Forensic Air-Lite V MK III User Guide
1. Forensic Air Lite V MK III (FAL V MK III)
To TopThe Forensic Air Lite V MK III (FAL V MK III) is the latest addition to Forensic Computers' line of high quality powerful forensic workstations.
To TopThis manual has two main sections: Quick Start and Useful Information.
The Quick Start section of the manual will give the user enough information about the Forensic Air Lite V MK III (FAL V MK III) and its accessories to get started. There is an overview of the additional components that come with the FAL V MK III and their use. The Useful Information section goes into more detail about specific components of the Forensic Air Lite V MK III (FAL V MK III).
To Top3.1 Unpacking Your Forensic Air Lite V MK III (FAL V MK III)
The Forensic Air Lite V MK III (FAL V MK III) system has the following items: the Forensic Air Lite V MK III (FAL V MK III), the mouse, the Happy Hacking Keyboard, the Manual Bag, the CD Wallet, the two screwdrivers, the flashlight and the Forensic Write Protection Kit.
When you first receive your FAL V MK III, please familiarize yourself with all of its contents. The following table lists each of the items found in the kit.
|
Photo |
Description |
 |
Pelican 1650, which is considered one of the 'World's Most Toughest Watertight Equipment Cases', comes with an unconditional lifetime guarantee. The case itself comes with double-throw latches, an O-ring seal, 2 inch quiet heavy-duty quad wheels, metal padlock protectors, an automatic purge valve. |
 |
Forensic Air Lite V MK III (FAL V MK III) is equipped with a 12" wide screen display, a Core 2 Duo P9500 2.53Ghz processor and 4GB of RAM. |
 |
Wireless Mouse: The mouse requires batteries in order to run, so if you do have a problem later on, check the batteries. |
 |
Antec MX-1 Actively Cooled Hard Drive Enclosure with a 1 TB SATA Hard Drive with eSATA and USB 2.0 interfaces |
 |
External USB Floppy Drive |
|
Manual Bag |
|
 |
CD Wallet |
 |
Two 34mm ExpressCards: 2-port eSATA and 2-port FireWire 800 Card. The FireWire card supports 'hot swapping' and 'plug and play'. |
 |
Screwdrivers: |
 |
Flashlight |
 |
Surge Protector |
NOTE:
Do NOT close the lid of the Pelican 1520 while the FAL V MK II is in use.
Do NOT close the lid of the Pelican 1520 with any item on the interior chassis; doing so will harm the monitor that is mounted in the lid of the Pelican 1520.
Prior to closing the FAL V MK II, make sure the T35i/DVDRW Module Assembly is locked flat into the interior chassis.
To TopOver time, an investigator will need to image and re-image their OS hard drive. As of December 2007 three types of software have been used to create the initial OS hard drive images sent out with Forensic Computers' line of systems: Norton Ghost, Acronis TrueImage version 10 and Image for Windows.
3.2.1 Re-Installing the image for the OS Hard Drive (Image for Windows)
(Your username and SN for IMAGE FOR WINDOWS will be located in your CD wallet. If it is not, call us with the serial number of your system and we will locate your IMAGE FOR WINDOWS serial number.)
- Enter the BIOS and ensure that the DVD_RW is set to boot before the hard drive
- Insert the DVD into the DVDRW
- The program will automatically start up and ask you to "press <space> for menu or wait for the restore to start"
- Wait for the restore to start as it will select the first hard disk (HD0) which is your OS drive
- The program will then ask if you want to continue with the restore on HD0 (this will erase everything on the drive and restore it to factory defaults.)
- Once the restore has completed and has been rebooted, the machine will be ready for use.
- For more advance and detailed instructions please refer to the PDF included on your Image for Windows CD
3.2.2 Re-Imaging the OS Hard Drive (Image for Windows)
To Top- Start Image for Windows from desktop shortcut/start menu
- Choose operation to perform: Backup (next)
- Select Partition: HD0 / specific hard drive (next)
- Select Destination: DVDRW (next)
- Backup Options (default settings) (Finish)
Image for Windows will burn an image of the drive to the disk and then proceed to automatically validate the disk. If errors occur during validation, one must start completely over with a fresh DVDRW.
