Forensic Tower User Guide

Home > Library > Documentation > Forensic Tower User Guide

• Forensic Tower
• How to Use This Manual
• Quick Start
  • Unpacking Your Forensic Tower
  • Turning the Forensic Tower On
  • Step by Step Instructions for connecting hard drives to the T35i
  • Using the CRU DataPort V SATA READ/WRITE Unit
• T35i Bridge
  • T35i Bridge Overview
  • Configuration Switches

1. Forensic Tower

To Top

The Forensic Tower is an updated version of our first forensic system. There are five 5.25” external bays, two 3.5” external bays and six 3.5” internal drive bays that allow for easy upgrades and the flexibility to configure a forensic lab system to meet your needs.

2. How to Use This Manual

To Top

This manual has two main sections: Quick Start and Useful Information.

The Quick Start section of the manual will give the user enough information about the Forensic Tower and its accessories to get started. There is an overview of the additional components that come with the Forensic Tower and their use. The Useful Information section goes into more detail about specific components of the Forensic Tower.

3. Quick Start

To Top

3.1 Unpacking Your Forensic Tower

To Top

The Forensic Tower includes the following items: the Forensic Tower, the 17” LCD Panel, the Keyboard and Mouse combo, a Manual Bag, a CD Wallet, 10 in 1 Screwdriver, 30-piece Security Screwdriver Set, a Forensic Computer’s Mouse Pad, a surge protector, a flashlight, and the T35i cable and adapter set.

Photo	Description
	Forensic Tower
	17” LCD Panel with Speakers
	Microsoft Keyboard and Mouse Combo.
	Manual Bag: The Manual Bag includes miscellaneous documentation and CD-ROMs.
	CD Wallet: In this wallet are all the device drivers and CD ROM's pertinent to your Forensic Tower system. The following is a list of the CD’s included in your CD Wallet: Windows XP Professional, Hard Drive Image, Device Drivers, Norton Anti-Virus, Ahead Nero, and Quick View.
	There are two different screwdriver sets included with the Forensic Tower system: the 30-piece Security screwdriver set and the Craftsman 10-in-1 Screwdriver. The 30-piece Security Screwdriver set comes with 30 different security bits for items such as: IBM PS/2 monitors, CATV and telephone equipment, and many ottV and telephone equipment, and many other Tools Bit Sets Pher items, and a screwdriver and a case to hold them in. There is a compartment in the handle of the screwdriver, in which one may store other bits. The Craftsman 10-in-1 screwdriver has four dual-headed bits in a “quick-change” bit system, in-shaft bit storage and a cushioned handle grip. One can use the Craftsman screwdriver as a Phillips (1 or 2), slotted (3/16 or ¼ inch), Torx ® (10 or 15), square recess (1 or 2) and also as a nut driver (1/4 or 5/16 inch).
	Flashlight: Led flashlight.
	TC2-8 Power Cable: Molex power cable to connect IDE hard drives to the T35i.
	TC5-8 SATA Power Cable: SATA power cable to connect the 15-pin SATA power connector to the T35i.
	TC3-8 SATA Signal Cable: SATA signal cable to connect ATA hard drives to the T35i.
	TC6-8 IDE Signal Cable: IDE signal cable to connect IDE hard drives to the T35i.
	TDA5-25 2.5" IDE Notebook Adapter: Adapter for 1.8" notebook hard drives.
	TDA5-18 1.8" IDE Notebook Adapter: Adapter for 2.5" notebook hard drives.

3.1.2 Turning the Forensic Tower ON

To Top

The Forensic Tower is in a “ready to use” state. After attaching the power cord, the monitor, the keyboard and mouse; turn the Forensic Tower ON.

The following programs have been added to aid in your investigations: Acrobat Adobe Reader, Quick View Plus, Open Office, Tableau Updater, Ahead Nero, Image for Windows, Norton Anti-Virus and FTK Imager. Any other specific Forensic Software tools must be purchased separately.

There is a copy of your system as you received it in your CD Wallet and is labeled Forensic Tower image. If by chance you need to re-install your operating system or need to restore the machine to as it was when you first received it, use this disk. If you do not have a copy of this disk, you may call and we will send one to you.

