Logicube Forensic Falcon Neo 2

The Falcon-NEO2 is the groundbreaking follow-on to the Falcon®-NEO which has long been recognized as the “Best In Class” among all imagers. Retooled and optimized with a powerful new engine, the Falcon-NEO2 is the first field imager surpassing 100GB/min E01 capture speeds. Its SAS-3 architecture (12 Gbps SAS) supports up to 5 simultaneous tasks with up to 10 source and 11 destination ports. Image SAS-3 SSDs at speeds up to 115GB/min, and PCIe drives at speeds exceeding 100GB/min. The USB ports on the Falcon-NEO2 are USB 3.2 Gen-2 (10Gbps), and two 10GbE ports continue to be available on Falcon-NEO2 for imaging to/from network repositories. The “Cloud Storage Acquisition” is standard and available out of the box on the Falcon-NEO2. Support for AFF4 capture is forthcoming and will soon be added to the Falcon-NEO2. In short, the Forensic Falcon-NEO2 is designed to take the already peerless standards set by Logicube to a higher level by offering features, capabilities, and speeds not available on any forensic field imager before.

HIGH SPEED IMAGING: The Falcon-NEO2 achieves imaging from SAS-3 SSDs to SAS-3 SSDs at speeds up to 115GB/min. Clone PCIe to PCIe at speeds exceeding 100GB/min.

SOURCE PORTS:

  • 4 SAS/SATA drives supported with 1 port
  • 2 USB 3.2 (Gen 2, can be converted to SATA using an optional USB to SATA adapter)
  • 1 PCIe
  • 2 I/O ports for use with optional I/O cards including Thunderbolt™3/USB-C

DESTINATION PORTS:

  • 4 SAS/SATA drives supported with 1 port
  • 4 USB 3.2 (Gen 2, can be converted to SATA using an optional USB to SATA adapter)
  • 1 PCIe
  • 1 I/O port for use with optional I/O cards including Thunderbolt™3/USB-C

CONCURRENT IMAGE+VERIFY: Imaging and verifying concurrently takes advantage of destination hard drives that may be faster than the source hard drive. Duration of total image+verify process time may be reduced by up to half.

MULTI-TASK: Image simultaneously from multiple sources to multiple destinations including a network repository. Supports imaging to one location while simultaneously hashing and/or wiping a second drive. Perform up to 5 tasks concurrently. Little or no speed degradation when imaging from two sources to two destinations.

CLOUD STORAGE ACQUISITION: Now included as a standard feature. Allows users to acquire files from OneDrive, Dropbox, or Google Drive. Capture to any destination drive or network repository.

THUNDERBOLT3/USB-C SUPPORT: An optional I/O card supports imaging directly to/from Thunderbolt 3/USB-C and USB 3.1 Gen 2 external drives and storage enclosures. The card connects to the Falcon-NEO2’s 2 write-blocked source I/O ports or 1 destination I/O port. Organizations can take advantage of Thunderbolt 3 technology’s fast transfer speeds when imaging directly to large capacity Thunderbolt 3 RAID storage enclosures for evidence data collection. The I/O card does not currently support imaging in TDM from Mac systems, please refer to the Falcon-NEO2 users’ manual on how to image from Mac systems in TDM using the USB ports or our iSCSI boot device.

IMAGE FROM A MAC COMPUTER: Image from a Mac computer with USB-C ports using a USB-C to USB-A cable and Target Disk Mode. Users can also image from Mac computers using Logicube’s USB boot device. Create a forensic bootable USB flash drive to image a source drive from a Mac on the same network without booting the computer’s native OS. The Falcon-NEO2 supports imaging from MacBook Pro systems and supports imaging from Mac computers that use the Apple T2 Security Chip by using file to file mode or using the Mac computer’s Disk Utility.

MOBILE DEVICE CAPTURE: Acquire critical digital evidence from mobile devices, including Apple iPhones, iPads, Android phones and tablets with an optional renewable software subscription. Capture SMS, MMS, photos, videos. Supports up to iOS version 16.x and Android 4.0 and up.

LOGICAL IMAGING FEATURE: Shortens acquisition time. Create a logical image by using pre-set filters, custom filters, file signature filters, and/or keyword search function to select and acquire only the specific files you need. An MFT report can be generated that contains a potential deleted file list. Format output to L01, LX01, ZIP or directory tree. Users can browse and view directly on the built-in display or manage and view on a networked Falcon-NEO2 from your laptop/desktop using a web browser.

