Voom Shadow 3 User manual

Voom Shadow 3™
User Guide
Portable Computer Forensic Test Lab
For Immediate Real-Time Computer
Investigation

Voom Shadow 3™ User Guide
Shadow 3 is a registered trademark of Voom Technologies, Inc.
All other brand names, product names, and company names in this document
are trademarks or registered trademarks of their owners.
Third Edition
2 August 2018
(Based on the Shadow 3 v1-04 release)
NOTICE OF PROPRIETARY RIGHTS
The equipment described herein including hardware, firmware, and
software is manufactured from designs that are the property of Voom
Technologies, Inc.
Reproduction or reverse engineering of any part of this equipment
without express written permission of Voom Technologies, Inc. is
prohibited.
Copyright © 2004-2018 Voom Technologies, Inc.
All Rights Reserved
Printed in U.S.A.
Shadow 3 is designed, developed, and manufactured in the USA.
Voom Technologies, Inc.
1000 Westgate Dr Suite 150-I
St. Paul, MN 55114
Telephone 651-998-1618

Voom Technologies, Inc. © 2004-2018 Proprietary www.voomtech.com
Table of Contents
1 Information
1.1 Patents
1.2 Technical Documentation
1.3 Data Protection
2 Technical Support
2.1 Support by Telephone
2.2 Support by E-Mail
2.3 Technical Support Tips
3 Preface
3.1 Product Contents
3.2 System Requirements
3.3 Overview
3.4 Definitions
3.4.1 General
3.4.2 Shadow
4 Shadow Setup
4.1 Single Hard Drive System
4.2 Multiple Hard Drive System
4.2.1 Use Multiple Shadows
4.2.2 Use Third Party Write Blockers
4.3 Operating the Host Computer
5 Command Description
5.1 Zero Shadow Command
5.2 Wipe Shadow Command
5.3 Park Drives Command
5.3.1 Spin Drives Command
5.4 Lock Shadow Command
5.5 Toggle Ctrl Blk Command
6 Button Interface
6.1 Zero Shadow Procedure
6.2 Wipe Shadow Procedure
6.3 Park Drives Procedure
6.4 Lock Shadow Procedure
6.5 Toggle Ctrl Blk Procedure
7 Serial Interface
7.1 Zero Shadow Procedure
7.2 Wipe Shadow Procedure
7.3 Park Drives Procedure
7.3.1 Spin Drives Procedure
7.4 Lock Shadow Procedure
7.5 Toggle Ctrl Blk Procedure
8 Shadow Internal Hard Drive Replacement
8.1 Step 1 - Internal Hard Drive Removal
8.2 Step 2 - Internal Hard Drive Installation
8.3 Step 3 – Internal Hard Drive Introduction
9 Warranty
9.1 Limited Warranty
9.2 Warranty Return Instructions
10 Specifications
10.1 CE
10.2 FCC Exemption

1 Information
1.1 Patents
Shadow 3 is protected by patent number US 6,345,346; other patents pending.
1.2 Technical Documentation
Specifications and information contained in this manual are furnished by Voom
Technologies, Inc. for informational use only and are subject to change at any
time without notice and should not be construed as a commitment by Voom
Technologies, Inc. Voom Technologies, Inc. assumes no responsibility or liability
for any errors or inaccuracies that may appear in this manual; including the
products, firmware and included accessories.
1.3 Data Protection
The user must be aware that an improper system configuration can lead to data
corruption. Please read the Shadow Setup chapter of this manual carefully
before attempting to investigate a suspect computer. Voom Technologies, Inc. is
not responsible for any loss of data resulting from the use, disuse or misuse of
this product.

2 Technical Support
2.1 Support by Telephone
Technical support is available to registered owners of Voom Technologies, Inc.
products by telephone Monday through Friday 8:00am to 4:00pm, Central Time
Zone at 651-998-1618.
2.2 Support by E-Mail
Voom Technologies, Inc. technical support is available by e-mail at
2.3 Technical Support Tips
Call from a telephone where you have access to your computer. Please be
prepared to provide the following information:
● Name, telephone number, e-mail address
● Serial Number and version of the Voom Shadow product
● Make and model of your computer
● Operating system and version
● Symptoms of the problem

3 Preface
3.1 Product Contents
1 Voom Shadow 3 System
1 DC power cable (Shadow to suspect hard drive)
1 0.5m SATA Cable (Used for all configurations)
1 Auto-ranging AC Power Supply
1 Standard serial interface cable
1 User Guide
SATA Laptop Adapter Kit:
1 SATA Extension Cable
IDE Adapter Kit:
1 IDE to SATA Adapter
1 SATA to IDE Adapter
3.2 System Requirements
The Voom Shadow 3 product is designed to operate on computers that boot from
a SATA hard drive. Shadow 3 supports drives of sizes up to 2 TB. For
computers with multiple hard drives, a separate Shadow 3 unit is required for
each hard drive. Via an IDE to SATA adapter, Shadow 3 may support PATA/IDE
hard drives. A separate IDE bus is required for each IDE drive to be shadowed.
3.3 Overview
The investigation of a computer hard drive is often a very time consuming
process. Because it is absolutely essential that the evidence on a suspect hard
drive not be altered in any way, investigation and analysis of the data on the hard
drive is oftentimes done in a lab environment.
Imagine if you could boot and use the suspect computer all the while preventing
any alteration of the suspect hard drive. Voom Shadow 3 is an investigative tool
that is designed to enable investigation of the hard drive in place inside the
suspect computer, while preventing any alteration of the hard drive during the
investigation.
Here’s how it works. After connecting a Shadow 3 system to each hard drive on
the suspect computer, the investigator will use the suspect computer to search
the contents of the hard drive(s) using any software tool already on the computer,
including Word, Excel, File Browsers, Internet and Email browsers, picture
viewers, etc., as well as view internet history, last files accessed, last files altered
– all by simply using the tools on the suspect computer. Investigators may also
install any forensic software they choose to assist in the investigation.
With Shadow, all writes that occur during the investigative process are written to
the internal Shadow hard drive. The suspect hard drive is not altered in any way
during the investigative process.
System operating integrity is maintained because the Shadow remembers where
the writes occurred, and reads from the Shadow drive whenever the suspect
computer reads data from a block that the Shadow has written.

3.4 Definitions
3.4.1 General
AHCI: Advanced Host Controller Interface. Defines the operation of Serial ATA
host bus adapters in a non-implementation-specific manner. This interface is the
native interface for SATA.
Applications: Software programs such as Microsoft Word.
Boot Partition: The C:\ partition is commonly the boot partition that contains the
operating system. Many computers are set up with just one C:\ partition.
Remaining hard drive space, if any, is unallocated.
Ctrl: The keyboard control key.
HD or HDD: Hard Drive, also called the Hard Disk Drive.
Jumper: Refers to the hard drive jumper located at the back of the hard drive.
This jumper configures the hard drive as a slave or master hard drive based on
the number of hard drives used and the hard drive cable used.
Host Computer: The computer the Suspect/Source hard drive is located in.
Master Hard Drive: An IDE hard drive that is configured as master through
jumper setting or cable select connection.
Motherboard: The main computer circuit board, sometimes called the
mainboard.
OS: Refers to the Operating System. Examples include Microsoft Windows
2000 Professional and Microsoft Windows XP Home.
Partition: Partitions can be created on a hard drive so that each partition acts
like a separate hard drive. In Microsoft Windows, partitions are commonly
referred to as drive letters, such as C:\.
Slave Hard Drive: An IDE hard drive that is configured as slave through jumper
setting or cable select connection.
GB: Gigabyte: 1000000000 bytes.
MB: Megabyte: 1000000 bytes.
KB: Kilobyte: 1024 bytes.
3.4.2 Shadow
Locked: When Shadow is locked, all writes to the Shadow hard drive are
blocked – this in effect causes the Shadow to act as a traditional write blocker.
Disabled: The Shadow reports Shadow disabled when an error has
occurred, such as when a cable is not connected properly, a cable is damaged,
or any other event that causes the Shadow to be unable to operate.
Zero: This term applies to zeroing the Shadow hard drive – that is, to make the
Shadow forget about any previous writes.

4 Shadow Setup
This chapter describes how to connect the Shadow 3 to a computer system.
Caution for multiple hard drive systems:
Shadow 3 prevents data from being written to a
single computer hard drive. If more than one
hard drive is used in a suspect computer, then
please refer to the Multiple Hard Drive System
section.
4.1 Single Hard Drive System
This section describes how to connect Shadow to a standard SATA system.
Please use the picture on the next page as a reference during setup.
Step 1: Suspect Computer Preparation
1. Disconnect the computer AC power cable, and remove the computer
cover.
2. Disconnect the DC power cable from the suspect hard drive.
3. Disconnect the SATA cable from the suspect hard drive. Leave it
connected to the motherboard.
Step 2: Shadow Setup
1. Connect the SATA cable that was disconnected from the hard drive in
Step 1-3 to the Shadow 3 port labeled “Motherboard”.
2. Connect one end of the Voom supplied SATA cable to the Shadow 3
port labeled “Suspect Drive,” and connect the other end to the suspect
hard drive.
3. Connect the Voom supplied DC power cable from the Shadow 3 to the
Suspect drive.
4. Plug the Voom supplied AC adapter between the Shadow 3 and an AC
power outlet. (Not shown in picture.)
5. Reconnect the suspect computer AC power.
6. Turn on the Shadow 3.
7. Once the Shadow 3 is turned on and reports ready, the suspect
system may be booted.

4.2 Multiple Hard Drive System
For the investigation of a multiple hard drive system there are two approaches
which may be used.
4.2.1 Use Multiple Shadows
Connect each hard drive to a separate Shadow 3 as described in Single Hard
Drive System.
4.2.2 Use Third Party Write Blockers
Because most of the writes will occur on the boot drive (or if there are no other
available SATA ports) it should be tolerable to protect the non-boot drives with a
simple write blocker. Keep in mind that the additional functionality of Shadow 3
will not be available on the secondary hard drives.
4.3 Operating the Host Computer
Once the system has been connected as described above, the Shadow unit may
be turned on. When the Shadow reports ready, then the Host computer may be
turned on. The Host may be operated exactly as it would be if the Shadow were
not present.

5 Command Description
5.1 Zero Shadow Command
The Zero Shadow command will make the Shadow unit forget any writes it has
made to its internal Shadow drive.
Shadow 3 will automatically zero itself every time you connect the Shadow unit to
a new Suspect/Source drive. Manual zeroing of the Shadow drive should only be
necessary when you want to continue investigating the same Source drive but
want to start from scratch.
It is not recommended to issue the Zero Shadow command while the Host
computer is turned on as it will likely confuse the computer's operating system.
5.2 Wipe Shadow Command
The Wipe Shadow command will wipe the Shadow drive with a fixed byte value
across all LBAs. Wipe also locks the Shadow.
It is not recommended to issue the Wipe Shadow command while the Host
computer is turned on as it will likely confuse the computer's operating system.
5.3 Park Drives Command
The Park Drives command will tell the Source drive and Shadow drive to “park”
their heads in preparation for powering off. This controlled shutdown does not
stress the hard drives the way an unexpected “emergency” shutdown will.
Shadow 3 will automatically issue the Park command to the drives during normal
operation.
It is recommended to issue the Park Drives command every time the Shadow's
LCD does not display parked before you turn it off (e.g., if the Host computer
did not shut down properly).
5.3.1 Spin Drives Command
When the drives are already parked, the menu option becomes Spin Drives. The
Spin Drives command will spin the drives back up. Use this command before
turning the Host computer back on to speed the boot process.
5.4 Lock Shadow Command
The Lock Shadow command will place the Shadow in simple write block mode.
Any writes that would go to the Shadow drive are simply thrown away.
The Shadow will remain locked until it is turned off.
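The redirect behaviour described in the Overview and in sections 5.1, 5.2 and 5.4 can be modelled in a few lines. The following Python sketch is an added example, not Voom firmware or code from this manual; the 512-byte block size, the 0x00 fill byte, the class and method names, and the idea that Zero leaves old bytes in the store while Wipe overwrites them are assumptions of the model.

```python
# Added illustration, not Voom firmware: BLOCK, the fill byte and all names are assumed.
import hashlib
BLOCK = 512  # assumed logical block size in bytes


class ShadowModel:
    """Suspect drive plus a redirect store standing in for the Shadow drive."""

    def __init__(self, source_blocks):
        self._source = tuple(bytes(b) for b in source_blocks)  # never written
        self._store = bytearray(len(self._source) * BLOCK)     # Shadow drive
        self._written = set()   # LBAs the host has written since the last zero
        self.locked = False

    def source_digest(self):
        return hashlib.sha256(b"".join(self._source)).hexdigest()

    def write(self, lba, data):
        """Host write: redirected to the store, or discarded when locked."""
        if len(data) != BLOCK or not 0 <= lba < len(self._source):
            raise ValueError("need one whole block at a valid LBA")
        if self.locked:
            return False        # write-block mode: the write is thrown away
        self._store[lba * BLOCK:(lba + 1) * BLOCK] = data
        self._written.add(lba)
        return True

    def read(self, lba):
        """Host read: served from the store only for blocks the host wrote."""
        if lba in self._written:
            return bytes(self._store[lba * BLOCK:(lba + 1) * BLOCK])
        return self._source[lba]

    def zero(self):
        """Forget the redirected writes; old bytes stay in the store (assumed)."""
        self._written.clear()

    def lock(self):
        self.locked = True      # stays set until power-off (here: a new object)

    def wipe(self, fill=0x00):
        """Overwrite the whole store with one byte value, then lock."""
        self._store[:] = bytes([fill]) * len(self._store)
        self._written.clear()
        self.locked = True

    def store_is_clean(self, fill=0x00):
        return all(b == fill for b in self._store)


def demo():
    # Constructed 4-block "suspect drive": LBA n holds the byte value n + 1.
    shadow = ShadowModel([bytes([n + 1]) * BLOCK for n in range(4)])
    before = shadow.source_digest()
    shadow.write(2, b"X" * BLOCK)             # e.g. the OS updating a file
    after_write = shadow.read(2)[:1]          # host sees its own write
    shadow.zero()
    after_zero = shadow.read(2)[:1]           # original block is visible again
    residue = not shadow.store_is_clean()     # but the old write is still stored
    shadow.wipe()
    accepted = shadow.write(1, b"Y" * BLOCK)  # locked: discarded
    return {
        "source_unchanged": shadow.source_digest() == before,
        "after_write": after_write,
        "after_zero": after_zero,
        "residue_after_zero": residue,
        "clean_after_wipe": shadow.store_is_clean(),
        "accepted_when_locked": accepted,
        "read_when_locked": shadow.read(1)[:1],
    }


if __name__ == "__main__":
    print(demo())
```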
5.5 Toggle Ctrl Blk Command
Toggle the behavior the Shadow 3 will use regarding the HD control block
between Classic mode and Compatible mode. The Shadow 3 ships in Classic
mode. Classic mode is what Shadow 3 has always used. In Compatible mode,
the Shadow 3 alters the HD control block to be more compatible with some
motherboard / OS combinations, in particular, 2007 and newer motherboards in
combination with Windows 10.
The modified behavior is entirely in software; the HD is never physically altered
by the change.
There is no guarantee either mode will allow a shadowed HD to boot.

6 Button Interface
The button control panel and the LCD are the user interface. The button panel
consists of the following three buttons:

Button   Function   Description
Yellow   Menu       This button is designed to step through each of the
                    menu items. It always steps in a forward direction.
Green    Enter      This button is designed to either select a menu item or
                    acknowledge status information.
Red      Cancel     This button is designed to either abort the entering of
                    a new command or the execution of the previous
                    command.

The LCD is used to display each of the menu items, the progress of the current
command, and to acknowledge the command status information.
Whenever commands are entered from the button control panel, all status
information must be acknowledged by the operator. A special arrow character
[←] displayed in the lower right hand corner of the LCD indicates that the unit is
waiting for acknowledgment of the data currently displayed in the LCD. Press
the <enter> button each time the arrow character is displayed in order to
continue executing the current command.
Note: The user may terminate an executing command by pressing the
<cancel> button.
Note: The button command menu is unavailable when there is not a
Source Drive attached.
The button command menu is organized into levels. The prompting hierarchy
used to organize the set of supported commands follows:

Level   Prompt            Description
1       Zero Shadow       Zero (clear) the Shadow drive.
2       Wipe Shadow       A more secure clearing of the Shadow drive.
3       Park Drives       Prepare the drives for powering off.
        Spin Drives       Spin the drives back up.
4       Lock Shadow       Place the Shadow unit in simple write block mode.
5       Toggle Ctrl Blk   Toggle the control block mode.

Step-by-step examples of the operations that the user can perform through the
button interface are described in the following sections of this chapter:

6.1 Zero Shadow Procedure
The following table describes the normal sequence associated with performing a
Zeroing of the Shadow drive:
LCD interface      Comments

Shadow3 1-04       From the main window, press <menu> to display the
ready classic      initial menu item.

Zero Shadow        Press <enter> to execute the Zero Shadow command.

Zero Shadow        Press <enter> to perform the Zero, <cancel> to abort
Are You Sure?      the command.

Zero Shadow        Your Shadow drive has been zeroed.
* Task Done *←     Press <enter> to return to the ready screen.
6.2 Wipe Shadow Procedure
The following table describes the normal sequence associated with wiping the
Shadow drive:
LCD interface      Comments

Shadow3 1-04       From the main window, press <menu> to display the
ready classic      initial menu item.

Zero Shadow        Press <menu> to proceed to the next command.

Wipe Shadow        Press <enter> to execute the Wipe Shadow command.

Wipe Shadow        Press <enter> to perform the Wipe, <cancel> to abort
Are You Sure?      the command.

Wiping Shadow      Interim status.
42%

Wiping Shadow      The Shadow drive has been wiped ...
DONE ←

0 errors           Successfully.
50:50 elapsed ←    Press <enter> to return to the ready screen.

6.3 Park Drives Procedure
The following table describes the normal sequence associated with parking the
drives:
LCD interface      Comments

Shadow3 1-04       From the main window, press <menu> to display the
ready classic      initial menu item.

Zero Shadow        Press <menu> to proceed to the next command.

Wipe Shadow        Press <menu> to proceed to the next command.

Park Drives        Press <enter> to execute the Park Drives command.
Spin Drives        Press <enter> to execute the Spin Drives command.

Shadow3 1-04       The drives have been parked.
parked
Shadow3 1-04       The drives have been spun up.
ready
6.4 Lock Shadow Procedure
The following table describes the normal sequence associated with locking the
Shadow:
LCD interface      Comments

Shadow3 1-04       From the main window, press <menu> to display the
ready classic      initial menu item.

Zero Shadow        Press <menu> to proceed to the next command.

Wipe Shadow        Press <menu> to proceed to the next command.

Park Drives        Press <menu> to proceed to the next command.

Lock Shadow        Press <enter> to execute the Lock Shadow command.

Lock Shadow        Press <enter> to perform the Lock, <cancel> to abort
Are You Sure?      the command.

Shadow3 1-04       The Shadow is locked.
ready lock

6.5 Toggle Ctrl Blk Procedure
The following table describes the normal sequence associated with toggling the
control block:

LCD interface      Comments

Shadow3 1-04       From the main window, press <menu> to display the
ready classic      initial menu item.

Zero Shadow        Press <menu> to proceed to the next command.

Wipe Shadow        Press <menu> to proceed to the next command.

Park Drives        Press <menu> to proceed to the next command.

Lock Shadow        Press <menu> to proceed to the next command.

Toggle Ctrl Blk    Press <enter> to execute the Toggle Ctrl Blk command.
to Compatible

Toggle Ctrl Blk    Press <enter> to perform the Toggle, <cancel> to
Are You Sure?      abort the command.

Shadow3 1-04       The Shadow is now in compatible mode.
ready compat

7 Serial Interface
With the Shadow 3 unit turned off, connect the supplied serial cable between the
Shadow 3 and a second computer; do not use the suspect computer. Using a
terminal program capable of serial communications, such as HyperTerminal or
Tera Term, configure the serial port (usually COM1) as described in the table
below:

Parameter      Value
Baud Rate      115200
Data Bits      8
Parity         none
Stop Bits      1
Flow Control   none
Serial Port Settings

Once the serial cable is connected and the terminal program configured, the
Shadow 3 unit may be turned on.
On power-up you should see the following sequence:
Start
!-FPGA loaded
Shadow3 1-04 Initializing...
Checking Shadow...
Checking Source...
. (only with a Source change)
!-Source Drive Changed (only with a Source change)
Shadow3 1-04 Ready
Hard Reset
=>
Typing help will display a brief description of the available commands.

7.1 Zero Shadow Procedure
When using the serial interface, the command syntax for zeroing the Shadow is
given below:
Zero
The following example shows the output from a typical Zero Shadow command.
=> Zero
.
!-Shadow Drive Zeroed
7.2 Wipe Shadow Procedure
When using the serial interface, the command syntax for wiping the Shadow is
given below:
Wipe
The following example shows the output from a typical Wipe Shadow command.
=> Wipe
Wiping shadow drive (may take over 20 minutes)...
.................................................. done
0 errors elapsed 50:50 elapsed
!-Shadow Drive Wiped
7.3 Park Drives Procedure
When using the serial interface, the command syntax for parking the drives is
given below:
Park
The following example shows the output from a typical Park Drives command.
=> Park
parked
!-Drives are parked
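A saved capture of the serial session is a convenient record for case notes. The following Python sketch is an added example, not part of the manual or of Voom's software: it parses a saved terminal log and checks that the last Wipe completed with 0 errors. The capture is constructed from the sample output above, and treating the "!-" prefix as a status marker is an assumption drawn from those samples.

```python
import re

# Constructed capture, assembled from the sample output printed in this manual.
CAPTURE = """\
Start
!-FPGA loaded
Shadow3 1-04 Initializing...
Checking Shadow...
Checking Source...
.
!-Source Drive Changed
Shadow3 1-04 Ready
Hard Reset
=> Wipe
Wiping shadow drive (may take over 20 minutes)...
.................................................. done
0 errors elapsed 50:50 elapsed
!-Shadow Drive Wiped
=> Park
parked
!-Drives are parked
"""

PROMPT = "=>"
STATUS = "!-"   # assumption: every line with this prefix is a status notice
ERRORS = re.compile(r"^(\d+) errors\b")
BANNER = re.compile(r"^Shadow3 (\S+) Ready$")


def parse_session(text):
    """Return (firmware_version, records); records[0] is the power-up phase."""
    boot = {"command": None, "status": [], "errors": None}
    records, current, version = [boot], boot, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):
            cmd = line[len(PROMPT):].strip()
            if cmd:  # a bare prompt with nothing typed starts no record
                current = {"command": cmd, "status": [], "errors": None}
                records.append(current)
        elif line.startswith(STATUS):
            current["status"].append(line[len(STATUS):])
        elif (m := ERRORS.match(line)):
            current["errors"] = int(m.group(1))
        elif (m := BANNER.match(line)):
            version = m.group(1)
    return version, records


def wipe_verified(records):
    """True only if the last Wipe reported zero errors and its status line."""
    wipes = [r for r in records if r["command"] == "Wipe"]
    if not wipes:
        return False
    last = wipes[-1]
    return last["errors"] == 0 and "Shadow Drive Wiped" in last["status"]


if __name__ == "__main__":
    version, records = parse_session(CAPTURE)
    print(version, [r["command"] for r in records], wipe_verified(records))
```

A capture that ends before the error count and the final status line, for example because the unit was powered off mid-wipe, makes wipe_verified return False.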