CRU Ditto Forensic FieldStation
Strengths: A lot of acquisition functionality in a small, portable footprint. We liked the combination of cloning, acquisition (in A01 or DD format) and erasing/zeroing disks in the field.
Weaknesses: We would like to see a bit more network-scanning capability, given that the tool is headed in that direction.
Verdict: This is a must-have for field work. It is everything that one needs to acquire disks and scan networks for active services in the field.
This was one we never saw coming. It's a neat little box that at first blush looks like a write-protect bridge. It is. But it is more as well. It clones disks, it acquires disks and it scans networks. It is a standalone tool that comes neatly packaged in a rugged, lightweight carrying case. Everything that one needs is in the case, including cables, adapters, a power brick and a space for extra disks.
When we opened this one up, our first task was finding documentation since we had never seen this or anything like it before. Certainly, we have tested write-blockers, but this is quite a bit more than that. What we found was, at first, disappointing. It consisted of a small four-page quick-start guide. However, it turned out the guide was all we needed to get up and running.
The first step in setting up the tool - as described in the quick-start - is to connect to a network to access the built-in web interface. That was simplicity itself. We plugged the CRU Ditto Forensic FieldStation into a switch in our lab and browsed to 192.168.0.103, the DHCP address assigned by our router. If one needs a static address, the Ditto has one, and users can connect to it as well if they are on a net 10 (10.x.x.x) network. Fewer than 10 simple steps and we were on our way.
Everything one needs to configure and use the Ditto is in the web interface. Next to everything requiring user input is an information icon. This is the documentation for the tool. The documentation is extensive, contextual and easy to use and read. It makes sense and it is all that is needed. We liked that because nobody in the field wants to stop in the middle of an acquisition to thumb through a manual or break out a PC to search a PDF for a configuration help file. In this case, you simply connect a PC, configure and then start acquiring or cloning.
Cloning is something that can be tiresome in many cases. The process often entails taking a forensic image and restoring the image, a time-consuming process. With Ditto Forensic FieldStation, the user can clone a disk directly in a single step. If, on the other hand, what is really needed is a typical forensic image, that is the Ditto's meat and potatoes. Plug in the source and the destination and run. There is a nice LCD display on the tool, complete with all of the menus necessary. Once the tool is configured, users don't really need their PC anymore to run it. Reconfiguration can be done from the LCD screen as well.
The tool also has network scanning, called NetView, built in. It uses Nmap, so the scans are not comprehensive, and we would have liked to see CRU go the extra mile and build in something such as Nessus for a more complete scan. The scans show the running services - both TCP and UDP - but no vulnerability information, which would have been nice. But even this is well beyond what we expected. This tool turns out to be a Swiss Army knife for basic forensic acquisition.
Support is based on a three-year warranty, and there is a good aid portal with software downloads and other useful features available to prospective customers and current users.