SIP Field Forensic Complete Kit

Model SIP8 Features
Main Hardware Features:
Case: Mobile, easy to carry
CPU: i7
Display: 8″ (800×600) LED backlight Touchscreen color LCD display
Hardware: Very high quality high performing
components, some with military specifications.
Hardware upgrade: The unit can be upgraded at time of
purchasing for additional cost, to a large internal SSD
OS: Linux Ubuntu 64 Bit and Win 64 bit Proffesional in a dual boot
Writes Block: Using “device driver” blocking mechanism based on Maxim Suhanov Mechanism
(https://github.com/msuhanov/Linux-write-blocker)
Application Updates: Application can be easily updated via USB thumb drives and special update screen
Application Settings:
HPA/DCO Automatic Supports: The application has the ability to automatically open HPA and DCO areas, and resize the “Suspect” hard drive to its full native capacity, in order to capture any “hidden data” (HPA/DCO are special areas on the hard disk drive that support this feature)
Bad Sectors Handling: User can select to skip bad sectors/blocks, or abort the operation when it encounters bad sectors/block of sectors on the “Suspect” hard disk drive
Ports:
Forensic Images Destination: User can save Forensic Images to a local network shared folder for easy access and analysis, or save images to external USB3.0 RAID (encryption is optional) storage in a very good
speed Captured Storage Protocols and Interfaces: SAS, SATA, e-SATA enclosures, IDE, USB2.0, USB3.0, MMC, M.2 NGFF(PCIE or SATA base), 1394*, Thunderbolt*, and SCSI*
Form Factors: Capture data from various form factor devices: 3.5″, 2.5″, ZIF, 1.8″, Micro-SATA, Mini-SATA, PCIE*, Mini PCIE*, M.2 NGFF
Cross Copy from Ports and Interfaces: The user can choose to capture from one type of port, storage protocol and interface, and save the forensic Images into a different port, storage protocol and interface. The cross copy of data can be done between SAS/SATA/IDE/USB/SCSI/1394 interfaces
Application Features:
GUI: The application is built with large icons and is very simple and easy-to-navigate. In a few clicks user can set the operation, and it will be quickly up and running
Speed: Extremely fast
• Tested with Hash verification operation with SHA-1 enabled the recorded top speed was 30GB/min
with Solid State Drive, and 10GB/min with 1TB WD Blue SATA-3 Hard Disk Drive
• Tested with Forensic Imaging operation of 1 to 2 with SHA-1 enabled the recorded sustained top speed was 29GB/min with 3 SSD of SanDisk 120GB Extreme II
Extreme Speeds when performing Forensic capture with E01/Ex01 formats and with full Compression:
• The new Linux-based Imager application utilizes and optimizes multiple CPU cores to achieve one of the most efficient operations, while performing at incredibly high speeds with E01/Ex01 compression. The application allows users to manually select and adjust the number of threads and the level of compression used during each session
• Forensic data capture with Encase E01/Ex01 formats with full compression is widely used operation in the forensic industry, and generally requires a trade-off between speed, space, and time of decompressing by the EnCase application
• Comparative tests show a 20% increase in speed when using the Imager Linux-based application over the Imager® Windows-based application. Tests were performed with the same hardware and the same hard disk drives (filled with 43% of random data), and the same level 1 of compression. The Linux-based application was set to use 16 compression threads
Hash Authentication: Simultaneously calculates on-the-fly up to 3 Hash Authentication values MD5/SHA-1/SHA-2
Encryption: On-the-fly AES256 encryption of the “Suspect” Hard Disk Drive, saving the encrypted data on “Evidence” Hard Disk Drive in 100%, DD, E01/Ex01 formats
Decryption: The user can perform decryption on a drive, previously encrypted by any of the Imager units. Alternatively user can use a standalone Linux decryption utility application to perform decryption on that drive using any PC. The supplied standalone decryption utility application can be burned onto a USB
flash drive that later can be used to boot the PC to the Linux utility, where the encrypted drive and a blank destination drive were attached to the PC. (The user needs to supply to the utility application the saved encryption key)
Forensic Images can be saved in those Formats: 100% Bit by Bit, Linux DD Format, Encase E01/Ex01 formats include options for optimized compression
Evidence Drive Formats: exFAT/FAT/NTFS/HFS+/EXT4
Log Files: Audit trail in PDF formats, or txt formats with ability to customize the reports and adding company Logo
Drive Spanning: Supports spanning the captured data onto many “Evidence” drives , when the Evidence drives are not large enough (Also supports restore from spanned multiple drives)
Main application Features:
• Forensic Imaging Mode
• Forensic Restore back data to original
• Erase data from drives and Quick Format
• Hash calculation authentication and verification
• Virtual Drive Emulator (Optional)
Main Forensic Imaging Mode Features:
• Forensic Imaging Modes: Mirror Imaging bit by bit (100% or any % of th edrive), DD, E01/Ex01 – with optional compression
• Hash while capture: MD5, SHA-1, SHA-2 (all 3 can be selected simultaneously)
• Erase Reminder of the drive
Parallel operations:
Parallel Forensic Imaging – Multiple Session Operations: User can run a multiple efficient parallel operation, since many ports are available. User can mix different type of operations, and each operation is set as a new independent session. Example of operations: erase data from a hard disk drive on one port, hash verify on second port, while forensic imaging 1 to 1 on the remaining ports