ENCRYPTION DETECTION: Whole disk and partition level encryption detection. Easily identify Source drives with possible encryption.

BITLOCKER, OPAL, VERACRYPT, AND TRUECRYPT DECRYPTION SUPPORT: Decrypt partitions (requires the recovery key or password) and then image the selected partition. BEK (BitLocker Encryption Key) file is supported to unlock FIPS-compliant BitLocker encryption.

APFS SUPPORT: Supports logical imaging (using file to file mode) from drives formatted to APFS (Apple File System). Requires use of Advanced set-up, reference the users’ manual for complete information. The Falcon-NEO2 can also view and browse APFS files using the built-in file browser feature.

IMAGE FROM DESKTOP/LAPTOPS: Create a forensic bootable USB flash drive to image a source drive from a computer on the same network without booting the computer’s native OS. Supports Surface Pro 4 and above laptops.

TWO 10 GBE NETWORK PORTS: Two 10 GbE network ports provide fast network imaging. Image to/from a network repository using CIFs protocol or iSCSI. Users can connect to a 10GbE NAS and connect to your network using the 2nd 10GbE port to minimize bottlenecks.

FILE BROWSER/WRITE-BLOCKED DRIVE PREVIEW: Preview drive contents directly on the Falcon-NEO2. The file browser feature provides logical access to source or destination drives and network repositories connected to Falcon-NEO2. Users can view the drive’s partitions and contents and view text files, jpeg, PDF, XML, HTML files. Users can also view the contents of .dd, e01, ex01, dmg, L01 image files created by Falcon-NEO2. Other methods to preview include using the file browser feature and Falcon-NEO2’s web browser on a PC/laptop or preview over a network via SMB or iSCSI (as an iSCSI target). 3rd party analysis tools can be used with SMB or iSCSI methods.

PARALLEL IMAGING: Simultaneously perform multiple imaging tasks from the same source drive to multiple destinations using different imaging formats. For example, clone to a network location or a destination drive in native copy format while imaging to a different destination drive using e01, ex01, dd or dmg format.

NETWORK TRAFFIC CAPTURE: Capture network traffic, internet activity and VOIP. Sniff data on a network and store captured packets on a hard drive connected to Falcon-NEO2. The data is saved and stored to a *.pcapnpg file format which can be opened by various software programs such as Wireshark. Chain destination feature allows spanning to multiple destinations.

NETWORK SERVICES: Users can disable various network services such as HTTP, SSH, Telnet, CIFS/NETBIOS, iSCSI, Iperf and Ping, for security purposes.

IMAGE RESTORE: File to drive mode restores dd,dmg,e01,ex01 images created by the Falcon-NEO2 to another drive.

TASK MACRO: Allows users to set specific tasks to be performed sequentially. For example, first wipe, then image, then verify a drive. Set up to five Macros with up to 9 operations/tasks for each macro.

NETWORK PUSH FEATURE: Push evidence files from destination drives connected to the Falcon-NEO2 or from a Falcon-NEO2 repository to a network location. The Push feature provides a more secure method than simply copying and pasting to the analysis computer by performing an MD5 or SHA hash during the push process. Additionally, users can select to verify the file transfer to ensure data integrity. Network users can then quickly preview data or copy data to a local drive or to any other directory on the network. The Falcon-NEO2 generates a log file for each push process.

WEB BROWSER/REMOTE OPERATION: An easy to use and intuitive interface allows you to connect to the Falcon-NEO2 from a web browser and manage all operations remotely. The browser features automatic page scaling for iPad, iPhone, and Android devices.

WIPE: Wipe up to DoD specifications or use Secure Erase to erase drives, wipe at speeds up to 27GB/min. Supports the ATA Sanitize command. Complies with NIST 800-88 guidelines. User selectable option to verify wipe pass value during the wipe process.

RESUME FEATURE: For drive to drive or drive to file cloning tasks that get interrupted (for example, due to a power loss or if task is aborted) giving the user the option to resume or restart.

ENCRYPTION: Secure sensitive evidence data with open-source whole drive NIST-recommended XTS-AES-256 encryption cipher mode. Decryption can be performed using the Falcon-NEO2 or by using a free open source decryption software such as VeraCrypt, TrueCrypt. or FreeOTFE.

ATA SECURITY: Unlock and clone ATA Security locked drives. Temporarily unlock drives and then clone, hash or wipe. Requires ATA Security password to unlock.

