Falcon Neo Forensic Imager
Falcon Neo Forensic
The next-generation of Logicube's Forensic Falcon, the Falcon-NEO achieves imaging speeds surpassing 50GB/min imaging speed*. Efficient and secure digital evidence collection is accomplished with a feature-set that provides sophisticated functionality with a goal to shorten acquisition time. Designed to meet future technological advances in digital forensics, the Falcon-NEO sets new standards in forensic imaging technology.
Falcon Neo Forensic Overview
Extreme speed, imaging at surpassing 50GB/min*. Clone PCIe to PCIe at speeds over 90GB/min.
Image directly to/from Thunderbolt™ 3/USB-C external storage enclosures with an optional I/O card.
Image & verify from up to 5 source to up to 9 destination drives for ultra-efficient imaging.
Concurrent Image+Verify feature. Verification starts shortly after imaging process begins, significantly reducing the image plus verification process time.
Image to/from Fibre Channel drives and enclosures with the optional Fibre Channel Module.
Recognize source drives and partitions that are possibly encrypted.
Cloud storage acquisition software renewable option provides convenient capture of OneDrive, Google Drive, and Dropbox files.
Capture from mobile devices including Apple® iPhones, iPads, Android phones and tablets with an optional renewable software package.
Secure Erase NVMe SSDs.
File Browser/write-blocked drive preview feature provides logical access to drives and network repositories connected to Falcon-NEO. View contents of dd, e01, ex01, and dmg image files created by Falcon-NEO.
Secure sensitive evidence data with whole disk, open standard, drive encryption using the NIST recommended XTS-AES-256 cipher mode, decrypt using Falcon-NEO or Veracrypt.
Logical Imaging feature creates a logical image using pre-set, custom filters, file signature files and keyword search to capture only specific files needed.
Image to/from a network location using two 10GbE connections for fast network imaging performance and to minimize bottlenecks.
Image from a laptop using our iSCSI boot client or from a Mac®computer using Target Disk Mode without removing the hard drive.
Multi-task. Perform image, wipe, hash tasks simultaneously. Little or no speed degradation when imaging from three sources to three destinations.
Network Traffic Capture. Capture network traffic, VOIP, internet activity.
Falcon Neo Forensic Features
Extremely Fast Imaging The Falcon-NEO is the fastest forensic imaging solution available, achieving imaging speeds surpassing 50GB/min*. The product can clone PCIe to PCIe drives at speeds over 90GB/min.
Multiple Image Formats The Falcon-NEO images and verifies to the following formats: native or mirror copy, dd image,.dmg image, e01, ex01. The Falcon-NEO supports MD5, SHA1, SHA256 and dual-hash authentication.
Concurrent Image+Verify Imaging and verifying concurrently takes advantage of destination hard drives that may be faster than the source hard drive. Duration of total image+verify process time may be reduced by up to half.
Multiple Imaging Ports 6 write-protected source ports include:
1 USB 3.0 (can be converted to SATA using an optional USB to SATA adapter)
2 I/O ports for use with optional I/O cards including Thunderbolt™3/USB-C
9 destination ports include:
2 SATA only
3 USB 3.0 (can be converted to SATA using an optional USB to SATA adapter)
1 I/O ports for use with optional I/O cards including Thunderbolt™3/USB-C
All destination ports are built into the unit, no additional module or bay attachments required.
Thunderbolt 3/USB-C support An optional I/O card supports imaging directly to/from Thunderbolt 3/USB-C and USB 3.1 Gen 2 external drives and storage enclosures. The card connects to the Falcon-NEO’s 2 write-blocked source I/O ports or 1 destination I/O port. Organizations can take advantage of Thunderbolt 3 technology’s fast transfer speeds when imaging directly to large capacity Thunderbolt 3 RAID storage enclosures for evidence data collection.The I/O card does not currently support imaging in TDM from Mac® systems, please refer to the Falcon-NEO users’ manual on how to image from Mac systems in TDM using the USB ports or our iSCSI boot device.