Basic Parallel Forensic Imaging: The supported modes are:
Native SAS/SATA: 1 to 1, 1 to 2, 1 to 3, 2 to 2, 2 to 3. The 2 to 3 imaging mode uses the e-SATA port with the need to supply external power to the e-SATA plugged device and the 1:3 imaging mode need to be configured at time of purchasing of the main unit USB3.0: 1 to 1, 1 to 2, 2 to 2 and up to 4:4
More Ports for Forensic Imaging:
With the use of USB3.0 to SATA fast adapters and with the combination of e-SATA port, the unit can support up to 2 to 7 and up to 4 to 7 Forensic Imaging of SATA Hard Disk Drives. With the use of Express
Port Option enabled, and the Optional Sonnet 4 SAS Ports Express Card Adapter, the application can support up to 2 to 6 Forensic Imaging of SAS Hard Disk Drives
Parallel operation – Linux Elaborated:
Hard Drive Detection Application Screen: All hard disk drives and storage devices that are connected to the units will be scanned and displayed in one application screen called “the detection screen”. User can tap
on each drive to get its detailed info, as well as selecting it for the desired operation they are planning to use Parallel Forensic Imaging: It depends on the number and the kind of ports that each model has. The application is very flexible in running multiple sources to multiple destinations, all in a simultaneous operations. The user has the flexibility to change a role of a port from Evidence to Suspect, and is not limited by the pre-assigned “Suspect” ports. The session control application screen provides the user with a very comprehensive information and control over the running sessions, including all the setting of the session, and ability to abort the session
Parallel Forensic Imaging – Multiple Session Operations: User can run multiple efficient parallel operations and can mix different type of operations; for example erase hard disk drive on one port, hash verification on another port, while performing forensic imaging on other ports (each operation can function as a new independent session). The number of sessions also depends on the CPU: i5 -4 sessions, i7- 8
sessions
Network:
Network Capture: Data from network folder can be captured and saved into “Evidence” drives via iSCSI storage protocols. (SMB, NFS, CIFS)
Saves Forensic Images to network: Upload multiple Forensic images to a local network (DD, E01), simultaneously by using up to 8 parallel 1Gigabit/s network streams

Remote Capture – Capture Data from the Internal Hard Disk Drives of a Computer: Using USB or 1Gigabit Ethernet ports of the laptop/computer, enables capture without the needs to remove the hard drive from the Laptop/computer (Speed is restricted to performance of the Laptop/PC CPU and the 1Gigabit/s connection)
Erase and Quick Format Operation:
Hard Disk Drive Erase Protocols: DoD 5220-22M(ECE, E), Security Erase, Enhanced Security Erase, or user can define the final data filling pattern and the number of iterations (Security Erase, Enhanced Security Erase, and DoD erase protocols are NIST 800-88 compliance)
Quick Format: NTFS, FAT, HFS+, EXT4, and exFAT
Logs and Erase Certification: The application generates extensive erase log files and erase certification (option to save to NIST 800-88 format) that are easy to export to USB thumb drive
Unit as a Platform:
File Preview: Browse and preview captured data on the Internal Display
High Performances: As a platform, a forensic investigator can, in addition to imaging and capturing data, load and run third-party applications to analyze the captured data:
• Cellphone/Tablet data extraction and analysis: Cellebrite, Oxygen, BlackBag, MPE+, Paraben applications
• Triage data collection: Nuix/Encase portable applications
• Full computer forensic analysis: Encase, Nuix, and FTK applications
The units have very firm hardware that enables those said applications to run with excellent performance
Expansion capabilities and the main hardware options:
Express Card Port Option: Optional port that needs to be pre-installed at time of purchasing in the main unit: This option gives the user the ability to plug and use a few kinds of express cards adapters to support
capture and erase data from additional interfaces and devices. This option is very useful and saves in most of the cases the need for expensive and bulky expansion box. The Express Card adapters can be dual port 1394A/B, PCIE memory cards (Sony SxS), Mini-PCIE that are not supported by SATA protocols (are used in
some MacBook Air, with M.2 (NGFF) form factor)
Expansion Port and Expansion Box Option: Optional expansion ports that enable user to plug in an Expansion Box in order to add-on many other devices: User can configure the main unit with only one connectivity port or Express Card Port or Expansion Port. The Expansion Port is mostly required when user
needs to erase data from SCSI Hard Disk Drives. In addition to purchasing the Expansion Box, user can also purchase the SCSI 2 drives Kit which supports capture or erase from 2 SCSI Hard Disk drives. The SCSI 2 drives Kit includes all the cables, terminators and adapters that are needed to operate 2 SCSI hard disk
drives. (The SCSI controller is installed inside the Expansion Box). The Expansion Box is also supplied with a low profile Express Card reader pre-installed inside the Expansion Box USB3.0 to SATA adapters and Kits Option: Today USB3.0 technology is extremely fast and can run read data from SSD drives up to 20GB/min.
Factory Warranty: 1 year for parts and labour
Specifications subject to change without notice