• The server may be at “headquarters,” wherever that is.
• The server may be at a third location, which is anywhere accessible by the VPN.
With respect to E-Discovery, the Ditto device may
be pre-deployed to client or remote location sites. This
leverages the ability of E-Discovery investigations to pull
information from multiple locations and clients. As likelihood of event occurrence increases, Ditto reduces costs
and makes triage response immediate.
The author does not see the classic use of write-blockers,
duplicators, and laptops disappearing anytime soon. ‘Dead
box’ forensics with an investigator are a fact of professional
life, for forensics, and for E-Discovery.
The use of a device such as the Ditto Forensic FieldSta-
tion for remote acquisition and real time analysis provides
investigators and IT specialists a significant new tool.
When the ability to analyze remote networks is included
(it is, after all, a free feature and benefit with the product),
the Ditto device clearly provides improvements in the
investigative and E-Discovery process. The Ditto Forensic
FieldStation changes the paradigm of traditional drive
copiers. Traditional copiers just worked for local, dead box
drive analysis. In contrast, the Ditto Forensic FieldStation
looks at live volumes, analyzes those volumes, and provides
the analysis to investigators, no matter where they are. It
even stores the destination output directly onto networks.
The benefits are clear: improved response time, control of distant analysis, reduced costs, ability to acquire
networks, storage of destination output on any drive or
network, better and quicker analysis of source drives.
James Wiebe, VP R&D for CRU, is well known in the computer forensic profession. Along with his wife, Kathy, he started
Wiebe Tech in 2000 and grew it into a leading hardware forensic
company. After selling Wiebe Tech to CRU in 2008, James has
remained active with the company through an active calendar
of conference speaking, product development, and customer
Figure 5: A network of Ditto FieldStations may be operated
by a single device potentially across the planet. Sources and
destinations do not need to be near each other for forensic
acquisition to take place.
Watch James Wiebe’s overview of the CRU Ditto Forensic FieldStation at