlines the procedure for logical imaging using the File to Drive Mode, detailing steps for collecting and documenting devices, obtaining consent, and preparing for imaging. It includes instructions for connecting the Falcon device, selecting imaging settings, and managing output formats. Additionally, it emphasizes the importance of proper documentation and verification throughout the imaging process.

Uploaded by

jainflamingo

Imaging By File to Drive Mode (Logical Imaging)

Note:
• File to Drive Mode is used for the server extraction method, cloud storage acquisition, and the file-to-drive acquisition process.
• Restore Falcon-NEO2 created DD, E01, Ex01, and DMG image files to their original state.

Step 1:
• Collect the Laptop/Desktop/HDD/SSD from the custodian/client, note down the collection date and time in the ‘COC’ form, fill in the general details, and take the custodian's/client's signature on the ‘COC’ form.
• Check with the client's IT team whether any kind of encryption is in use on the system; if yes, ask the client to provide the encryption key.

[Figure: COC Documents]
Step 2:
• Consent Letter: If the Laptop/Desktop/HDD/SSD is personal property, it is mandatory to obtain the custodian's signature on the consent form before starting imaging. (If the custodian's signature is not on the consent form, imaging should not be performed.)
• If the Laptop/Desktop/HDD/SSD belongs to the company, there is no need to complete the consent letter. Obtain a written email confirming that the device belongs to the company and is company property.
Step 3:
Prepare sticky notes containing the following information:

• Project Name:
• Evidence Tag:
• Custodian Name:
• Date & Time:
• Laptop Make:
• Model:
• SSD/HDD Make:
• SSD/HDD Model:
• Capacity:
• Serial Number:
• Location:
Step 4:
• Attach the sticky notes to the source drive and take photos of:
  o All sides of the source drive
  o Notable damage (if any)
Step 5:
• Turn on the Falcon device.
1. As shown in the image below, connect one end of the charger to the Falcon device via the DC port, and plug the other end of the charger into the switchboard.
[Figure: charger connection, labelled "Towards switchboard" and "Towards Device"]

2. To turn on the device, press and immediately release the power button located in the top right corner.
[Figure: location of the power button]

3. The device will start immediately, and the Logicube interface will appear, as shown in the image below.
[Figure: Logicube interface]

Step 6:
Connect the source drive to the left side and the destination drive to the right side of the Falcon Logicube device using a suitable connector.
Step 7:
• Extraction Procedure:
1. Click on ‘Imaging’ on the left side of the display.

2. Click on the ‘Mode’ option to select the mode.

3. After selecting the ‘Mode’ option, click on ‘File to Drive Mode’.
4. Then click on the ‘Source’ option.
5. Choose the source from the list of connected drives, then tap the OK icon.
6. Click on the ‘Setting’ option.
6.1. First, fill in the case information. In Case Information, enter the Case/File Name, Evidence ID, Case ID (as per barcode system), Examiner Name, and Case Notes (if any).
• Case/file Name: Evidence Tag
• Evidence ID: Evidence Tag
• Case ID: Evidence Tag
• Examiner Name: ECPL officer Name
• Case Notes: The case notes should contain the details mentioned below:
o Project Name:
o Asset Tag:
o Custodian Name:
o Laptop Make:
o M/N:
o S/N:
o SSD/HDD Make (Media information):
o M/N:
o S/N:
o Capacity:
o Asset Tag:
o LBA:
o Location:

6.2. Select the Output Format setting. Select the file format (L01, LX01, Directory Tree, MFT Report, ZIP Archive & AFF4 Image).
Choose the file format as per requirement:
File Format: Result
• L01 and LX01: Results will be in EnCase L01 and LX01 archive format.
• Directory Tree: All results will be written in a directory tree format. All files will appear in the same directory structure as found on the Source drive.
• MFT Report: Results will list deleted files (if present) in the audit log file that can potentially be restored or recovered.
• Zip Archive: Results will be in a Zip archive format.
Also set the Segment Size as required (preferably 2 GB). Compression should be kept ON.

6.3. Click on ‘Advance Filter Settings’. It will show the Path Filter, Date Filter, File Signature, and Keywords options.

6.4. Clicking on Path Filter allows you to select specific files or directories within the drive. You can also add a preset filter or a custom filter to narrow down the search.

6.4.1. Clicking on the Date Filter option lets you set included or excluded dates as needed.

Fig. 38

6.4.2. Clicking on the File Signature option lets you select a specific file type, such as document, audio, or video files. Only the selected file types will be imaged.

Fig. 39
6.4.3. Keyword search allows you to select a specific user.

6.5. Select the Hash Method and the Verify option.

You can also choose the folder in which the image is stored by selecting ‘Capture Path’. There you can also create a new folder, or delete or rename a folder.

6.6. Then click on ‘Start’.

6.7. Once the imaging is completed, click on the reset task option.

6.8. To check the imaging report, click on the ‘Log’ option, select the source drive
which you have imaged, and click on the view option to view the report.

6.9. The report will show the following details: Logicube product details, imaging
operation parameters, hash information, hash verification information, case details,
source and destination drive details including the size, partition, and encryption details
of both drives.
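
For the Directory Tree output format, the hash details in the imaging report can be supplemented with a per-file manifest taken right after imaging and rechecked whenever the evidence copy is moved or handed over. The following is an added example, not part of the original procedure or of the Falcon's software; the folder names and file contents are constructed, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path relative to root ('/' separators) to its SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def compare_manifests(reference, current):
    """Report files missing from, added to, or changed in 'current'."""
    common = reference.keys() & current.keys()
    return {
        "missing": sorted(reference.keys() - current.keys()),
        "extra": sorted(current.keys() - reference.keys()),
        "mismatched": sorted(p for p in common if reference[p] != current[p]),
    }

def demo():
    """Constructed sample: a small capture folder checked before and after changes."""
    with tempfile.TemporaryDirectory() as capture:
        home = os.path.join(capture, "Users", "custodian")
        os.makedirs(home)
        for name, data in (("report.docx", b"constructed document"),
                           ("notes.txt", b"constructed notes")):
            with open(os.path.join(home, name), "wb") as handle:
                handle.write(data)
        at_acquisition = build_manifest(capture)
        # Simulate later damage: one file altered, one deleted, one added.
        with open(os.path.join(home, "report.docx"), "ab") as handle:
            handle.write(b"!")
        os.remove(os.path.join(home, "notes.txt"))
        with open(os.path.join(capture, "stray.tmp"), "wb") as handle:
            handle.write(b"x")
        return compare_manifests(at_acquisition, build_manifest(capture))

if __name__ == "__main__": print(demo())
```

Any non-empty list in the result means the copy no longer matches the manifest taken at acquisition and should be recorded alongside the imaging report.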
