CRU Ditto Forensic FieldStation
Strengths: Excellent imager with lots of bells and whistles. The only imager you’ll ever need.
Weaknesses: Website and documentation could be a lot better.
Verdict: If you can tolerate the lack of resources on the website and find a way to reinforce the documentation to prevent its destruction this is a must-have for labs and field use alike. his is a simple tool but it may be one of the most important in your kit.
This is a simple tool, but it may be one of the most important in your kit. The Ditto is an imaging workstation created especially for field use. In the two or three years we've reviewed this product we've seen significant improvement both in ease of use and functionality. We tested this by imaging a 350GB disk onto a 500GB disk using .E01 imaging. It took just over two hours to image and verify. That is faster than most of the imagers that we use on our forensic computers. The .E01 image performed flawlessly in enCase, FTK and Autopsy.
When used in the lab, the Ditto has the added benefit of being addressable over a network. You can, of course, connect your computer to it directly in the field using a standard network cable, but in the lab we used the web interface over the network.
When we plugged the Ditto into the network, it grabbed a DHCP address and a couple of button presses on the device told us the address. We went over to our lab computer and browsed to the address, logged in and were presented with an intuitive web user interface. We simply plugged in our source and destination drives using supplied cables and started the image. The device immediately told us that the destination drive needed formatting so we formatted it and started the imaging.
A bit over two hours later it was done. We pulled off the destination disk and hooked it up through our write blocker to our forensic computer. A close look at it with our computer forensic tools satisfied us that the image was good. The hashes matched and the image was readily consumed by each of our test programs.
The imager, of course, contains a write blocker. It has ports for just about every conceivable device, including USB and firewire. There is an expansion module that extends the types of devices that can connect and it comes with a plethora of connector cables - all in a convenient pelican case (optional). There are so many features in this year's version of the product that space prevents us from hitting them all, but here are a few.
Secure erase includes DoD clear and sanitize as well as NIST clear and purge. The system can be configured from its front panel or from the web interface. There is a stealth mode for use with night vision goggles. Multiple user accounts can be set up. Both logical and physical imaging is available and there are multiple types of hashes. Disks can be cloned as well as imaged. Quite a bundle of features for a box that measures about 5" x 6" x 1". Finally, to our surprise (we should not have been, we seem to recall that we ran into this last year) the Ditto has Nmap (Network Mapper) built in and users can perform a network port scan. Finally, the Ditto supports iSCSI disks.
This is an interesting tool and it certainly is priced attractively. It is especially attractive when one considers that the device can be sent to a remote site to collect images of compromised computers and the IT staff at the other end can manage all of the physical connections while the admin controls the process over the internet. The IT folks then bundle everything and send it back to the lab for analysis. This can be extended within a single environment to a sort of forensic VPN.
The use of the logical capture capability allows seizure of a small portion of a large drive as well as of network shares. Of course, it also will capture CD, DVD and Blu-Ray disks. Support is by phone, email or web. Documentation was a simple set of sheets stapled together. We would like to have seen something more robust given that the device is likely to be shipped around and many users will need to reference the documents. The website is adequate with a combination of marketing/sales and utilitarian content - download updates, for example. There is no knowledge base or FAQ.