Logical Imaging feature Shortens acquisition time. Create a logical image by using pre-set filters, custom filters, file signature filters, and/or keyword search function to select and acquire only the specific files you need. An MFT report can be generated that contains a potential deleted file list. Format output to L01, LX01, ZIP or directory tree. Users can browse and view directly on the Falcon-NEO display or manage and view on a networked Falcon-NEO from your laptop/desktop using a web browser.
Two 10GbE Network Ports provide fast network imaging. Image to/from a network repository using CIFs protocol or iSCSI. Users can connect to a 10GbE NAS as a source and connect to your network using the 2nd 10GbE port to minimize bottlenecks. Provides a secure method to isolate the source network/NAS from the destination NAS/network.
APFS Support The Falcon-NEO supports logical imaging (using our file to file mode) from drives formatted to APFS (Apple File System). Requires use of Advanced set-up, reference our users’ manual for complete information. The Falcon-NEO can also view and browse APFS files using our file browser feature.
File Systems Falcon-NEO formats destination drives to NTFS, exFAT, HFS+, EXT4, EXT3, EXT2 or FAT32 file systems.The unit supports imaging from source drives formatted to any major file system.
Multi-task Image simultaneously from multiple sources to multiple destinations including a network repository. Supports imaging to one location while simultaneously hashing and/or wiping a second drive. Perform up to 5 tasks concurrently. Little or no speed degradation when imaging from two sources to two destinations.
Task Macro Allows users to set specific tasks to be performed sequentially. For example, first wipe, then image, then verify a drive.Set up to five Macros with up to 9 operations/tasks for each macro.
Parallel Imaging Simultaneously perform multiple imaging tasks from the same source drive to multiple destinations using different imaging formats. For example, clone to a network location or a destination drive in native copy format while imaging to a different destination drive using e01, ex01, dd or dmg format.
Web Browser/Remote Operation An easy to use and intuitive interface allows you to connect to the Falcon-NEO from a web browser and manage all operations remotely. The browser features automatic page scaling for iPad type devices.
Broad Interface Support Built-in support for SAS/SATA/USB/PCIe storage devices. Supports eSATA, mSATA and microSATA interfaces with adapters included with Falcon-NEO. Optional adapters are available for 1.8″/2.5″/3.5″ IDE, 1.8″ IDE ZIF and flash drives. Supports SCSI drives with optional SCSI module. Supports FireWire enclosures with optional FireWire® Module.
PCIe Support Support for M.2 PCIe and M.2 NVMe type SSDs and mini-PCIe and PCIe express cards is provided using optional adapters.
SCSI Module Option The SCSI Module option expands the capability of the Forensic Falcon-NEO by providing support for imaging from and to SCSI hard drives. The Module connects seamlessly to the Falcon-NEO’s PCIe ports and provides 1 write-protected SCSI source port or SCSI destination port.
FireWire Module Option The FireWire Module option provides support for FireWire enclosures.The FireWire Module connects to the Falcon-NEO’s PCIe ports and provides 1 write-protected FireWire source or destination port. Supports imaging from Mac® systems booted in Target Disk Mode.
CD/DVD/Blu-ray Imaging The Falcon-NEO can image CD/DVD/Blu-ray media by using a USB optical drive connected to the USB port on the Falcon-NEO. The Falcon supports multi-session CD/DVDs.
Wipe Wipe up to DoD specifications or use Secure Erase to erase drives, wipe at speeds up to 27GB/min. Supports the ATA Sanitize command.
Image to External Storage Device The Falcon-NEO allows you to image to an external storage device such as a NAS, using the 10GbE ports, USB 3.0 or via the SAS/SATA connection.
