Logicube is the worldwide leader of hard drive duplication and forensic acquisition hardware, producing complete state of the art and extremely user friendly solutions for both industries. In 2018, Logicube engineered the Falcon-NEO. Known as one of the most powerful and reliable forensic imagers, the Falcon-NEO is a fully integrated solution that offers the ability to capture from drives, laptops, external storage, network repositories, and now from mobile devices and cloud storage.
The benefit in adding the newly released mobile device and cloud storage acquisition option is that you eliminate the need to bring any additional hardware onto the scene. All of your digital evidence is quickly captured, stored, and saved. Additionally, users can utilize commercially available analysis softwares to analyze the data extracted by the Falcon-NEO.
So first we’re going to go through the steps on how to capture data from an Android device.
Before you begin, be sure to enable the USB debugging feature. If you are unsure on how to enable the USB debugging feature, please check your owner’s manual for further instruction. We’re going to begin by connecting the phone into the Falcon-NEO source port. Once the phone is plugged in, select mode, and choose ‘mobile to file,’ and hit ‘OK’.
Next we’re going to select the source. Choose the recognized source USB_S1, and hit ‘OK.’ In the next box — ‘case info’ — you have the option of entering information about your case, such as case and file name, the case ID, and some notes.
And lastly, you’re going to select the destination. Choose the appropriate repository, SAS_D1, and hit ‘OK.’ Now you’re ready to initiate the backup. Go ahead and start the task, and confirm that you are sure you want to start the image. If the phone is unlocked and you get this popup message to unlock and initiate, go ahead and click ‘continue’ to proceed with the backup.
The image duration will vary depending on how much data is being imaged. For non-rooted phones, it will take less time to transfer since it can only capture limited data such as contacts, call logs, calendars, SMS, and phone calls. For rooted phones, it typically takes longer to transfer, since it performs a full DD backup of the entire memory.
And now we’ll go through the steps on how to capture data from an iOS device. Begin by connecting the device into the Falcon-NEO’s source port. On your device, you will see a popup message that asks to trust the computer. Go ahead and choose ‘trust.’ You may see this message several times throughout the process, so continue to choose ‘trust’ for each pop up.
Next, unlock the device with the passcode. And now you’re ready to capture the image. On the interface, select mode and choose ‘mobile to file.’ And hit ‘OK.’
Now we’re going to select the source, which is the device that is plugged in. In this case, it’s the iPhone. So we’ll choose USB_S1, and hit ‘OK.’ In the next box — ‘case info — you have the option of entering information about the case, such as case and file name, the case ID, and some notes.
And lastly, you’re going to select the destination. Go ahead and choose the appropriate repository, which is SAS_D1, and hit ‘OK’. You are now ready to initiate the backup. Go ahead and start the task, and confirm that you are sure you want to start the image.
The image duration will vary depending on how much data is being transferred. iOS transfers will capture call logs, imessages, SMS, MMS, photos, videos, contacts, website history, wifi settings, as well as deleted SMS, imessages, photos, WhatsApp, and contacts.
In this last section, we’re going to go through the steps on how to capture data from your cloud drive. The cloud acquisition supports Google, OneDrive and Dropbox. Other cloud drives will be added in future releases. For this process, you will either need a remote access, or you can plug in a USB keyboard.
The Falcon-NEO must also be connected to the internet through the wired ethernet connection on the back of the device. Begin by connecting a hard drive to the destination port on the Falcon-NEO. On the interface on the left side bar, scroll down to ‘manage repositories’ to connect your cloud, and choose the cloud tab at the very top. Then add a cloud repository.
Then we’re going to select the type of drive. You have several options, but for this purpose, we’re going to select Google Drive, and hit ‘OK’. The next screen will take you to a remote account authorization page. This is where you’re going to choose the appropriate Google account. And you’re going to allow access. You will then be taken to a page that will show you a code. You will have to copy that code and paste it into the previous window. Then close this window and go back to the interface. And you will see that the Google Srive we selected has now been added.
So you are now ready to capture your image. Select the drive, and on the left side bar, scroll up to imaging, select mode, and choose ‘file to file,’ and hit ‘OK’. Now we’re going to select the source. Choose the Google drive that was added, and hit ‘OK’.
The next box settings will display four boxes. In the first box you can input information about the case, just like you did in the iOS and Android capture, but you’re going to choose the box below that: filter settings.
Filter settings will take you to path filter, and path filter will take you to files and directories. This is where you have the option of selecting specific, or all files. In this case, we’re going to select all, which is the root. Then we’re going to hit ‘OK,’ and go back several boxes until you’re back in the main settings box.
Now we’re going to select the output format setting. Choose your output format. In this case, we’re going to choose ‘directory tree,’ and hit ‘OK’.
Lastly, you’re going to choose the image file. select the destination of where your files will go. In this case, we will choose SAS_D1, and hit ‘OK.’ And now you’re ready to initiate your backup. Start the image and confirm that you are sure you want to start the image. In this case, our data backed up very quickly, but the image duration will vary depending on how much data is being captured.
The Falcon-NEO is a sophisticated tool that just got more powerful. As the most integrated and expandable portable computer forensic imager, the Falcon-NEO is capable of not only capturing data from traditional hard drives, laptops, external storage, network repositories, mobile devices and cloud drives, but also from SCSI, SSD, FireWire and fibre channel drives. For more information, visit our website logicube.com.