MULTIPLE IMAGING FORMATS: The Falcon-NEO2 images and verifies to the following formats: native or mirror copy, dd image,.dmg image, e01, ex01. The Falcon-NEO2 supports MD5, SHA1, SHA256 and dual-hash authentication.

FILE SYSTEMS: Falcon-NEO2 formats destination drives to NTFS, exFAT, HFS+, EXT4, EXT3, EXT2 or FAT32 file systems. The unit supports imaging from source drives formatted to any major file system.

AUDIT TRAIL REPORTING/LOG FILES: Provides detailed information on each operation. Log files can be viewed on Falcon-NEO2 or from a web browser, exported to XML, HTML or PDF format to a USB enclosure. Users can print the log files directly from their PC when connected to Falcon-NEO2 from a web browser.

IMAGE TO EXTERNAL STORAGE DEVICE: The Falcon-NEO2 allows you to image to an external storage device such as a NAS, using the 10 GbE ports, USB 3.2 or via the SAS/SATA connection.

DRIVE TIME-OUT FEATURE: Users can set a specific time-out for connected hard drives. After a specified amount of idle time the drive will be automatically put into standby mode, powering down the drives.

REVERSE READ: Skip past a bad sector (based on error granularity settings) then read backwards, potentially capturing data that may not necessarily be read when skipping the entire block.

DRIVE TRIM: Manipulate the DCO and HPA area of the destination drive so that the destination drive’s total native capacity matches the source drive.

PCIE SUPPORT: Support for M.2 PCIe NVMe SSDs, mini-PCIe and PCIe express cards is provided using optional adapters.

USER PROFILES/CONFIGURATIONS: Administrators can save configuration settings and set password-protected user profiles.

BROAD INTERFACE SUPPORT: Built-in support for SAS/SATA/USB/PCIe storage devices. Supports eSATA, mSATA and microSATA interfaces with adapters included with Falcon-NEO2. Optional adapters are available for 1.8″/2.5″/3.5″ IDE, 1.8″ IDE ZIF and flash drives. Supports SCSI, FireWire, and Fibre Channel drives with optional modules.

CAPTURE PATH SELECTION: Add folders to the destination repository and then select and image to the named folder. Empty folders can be deleted and folders can be renamed.

HPA/DCO/ACS3 CAPTURE: Detect and capture Host Protected Areas (HPA), Device Configuration Overlay (DCO) and Accessible Max Address (ACS3) hidden areas on the source drive.

REMOVABLE STORAGE DRIVE: OS and audit trail/log files are stored on an internal drive. This drive is easily removed for secure/classified locations.

ERROR HANDLING: Drive error handling is enhanced with a configurable error granularity feature. When a bad sector on the source drive is found the sector will be skipped by default. Changing the granularity allows more sectors to be skipped. There are 3 options (512 Bytes, 4096 Bytes, 64 KIB). As an example, if 4096 Bytes is chosen, and one of the 8 sectors in that cluster size contains a bad sector, the entire cluster (4096 bytes or 8 sectors) will be skipped.

PARTITION IMAGING: Select and image specific partitions on the source drive.

SCSI MODULE SUPPORT: The SCSI Module option expands the capability of the Forensic Falcon-NEO2 by providing support for imaging from and to SCSI hard drives. The Module connects seamlessly to the PCIe ports and provides 1 SCSI source port (write-protected) or 1 SCSI destination port.

FIREWIRE MODULE SUPPORT: The FireWire Module option provides support for FireWire enclosures. The FireWire Module connects to the Falcon-NEO2’s PCIe ports and provides 1 FireWire source (write-protected) or destination port.

FIBRE CHANNEL SUPPORT: An optional Fibre Channel module is available providing support for imaging to or from one 40-pin Fibre Channel drive. An additional kit is available to allow cloning to and from two 40-pin Fibre Channel drives.

CD/DVD/BLU-RAY IMAGING: Image CD/DVD/Blu-ray media by using a USB optical drive connected to the USB port on the Falcon-NEO2. Supports multi-session CD/DVDs.

BLANK DISK CHECK: Verifies if the source or destination disk is empty or has been wiped.

DRIVE SPANNING: Capture from one large capacity drive to two smaller capacity drives.

HDMI PORT: An HDMI port is located on the back of the Falcon-NEO2. This port can be used to connect the Falcon-NEO2 to an HDMI external display.

KEYBOARD, MOUSE: Any USB 3.2 port can be used for peripherals like a keyboard or mouse.

7″ TOUCHSCREEN: Uses a capacitive touch screen with an easy-to-use interface that provides easy navigation through all operations.