Some acquisition tools don’t copy data in the host protected area (hpa) of a disk drive.

Multiple Image Formats The Falcon images and verifies to the following formats: native or mirror copy, dd image, e01, ex01 (e01 and ex01 with compression) and file-based copy. The Falcon supports SHA1, SHA256 or MD5 and dual-hash (MD5+SHA-1) authentication.

Multiple Imaging Ports Write-protected source ports include:

2 SAS/SATA
1 USB 3.0 (can be converted to SATA using an optional USB to SATA adapter)
1 Firewire
1 SCSI ( using the SCSI Module Option)
Destination ports include:
2 SAS/SATA
2 USB 3.0 (can be converted to SATA using an optional USB to SATA adapter)
1 Firewire
1 SCSI (using the SCSI Module Option)

A Gigabit Ethernet port for network connectivity is built-in. The unit includes a USB 3.0 device port for drive preview and two USB 2.0 host ports

Multi-task Improve efficiency and shorten the evidence collection process with the ability to wipe one destination drive while imaging to another simultaneously,or image from multiple source drives to multiple destinations. Perform up to five tasks concurrently.

Parallel Imaging Simultaneously perform multiple imaging tasks from the same source drive to multiple destinations using different imaging formats. For example, clone to a network location or a destination drive in native copy format while imaging to a different destination drive using e01 format.

Web Browser/Remote Operation An easy to use and intuitive interface allows you to connect to the Falcon from a web browser and manage all operations remotely. The browser features automatic page scaling for iPad type devices.

Broad Interface Support Built-in support for SAS/SATA/USB/Firewire storage devices. Supports 1.8″/2.5″/3.5″ IDE and 1.8″ IDE ZIF and microSATA interfaces with adapters included with Falcon. Optional adapters are available for eSATA, mSATA and flash drives.

PCIe Support Support for M.2 PCIe and M.2 NVMe type SSDs and mini-PCIe and PCIe express cards is provided using an optional express card adapter combined with specific interface adapters. The express card adapter is connected to the Falcon’s PCIe slot on the rear of the unit.

CD/DVD/Blu-ray Imaging The Falcon can image CD/DVD/Blu-ray media by using a USB optical drive connected to the USB port on the Falcon. The Falcon supports multi-session CD/DVDs.

Wipe Wipe up to DoD specifications or use Secure Erase to erase drives, wipe at speeds up to 27GB/min

Image to External Storage Device The Falcon allows you to image to an external storage device such as a NAS, using the Gigabit Ethernet port, USB 3.0 or via the SAS/SATA connection.

SCSI Module Option The SCSI Module Option expands the capability of the Forensic Falcon by providing support for imaging from and to SCSI hard drives. The Module connects seamlessly to the Falcon and provides 1 write-protected SCSI source port and 1 SCSI destination port. All Falcon features are supported with this module.

Image From Desktop/Laptop PCs Users have the ability to image from a desktop or laptop computer without removing the hard drive from the computer. Create a forensic bootable USB flash drive using software (available for download from our website) that allows the user to image a source drive from a computer on the same network without booting the native Operating System on the computer. It also allows drives connected to the networked computer (or directly connected to each other using a network cable) to appear as a destination drive without removing the drive from the computer.

Error Granularity Setting Drive error handling is enhanced with a configurable error granularity feature. When a bad sector on the source drive is found Falcon will, by default skip that sector. Changing the granularity allows more sectors to be skipped. There are 3 options ( 512 Bytes, 4096 Bytes, 64 KIB,). As an example, if 4096 Bytes is chosen, and one of the 8 sectors in that cluster size contains a bad sector, the Falcon will skip the entire cluster (or 4096 bytes or 8 sectors).

Removable Storage Drive O/S and audit trail/logs are stored on an internal drive. This drive is easily removed for secure/classified locations

7″ Touch Screen Uses a capacitive touch screen with an easy-to-use interface that provides easy navigation through all operations. An on-screen keyboard is also included.