Error handling Drive error handling is enhanced with a configurable error granularity feature. When a bad sector on the source drive is found Falcon-NEO will, by default skip that sector. Changing the granularity allows more sectors to be skipped. There are 3 options (512 Bytes, 4096 Bytes, 64 KIB). As an example, if 4096 Bytes is chosen, and one of the 8 sectors in that cluster size contains a bad sector, the Falcon-NEO will skip the entire cluster (4096 bytes or 8 sectors).
Reverse Read setting instructs the Falcon-NEO to skip past a bad sector ( based on error granularity settings) then read backwards, potentially capturing data that may not necessarily be read when skipping the entire block.
Removable Storage Drive OS and audit trail/log files are stored on an internal drive. This drive is easily removed for secure/classified locations.
7″ Touch Screen Uses a capacitive touch screen with an easy-to-use interface that provides easy navigation through all operations. An on-screen keyboard is also included.
HPA/DCO/ACS3 Capture Detect and capture Host Protected Areas(HPA), Device Configuration Overlay (DCO) and Accessible Max Address (ACS3) hidden areas on the source (suspect) drive.
Compact Size The Falcon-NEO is light weight, at 3.0lbs (1.36kg) and features a small footprint of 10″W X 3.25″H X 6.75″D (25.4cm X 8.2cm X 17.1cm).
Fibre Channel support An optional Fibre Channel module is available providing support for imaging to or from one 40-pin Fibre Channel drive. An additional kit is available to allow cloning to and from two 40-pin Fibre Channel drives.
Encryption Detection Whole disk and partition level encryption detection. Easily identify Source drives with possible encryption.
Cloud Storage Acquisition This optional software subscription allows you to acquire files from Google Drive or Dropbox. Use Falcon-NEO file to file mode to browse files, use filters or keyword search to select and acquire information. Capture to any destination drive or network repository connected to Falcon-NEO.
Mobile Device Capture Acquire critical digital evidence from mobile devices, including Apple® iPhones, iPads, Android phones and tablets with an optional renewable software subscription. Capture SMS, MMS, photos, videos. Supports i)S version 13.3 and Android 4.0 to 10.
Capture path selection Add folders to the destination repository and then select and image to the named folder. Empty folders can be deleted and folders can be renamed.
Image from a Mac Computer Image from a Mac computer with USB-C ports using a USB-C to USB-A cable and Target Disk Mode. Users can also image from Mac computers using Logicube’s USB boot device. Create a forensic bootable USB flash drive to image a source drive from a Mac on the same network without booting the computer’s native OS. The Falcon-NEO supports imaging from MacBook Pro® systems and supports imaging from Mac computers that use the Apple® T2 Security Chip by using file to file mode or using the Mac computer’s Disk Utility. See our application note on how to image from Macs
Image From Desktop/Laptop PCs Create a forensic bootable USB flash drive to image a source drive from a computer on the same network without booting the computer’s native OS. Supports Surface Pro 4 and above laptops. For instructions on how to create the USB flash drive go to the Falcon-NEO Knowledge Base page.
Partition Imaging Select and image specific partitions on the source drive.
BitLocker, OPAL, VeraCrypt, and TrueCrypt Decryption Support Decrypt partitions (requires the recovery key or password) and then image the selected partition. BEK (BitLocker Encryption Key) file is supported to unlock FIPS-compliant BitLocker encryption.
ATA Security Unlock and clone ATA Security locked drives. Temporarily unlock drives and then clone,hash or wipe. Requires ATA Security password to unlock.
Network Traffic Capture Capture network traffic, internet activity and VOIP. Sniff data on a network and store captured packets on a hard drive connected to Falcon-NEO. The data is saved and stored to a *.pcanpg file format which can be opened by various software programs such as Wireshark. Chain destination feature allows spanning to multiple destinations.
Network ServicesUsers can disable various network services such as HTTP, SSH, Telnet, CIFS/NETBIOS, iSCSI Iperf and Ping, for security purposes.