3.1.3 Step by Step Instructions for connecting hard drives to the T35i.

To Top

1. Confirm that the T35i power button is in the OFF position. The Power LED will be OFF.
2. Connect the hard drive to the appropriate signal cable (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
3. Connect the hard drive to the appropriate power cable (either the TC2-8 Molex cable or the TC5-8 SATA Power cable).
4. Connect the appropriate signal cable to the T35i (either the TC6-8 IDE cable or the TC3-8 SATA signal cable).
5. Connect the appropriate power cable to the T35i (either the TC2-8 Molex cable or the TC5-8 SATA Power Cable).
6. Turn the T35i power button ON. The Power LED, the Host Det, and either the SATA Det or the IDE Det LEDs will light up. The Activity LED will also light up as communication occurs between the computer and the suspect hard drive.

3.1.4 Using the CRU DataPort V SATA READ/WRITE Unit

To Top

The second bay in the Forensic Tower is a CRU DataPort V SATA unit, which is configured as READ/WRITE. The unit is NOT hot-swappable and is NOT connected to the Tableau T35i Forensic SATA/IDE Bridge.

Step by Step Instructions for inserting hard drives in the CRU DataPort V SATA READ/WRITE unit.

1. Unlock the CRU DataPort V SATA READ/WRITE unit.
2. Pull the CRU DataPort V SATA READ/WRITE hard drive tray from the CRU DataPort V SATA READ/WRITE rail.
3. Open the CRU DataPort V SATA READ/WRITE hard drive tray with the CRU Opener.
4. Insert the suspect SATA hard drive into the CRU DataPort V SATA READ/WRITE hard drive tray; aligning the power and signal connectors of the hard drive to those of the tray.
5. Place the lid of the tray back on the CRU DataPort V SATA READ/WRITE tray.
6. Insert the CRU DataPort V SATA READ/WRITE tray into the CRU DataPort V SATA READ/WRITE rail.
7. Power down the computer.
8. Turn the CRU DataPort V SATA READ/WRITE unit ON.
9. Turn the computer ON. Once the computer has booted, the host computer should see the secondary suspect hard drive as another hard drive available to “READ or WRITE” to.

4. Useful Information

To Top

4.1 Tableau T35i Forensic SAT/IDE Bridge

To Top

This document provides technical information for the Tableau T35i combination Forensic SATA/IDE Bridge.

The T35i combines two separate forensic bridges (IDE, and SATA) into one convenient package while providing native support for each hard disk technology. The T35i is designed to be installed permanently in the front of a forensic workstation or tower which has an open 5.25" half-height drive bay.

The T35i connects to the host computer through a FireWire800 (1394B) interface. Using FireWire as the interface to the host computer allows modern operating systems to recognize that the drives themselves are hot-swappable. This, in turn, eliminates the need to turn the host computer ON and OFF each time a new hard disk is attached or removed; only the T35i needs to be power cycled.

The combination of hot-swapping and the READ-ONLY forensic mode of operation make the T35i ideally suited for use in high-volume forensic applications.

4.1.1 T35i Bridge Overview

To Top

The picture below is a close-up front view of the T35i.

The Table below describes each of the elements visible on the front of the T35i.

Front Element	Description
Power Switch/LED	The Power switch controls power to the T35i as well as to the DC OUT connector used for powering the connected hard disk. The Power LED will be illuminated when there is power to the T35i and the power switch is in the "ON" position.
SATA Det LED	The SATA Det LED (SATA Detect) illuminates when a hard disk attached to the SATA interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time.
IDE Det LED	The IDE Det LED (IDE Detect) illuminates when a hard disk attached to the IDE interface connector has been properly recognized. Only one hard disk may be connected to the T35i at a time.
Host Det LED	The Host Det LED (Host Detect) indicates when the connected hard disk has been recognized by the host computer. The Host Detect LED will illuminate only after the T35i has successfully identified a hard disk connected to the front of the T35i and after the host computer has "logged in" to the coresponding T35i channel using the FireWire/1394 SBP-2 protocol.
Wrt Blk LED	The Wrt Blk LED (Write Block) is illuminated whenever the Tableau bridge is in READ-ONLY mode. This LED provides a positive indication that the bridge may be used to capture a forensically sound image from a subject hard disk.
Activity LED	The Activity LED indicates that the host is performing some kind of I/O to the connected hard disk.
DC OUT Connector	The DC Out connector may be used to provide power from the Tableau bridge to the subject hard disk. The DC Out output is controlled by the power switch. So, using the DC Out connector guarantees that the drive will be powered ON/OFF simultaneously with the T35i bridge.
Disk interface Connectors (SATA and IDE)	The disk interface connectors attach the subject hard disk to the T35i. Tableau recommends the following cables: Interface Cable SATA TC3-8 IDE TC6-8 or TC6-2

The next image is a rear view of the T35i. Captions identify each internal T35i connector and the location of the configuration switches.

