CRU Ditto Forensic FieldStation User Manual
between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40.
Both may be combined to form: 22,23,40-50,80,90-91.
• Syn Scan: Syn Scan is selected by default and is appropriate for most use cases. The Ditto Forensic FieldStation generates raw IP packets and monitors for responses. This type of scan is also known as “half-open scanning” since it does not open a full TCP connection.
• Connect Scan: The Ditto Forensic FieldStation uses a full system-level TCP connection in order to determine what ports are available on the host network. This scan should only be performed by advanced users.
The more ports being scanned, the longer the scan will take.
UDP Options
NetView can optionally scan the specified hosts for open UDP ports. By default, this feature is not
enabled. Check the box next to “UDP Options” to enable this feature. Click the “Reset” icon to reset
the UDP option back to its default values.
Ports: By default, UDP ports for commonly used services as well as services to which the Ditto Forensic FieldStation may be able to connect are entered into this text box, including NFS, iSCSI, and Samba. Only ports entered into this text box will be scanned. NetView IP port ranges may be specified as any combination of lists and ranges. Valid port numbers are between 1 and 65535 (inclusive). A list is in the form: 80,22,23. A range is in the form: 1-40. Both may be combined to form: 22,23,40-50,80,90-91.
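The list/range format described above can be validated and expanded before it is entered into NetView, which also shows how many ports a specification will actually scan. This is an added example, not code from CRU or the Ditto firmware; the function names, the tolerance of spaces around items, and the rejection of reversed ranges such as 50-40 are assumptions.

```python
MIN_PORT, MAX_PORT = 1, 65535  # valid bounds stated in the manual


def parse_port_spec(spec):
    """Expand a spec such as '22,23,40-50,80,90-91' into sorted unique ports.

    Raises ValueError on empty items, non-numeric text, out-of-range ports,
    or a range whose start exceeds its end (that last rule is an assumption).
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        start_text, dash, end_text = item.partition("-")
        bounds = [start_text.strip()] + ([end_text.strip()] if dash else [])
        # Rejects '', '-5', '5-', '1-2-3' and anything that is not plain digits.
        if not all(b.isascii() and b.isdigit() for b in bounds):
            raise ValueError(f"not a port or range: {item!r}")
        start, end = int(bounds[0]), int(bounds[-1])
        if not (MIN_PORT <= start <= MAX_PORT and MIN_PORT <= end <= MAX_PORT):
            raise ValueError(f"port outside {MIN_PORT}-{MAX_PORT}: {item!r}")
        if start > end:
            raise ValueError(f"range start exceeds end: {item!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def summarize(ports):
    """Collapse a sorted port list back into the shortest list/range form."""
    runs, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        runs.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(runs)


if __name__ == "__main__":
    example = "22,23,40-50,80,90-91"  # combined form quoted in the manual
    expanded = parse_port_spec(example)
    print(len(expanded), "ports:", summarize(expanded))
```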
UDP port scanning takes much longer than TCP port scanning due to the fact that open and filtered ports do not typically respond to queries. Therefore, any UDP port scanner will spend time retransmitting its query in case the query or response was lost. Furthermore, while closed ports do usually respond with ICMP port unreachable messages, hosts tend to limit the number of those messages sent per second, resulting in further delay.
NetView Tips
1.
for general information about network scanning.
2. Keep your IP address lists/ranges short. This will mean faster scans and less network traffic.
3. Keep your port lists/ranges short. This will also mean faster scans and less network traffic.
4. Start by deselecting the TCP and UDP scans. Just scanning for the presence of hosts is much
quicker than running TCP and UDP scans on a network with an unknown number of machines.
Once you have a list of discovered machines, then you can decide whether to TCP and/or UDP
scan them all or scan only a subset at a time.
5. TCP scanning must be enabled in order to detect the target’s operating system.
11.2 TARGET MODE: REMOTELY ACCESS DISKS ATTACHED TO THE DITTO FORENSIC FIELDSTATION WITH THIRD PARTY SOFTWARE
Disks attached to Ditto Forensic FieldStation may be mounted on your computer as iSCSI devices for use with third party data acquisition tools. The machine this software is installed on does not have to be physically connected to the Ditto Forensic FieldStation, but rather the software may be run remotely from a separate location within the same network. To do so, you will need to put the Ditto Forensic FieldStation into Target Mode.