HPA And DCO Capture Detect and capture Host Protected Areas (HPA) and Device Configuration Overlay (DCO) hidden areas on the source (suspect) drive.

Targeted Imaging feature Shortens acquisition time. Create a logical image by using pre-set filters, custom filters, file signature filters, and/or keyword search function to select and acquire only the specific files you need. An MFT report can be generated that contains a potential deleted file list. Format output to LX01, ZIP or directory tree. Users can browse and view directly on the Falcon display or manage and view on a networked Falcon from your laptop/desktop using a web browser.

Partition Imaging Select and image specific partitions on the source drive

BitLocker Support Image source drives that have been encrypted using BitLocker. Decrypt partitions (requires the BitLocker password) and then image the selected partition.

Image to or from a Network Location Use the Falcon to image to a network location using CIFS protocol and/or image from a network location using iSCSI. The Falcon uses CIFS protocol to provide file system access and the highest level of security and control. Users can also use iSCSI as a source or destination drive.

Network Services Users can disable various network services such as HTTP, SSH, Telnet, CIFS/NETBIOS, iSCSI Iperf and Ping, for security purposes.

Write-Blocked Drive Preview Preview the drive contents directly on the Falcon. The Falcon offers five different methods to preview drives connected to the Falcon. The file browser feature provides logical access to source or destination drives connected to Falcon. Users can view the drive’s partitions and contents, and view text files, jpeg, PDF, XML, HTML files. Other file types (such as .doc and .xls) can be viewed by connecting Falcon to a network and via a PC download and view. The Falcon allows you to preview source drives or destination drives using the write-blocked USB connection from the Falcon to a computer or by using the SMB protocol. Users can use the iSCSI protocol to preview source drives.

Network Push Feature Push evidence files from destination drives connected to the Falcon or from a Falcon repository to a network location. The Push feature provides a more secure method than simply copying and pasting to the analysis computer by performing an MD5 or SHA hash during the push process. Additionally, users can select to verify the file transfer to ensure data integrity. Network users can then quickly preview data or copy data to a local drive or to any other directory on the network. The Falcon generates a log file for each push process.

Image Restore File to drive mode restores dd, e01, ex01 images created by the Falcon to another drive.

Concurrent Image+Verify Imaging and verifying concurrently takes advantage of destination hard drives that may be faster than the source hard drive. Duration of total image process time may be reduced by up to half.

User Profiles/Configurations Administrators can save configuration settings and set password-protected user profiles.

Audit Trail Reporting/Log Files Provides detailed information on each operation. Log files can be viewed on Falcon or via a web browser, exported to XML, HTML or PDF format to a USB enclosure. Users can print the log files directly from their PC when connected to Falcon via a web browser.

EncryptionSecure sensitive evidence data with whole drive AES 256 bit encryption. Decryption can be performed using the Falcon or by using a free open source decryption software such as VeraCrypt, TrueCrypt or FreeOTFE (On The Fly Encryption).

Drive Trim Allows the Falcon to manipulate the DCO and HPA area of the destination drive so that the destination drive’s total native capacity matches the source drive.

Tasks Macro Allows users to set specific tasks to be performed sequentially. For example, first wipe, then image, then verify a drive.Set up to five Macros with up to 9 operations/tasks for each macro.

Drive “Time-Out” Feature Users can set a specific “time-out” for hard drives connected to Falcon. After a specified amount of idle time the drive will be automatically put into standby mode, powering down the drives.

Drive Spanning Capture from one large capacity drive to two smaller capacity drives.

Blank Disk Check Verifies if the source or destination disk is empty or has been wiped.

USB Host Ports The Falcon features two USB 2.0 host ports for keyboard, mouse or printer connectivity.

HDMI PortAn HDMI port is located on the back of the Falcon. This port can be used to connect the Falcon to a projector.

What tool should be used when performing a disk acquisition?

What type of acquisition is done if the computer has an encrypted drive?

Where do software forensics tools copy data from a suspect's disk drive?

Is the only automated disk to disk tool that allows you to copy data to a slightly smaller target drive than the original suspect's drive?