File Browser/Write-Blocked Drive Preview Preview drive contents directly on the Falcon-NEO. The file browser feature provides logical access to source or destination drives and network repositories connected to Falcon-NEO. Users can view the drive’s partitions and contents and view text files, jpeg, PDF, XML, HTML files. Users can also view the contents of .dd, e01, ex01, dmg, L01 image files created by Falcon-NEO. Other methods to preview include using the file browser feature and Falcon-NEO’s web browser on a PC/laptop or preview over a network via SMB or iSCSI (as an iSCSI target). 3rd party analysis tools can be used with SMB or iSCSI methods.
Network Push Feature Push evidence files from destination drives connected to the Falcon-NEO or from a Falcon-NEO repository to a network location. The Push feature provides a more secure method than simply copying and pasting to the analysis computer by performing an MD5 or SHA hash during the push process. Additionally, users can select to verify the file transfer to ensure data integrity. Network users can then quickly preview data or copy data to a local drive or to any other directory on the network. The Falcon-NEO generates a log file for each push process.
Image Restore File to drive mode restores dd,dmg,e01,ex01 images created by the Falcon-NEO to another drive.
User Profiles/Configurations Administrators can save configuration settings and set password-protected user profiles.
Audit Trail Reporting/Log Files Provides detailed information on each operation. Log files can be viewed on Falcon-NEO or via a web browser, exported to XML, HTML or PDF format to a USB enclosure. Users can print the log files directly from their PC when connected to Falcon-NEO via a web browser.
Encryption Secure sensitive evidence data with open-source whole drive NIST recommended XTS-AES-256 encryption cipher mode. Decryption can be performed using the Falcon-NEO or by using a free open source decryption software such as VeraCrypt, TrueCrypt http://www.truecrypt.org. or FreeOTFE (On The Fly Encryption), http://sourceforge.net/projects/freeotfe.mirror/.
Drive Trim Allows the Falcon-NEO to manipulate the DCO and HPA area of the destination drive so that the destination drive’s total native capacity matches the source drive.
Resume Feature for drive to drive cloning tasks that get interrupted (for example, due to a power loss or if task is aborted) will give the user the option to resume or restart.
Drive “Time-Out” Feature Users can set a specific “time-out” for hard drives connected to Falcon-NEO. After a specified amount of idle time the drive will be automatically put into standby mode, powering down the drives.
Drive Spanning Capture from one large capacity drive to two smaller capacity drives.
Blank Disk Check Verifies if the source or destination disk is empty or has been wiped.
Keyboard, Mouse Any USB 3.0 ports can be used for keyboard, mouse or printer connectivity.
HDMI Port An HDMI port is located on the back of the Falcon-NEO. This port can be used to connect the Falcon-NEO to a projector.
One-year Standard Warranty The system comes complete with a one year parts and labor warranty. Both an optional 1 year extended warranty ( total of 2 years) and a 2 year extended warranty (total of 3 years) are available.
In The Box The Falcon-NEO includes the following:
Power supply and power cord
6 SAS/SATA cables
2 CAT7 network cables
6 6-pin SATA plugs
1 1.8″ microSATA to SATA adapter
1 mSATA to SATA adapter
1 USB 3.0 male type A to USB 3.1 male type C cable
1 eSATA to SATA converter cable
Users manual on CD-ROM
*The Forensic Falcon-NEO achieves speeds surpassing 50GB/min using solid state “suspect” drives that contain a freshly installed Windows “X” OS and random data and solid state destination drives. Settings used are e01/ex01 image format, with compression and with verify “on”. The specification and condition of the suspect hard drives as well as the mode, image format and settings used during the imaging process may affect the achieved speeds.
Two new optional features added to Falcon-NEO!
The Cloud Storage Acquisition
software option allows you to capture Google Drive and Dropbox Files.
The Mobile Device Capture
software option provides the ability to acquire critical evidence from mobile devices including Apple® iPhones and Android phones.