The following table describes each of the elements shown in the above picture.

Internal Element	Description
1394B (FireWire 800)	The T35i must be connected to the host computer via a FireWire800/1394B connection. This is the interface through which each of the T35i's two I/O channels will communicate with the host computer. It is acceptable to use FireWire400/1394A instead (with an appropriate cable adapter), but performance will be reduced.
DIP Switch Bank	The T35i has one DIP switch bank with four switches. The next section in this document, Configuration Switches, describes the function of these switches in detail.
Power	Power should be provided to the T35i through the standard 4-pin "Molex"-style power connector shown in the picture. The T35i requires approximately 450mA @ +5VDC for its internal operation. This figure does not include the power requirements of the hard disk connected to the DC OUT connector on the T35i. IMPORTANT: Tableau strongly recommends that the T35i be on a dedicated power supply lead. Switching the T35i on/off can lead to large current/voltage surges which can interrupt the operation of other devices which share a power supply connection with the T35i.

4.1.2 Configuration Switches

To Top

The following table summarizes the function of the four position DIP switch.

	Operation
Switch	Switch OFF	Switch ON
1	Bridge operates in forced READ-ONLY mode and may be used to capture forensically sound images from subject hard disks.	Bridge operates in READ-WRITE mode.
2	Bridge reports errors if host computer attempts to write when bridge is in READ-ONLY mode.	Bridge does not report write errors when in READ-ONLY mode. (The bridge discards write data without returning an error.)
3	Bridge reports that it is WRITE-PROTECTED to the host computer when in READ-ONLY mode.	Bridge does not report that it is WRITE-PROTECTED when in READ-ONLY mode.
4	This switch is RESERVED as must remain in the OFF position for correct operation.

The following table summarizes the recommended Tableau bridge configuration depending on the operating system you are using. These recommendations apply only when using the Tableau bridge in READ-ONLY mode to capture forensic images from subject hard drives (i.e., when the Write Block LED is illuminated).

O/S	SW2-2	SW2-3	Comments
Windows XP	OFF	OFF	In most situations, Windows XP handles READ-ONLY bridges correctly and will work optimally when leaving switches 2 and 3 in the OFF (default) state. However, Tableau has seen cases where Windows XP will not allow a user to access a READ-ONLY partition. If you encounter a situation in which Windows XP reports that a volume is "write protected" and will not allow you to access the partition, then try the switch setting recommended for Windows 2000, below.
Windows 2000	ON	ON	Windows 2000 does not mount NTFS volumes correctly when the bridge declares that it is READ-ONLY. These settings make Windows 2000 believe the bridge is in READ-WRITE mode (even though it is not), and Windows 2000 will successfully mount NTFS volumes.
Windows ME/98se	ON	OFF	Windows ME/98se may not recognize that a bridge is READ-ONLY and may attempt to write to the bridge anyway. If this happens, Windows ME/98se will generate a "blue screen" error. The recommended settings to the left eliminate the "blue screen" error. NOTE: Some forensic users prefer to see the Windows "blue screen" error if a write is attempted. Users with this preferences should use the recommended settings for Windows XP instead.
Other	OFF	OFF	Most other modern operating systems handle READ-ONLY forensic bridges correctly, so the default OFF settings are best for users of these operating systems.

IMPORTANT: As long as the Write Block LED is illuminated, the Tableau bridge will never permit writes or other modifications to the subject hard disk. Switches 2 and 3 only affect the way the bridge appears to behave from the perspective of the host computer.

NOTE: Switches 2 and 3 are ignored when the Tableau bridge is in READ-WRITE mode (i.e., when the Write Block LED is off).