3.3 Turning the Forensic Air Lite V MK III ON
To TopThe Forensic Air Lite V MK III is in a 'ready to use' state. After connecting the power cord to an electrical socket, and retrieving the monitor, keyboard and mouse; turn the Forensic Air Lite V MK III ON.
The following programs have been added to aid in your investigations: Acrobat Adobe Reader, Quick View Plus, Open Office, Tableau Updater, Ahead Nero, Image for Windows, Norton Anti-Virus and FTK Imager. Any other specific Forensic Software tools must be purchased separately.
There is a copy of your system as you received it in your CD Wallet and is labeled Forensic Air Lite V MK III image. If by chance you need to re-install your operating system or need to restore the machine to as it was when you first received it, use this disk. If you do not have a copy of this disk, you may call and we will send one to you.
3.3.1 Using the T35i Forensic SATA/IDE Bridge
To TopStep by Step Instructions for connecting hard drives to the T35i.
- Confirm that the T35i power button is in the OFF position. The Power LED will be OFF.
- Connect the hard drive to the appropriate signal cable (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
- Connect the hard drive to the appropriate power cable (either the TC2-8 Molex cable or the TC5-8 SATA Power cable).
- Connect the appropriate signal cable to the T35i (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
- Connect the appropriate power cable to the T35i (either the TC2-8 Molex cable or the TC5-8 SATA Power Cable).
- Turn the T35i power button ON. The Power LED, the Host Det, and either the SATA Det or the IDE Det LEDs will light up. The Activity LED will also light up as communication occurs between the computer and the suspect hard drive.
T35i Setup with IDE Hard Drive
4.1 Tableau T35i SATA/IDE Forensic Bridge
To TopTableau's newest OEM product, the T35i, continues Tableau's heritage of industry leading innovation. The T35i offers an economical, high-performance alternative to the T345 for forensics professionals whose acquisition needs focus on IDE and SATA subject drives.
The T35i is designed to mount directly in a forensic workstation. Internally the T35i connects to the workstation through a high-performance FireWire800 connection. Externally, the T35i can be connected to SATA or IDE hard disks (one at a time) for write-blocked forensic acquisitions.
The T35i bundle includes the T35i and one each of the following: TC2-8 (traditional power cable), TC5-8 (SATA style power cable), TC3-8 (SATA signal cable), TC6-8 (IDE signal cable), TDA5-25 and TDA5-18 (2.5" and 1.8" IDE notebook hard disk adapters, respectively).
The T35i combines two separate forensic bridges (IDE, and SATA) into one convenient package while providing native support for each hard disk technology. The T35i is designed to be installed permanently in the front of a forensic workstation or tower which has an open 5.25" half-height drive bay.
The T35i connects to the host computer through a FireWire800 (1394B) interface. Using FireWire as the interface to the host computer allows modern operating systems to recognize that the drives themselves are hot-swappable. This, in turn, eliminates the need to turn the host computer ON and OFF each time a new hard disk is attached or removed; only the T35i needs to be power cycled.
The combination of hot-swapping and the READ-ONLY forensic mode of operation make the T35i ideally suited for use in high-volume forensic applications.
To TopThe picture below is a close-up front view of the T35i.
The Table below describes each of the elements visible on the front of the T35i.
|
Front Element |
Description |
||||||||||||
|
Power Switch/LED |
The Power switch controls power to the T35i as well as to the
DC OUT connector used for powering the connected hard disk. |
||||||||||||
|
SATA Det LED |
The SATA Det LED (SATA Detect) illuminates when a hard disk attached to the SATA interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time. |
||||||||||||
|
IDE Det LED |
The IDE Det LED (IDE Detect) illuminates when a hard disk attached to the IDE interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time. |
||||||||||||
|
Host Det LED |
The Host Det LED (Host Detect) indicates when the connected hard disk has been recognized by the host computer. The Host Detect LED will illuminate only after the T35i has successfully identified a hard disk connected to the front of the T35i and after the host computer has "logged in" to the coresponding T35i channel using the FireWire/1394 SBP-2 protocol. |
||||||||||||
|
Wrt Blk LED |
The Wrt Blk LED (Write Block) is illuminated whenever the Tableau bridge is in READ-ONLY mode. This LED provides a positive indication that the bridge may be used to capture a forensically sound image from a subject hard disk. |
||||||||||||
|
Activity LED |
The Activity LED indicates that the host is performing some kind of I/O to the connected hard disk. |
||||||||||||
|
DC OUT Connector |
The DC Out connector may be used to provide power from the Tableau bridge to the subject hard disk. The DC Out output is controlled by the power switch. So, using the DC Out connector guarantees that the drive will be powered ON/OFF simultaneously with the T35i bridge. |
||||||||||||
|
Disk interface Connectors (SATA and IDE) |
The disk interface connectors attach the subject hard disk to the T35i. Tableau recommends the following cables:
|
The next image is a rear view of the T35i. Captions identify each internal T35i connector and the location of the configuration switches.
The following table describes each of the elements shown in the above picture.
|
Internal Element |
Description |
|
1394B (FireWire 800) |
The T35i must be connected to the host computer via a FireWire800/1394B connection. This is the interface through which each of the T35i's two I/O channels will communicate with the host computer. It is acceptable to use FireWire400/1394A instead (with an appropriate cable adapter), but performance will be reduced. |
|
DIP Switch Bank |
The T35i has one DIP switch bank with four switches. The next section in this document, Configuration Switches, describes the function of these switches in detail. |
|
Power |
Power should be provided to the T35i through the standard 4-pin
"Molex"-style power connector shown in the picture. The T35i
requires approximately 450mA @ +5VDC for its internal
operation. This figure does not include the power requirements
of the hard disk connected to the DC OUT connector on the
T35i. |
The following table summarizes the function of the four position DIP switch.
|
Operation |
||
|
Switch |
Switch OFF |
Switch ON |
|
1 |
Bridge operates in forced READ-ONLY mode and may be used to capture forensically sound images from subject hard disks. |
Bridge operates in READ-WRITE mode. |
|
2 |
Bridge reports errors if host computer attempts to write when bridge is in READ-ONLY mode. |
Bridge does not report write errors when in READ-ONLY mode. (The bridge discards write data without returning an error.) |
|
3 |
Bridge reports that it is WRITE-PROTECTED to the host computer when in READ-ONLY mode. |
Bridge does not report that it is WRITE-PROTECTED when in READ-ONLY mode. |
|
4 |
This switch is RESERVED as must remain in the OFF position for correct operation. |
|
The following table summarizes the recommended Tableau bridge configuration depending on the operating system you are using. These recommendations apply only when using the Tableau bridge in READ-ONLY mode to capture forensic images from subject hard drives (i.e., when the Write Block LED is illuminated).
|
O/S |
SW2-1 |
SW2-2 |
Comments |
|
Windows XP |
OFF |
OFF |
In most situations, Windows XP handles READ-ONLY bridges
correctly and will work optimally when leaving switches 2 and 3
in the OFF (default) state. |
|
Windows 2000 |
ON |
ON |
Windows 2000 does not mount NTFS volumes correctly when the bridge declares that it is READ-ONLY. These settings make Windows 2000 believe the bridge is in READ-WRITE mode (even though it is not), and Windows 2000 will successfully mount NTFS volumes. |
|
Windows ME/98se |
ON |
OFF |
Windows ME/98se may not recognize that a bridge is READ-ONLY
and may attempt to write to the bridge anyway. If this happens,
Windows ME/98se will generate a "blue screen" error. The
recommended settings to the left eliminate the "blue screen"
error. |
|
Other |
OFF |
OFF |
Most other modern operating systems handle READ-ONLY forensic bridges correctly, so the default OFF settings are best for users of these operating systems. |
IMPORTANT: As long as the Write Block LED is illuminated, the Tableau bridge will never permit writes or other modifications to the subject hard disk. Switches 2 and 3 only affect the way the bridge appears to behave from the perspective of the host computer.
NOTE: Switches 2 and 3 are ignored when the Tableau bridge is in READ-WRITE mode (i.e., when the Write Block LED is off).